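package kubernetes

import (
	"fmt"

	"github.com/caos/orbos/internal/operator/common"
	"github.com/caos/orbos/mntr"
)

// firewallFunc returns the per-machine desire function that computes the
// node-agent firewall rules for one cluster node.
//
// The returned closure opens, in the "internal" zone and only for the pod and
// service CIDRs of the cluster, the kubelet API port on every node, the etcd,
// kube-scheduler and kube-controller ports on control-plane nodes, and the
// calico BGP port when the desired network plugin is "calico". It merges those
// rules into machine.desiredNodeagent.Firewall and records in
// machine.currentMachine.FirewallIsReady whether the node agent already
// reports all of them as open.
//
// monitor is the parent logger; desired is the cluster spec the rules are
// derived from (pod/service CIDRs and network plugin).
func firewallFunc(monitor mntr.Monitor, desired DesiredV0) (desire func(machine *initializedMachine)) {

	const (
		kubeletPort = 10250
		// etcd client (2379), peer (2380) and metrics (2381) ports.
		etcdPortFrom = 2379
		etcdPortTo   = 2381
		// NOTE(review): 10251/10252 are the legacy scheduler and
		// controller-manager ports; newer Kubernetes releases serve them on
		// 10259/10257 — confirm against the deployed version.
		kubeSchedulerPort  = 10251
		kubeControllerPort = 10252
		calicoBGPPort      = 179
	)

	// allowTCP renders a single TCP port into the string form common.Allowed expects.
	allowTCP := func(port int) *common.Allowed {
		return &common.Allowed{
			Port:     fmt.Sprintf("%d", port),
			Protocol: "tcp",
		}
	}

	// allowTCPRange renders the inclusive TCP port range from-to.
	allowTCPRange := func(from, to int) *common.Allowed {
		return &common.Allowed{
			Port:     fmt.Sprintf("%d-%d", from, to),
			Protocol: "tcp",
		}
	}

	return func(machine *initializedMachine) {

		// Use a per-call logger rather than reassigning the captured
		// monitor: the closure runs once per machine, so writing back to
		// the shared variable carries state between calls and would be a
		// data race if callers ever invoke it concurrently.
		m := monitor.WithField("machine", machine.infra.ID())

		// Every node must accept kubelet API traffic from the cluster.
		fw := map[string]*common.Allowed{
			"kubelet": allowTCP(kubeletPort),
		}

		// Control-plane components are only reachable on control-plane nodes.
		if machine.pool.tier == Controlplane {
			fw["etcd"] = allowTCPRange(etcdPortFrom, etcdPortTo)
			fw["kube-scheduler"] = allowTCP(kubeSchedulerPort)
			fw["kube-controller"] = allowTCP(kubeControllerPort)
		}

		// Calico peers nodes over BGP; other network plugins need no extra port here.
		if desired.Spec.Networking.Network == "calico" {
			fw["calico-bgp"] = allowTCP(calicoBGPPort)
		}

		// Restrict the "internal" zone to cluster-internal address ranges so
		// the ports above are never opened to arbitrary sources.
		firewall := common.ToFirewall("internal", fw)
		firewallSources := common.Firewall{
			Zones: map[string]*common.Zone{
				"internal": {Sources: []string{
					string(desired.Spec.Networking.PodCidr),
					string(desired.Spec.Networking.ServiceCidr),
				}},
			},
		}
		firewall.Merge(firewallSources)

		machine.desiredNodeagent.Firewall.Merge(firewall)

		// Readiness is derived from what the node agent currently reports
		// as open, not from what was desired.
		if firewall.IsContainedIn(machine.currentNodeagent.Open) {
			machine.currentMachine.FirewallIsReady = true
			m.Debug("firewall is ready")
			return
		}

		machine.currentMachine.FirewallIsReady = false
		m.WithField("open", firewall.ToCurrent()).Info("firewall desired")
	}
}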