Skip to content

Commit a4e5cb2

Browse files
simcodsimcod
committed
Specify initial rule set in firewall spec
1 parent e22f2b3 commit a4e5cb2

6 files changed

Lines changed: 366 additions & 12 deletions

api/v2/types_firewall.go

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -74,6 +74,9 @@ type FirewallSpec struct {
7474
// EgressRules contains egress rules configured for this firewall.
7575
EgressRules []EgressRuleSNAT `json:"egressRules,omitempty"`
7676

77+
// InitialRuleSet is the initial firewall ruleset applied before the firewall-controller starts running.
78+
InitialRuleSet *InitialRuleSet `json:"initialRuleSet,omitempty"`
79+
7780
// Interval on which rule reconciliation by the firewall-controller should happen.
7881
Interval string `json:"interval,omitempty"`
7982
// DryRun if set to true, firewall rules are not applied. For devel-purposes only.
@@ -122,6 +125,46 @@ type FirewallTemplateSpec struct {
122125
Spec FirewallSpec `json:"spec,omitempty"`
123126
}
124127

128+
// InitialRuleSet is the initial rule set deployed on the firewall.
129+
type InitialRuleSet struct {
130+
// Egress rules to be deployed initially on the firewall.
131+
Egress []EgressRule `json:"egress,omitempty"`
132+
// Ingress rules to be deployed initially on the firewall.
133+
Ingress []IngressRule `json:"ingress,omitempty"`
134+
}
135+
136+
// NetworkProtocol represents the kind of network protocol.
137+
type NetworkProtocol string
138+
139+
const (
140+
// NetworkProtocolTCP represents tcp connections.
141+
NetworkProtocolTCP = "TCP"
142+
// NetworkProtocolUDP represents udp connections.
143+
NetworkProtocolUDP = "UDP"
144+
)
145+
146+
type EgressRule struct {
147+
// Comment provides a human readable description of this rule.
148+
Comment string `json:"comment,omitempty"`
149+
// Ports contains all affected network ports.
150+
Ports []int32 `json:"ports"`
151+
// Protocol constraints the protocol this rule applies to.
152+
Protocol NetworkProtocol `json:"protocol"`
153+
// To source address cidrs this rule applies to.
154+
To []string `json:"to"`
155+
}
156+
157+
type IngressRule struct {
158+
// Comment provides a human readable description of this rule.
159+
Comment string `json:"comment,omitempty"`
160+
// Ports contains all affected network ports.
161+
Ports []int32 `json:"ports"`
162+
// Protocol constraints the protocol this rule applies to.
163+
Protocol NetworkProtocol `json:"protocol"`
164+
// From source address cidrs this rule applies to.
165+
From []string `json:"from"`
166+
}
167+
125168
// EgressRuleSNAT holds a Source-NAT rule
126169
type EgressRuleSNAT struct {
127170
// NetworkID is the network for which the egress rule will be configured.

api/v2/zz_generated.deepcopy.go

Lines changed: 84 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

config/crds/firewall.metal-stack.io_firewalldeployments.yaml

Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -180,6 +180,75 @@ spec:
180180
Image is the os image of the firewall.
181181
An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
182182
type: string
183+
initialRuleSet:
184+
description: InitialRuleSet is the initial firewall ruleset
185+
applied before the firewall-controller starts running.
186+
properties:
187+
egress:
188+
description: Egress rules to be deployed initially on
189+
the firewall.
190+
items:
191+
properties:
192+
comment:
193+
description: Comment provides a human readable description
194+
of this rule.
195+
type: string
196+
ports:
197+
description: Ports contains all affected network
198+
ports.
199+
items:
200+
format: int32
201+
type: integer
202+
type: array
203+
protocol:
204+
description: Protocol constraints the protocol this
205+
rule applies to.
206+
type: string
207+
to:
208+
description: To target addresses this rule applies
209+
to. May contain IPs or dns names.
210+
items:
211+
type: string
212+
type: array
213+
required:
214+
- ports
215+
- protocol
216+
- to
217+
type: object
218+
type: array
219+
ingress:
220+
description: Ingress rules to be deployed initially on
221+
the firewall.
222+
items:
223+
properties:
224+
comment:
225+
description: Comment provides a human readable description
226+
of this rule.
227+
type: string
228+
from:
229+
description: From source addresses this rule applies
230+
to. May contain IPs or dns names.
231+
items:
232+
type: string
233+
type: array
234+
ports:
235+
description: Ports contains all affected network
236+
ports.
237+
items:
238+
format: int32
239+
type: integer
240+
type: array
241+
protocol:
242+
description: Protocol constraints the protocol this
243+
rule applies to.
244+
type: string
245+
required:
246+
- from
247+
- ports
248+
- protocol
249+
type: object
250+
type: array
251+
type: object
183252
internalPrefixes:
184253
description: |-
185254
InternalPrefixes specify prefixes which are considered local to the partition or all regions. This is used for the traffic counters.

config/crds/firewall.metal-stack.io_firewalls.yaml

Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -135,6 +135,71 @@ spec:
135135
Image is the os image of the firewall.
136136
An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
137137
type: string
138+
initialRuleSet:
139+
description: InitialRuleSet is the initial firewall ruleset applied
140+
before the firewall-controller starts running.
141+
properties:
142+
egress:
143+
description: Egress rules to be deployed initially on the firewall.
144+
items:
145+
properties:
146+
comment:
147+
description: Comment provides a human readable description
148+
of this rule.
149+
type: string
150+
ports:
151+
description: Ports contains all affected network ports.
152+
items:
153+
format: int32
154+
type: integer
155+
type: array
156+
protocol:
157+
description: Protocol constraints the protocol this rule
158+
applies to.
159+
type: string
160+
to:
161+
description: To target addresses this rule applies to. May
162+
contain IPs or dns names.
163+
items:
164+
type: string
165+
type: array
166+
required:
167+
- ports
168+
- protocol
169+
- to
170+
type: object
171+
type: array
172+
ingress:
173+
description: Ingress rules to be deployed initially on the firewall.
174+
items:
175+
properties:
176+
comment:
177+
description: Comment provides a human readable description
178+
of this rule.
179+
type: string
180+
from:
181+
description: From source addresses this rule applies to.
182+
May contain IPs or dns names.
183+
items:
184+
type: string
185+
type: array
186+
ports:
187+
description: Ports contains all affected network ports.
188+
items:
189+
format: int32
190+
type: integer
191+
type: array
192+
protocol:
193+
description: Protocol constraints the protocol this rule
194+
applies to.
195+
type: string
196+
required:
197+
- from
198+
- ports
199+
- protocol
200+
type: object
201+
type: array
202+
type: object
138203
internalPrefixes:
139204
description: |-
140205
InternalPrefixes specify prefixes which are considered local to the partition or all regions. This is used for the traffic counters.

config/crds/firewall.metal-stack.io_firewallsets.yaml

Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -172,6 +172,75 @@ spec:
172172
Image is the os image of the firewall.
173173
An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
174174
type: string
175+
initialRuleSet:
176+
description: InitialRuleSet is the initial firewall ruleset
177+
applied before the firewall-controller starts running.
178+
properties:
179+
egress:
180+
description: Egress rules to be deployed initially on
181+
the firewall.
182+
items:
183+
properties:
184+
comment:
185+
description: Comment provides a human readable description
186+
of this rule.
187+
type: string
188+
ports:
189+
description: Ports contains all affected network
190+
ports.
191+
items:
192+
format: int32
193+
type: integer
194+
type: array
195+
protocol:
196+
description: Protocol constraints the protocol this
197+
rule applies to.
198+
type: string
199+
to:
200+
description: To target addresses this rule applies
201+
to. May contain IPs or dns names.
202+
items:
203+
type: string
204+
type: array
205+
required:
206+
- ports
207+
- protocol
208+
- to
209+
type: object
210+
type: array
211+
ingress:
212+
description: Ingress rules to be deployed initially on
213+
the firewall.
214+
items:
215+
properties:
216+
comment:
217+
description: Comment provides a human readable description
218+
of this rule.
219+
type: string
220+
from:
221+
description: From source addresses this rule applies
222+
to. May contain IPs or dns names.
223+
items:
224+
type: string
225+
type: array
226+
ports:
227+
description: Ports contains all affected network
228+
ports.
229+
items:
230+
format: int32
231+
type: integer
232+
type: array
233+
protocol:
234+
description: Protocol constraints the protocol this
235+
rule applies to.
236+
type: string
237+
required:
238+
- from
239+
- ports
240+
- protocol
241+
type: object
242+
type: array
243+
type: object
175244
internalPrefixes:
176245
description: |-
177246
InternalPrefixes specify prefixes which are considered local to the partition or all regions. This is used for the traffic counters.

0 commit comments

Comments
 (0)