Ingress Node Firewall Operator in OKD

As a cluster administrator, you can install the Ingress Node Firewall Operator by using the OKD CLI or the web console.

As a cluster administrator, you can install the Operator using the CLI.

Prerequisites

  • You have installed the OpenShift CLI (oc).

  • You have an account with administrator privileges.

Procedure

  1. To create the openshift-ingress-node-firewall namespace, enter the following command:

  2. To create an OperatorGroup CR, enter the following command:

      $ cat << EOF | oc create -f -
      apiVersion: operators.coreos.com/v1
      kind: OperatorGroup
      metadata:
        name: ingress-node-firewall-operators
        namespace: openshift-ingress-node-firewall
      EOF
  3. Subscribe to the Ingress Node Firewall Operator.

    1. To create a Subscription CR for the Ingress Node Firewall Operator, enter the following command:

        $ cat << EOF | oc create -f -
        apiVersion: operators.coreos.com/v1alpha1
        kind: Subscription
        metadata:
          name: ingress-node-firewall-sub
          namespace: openshift-ingress-node-firewall
        spec:
          name: ingress-node-firewall
          channel: stable
          source: redhat-operators
          sourceNamespace: openshift-marketplace
        EOF
  4. To verify that the Operator is installed, enter the following command:

      $ oc get ip -n openshift-ingress-node-firewall

    Example output

      install-5cvnz ingress-node-firewall.4.13.0-202211122336 Automatic true
  5. To verify the version of the Operator, enter the following command:

      $ oc get csv -n openshift-ingress-node-firewall

    Example output

As a cluster administrator, you can install the Operator using the web console.

Prerequisites

  • You have installed the OpenShift CLI (oc).

  • You have an account with administrator privileges.

Procedure

  1. Install the Ingress Node Firewall Operator:

    1. In the OKD web console, click Operators → OperatorHub.

    2. Select Ingress Node Firewall Operator from the list of available Operators, and then click Install.

    3. On the Install Operator page, under Installed Namespace, select Operator recommended Namespace.

    4. Click Install.

  2. Verify that the Ingress Node Firewall Operator is installed successfully:

    1. Navigate to the Operators → Installed Operators page.

    2. Ensure that Ingress Node Firewall Operator is listed in the openshift-ingress-node-firewall project with a Status of InstallSucceeded.

      If the Operator does not have a Status of InstallSucceeded, troubleshoot using the following steps:

      • Inspect the Operator Subscriptions and Install Plans tabs for any failures or errors under Status.

      • Navigate to the Workloads → Pods page and check the logs of the pods in the openshift-ingress-node-firewall project.

      • Check the YAML of the openshift-ingress-node-firewall namespace for the workload.openshift.io/allowed=management annotation. If the annotation is missing, add it to the Operator namespace with the following command:

          $ oc annotate ns/openshift-ingress-node-firewall workload.openshift.io/allowed=management

The Ingress Node Firewall Operator provides ingress firewall rules at the node level by deploying a daemon set to the nodes that you specify and manage through the firewall configurations. To deploy the daemon set, you create an IngressNodeFirewallConfig custom resource (CR). The Operator applies the IngressNodeFirewallConfig CR to create the ingress node firewall daemon set, whose pods run on all nodes that match the nodeSelector.

You configure rules in an IngressNodeFirewall CR and apply them to nodes in the cluster through its nodeSelector, with the selected label values set to "true".

The Ingress Node Firewall Operator supports only stateless firewall rules.

The maximum transmission unit (MTU) parameter is 4Kb (kilobytes) in OKD 4.13.

Network interface controllers (NICs) that do not support native XDP drivers run at lower performance.

Prerequisite

  • The Ingress Node Firewall Operator is installed.

Procedure

To deploy the Ingress Node Firewall Operator, create an IngressNodeFirewallConfig custom resource, which deploys the Operator's daemon set. You can then apply firewall rules to the nodes by deploying one or more IngressNodeFirewall custom resources.

  1. Create the IngressNodeFirewallConfig CR named ingressnodefirewallconfig inside the openshift-ingress-node-firewall namespace.

  2. Run the following command to deploy Ingress Node Firewall Operator rules:

      $ oc apply -f rule.yaml

The fields for the Ingress Node Firewall configuration object are described in the following table:

Table 1. Ingress Node Firewall Configuration object

  Field: metadata.name
  Type: string
  Description: The name of the CR object. The name of the firewall rules object must be ingressnodefirewallconfig.

  Field: metadata.namespace
  Type: string
  Description: Namespace for the Ingress Firewall Operator CR object. The IngressNodeFirewallConfig CR must be created inside the openshift-ingress-node-firewall namespace.

  Field: spec.nodeSelector
  Type: string
  Description: A node selection constraint used to target nodes through specified node labels. For example:

      spec:
        nodeSelector:
          node-role.kubernetes.io/worker: ""

The Operator consumes the CR and creates an ingress node firewall daemon set on all the nodes that match the nodeSelector.

A complete Ingress Node Firewall Configuration is specified in the following example:

Example Ingress Node Firewall Configuration object

  apiVersion: ingressnodefirewall.openshift.io/v1alpha1
  kind: IngressNodeFirewallConfig
  metadata:
    name: ingressnodefirewallconfig
    namespace: openshift-ingress-node-firewall
  spec:
    nodeSelector:
      node-role.kubernetes.io/worker: ""

The fields for the Ingress Node Firewall rules object are described in the following table:

Table 2. Ingress Node Firewall rules object

  Field: metadata.name
  Type: string
  Description: The name of the CR object.

  Field: interfaces
  Type: array
  Description: The fields for this object specify the interfaces to apply the firewall rules to. For example, a list with the entries en0 and en1.

  Field: nodeSelector
  Type: array
  Description: You can use nodeSelector to select the nodes to apply the firewall rules to. Set the value of your named nodeSelector labels to true to apply the rule.

  Field: ingress
  Type: object
  Description: ingress allows you to configure the rules that allow outside access to the services on your cluster.

Ingress object configuration

The values for the ingress object are defined in the following table:

Ingress Node Firewall rules object example

A complete Ingress Node Firewall configuration is specified in the following example:

Example Ingress Node Firewall configuration

  apiVersion: ingressnodefirewall.openshift.io/v1alpha1
  kind: IngressNodeFirewall
  metadata:
    name: ingressnodefirewall
  spec:
    interfaces:
    - eth0
    nodeSelector:
      matchLabels:                        # label selector; the named label must be "true" on the target nodes
        <do_node_ingress_firewall>: 'true'
    ingress:
    - sourceCIDRs:
      - 172.16.0.0/12
      rules:
      - order: 10
        protocolConfig:
          protocol: ICMP
          icmp:
            icmpType: 8                   # ICMP Echo request
        action: Deny
      - order: 20
        protocolConfig:
          protocol: TCP
          tcp:
            ports: "8000-9000"
        action: Deny
    - sourceCIDRs:
      - fc00:f853:ccd:e793::0/64
      rules:
      - order: 10
        protocolConfig:
          protocol: ICMPv6
          icmpv6:
            icmpType: 128                 # ICMPv6 Echo request
        action: Deny

Zero trust Ingress Node Firewall rules object example

Zero trust Ingress Node Firewall rules can provide additional security to multi-interface clusters. For example, you can use zero trust Ingress Node Firewall rules to drop all traffic on a specific interface except for SSH.

A complete configuration of a zero trust Ingress Node Firewall rule set is specified in the following example:

In the following case, add every port that your application uses to the allowlist to ensure that the application keeps working.

Example zero trust Ingress Node Firewall rules
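The rules object above and the zero trust pattern just described share one evaluation model, so the following Python script, an added example that is not part of the OKD documentation or of the Operator's code, models it offline. It validates an IngressNodeFirewall spec for mistakes a reviewer would flag before applying it (duplicate order values, unknown actions or protocols, malformed port ranges, an ICMP rule under sourceCIDRs of the wrong address family) and evaluates sample packets against both the page's rule set and a constructed zero trust rule set (allow TCP 22 from anywhere, then a catch-all Deny). The evaluation model is an assumption: within the first sourceCIDRs block that contains the source address, rules are tried in ascending order, the first match decides, a rule without protocolConfig matches every packet, and a packet matching no rule is passed. The UDP and SCTP protocol names and the Allow action are not shown on this page and are assumed from the API.

```python
import ipaddress

# Constructed input: the IngressNodeFirewall spec from this page as a Python dict.
PAGE_RULES = {
    "interfaces": ["eth0"],
    "nodeSelector": {"matchLabels": {"<do_node_ingress_firewall>": "true"}},
    "ingress": [
        {"sourceCIDRs": ["172.16.0.0/12"],
         "rules": [
             {"order": 10, "action": "Deny", "protocolConfig": {"protocol": "ICMP", "icmp": {"icmpType": 8}}},
             {"order": 20, "action": "Deny", "protocolConfig": {"protocol": "TCP", "tcp": {"ports": "8000-9000"}}}]},
        {"sourceCIDRs": ["fc00:f853:ccd:e793::0/64"],
         "rules": [
             {"order": 10, "action": "Deny", "protocolConfig": {"protocol": "ICMPv6", "icmpv6": {"icmpType": 128}}}]},
    ],
}

# Constructed zero trust spec: allow SSH, then an explicit catch-all Deny (assumed: no protocolConfig = any packet).
ZERO_TRUST_RULES = {
    "interfaces": ["eth1"],
    "nodeSelector": {"matchLabels": {"<do_node_ingress_firewall>": "true"}},
    "ingress": [
        {"sourceCIDRs": ["0.0.0.0/0", "::/0"],
         "rules": [
             {"order": 10, "action": "Allow", "protocolConfig": {"protocol": "TCP", "tcp": {"ports": "22"}}},
             {"order": 20, "action": "Deny"}]},
    ],
}

PROTOCOLS = {"TCP", "UDP", "SCTP", "ICMP", "ICMPv6"}   # assumed API enum; the page shows ICMP, TCP, ICMPv6
ACTIONS = {"Allow", "Deny"}
L4 = ("TCP", "UDP", "SCTP")


def parse_ports(spec):
    """Turn 22 / "22" / "8000-9000" into an inclusive (low, high) tuple."""
    text = str(spec)
    low, _, high = text.partition("-")
    lo, hi = int(low), int(high or low)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return lo, hi


def validate(fw):
    """Return the problems a reviewer would want flagged before applying the CR."""
    problems = []
    for i, block in enumerate(fw.get("ingress", [])):
        nets = [ipaddress.ip_network(c, strict=False) for c in block.get("sourceCIDRs", [])]
        seen = set()
        for rule in block.get("rules", []):
            tag = f"ingress[{i}] order {rule.get('order')}"
            if rule.get("order") in seen:
                problems.append(f"{tag}: duplicate order")
            seen.add(rule.get("order"))
            if rule.get("action") not in ACTIONS:
                problems.append(f"{tag}: unknown action {rule.get('action')!r}")
            pc = rule.get("protocolConfig")
            if pc is None:
                continue
            proto = pc.get("protocol")
            if proto not in PROTOCOLS:
                problems.append(f"{tag}: unknown protocol {proto!r}")
                continue
            if proto in L4:
                try:
                    parse_ports(pc.get(proto.lower(), {}).get("ports"))
                except ValueError as err:
                    problems.append(f"{tag}: {err}")
            # ICMP needs an IPv4 source CIDR in the block, ICMPv6 an IPv6 one.
            want = {"ICMP": 4, "ICMPv6": 6}.get(proto)
            if want and nets and all(n.version != want for n in nets):
                problems.append(f"{tag}: {proto} rule without a sourceCIDR of its address family")
    return problems


def rule_matches(rule, pkt):
    """Does one rule match a packet dict with keys src, proto, and dport or icmp_type?"""
    pc = rule.get("protocolConfig")
    if pc is None:
        return True
    proto = pc["protocol"]
    if proto != pkt["proto"]:
        return False
    if proto in L4:
        lo, hi = parse_ports(pc[proto.lower()]["ports"])
        return lo <= pkt["dport"] <= hi
    return pc[proto.lower()]["icmpType"] == pkt["icmp_type"]


def evaluate(fw, pkt):
    """Verdict for a packet: first matching rule (by order) in the first block whose CIDRs hold src."""
    src = ipaddress.ip_address(pkt["src"])
    for block in fw["ingress"]:
        if not any(src in ipaddress.ip_network(c, strict=False) for c in block["sourceCIDRs"]):
            continue
        for rule in sorted(block["rules"], key=lambda r: r["order"]):
            if rule_matches(rule, pkt):
                return rule["action"]
    return "Allow"   # assumption: traffic that matches no rule is passed through
```

Running validate() against a rule set before oc apply catches the ordering and address-family mistakes that the eBPF program would otherwise silently encode, and evaluate() makes the difference between the page's deny-list and the zero trust allowlist visible: with PAGE_RULES an unlisted port such as TCP 443 is still passed, with ZERO_TRUST_RULES everything except TCP 22 is dropped.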

Viewing Ingress Node Firewall Operator rules

Procedure

  1. Run the following command to view all current rules:

      $ oc get ingressnodefirewall

  2. Choose one of the returned <resource> names and run the following command to view the rules or configs:

      $ oc get <resource> <name> -o yaml
Troubleshooting the Ingress Node Firewall Operator

  • Run the following command to list the installed Ingress Node Firewall custom resource definitions (CRDs):

      $ oc get crds | grep ingressnodefirewall

    Example output

      NAME READY UP-TO-DATE AVAILABLE AGE
      ingressnodefirewallconfigs.ingressnodefirewall.openshift.io 2022-08-25T10:03:01Z
      ingressnodefirewallnodestates.ingressnodefirewall.openshift.io 2022-08-25T10:03:00Z
      ingressnodefirewalls.ingressnodefirewall.openshift.io 2022-08-25T10:03:00Z
  • Run the following command to view the state of the Ingress Node Firewall Operator:

      $ oc get pods -n openshift-ingress-node-firewall

    Example output

    The following fields provide information about the status of the Operator: READY, STATUS, AGE, and RESTARTS. The STATUS field is Running when the Ingress Node Firewall Operator is deploying a daemon set to the assigned nodes.

  • Run the following command to collect the logs of all ingress firewall node pods:

      $ oc adm must-gather -- gather_ingress_node_firewall

    The logs are available in the sos node report, which contains the eBPF outputs under /sos_commands/ebpf. These reports include the lookup tables that the ingress firewall XDP program uses or updates as it processes packets, updates statistics, and emits events.
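As an added example that is not from the OKD documentation or the Operator, the following Python script applies the pod status check described above to the output of oc get pods -n openshift-ingress-node-firewall offline: it parses the table, flags pods whose STATUS is not Running, whose READY count is short, or whose RESTARTS exceed a threshold, and counts daemon set pods so that number can be compared with the nodes matching the nodeSelector. The sample output is constructed, and the pod name prefixes ingress-node-firewall-controller-manager and ingress-node-firewall-daemon are assumptions rather than names shown on this page.

```python
import re

# Constructed sample in the standard `oc get pods` layout. Pod names are placeholders built on the
# assumed workload names ingress-node-firewall-controller-manager and ingress-node-firewall-daemon;
# the last row models a daemon pod that keeps crashing on one node.
SAMPLE_PODS = """\
NAME                                                        READY   STATUS             RESTARTS      AGE
ingress-node-firewall-controller-manager-6f5c8b4d9-abcde    2/2     Running            0             4h
ingress-node-firewall-daemon-k9xq2                          3/3     Running            0             4h
ingress-node-firewall-daemon-p7ldz                          2/3     CrashLoopBackOff   5 (2m ago)    4h
"""

COLUMN_GAP = re.compile(r"\s{2,}")   # table columns are separated by two or more spaces


def parse_pod_table(text):
    """Parse oc/kubectl table output into one dict per row, keyed by the header names."""
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    header = COLUMN_GAP.split(lines[0])
    rows = []
    for line in lines[1:]:
        cols = COLUMN_GAP.split(line)
        if len(cols) != len(header):
            raise ValueError(f"unexpected column count in: {line!r}")
        rows.append(dict(zip(header, cols)))
    return rows


def restart_count(field):
    """RESTARTS reads "5" or, on newer clients, "5 (2m ago)"; keep the leading integer."""
    return int(field.split()[0])


def unhealthy_pods(rows, max_restarts=0):
    """Return (pod name, reason) for pods not Running and fully Ready, or restarting too often."""
    findings = []
    for pod in rows:
        ready, total = (int(x) for x in pod["READY"].split("/"))
        if pod["STATUS"] != "Running":
            findings.append((pod["NAME"], f"status {pod['STATUS']}"))
        elif ready < total:
            findings.append((pod["NAME"], f"only {ready}/{total} containers ready"))
        restarts = restart_count(pod["RESTARTS"])
        if restarts > max_restarts:
            findings.append((pod["NAME"], f"{restarts} restarts"))
    return findings


def daemon_pod_count(rows, prefix="ingress-node-firewall-daemon-"):
    """Number of daemon set pods; compare it with the number of nodes matching the nodeSelector."""
    return sum(1 for pod in rows if pod["NAME"].startswith(prefix))
```

Splitting on runs of two or more spaces rather than on single whitespace keeps multi-word cells such as "5 (2m ago)" intact, which is the usual reason ad hoc awk pipelines over this output miscount columns.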