$ cat << EOF| oc create -f -
apiVersion: v1
kind: Namespace
metadata:
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce-version: v1.24
name: openshift-ingress-node-firewall
EOF
The ingress Node Firewall Operator allows administrators to manage firewall configurations at the node level.
The ingress Node Firewall Operator provides ingress firewall rules at a node level by deploying the daemon set to nodes you specify and manage in the firewall configurations. To deploy the daemon set, you create an ingressNodeFirewallConfig
custom resource (CR). The Operator applies the ingressNodeFirewallConfig
CR to create ingress node firewall daemon set daemon
, which run on all nodes that match the nodeSelector
.
You configure rules
of the ingressNodeFirewall
CR and apply them to clusters using the nodeSelector
and setting values to "true".
The ingress Node Firewall Operator supports only stateless firewall rules. Network interface controllers (NICs) that do not support native XDP drivers will run at a lower performance. For OKD 4.14 or later, you must run ingress Node Firewall Operator on Fedora 9.0 or later. |
As a cluster administrator, you can install the ingress Node Firewall Operator by using the OKD CLI or the web console.
As a cluster administrator, you can install the Operator using the CLI.
You have installed the OpenShift CLI (oc
).
You have an account with administrator privileges.
To create the openshift-ingress-node-firewall
namespace, enter the following command:
$ cat << EOF| oc create -f -
apiVersion: v1
kind: Namespace
metadata:
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce-version: v1.24
name: openshift-ingress-node-firewall
EOF
To create an OperatorGroup
CR, enter the following command:
$ cat << EOF| oc create -f -
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: ingress-node-firewall-operators
namespace: openshift-ingress-node-firewall
EOF
Subscribe to the ingress Node Firewall Operator.
To create a Subscription
CR for the ingress Node Firewall Operator, enter the following command:
$ cat << EOF| oc create -f -
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: ingress-node-firewall-sub
namespace: openshift-ingress-node-firewall
spec:
name: ingress-node-firewall
channel: stable
source: redhat-operators
sourceNamespace: openshift-marketplace
EOF
To verify that the Operator is installed, enter the following command:
$ oc get ip -n openshift-ingress-node-firewall
NAME CSV APPROVAL APPROVED
install-5cvnz ingress-node-firewall.4.0-202211122336 Automatic true
To verify the version of the Operator, enter the following command:
$ oc get csv -n openshift-ingress-node-firewall
NAME DISPLAY VERSION REPLACES PHASE
ingress-node-firewall.4.0-202211122336 ingress Node Firewall Operator 4.0-202211122336 ingress-node-firewall.4.0-202211102047 Succeeded
As a cluster administrator, you can install the Operator using the web console.
You have installed the OpenShift CLI (oc
).
You have an account with administrator privileges.
Install the ingress Node Firewall Operator:
In the OKD web console, click Operators → OperatorHub.
Select ingress Node Firewall Operator from the list of available Operators, and then click Install.
On the Install Operator page, under Installed Namespace, select Operator recommended Namespace.
Click Install.
Verify that the ingress Node Firewall Operator is installed successfully:
Navigate to the Operators → Installed Operators page.
Ensure that ingress Node Firewall Operator is listed in the openshift-ingress-node-firewall project with a Status of InstallSucceeded.
During installation an Operator might display a Failed status. If the installation later succeeds with an InstallSucceeded message, you can ignore the Failed message. |
If the Operator does not have a Status of InstallSucceeded, troubleshoot using the following steps:
Inspect the Operator Subscriptions and Install Plans tabs for any failures or errors under Status.
Navigate to the Workloads → Pods page and check the logs for pods in the openshift-ingress-node-firewall
project.
Check the namespace of the YAML file. If the annotation is missing, you can add the annotation workload.openshift.io/allowed=management
to the Operator namespace with the following command:
$ oc annotate ns/openshift-ingress-node-firewall workload.openshift.io/allowed=management
For single-node OpenShift clusters, the |
The ingress Node Firewall Operator is installed.
To deploy the ingress Node Firewall Operator, create a ingressNodeFirewallConfig
custom resource that will deploy the Operator’s daemon set. You can deploy one or multiple ingressNodeFirewall
CRDs to nodes by applying firewall rules.
Create the ingressNodeFirewallConfig
inside the openshift-ingress-node-firewall
namespace named ingressnodefirewallconfig
.
Run the following command to deploy ingress Node Firewall Operator rules:
$ oc apply -f rule.yaml
The fields for the ingress Node Firewall configuration object are described in the following table:
Field | Type | Description | ||
---|---|---|---|---|
|
|
The name of the CR object. The name of the firewall rules object must be |
||
|
|
Namespace for the ingress Firewall Operator CR object. The |
||
|
|
A node selection constraint used to target nodes through specified node labels. For example:
|
||
|
|
Specifies if the Node ingress Firewall Operator uses the eBPF Manager Operator or not to manage eBPF programs. This capability is a Technology Preview feature. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope. |
The Operator consumes the CR and creates an ingress node firewall daemon set on all the nodes that match the |
A complete ingress Node Firewall Configuration is specified in the following example:
apiVersion: ingressnodefirewall.openshift.io/v1alpha1
kind: ingressNodeFirewallConfig
metadata:
name: ingressnodefirewallconfig
namespace: openshift-ingress-node-firewall
spec:
nodeSelector:
node-role.kubernetes.io/worker: ""
The Operator consumes the CR and creates an ingress node firewall daemon set on all the nodes that match the |
The fields for the ingress Node Firewall rules object are described in the following table:
Field | Type | Description |
---|---|---|
|
|
The name of the CR object. |
|
|
The fields for this object specify the interfaces to apply the firewall rules to. For example, |
|
|
You can use |
|
|
|
The values for the ingress
object are defined in the following table:
Field | Type | Description | ||
---|---|---|---|---|
|
|
Allows you to set the CIDR block. You can configure multiple CIDRs from different address families.
|
||
|
|
ingress firewall
Set
|
A complete ingress Node Firewall configuration is specified in the following example:
apiVersion: ingressnodefirewall.openshift.io/v1alpha1
kind: ingressNodeFirewall
metadata:
name: ingressnodefirewall
spec:
interfaces:
- eth0
nodeSelector:
matchLabels:
<ingress_firewall_label_name>: <label_value> (1)
ingress:
- sourceCIDRs:
- 172.16.0.0/12
rules:
- order: 10
protocolConfig:
protocol: ICMP
icmp:
icmpType: 8 #ICMP Echo request
action: Deny
- order: 20
protocolConfig:
protocol: TCP
tcp:
ports: "8000-9000"
action: Deny
- sourceCIDRs:
- fc00:f853:ccd:e793::0/64
rules:
- order: 10
protocolConfig:
protocol: ICMPv6
icmpv6:
icmpType: 128 #ICMPV6 Echo request
action: Deny
1 | A <label_name> and a <label_value> must exist on the node and must match the nodeselector label and value applied to the nodes you want the ingressfirewallconfig CR to run on. The <label_value> can be true or false . By using nodeSelector labels, you can target separate groups of nodes to apply different rules to using the ingressfirewallconfig CR. |
Zero trust ingress Node Firewall rules can provide additional security to multi-interface clusters. For example, you can use zero trust ingress Node Firewall rules to drop all traffic on a specific interface except for SSH.
A complete configuration of a zero trust ingress Node Firewall rule set is specified in the following example:
Users need to add all ports their application will use to their allowlist in the following case to ensure proper functionality. |
apiVersion: ingressnodefirewall.openshift.io/v1alpha1
kind: ingressNodeFirewall
metadata:
name: ingressnodefirewall-zero-trust
spec:
interfaces:
- eth1 (1)
nodeSelector:
matchLabels:
<ingress_firewall_label_name>: <label_value> (2)
ingress:
- sourceCIDRs:
- 0.0.0.0/0 (3)
rules:
- order: 10
protocolConfig:
protocol: TCP
tcp:
ports: 22
action: Allow
- order: 20
action: Deny (4)
1 | Network-interface cluster |
2 | The <label_name> and <label_value> needs to match the nodeSelector label and value applied to the specific nodes with which you wish to apply the ingressfirewallconfig CR. |
3 | 0.0.0.0/0 set to match any CIDR |
4 | action set to Deny |
eBPF Manager Operator integration is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope. |
The ingress Node Firewall uses eBPF programs to implement some of its key firewall functionality. By default these eBPF programs are loaded into the kernel using a mechanism specific to the ingress Node Firewall. You can configure the ingress Node Firewall Operator to use the eBPF Manager Operator for loading and managing these programs instead.
When this integration is enabled, the following limitations apply:
The ingress Node Firewall Operator uses TCX if XDP is not available and TCX is incompatible with bpfman.
The ingress Node Firewall Operator daemon set pods remain in the ContainerCreating
state until the firewall rules are applied.
The ingress Node Firewall Operator daemon set pods run as privileged.
The ingress Node Firewall uses eBPF programs to implement some of its key firewall functionality. By default these eBPF programs are loaded into the kernel using a mechanism specific to the ingress Node Firewall.
As a cluster administrator, you can configure the ingress Node Firewall Operator to use the eBPF Manager Operator for loading and managing these programs instead, adding additional security and observability functionality.
You have installed the OpenShift CLI (oc
).
You have an account with administrator privileges.
You installed the ingress Node Firewall Operator.
You have installed the eBPF Manager Operator.
Apply the following labels to the ingress-node-firewall-system
namespace:
$ oc label namespace openshift-ingress-node-firewall \
pod-security.kubernetes.io/enforce=privileged \
pod-security.kubernetes.io/warn=privileged --overwrite
Edit the ingressNodeFirewallConfig
object named ingressnodefirewallconfig
and set the ebpfProgramManagerMode
field:
apiVersion: ingressnodefirewall.openshift.io/v1alpha1
kind: ingressNodeFirewallConfig
metadata:
name: ingressnodefirewallconfig
namespace: openshift-ingress-node-firewall
spec:
nodeSelector:
node-role.kubernetes.io/worker: ""
ebpfProgramManagerMode: <ebpf_mode>
where:
<ebpf_mode>
: Specifies whether or not the ingress Node Firewall Operator uses the eBPF Manager Operator to manage eBPF programs. Must be either true
or false
. If unset, eBPF Manager is not used.
Run the following command to view all current rules :
$ oc get ingressnodefirewall
Choose one of the returned <resource>
names and run the following command to view the rules or configs:
$ oc get <resource> <name> -o yaml
Run the following command to list installed ingress Node Firewall custom resource definitions (CRD):
$ oc get crds | grep ingressnodefirewall
NAME READY UP-TO-DATE AVAILABLE AGE
ingressnodefirewallconfigs.ingressnodefirewall.openshift.io 2022-08-25T10:03:01Z
ingressnodefirewallnodestates.ingressnodefirewall.openshift.io 2022-08-25T10:03:00Z
ingressnodefirewalls.ingressnodefirewall.openshift.io 2022-08-25T10:03:00Z
Run the following command to view the state of the ingress Node Firewall Operator:
$ oc get pods -n openshift-ingress-node-firewall
NAME READY STATUS RESTARTS AGE
ingress-node-firewall-controller-manager 2/2 Running 0 5d21h
ingress-node-firewall-daemon-pqx56 3/3 Running 0 5d21h
The following fields provide information about the status of the Operator:
READY
, STATUS
, AGE
, and RESTARTS
. The STATUS
field is Running
when the ingress Node Firewall Operator is deploying a daemon set to the assigned nodes.
Run the following command to collect all ingress firewall node pods' logs:
$ oc adm must-gather – gather_ingress_node_firewall
The logs are available in the sos node’s report containing eBPF bpftool
outputs at /sos_commands/ebpf
. These reports include lookup tables used or updated as the ingress firewall XDP handles packet processing, updates statistics, and emits events.