
Feature request - Hooking into firewalls when creating load balancers #68

Closed
ghubcoder opened this issue Mar 30, 2018 · 7 comments

Comments

@ghubcoder

Hello, please feel free to close this, I'm just not sure where else to ask 🙂

This is working fine for me with a vanilla install of kubicorn, it's extremely simple to launch.

The only thing that seems to be missing is a step to update the firewalls which have been applied to your k8s nodes so that a rule is added to allow the load balancer to talk to your nodes on the port the new service is listening on. This is a manual step at the moment. Would digitalocean-cloud-controller-manager be the right place to add this hook in, or would a separate service be required?

@andrewsykim
Contributor

Hi @ghubcoder, thanks for opening this issue!

Firewalls are not managed by the cloud controller manager at the moment, but this would be the ideal place to integrate it. I haven't figured out exactly what this might look like, though. If you're willing to take a shot at it, I'd be happy to review your PR :).

A good starting place would be to create a firewall controller and start a goroutine in here. The firewall controller should watch for node events and sync the state of cloud firewalls as new nodes and LBs are added to the cluster.

@ghubcoder
Author

ghubcoder commented Mar 30, 2018

@andrewsykim many thanks for replying so quickly 🙂

Do you have any tips on what a development environment for this looks like? Is it just a case of launching a k8s cluster and deploying your updated version into it, or is it possible to somehow build and run the controller locally (i.e. external to the cluster) and have it watch for node events and make calls to the DO api?

If the latter is possible it would certainly make development easier, rather than having to redeploy it each time.

Edit - Looking at how the AWS provider works here, the security groups are added as part of the LoadBalancer controller, not as a separate controller. I think that makes sense as cloudprovider doesn't provide a firewall interface where we can listen for events. I'd look at adding the firewall calls into do/loadbalancers.go. I'm just going through the code at the moment trying to get a feel for how it works.

@andrewsykim
Contributor

@ghubcoder adding the firewall call in do/loadbalancers.go makes sense for now; in the future we can implement a separate controller for traffic between droplets and traffic between LBs.

@ghubcoder
Author

ghubcoder commented Apr 1, 2018

I've made some progress on this, I should have a first stab at it ready soon.

Edit - please see #70

@peterver
Contributor

@andrewsykim A good starting point for firewall creation could be to see how the terraform digitalocean_firewall resource does this? I've always liked the way they are set up there. (Just putting in my 50 cents.)

[docs] digital ocean firewall docs terraform
[source] digitalocean_firewall.go

@timoreimann
Collaborator

We have work #332 pending right now that is dedicated to dynamically opening up and closing down ports on a managed firewall for NodePort access. LBs are not considered right now, but could be extended once the PR lands.

However, I'd like to have clarity around whether managing LB access in firewalls is still a thing users want. FWIW, LB traffic flows through the internal interface, and many cluster provisioning approaches presumably set up firewalls to allow traffic to flow within the VPC more liberally. I don't have enough historical context to know whether the situation was different back when this issue was filed.

If folks are still interested in the kind of functionality this issue is about, please post back and ideally outline your use case.
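The reconciliation step that both @andrewsykim's proposed firewall controller ("sync the state of cloud firewalls as new nodes and LBs are added") and the NodePort work @timoreimann refers to need is a diff between the rules currently on the managed firewall and the rules the cluster's Services require. The Go program below is an added example written for this page; it is not code from digitalocean-cloud-controller-manager or from #332. It models an inbound rule with a local `InboundRule` type (an assumption standing in for the cloud provider's rule object, so the example runs without an API client), derives desired rules from Service NodePorts, and computes what to add and what to remove. The security-relevant detail is the `isNodePortRule` guard: the controller only ever deletes rules in the default NodePort range (30000-32767), so an operator's own rules (SSH, kubelet, anything outside that range) are never clobbered on a sync. The sample firewall state and Service list are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// InboundRule is a local model of a cloud firewall inbound rule (protocol,
// port, allowed sources). It is an assumption made for this example so the
// reconciler runs offline; a real controller would map it onto the provider's
// firewall API types.
type InboundRule struct {
	Protocol  string   // "tcp" or "udp"
	PortRange string   // single port "30080" or a range "30000-32767"
	Sources   []string // CIDR sources, e.g. "0.0.0.0/0"
}

// Key is the rule's identity for diffing: protocol, port and the sorted
// source list, so rules with the same sources in a different order match.
func (r InboundRule) Key() string {
	srcs := append([]string(nil), r.Sources...)
	sort.Strings(srcs)
	return r.Protocol + "/" + r.PortRange + "/" + strings.Join(srcs, ",")
}

// ServicePort is the subset of a Kubernetes Service port the controller
// needs: the NodePort allocated on every node and its protocol.
type ServicePort struct {
	Protocol string // "TCP" or "UDP" as Kubernetes spells it
	NodePort int32  // 0 when the Service has no NodePort (ClusterIP only)
}

// isNodePortRule reports whether a rule targets a single port in the default
// Kubernetes NodePort range. Only such rules are considered managed by the
// controller and eligible for removal; everything else is left untouched.
func isNodePortRule(r InboundRule) bool {
	p, err := strconv.Atoi(r.PortRange)
	if err != nil {
		return false // port ranges like "30000-32767" are not ours
	}
	return p >= 30000 && p <= 32767
}

// DesiredRules turns the cluster's NodePorts into the inbound rules the
// managed firewall must carry. Duplicate (protocol, port) pairs collapse into
// one rule; ports without a NodePort produce nothing.
func DesiredRules(ports []ServicePort, sources []string) []InboundRule {
	seen := map[string]bool{}
	var rules []InboundRule
	for _, p := range ports {
		if p.NodePort == 0 {
			continue
		}
		r := InboundRule{
			Protocol:  strings.ToLower(p.Protocol),
			PortRange: strconv.Itoa(int(p.NodePort)),
			Sources:   sources,
		}
		if seen[r.Key()] {
			continue
		}
		seen[r.Key()] = true
		rules = append(rules, r)
	}
	return rules
}

// Reconcile diffs the firewall's current rules against the desired set and
// returns the rules to add and the managed rules to remove, each sorted by
// Key so the output is deterministic. Unmanaged rules never appear in remove.
func Reconcile(current, desired []InboundRule) (add, remove []InboundRule) {
	have := map[string]InboundRule{}
	for _, r := range current {
		have[r.Key()] = r
	}
	want := map[string]InboundRule{}
	for _, r := range desired {
		want[r.Key()] = r
	}
	for k, r := range want {
		if _, ok := have[k]; !ok {
			add = append(add, r)
		}
	}
	for k, r := range have {
		if _, ok := want[k]; ok {
			continue
		}
		if !isNodePortRule(r) {
			continue // operator-defined rule (SSH etc.): leave it alone
		}
		remove = append(remove, r)
	}
	sort.Slice(add, func(i, j int) bool { return add[i].Key() < add[j].Key() })
	sort.Slice(remove, func(i, j int) bool { return remove[i].Key() < remove[j].Key() })
	return add, remove
}

// sampleReconcile runs the reconciler over a constructed firewall state and
// Service list (made up for this example, not taken from a real cluster).
func sampleReconcile() (add, remove []InboundRule) {
	public := []string{"0.0.0.0/0", "::/0"}
	current := []InboundRule{
		{Protocol: "tcp", PortRange: "22", Sources: []string{"203.0.113.0/24"}}, // operator SSH rule, must survive
		{Protocol: "tcp", PortRange: "30001", Sources: public},                  // stale: its Service was deleted
		{Protocol: "tcp", PortRange: "30080", Sources: public},                  // still wanted
	}
	services := []ServicePort{
		{Protocol: "TCP", NodePort: 30080},
		{Protocol: "TCP", NodePort: 30443},
		{Protocol: "UDP", NodePort: 31000},
		{Protocol: "TCP", NodePort: 0}, // ClusterIP-only Service: no rule
	}
	return Reconcile(current, DesiredRules(services, public))
}

func main() {
	add, remove := sampleReconcile()
	for _, r := range add {
		fmt.Println("add   ", r.Key())
	}
	for _, r := range remove {
		fmt.Println("remove", r.Key())
	}
}
```

The `sources` argument is what distinguishes the NodePort case from the LB case this issue was opened for: for public NodePort exposure it is the any-address CIDRs, while for LB-to-node traffic a controller would pass the load balancer's own addresses instead, which narrows the rule to exactly the path @timoreimann describes as flowing over the internal interface.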

@timoreimann
Collaborator

Closing since the work to automatically manage NodePorts in firewalls has completed, and no further feedback has been received.
