Allow the definition of allowed networks for isolated clusters (#48)

Co-authored-by: Ulrich Schreiner <[email protected]> Co-authored-by: Gerrit <[email protected]>
metal-stack · Jan 30, 2024 · f89d5cf · f89d5cf
1 parent cf00b12
commit f89d5cf
Show file tree

Hide file tree

Showing 7 changed files with 140 additions and 0 deletions.
diff --git a/api/v2/types_firewall.go b/api/v2/types_firewall.go
@@ -110,6 +110,19 @@ type FirewallSpec struct {
 	DNSServerAddress string `json:"dnsServerAddress,omitempty"`
 	// DNSPort specifies port to which DNS proxy should be bound
 	DNSPort *uint `json:"dnsPort,omitempty"`
+
+	// AllowedNetworks defines dedicated networks for which the firewall allows in- and outgoing traffic.
+	// The firewall-controller only enforces this setting in combination with NetworkAccessType set to forbidden.
+	// The node network is always allowed.
+	AllowedNetworks AllowedNetworks `json:"allowedNetworks,omitempty"`
+}
+
+// AllowedNetworks is a list of networks which are allowed to connect when NetworkAccessType is forbidden.
+type AllowedNetworks struct {
+	// Ingress defines a list of cidrs which are allowed for incoming traffic like service type loadbalancer.
+	Ingress []string `json:"ingress,omitempty"`
+	// Egress defines a list of cidrs which are allowed for outgoing traffic.
+	Egress []string `json:"egress,omitempty"`
 }
 
 // FirewallTemplateSpec describes the data a firewall should have when created from a template

diff --git a/api/v2/validation/firewall.go b/api/v2/validation/firewall.go
@@ -95,6 +95,20 @@ func (*firewallValidator) validateSpec(f *v2.FirewallSpec, fldPath *field.Path)
 		allErrs = append(allErrs, r.check()...)
 	}
 
+	for _, cidr := range f.AllowedNetworks.Egress {
+		_, err := netip.ParsePrefix(cidr)
+		if err != nil {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("allowedNetworks").Child("egress"), cidr, fmt.Sprintf("given network must be a cidr: %v", err)))
+		}
+	}
+
+	for _, cidr := range f.AllowedNetworks.Ingress {
+		_, err := netip.ParsePrefix(cidr)
+		if err != nil {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("allowedNetworks").Child("ingress"), cidr, fmt.Sprintf("given network must be a cidr: %v", err)))
+		}
+	}
+
 	return allErrs
 }
 

diff --git a/api/v2/validation/firewall_test.go b/api/v2/validation/firewall_test.go
@@ -86,6 +86,34 @@ func Test_firewallValidator_ValidateCreate(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "invalid allowed network egress cidr",
+			mutateFn: func(f *v2.Firewall) *v2.Firewall {
+				f.Spec.AllowedNetworks = v2.AllowedNetworks{
+					Egress: []string{"1.2.3.4", "1.2.3.5/32"},
+				}
+				return f
+			},
+			wantErr: &apierrors.StatusError{
+				ErrStatus: metav1.Status{
+					Message: ` "firewall-123" is invalid: spec.allowedNetworks.egress: Invalid value: "1.2.3.4": given network must be a cidr: netip.ParsePrefix("1.2.3.4"): no '/'`,
+				},
+			},
+		},
+		{
+			name: "invalid allowed network ingress cidr",
+			mutateFn: func(f *v2.Firewall) *v2.Firewall {
+				f.Spec.AllowedNetworks = v2.AllowedNetworks{
+					Ingress: []string{"foo"},
+				}
+				return f
+			},
+			wantErr: &apierrors.StatusError{
+				ErrStatus: metav1.Status{
+					Message: ` "firewall-123" is invalid: spec.allowedNetworks.ingress: Invalid value: "foo": given network must be a cidr: netip.ParsePrefix("foo"): no '/'`,
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		tt := tt

diff --git a/api/v2/zz_generated.deepcopy.go b/api/v2/zz_generated.deepcopy.go
diff --git a/config/crds/firewall.metal-stack.io_firewalldeployments.yaml b/config/crds/firewall.metal-stack.io_firewalldeployments.yaml
@@ -99,6 +99,26 @@ spec:
                   spec:
                     description: Spec contains the firewall specification.
                     properties:
+                      allowedNetworks:
+                        description: AllowedNetworks defines dedicated networks for
+                          which the firewall allows in- and outgoing traffic. The
+                          firewall-controller only enforces this setting in combination
+                          with NetworkAccessType set to forbidden. The node network
+                          is always allowed.
+                        properties:
+                          egress:
+                            description: Egress defines a list of cidrs which are
+                              allowed for outgoing traffic.
+                            items:
+                              type: string
+                            type: array
+                          ingress:
+                            description: Ingress defines a list of cidrs which are
+                              allowed for incoming traffic like service type loadbalancer.
+                            items:
+                              type: string
+                            type: array
+                        type: object
                       controllerURL:
                         description: ControllerURL points to the downloadable binary
                           artifact of the firewall controller.

diff --git a/config/crds/firewall.metal-stack.io_firewalls.yaml b/config/crds/firewall.metal-stack.io_firewalls.yaml
@@ -66,6 +66,25 @@ spec:
           spec:
             description: Spec contains the firewall specification.
             properties:
+              allowedNetworks:
+                description: AllowedNetworks defines dedicated networks for which
+                  the firewall allows in- and outgoing traffic. The firewall-controller
+                  only enforces this setting in combination with NetworkAccessType
+                  set to forbidden. The node network is always allowed.
+                properties:
+                  egress:
+                    description: Egress defines a list of cidrs which are allowed
+                      for outgoing traffic.
+                    items:
+                      type: string
+                    type: array
+                  ingress:
+                    description: Ingress defines a list of cidrs which are allowed
+                      for incoming traffic like service type loadbalancer.
+                    items:
+                      type: string
+                    type: array
+                type: object
               controllerURL:
                 description: ControllerURL points to the downloadable binary artifact
                   of the firewall controller.

diff --git a/config/crds/firewall.metal-stack.io_firewallsets.yaml b/config/crds/firewall.metal-stack.io_firewallsets.yaml
@@ -102,6 +102,26 @@ spec:
                   spec:
                     description: Spec contains the firewall specification.
                     properties:
+                      allowedNetworks:
+                        description: AllowedNetworks defines dedicated networks for
+                          which the firewall allows in- and outgoing traffic. The
+                          firewall-controller only enforces this setting in combination
+                          with NetworkAccessType set to forbidden. The node network
+                          is always allowed.
+                        properties:
+                          egress:
+                            description: Egress defines a list of cidrs which are
+                              allowed for outgoing traffic.
+                            items:
+                              type: string
+                            type: array
+                          ingress:
+                            description: Ingress defines a list of cidrs which are
+                              allowed for incoming traffic like service type loadbalancer.
+                            items:
+                              type: string
+                            type: array
+                        type: object
                       controllerURL:
                         description: ControllerURL points to the downloadable binary
                           artifact of the firewall controller.