
Set iptables rules to restrict user access to ports other than the load balancer service port through the VIP #560

Merged (2 commits), May 11, 2023

Conversation

yaocw2020
Contributor

@yaocw2020 yaocw2020 commented May 7, 2023

Set iptables rules to restrict user access to ports other than the load balancer service port through the VIP. Moreover, considering DHCP and any other protocol port requirements, those ports should be reachable.

By the way, we also modify watch_services.go to support changing the service load balancer IP.

iptables rules example:

-A INPUT -d 172.19.104.147/32 -p tcp -m tcp --dport 80 -m comment --comment "default/primary kube-vip load balancer IP" -j ACCEPT
-A INPUT -d 172.19.104.147/32 -p udp -m udp --dport 68 -m comment --comment "default/primary kube-vip load balancer IP" -j ACCEPT
-A INPUT -d 172.19.104.147/32 -m comment --comment "default/primary kube-vip load balancer IP" -j DROP

Related issue: #479
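As an added example (not code from kube-vip or from this PR), a small Go program that builds the rule set shown above for any list of service ports, renders it in iptables-save syntax, and simulates first-match evaluation so the ordering requirement (service ports and DHCP accepted, catch-all DROP last) can be checked; the types and function names are hypothetical, and the VIP and comment string are the ones from the description.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one INPUT rule for the VIP; Proto "" and Port 0 match any packet (hypothetical type, not kube-vip's).
type Rule struct{ Proto, Target string; Port int }

// VIPRules builds the ordered rule set for a VIP: one ACCEPT per service port, an
// ACCEPT for the DHCP client port (UDP 68) so a DHCP-assigned VIP keeps its lease,
// then a catch-all DROP. iptables stops at the first match, so the DROP must stay last.
func VIPRules(servicePorts []Rule) []Rule {
	rules := make([]Rule, 0, len(servicePorts)+2)
	for _, p := range servicePorts {
		rules = append(rules, Rule{Proto: p.Proto, Port: p.Port, Target: "ACCEPT"})
	}
	rules = append(rules, Rule{Proto: "udp", Port: 68, Target: "ACCEPT"})
	return append(rules, Rule{Target: "DROP"})
}

// Render writes the rules in iptables-save syntax with the comment used in the PR.
func Render(vip, comment string, rules []Rule) string {
	var b strings.Builder
	for _, r := range rules {
		fmt.Fprintf(&b, "-A INPUT -d %s/32", vip)
		if r.Proto != "" {
			fmt.Fprintf(&b, " -p %s -m %s --dport %d", r.Proto, r.Proto, r.Port)
		}
		fmt.Fprintf(&b, " -m comment --comment %q -j %s\n", comment, r.Target)
	}
	return b.String()
}

// Verdict simulates first-match evaluation of a packet sent to the VIP; with no
// match it falls through to the chain policy, assumed ACCEPT here.
func Verdict(rules []Rule, proto string, port int) string {
	for _, r := range rules {
		if r.Proto == "" || (r.Proto == proto && r.Port == port) {
			return r.Target
		}
	}
	return "ACCEPT"
}

func main() {
	rules := VIPRules([]Rule{{Proto: "tcp", Port: 80}}) // constructed: the service from the PR
	fmt.Print(Render("172.19.104.147", "default/primary kube-vip load balancer IP", rules))
}
```

Running it prints the three rules from the description; Verdict shows that UDP 68 still passes while, for example, TCP 22 to the VIP hits the DROP.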

Signed-off-by: Canwu Yao <yaocanwu@gmail.com>
@yaocw2020 yaocw2020 changed the title Set iptables rules to Restricts user access to ports other than the load balancer service port through the VIP Set iptables rules to restricts user access to ports other than the load balancer service port through the VIP May 7, 2023
@yaocw2020
Contributor Author

The CI error is introduced by other PRs. We may need to submit a new PR to solve it.

@thebsdbox
Collaborator

There is already a PR to fix this although I was going to merge it into the v1 branch.

@thebsdbox
Collaborator

Is this behind a flag? We currently have two releases (kube-vip and kube-vip-iptables), changing this to default behaviour will break the default image behaviour.

@yaocw2020
Contributor Author

Is this behind a flag? We currently have two releases (kube-vip and kube-vip-iptables), changing this to default behaviour will break the default image behaviour.

How can we modify it to the kube-vip-iptables?

Review threads (resolved): pkg/manager/services.go; pkg/vip/address.go (outdated)
@yaocw2020 yaocw2020 changed the title Set iptables rules to restricts user access to ports other than the load balancer service port through the VIP Set iptables rules to restrict user access to ports other than the load balancer service port through the VIP May 9, 2023
@thebsdbox
Collaborator

As in a flag/env on the implementation, as in its current form it would be the default behaviour.
Something like --secureService?

Signed-off-by: Canwu Yao <yaocanwu@gmail.com>
@yaocw2020
Contributor Author

As in a flag/env on the implementation, as in its current form it would be the default behaviour. Something like --secureService?

Done, use an env called enable_service_security.

@thebsdbox
Collaborator

Awesome, looks good to go! If there is nothing else, I'll give this PR one last look over tomorrow (awesome work) 😄

@yaocw2020
Contributor Author

Awesome, looks good to go! If there is nothing else, I'll give this PR one last look over tomorrow (awesome work) 😄

Thanks. If merged, could you help draft a new release? Our product whose new version is close to release needs this new feature.

Collaborator

@thebsdbox thebsdbox left a comment


/LGTM
