From e6f9828fc8ad3aebd16aa4224a386221c6e4e89a Mon Sep 17 00:00:00 2001
From: Chris Chiu
Date: Wed, 29 May 2024 20:30:26 +0800
Subject: [PATCH] feat: default security policy for mgmt/worker/witness nodes
Put particular ports in whitelist per different role to allow particular traffic to pass through.
Link: https://github.com/harvester/harvester/issues/5681
Signed-off-by: Chris Chiu
---
 pkg/config/config.go | 2 +-
 pkg/config/cos.go | 14 +++++++----
 pkg/config/templates/wicked-setup-bridge.sh | 27 ++++++++++++++++++++-
 pkg/console/dashboard_panels.go | 11 +++++++++
 pkg/console/network.go | 2 +-
 5 files changed, 48 insertions(+), 8 deletions(-)
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 54947db77..0b370d906 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -414,7 +414,7 @@ func GenerateRancherdConfig(config *HarvesterConfig) (*yipSchema.YipConfig, erro
 return nil, err
 }
 
- if _, err := UpdateManagementInterfaceConfig(&runtimeConfig, config.ManagementInterface, true); err != nil {
+ if _, err := UpdateManagementInterfaceConfig(&runtimeConfig, config.ManagementInterface, true, config.Role); err != nil {
 return nil, err
 }
 
diff --git a/pkg/config/cos.go b/pkg/config/cos.go
index 3e550a1ab..f0339e98a 100644
--- a/pkg/config/cos.go
+++ b/pkg/config/cos.go
@@ -190,7 +190,7 @@ func ConvertToCOS(config *HarvesterConfig) (*yipSchema.YipConfig, error) {
 return nil, err
 }
 
- _, err = UpdateManagementInterfaceConfig(&initramfs, cfg.ManagementInterface, false)
+ _, err = UpdateManagementInterfaceConfig(&initramfs, cfg.ManagementInterface, false, config.Role)
 if err != nil {
 return nil, err
 }
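Review bot: The new argument reads `config.Role` while the same call passes `cfg.ManagementInterface`, so the role and the interface settings come from two different variables on the line `_, err = UpdateManagementInterfaceConfig(&initramfs, cfg.ManagementInterface, false, config.Role)`. If `cfg` is a normalized or validated copy of `config` (its derivation is outside the hunk), the role should be read from the same source, `cfg.Role`, so that any defaulting applied to it is honoured; if the two are guaranteed identical, a one-line comment saying so would stop the mixed use from reading as an oversight. ConvertToCOS's body continues outside the hunk.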
@@ -475,7 +475,7 @@ func SaveOriginalNetworkConfig() error {
 // - generates wicked interface files (`/etc/sysconfig/network/ifcfg-*` and `ifroute-*`)
 // - manipulates nameservers in `/etc/resolv.conf`.
 // - call `wicked ifreload all` if `run` flag is true.
-func UpdateManagementInterfaceConfig(stage *yipSchema.Stage, mgmtInterface Network, run bool) (string, error) {
+func UpdateManagementInterfaceConfig(stage *yipSchema.Stage, mgmtInterface Network, run bool, role string) (string, error) {
 if len(mgmtInterface.Interfaces) == 0 {
 return "", errors.New("no slave defined for management network bond")
 }
@@ -498,7 +498,7 @@ func UpdateManagementInterfaceConfig(stage *yipSchema.Stage, mgmtInterface Netwo
 }
 }
 
- if err := updateBridge(stage, MgmtInterfaceName, &mgmtInterface); err != nil {
+ if err := updateBridge(stage, MgmtInterfaceName, &mgmtInterface, role); err != nil {
 return "", err
 }
 
@@ -594,7 +594,7 @@ func updateBond(stage *yipSchema.Stage, name string, network *Network) error {
 return nil
 }
 
-func updateBridge(stage *yipSchema.Stage, name string, mgmtNetwork *Network) error {
+func updateBridge(stage *yipSchema.Stage, name string, mgmtNetwork *Network, role string) error {
 // add Bridge named MgmtInterfaceName and attach Bond named MgmtBondInterfaceName to bridge
 needVlanInterface := false
 
@@ -611,7 +611,11 @@ func updateBridge(stage *yipSchema.Stage, name string, mgmtNetwork *Network) err
 Group: 0,
 })
 
- preUpScript, err := render("wicked-setup-bridge.sh", MgmtBondInterfaceName)
+ roleData := map[string]interface{}{
+ "Role": role,
+ "Bond": MgmtBondInterfaceName,
+ }
+ preUpScript, err := render("wicked-setup-bridge.sh", roleData)
 if err != nil {
 return err
 }
diff --git a/pkg/config/templates/wicked-setup-bridge.sh b/pkg/config/templates/wicked-setup-bridge.sh
index c73b602d9..d18b82740 100644
--- a/pkg/config/templates/wicked-setup-bridge.sh
+++ b/pkg/config/templates/wicked-setup-bridge.sh
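Review bot: The doc comment above `UpdateManagementInterfaceConfig` lists what the function does but says nothing about the new `role` parameter or that the rendered bridge post-up script now installs iptables INPUT rules with a DROP default policy whenever role is non-empty, which is a change to host firewall state a caller should be able to discover from the function's documentation. Add a line to the list, `// - renders role-specific iptables INPUT rules (default policy DROP) into the bridge post-up script when role is non-empty; an empty role leaves the host firewall untouched.` The same undocumented parameter is added to `updateBridge` in the -594 hunk, where a short comment noting that `role` is only forwarded to the template as `.Role` would help. In the -611 hunk, `map[string]interface{}` can be written `map[string]any` if the module already targets Go 1.18 or later, which cannot be told from the hunk.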
@@ -12,6 +12,31 @@ case $ACTION in
 post-up)
 # accept all vlan, PVID=1 by default
 bridge vlan add vid 2-4094 dev $INTERFACE self
- bridge vlan add vid 2-4094 dev {{ . }}
+ bridge vlan add vid 2-4094 dev {{ .Bond }}
+
+ {{ if ne .Role "" -}}
+ iptables -P INPUT DROP
+
+ iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+ iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+ iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+ iptables -A INPUT -p udp --dport 8472 -j ACCEPT
+ iptables -A INPUT -p tcp -m multiport --dports 6443:6444 -j ACCEPT
+ iptables -A INPUT -p tcp -m multiport --dports 10248:10250 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 10010 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 9091 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 9099 -j ACCEPT
+ {{ if or (eq .Role "default") (eq .Role "management") -}}
+ iptables -A INPUT -p tcp --dport 9345 -j ACCEPT
+ iptables -A INPUT -p tcp -m multiport --dports 10256:10260 -j ACCEPT
+ iptables -A INPUT -p tcp -m multiport --dports 2379:2382 -j ACCEPT
+ iptables -A INPUT -p tcp -m multiport --dports 2399:2402 -j ACCEPT
+
+ iptables -A INPUT -p tcp --dport 2112 -j ACCEPT
+ {{ else -}}
+ iptables -A INPUT -p tcp --dport 10256 -j ACCEPT
+ {{ end -}}
+ iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ {{ end -}}
 ;;
 esac
diff --git a/pkg/console/dashboard_panels.go b/pkg/console/dashboard_panels.go
index a3fdc3237..7e522669a 100644
--- a/pkg/console/dashboard_panels.go
+++ b/pkg/console/dashboard_panels.go
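Review bot: The rendered post-up block sets `iptables -P INPUT DROP` before any ACCEPT rule is appended and never accepts loopback, so on every post-up there is a window in which all inbound traffic (including already-established connections, since the conntrack ACCEPT is the last rule) is dropped, and host-local clients talking to a service over `lo` on any port outside the list are cut off permanently. Append the rules first and switch the policy last, start the list with `iptables -A INPUT -i lo -j ACCEPT`, and widen the final rule to `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` so ICMP error replies and path-MTU discovery keep working. Because post-up runs again on each `wicked ifreload`, the plain `-A` appends also accumulate duplicate rules unless a dedicated chain is flushed and re-filled, and the policy only covers IPv4 — `ip6tables` INPUT keeps its default. The `{{ if ne .Role "" -}}` guard means any caller passing an empty role gets no firewall at all, which deserves a comment in the template because it is not obvious from the role names.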
@@ -515,6 +515,16 @@ func nodeIsPresent() bool {
 return true
 }
 
+func removeTempEtcdPorts() {
+ command := fmt.Sprint(`iptables -D INPUT -p tcp -m multiport --dports 2399:2402 -j ACCEPT`)
+ cmd := exec.Command("/bin/sh", "-c", command)
+ cmd.Env = os.Environ()
+ output, err := cmd.CombinedOutput()
+ if err != nil {
+ logrus.Error(err, string(output))
+ }
+}
+
 func getHarvesterStatus() string {
 if current.firstHost && !current.installed {
 if !k8sIsReady() || !chartIsInstalled() {
@@ -532,6 +542,7 @@ func getHarvesterStatus() string {
 rancherReady := isPodReady("cattle-system", "app=rancher")
 harvesterAPIReady := isAPIReady(current.managementURL, "/version")
 if harvesterReady && harvesterWebhookReady && rancherReady && harvesterAPIReady {
+ removeTempEtcdPorts()
 return wrapColor(statusReady, colorGreen)
 }
 return wrapColor(statusNotReady, colorYellow)
diff --git a/pkg/console/network.go b/pkg/console/network.go
index 6f57b75d7..e335321b0 100644
--- a/pkg/console/network.go
+++ b/pkg/console/network.go
@@ -75,7 +75,7 @@ func applyNetworks(network config.Network, hostname string) ([]byte, error) {
 },
 },
 }
- _, err = config.UpdateManagementInterfaceConfig(&conf.Stages["live"][1], network, true)
+ _, err = config.UpdateManagementInterfaceConfig(&conf.Stages["live"][1], network, true, "")
 if err != nil {
 return nil, err
 }
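Review bot: `removeTempEtcdPorts` issues `iptables -D` unconditionally, and the -532 hunk calls it from `getHarvesterStatus` every time the status reads ready, so once the rule has been deleted (or on a node whose role never installed the 2399:2402 rule — the template only adds it for the default/management roles) every later poll exits non-zero and logs an error. Probe for the rule with `iptables -C` first and invoke the binary directly rather than through `/bin/sh -c`; the `fmt.Sprint` of a constant and `cmd.Env = os.Environ()` add nothing, since exec.Command inherits the environment when Env is nil. Whether `getHarvesterStatus` is polled on non-management nodes, and whether `exec`/`os` are imported elsewhere in the file, is outside the hunk. A doc comment stating that the function is safe to call repeatedly would also help the reader of the call site.
```go
// removeTempEtcdPorts deletes the temporary ACCEPT rule for TCP 2399:2402.
// It is a no-op when the rule is absent, so polling callers do not log an error per refresh.
func removeTempEtcdPorts() {
	rule := []string{"INPUT", "-p", "tcp", "-m", "multiport", "--dports", "2399:2402", "-j", "ACCEPT"}
	// -C exits non-zero when the rule is not present (or iptables is unavailable); nothing to remove then.
	if err := exec.Command("iptables", append([]string{"-C"}, rule...)...).Run(); err != nil {
		return
	}
	output, err := exec.Command("iptables", append([]string{"-D"}, rule...)...).CombinedOutput()
	if err != nil {
		logrus.Error(err, string(output))
	}
}
```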
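Review bot: Passing `""` as the role here renders the bridge pre-up script without the `{{ if ne .Role "" }}` block, so a network re-apply from the console writes a script that installs no INPUT rules; if that script is what runs on a later `ifreload` or boot (outside the hunk), the host would come back with no role-based rules while the install-time script had set a DROP policy. If the node's role is available to the console (the installed config is not visible here), pass it through; otherwise make the choice explicit with a comment such as `// role "" intentionally renders no firewall rules: console network re-apply must not alter host firewall policy`. applyNetworks's body continues outside the hunk.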