
Automate LKE IP address whitelisting on lovelace #638

@jchristgit

Description


Right now the /etc/nftables IP whitelist on lovelace is only refreshed on
deployment. This is suboptimal, since worst case our resources may get
scheduled on a new node that is not whitelisted in the firewall.

The ideal solution would involve as little manual work as possible. nftables
has an include directive: we could write a timer / cronjob to update an
nftables file containing only the LKE IP addresses, which is then included
in our Ansible-managed main nftables.conf. We would have to take care of
setting up an initial IP whitelist in said file to prevent errors when
provisioning a new server (where the timer has not run yet).
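As an added example (not part of the issue or of the repository's Ansible setup), a POSIX shell script that implements the scheme described above: it renders the include file from a list of node addresses, refuses to install an empty or malformed list so a failed node lookup cannot silently drop the whitelist, and only reloads the ruleset after `nft -c` accepts the full configuration. The include path `/etc/nftables.d/lke-nodes.nft`, the variable name `LKE_NODES`, and the `kubectl` query used to obtain node addresses are assumptions, not values from the issue.

```shell
#!/bin/sh
# update-lke-whitelist (hypothetical name): refresh the nftables include file
# holding the LKE node addresses. Assumed layout (not from the issue):
#   main nftables.conf:   include "/etc/nftables.d/lke-nodes.nft"
#                          ... ip saddr $LKE_NODES accept
#   include file:         define LKE_NODES = { a.b.c.d, ... }
set -euf

INCLUDE_FILE="${INCLUDE_FILE:-/etc/nftables.d/lke-nodes.nft}"
MAIN_CONF="${MAIN_CONF:-/etc/nftables.conf}"

# is_ipv4: succeed only for a dotted quad whose four octets are all 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# render_lke_set: read whitespace-separated addresses on stdin, drop anything
# that is not a valid IPv4 address (reported on stderr) and duplicates, and
# print the nftables define. Fails if no valid address survives.
render_lke_set() {
    valid=""
    for ip in $(cat); do
        if is_ipv4 "$ip"; then
            case " $valid " in
                *" $ip "*) ;;                      # duplicate, skip
                *) valid="${valid:+$valid }$ip" ;;
            esac
        else
            printf 'skipping invalid address: %s\n' "$ip" >&2
        fi
    done
    [ -n "$valid" ] || return 1
    printf '# Managed by update-lke-whitelist; do not edit by hand.\n'
    printf 'define LKE_NODES = { %s }\n' "$(printf '%s' "$valid" | sed 's/ /, /g')"
}

# install_include: write the rendered set via a temp file, keep a backup of
# the previous include, and reload only if the complete ruleset parses.
# The previous file stays in place whenever rendering or parsing fails.
install_include() {
    tmp="$(mktemp "${INCLUDE_FILE}.XXXXXX")"
    if ! render_lke_set > "$tmp"; then
        rm -f "$tmp"
        echo "no valid node addresses; keeping $INCLUDE_FILE" >&2
        return 1
    fi
    chmod 0644 "$tmp"
    if [ -f "$INCLUDE_FILE" ]; then
        cp -p "$INCLUDE_FILE" "$INCLUDE_FILE.bak"
    fi
    mv "$tmp" "$INCLUDE_FILE"
    if command -v nft >/dev/null 2>&1; then
        if nft -c -f "$MAIN_CONF"; then
            nft -f "$MAIN_CONF"
        else
            echo "ruleset failed to parse; restoring previous whitelist" >&2
            if [ -f "$INCLUDE_FILE.bak" ]; then
                mv "$INCLUDE_FILE.bak" "$INCLUDE_FILE"
            fi
            return 1
        fi
    fi
}

# Entry point for the timer: `update-lke-whitelist apply`. The kubectl
# jsonpath below is an assumption about where LKE exposes node addresses.
case "${1:-}" in
    apply)
        kubectl get nodes -o \
            jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}' \
            | install_include
        ;;
esac
```

For the provisioning problem raised in the issue, the same render function can be run once by Ansible (with the address list gathered at deploy time) to create the initial include file, with the task told not to overwrite an existing file, so a fresh server never loads a main nftables.conf whose include is missing while a redeploy never clobbers what the timer has since written.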

Metadata

Labels: component: networking (an issue relating to host networking, e.g. DNS, WireGuard, SSH); group: ansible (issues and pull requests related to the Ansible setup)

Status: Done