
How to Allow Kubernetes Ingress Traffic with Firewalld Enabled: A Step-by-Step Guide

Kubernetes is a popular container orchestration system that helps manage and deploy containerized applications. However, ensuring security can be challenging, especially when enabling external access to services running inside the cluster. In this article, we will walk you through the step-by-step process of allowing Kubernetes ingress traffic with Firewalld enabled.

Kubernetes uses a networking component called Ingress to let external traffic reach the services running inside the cluster: Ingress routes requests from the outside world to services running within the cluster. To allow Ingress traffic while keeping Firewalld enabled, follow the steps below.

Step 1: Enable deny logging in Firewalld

The first step is to enable deny logging in Firewalld. This matters because it logs every denied connection, so you can see exactly what the firewall blocks while you work through the remaining steps. To do this, run the command below:

sudo firewall-cmd --set-log-denied=all

Step 2: Create a new zone containing all the Kubernetes veth interfaces

The second step is to create a new zone that contains all the Kubernetes virtual Ethernet (veth) interfaces. These interfaces connect the Kubernetes pods to the Kubernetes network. To create a new zone containing all the veth interfaces, run the commands below:

sudo firewall-cmd --permanent --new-zone=k8s-veth
sudo firewall-cmd --reload
sudo firewall-cmd --permanent --zone=k8s-veth --add-interface=<veth1> --add-interface=<veth2> <...>

Note: Replace <veth1>, <veth2>, and <...> with the actual names of the veth interfaces on your system.

Step 3: Create a new zone containing the CNI interface of Kubernetes

The third step is to create a new zone that contains the Container Network Interface (CNI) interface of Kubernetes. Pod network traffic on the node passes through this interface. To create a new zone containing the CNI interface, run the commands below:

sudo firewall-cmd --permanent --new-zone=k8s-cni
sudo firewall-cmd --reload
sudo firewall-cmd --permanent --zone=k8s-cni --add-interface=<cni0>

Note: Replace <cni0> with the actual name of the CNI interface on your system.

Step 4: Allow forwarding in the k8s-cni zone

The fourth step is to enable forwarding for the k8s-cni zone. This is needed so that traffic can be forwarded from the Kubernetes pods to the Kubernetes network. To enable forwarding for the k8s-cni zone, run the command below:

sudo firewall-cmd --permanent --zone=k8s-cni --add-forward

Step 5: Create a new policy allowing ingress from the k8s-cni zone to the k8s-veth zone

The fifth step is to create a new policy that allows ingress from the k8s-cni zone to the k8s-veth zone, so that traffic can flow from the Kubernetes network to the Kubernetes pods. To create the policy, run the commands below:

sudo firewall-cmd --permanent --new-policy=k8s-forward-network
sudo firewall-cmd --permanent --policy=k8s-forward-network --add-ingress-zone=k8s-cni --add-egress-zone=k8s-veth
sudo firewall-cmd --permanent --policy=k8s-forward-network --set-target=ACCEPT
sudo firewall-cmd --permanent --policy=k8s-forward-network --add-service=http --add-service=https
sudo firewall-cmd --reload

Step 6: Monitor all the logs

The sixth step is to monitor all the logs using the command below:

sudo journalctl -xef

This command will display all the logs in real-time, including the allowed and denied connections.

Step 7: Test the configuration

The seventh step is to test the configuration and check for any issues with the added policies. You can do this by trying to access the Kubernetes service from a different network. If the connection is successful, then the configuration is correct.

Step 8: Disable the Firewalld deny logging

The final step is to disable the Firewalld deny logging again to reduce log volume. To do this, run the command below:

sudo firewall-cmd --set-log-denied=off
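The following script is an added example and is not part of the original article. It collects Steps 2 to 5 into one idempotent `apply` action and Step 6 into a `monitor` action that condenses Firewalld's denied-connection log lines into one line each. Everything the article leaves as a placeholder is an assumption here, and each is exposed as a variable: the bridge interface is assumed to be named cni0 (CNI_IFACE), pod interfaces are assumed to start with "veth" (VETH_PREFIX), the policy target defaults to ACCEPT as in the article (POLICY_TARGET), and FIREWALL_CMD can be set to "echo" for a dry run on a machine without Firewalld. The sample log lines are constructed, in the kernel netfilter LOG format that Firewalld emits when log-denied is enabled.

```shell
#!/bin/sh
# Added example, not the article's own code. Wraps the article's
# firewalld zone/policy steps in a script with a dry-run switch.

FIREWALL_CMD="${FIREWALL_CMD:-sudo firewall-cmd}"  # set to "echo" for a dry run
CNI_IFACE="${CNI_IFACE:-cni0}"                      # assumption: CNI bridge name
VETH_PREFIX="${VETH_PREFIX:-veth}"                  # assumption: pod interface prefix
POLICY_TARGET="${POLICY_TARGET:-ACCEPT}"            # article uses ACCEPT; CONTINUE = only listed services

# list_veth_ifaces: print interface names starting with VETH_PREFIX, one per line.
# Reads /sys/class/net directly so no ip(8) is needed.
list_veth_ifaces() {
  for d in /sys/class/net/"${VETH_PREFIX}"*; do
    [ -e "$d" ] && basename "$d"
  done
}

# veth_args: newline-separated interface names on stdin ->
# the "--add-interface=NAME ..." argument list Step 2 expects.
veth_args() {
  args=""
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    args="$args --add-interface=$name"
  done
  printf '%s\n' "${args# }"
}

# ensure_zone / ensure_policy: create only if missing, so re-runs do not fail.
ensure_zone() {
  $FIREWALL_CMD --permanent --get-zones | tr ' ' '\n' | grep -qx "$1" \
    || $FIREWALL_CMD --permanent --new-zone="$1"
}
ensure_policy() {
  $FIREWALL_CMD --permanent --get-policies | tr ' ' '\n' | grep -qx "$1" \
    || $FIREWALL_CMD --permanent --new-policy="$1"
}

# apply_config IFACE_ARGS: Steps 2-5 of the article. IFACE_ARGS is the
# string produced by veth_args (intentionally word-split below).
apply_config() {
  iface_args="$1"
  ensure_zone k8s-veth
  ensure_zone k8s-cni
  if [ -n "$iface_args" ]; then
    # shellcheck disable=SC2086
    $FIREWALL_CMD --permanent --zone=k8s-veth $iface_args
  fi
  $FIREWALL_CMD --permanent --zone=k8s-cni --add-interface="$CNI_IFACE"
  $FIREWALL_CMD --permanent --zone=k8s-cni --add-forward
  ensure_policy k8s-forward-network
  $FIREWALL_CMD --permanent --policy=k8s-forward-network \
    --add-ingress-zone=k8s-cni --add-egress-zone=k8s-veth
  $FIREWALL_CMD --permanent --policy=k8s-forward-network --set-target="$POLICY_TARGET"
  $FIREWALL_CMD --permanent --policy=k8s-forward-network --add-service=http --add-service=https
  $FIREWALL_CMD --reload
}

# summarize_denied: log lines on stdin -> "IN SRC -> DST PROTO/DPT" for every
# REJECT/DROP line, so the Step 6 firehose becomes one readable line per block.
summarize_denied() {
  awk '/REJECT|DROP/ {
    in_if = ""; src = ""; dst = ""; proto = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "IN") in_if = kv[2]
      else if (kv[1] == "SRC") src = kv[2]
      else if (kv[1] == "DST") dst = kv[2]
      else if (kv[1] == "PROTO") proto = kv[2]
      else if (kv[1] == "DPT") dpt = kv[2]
    }
    printf "%s %s -> %s %s/%s\n", in_if, src, dst, proto, dpt
  }'
}

# Constructed sample journal lines (not captured from a real node).
SAMPLE_LOG='Jan 01 12:00:00 node1 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TTL=64 PROTO=TCP SPT=51234 DPT=80 SYN
Jan 01 12:00:01 node1 kernel: FINAL_REJECT: IN=cni0 OUT=eth0 SRC=10.244.0.5 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=40000 DPT=443 SYN
Jan 01 12:00:02 node1 systemd[1]: Started Session 3 of user core.'

case "${1:-}" in
  apply)   apply_config "$(list_veth_ifaces | veth_args)" ;;
  monitor) journalctl -kf | summarize_denied ;;
  demo)    printf '%s\n' "$SAMPLE_LOG" | summarize_denied ;;
esac
```

Run `FIREWALL_CMD=echo sh k8s-firewalld.sh apply` first to see the exact firewall-cmd invocations, then without the override to apply them; `sh k8s-firewalld.sh monitor` replaces the raw `journalctl -xef` view while deny logging is on. Two points worth knowing before relying on it: pod veth interfaces are created and destroyed as pods come and go, so the `apply` action re-discovers them each run and needs re-running after pod churn; and with the article's `--set-target=ACCEPT` the policy accepts all traffic between the two zones, which makes the http/https service entries redundant. If only those two services should cross from the CNI zone to the pods, set POLICY_TARGET=CONTINUE so that unmatched traffic falls through to the normal zone rules instead of being accepted wholesale.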

Conclusion

Allowing Kubernetes ingress traffic with Firewalld enabled comes down to creating zones for the Kubernetes veth and CNI interfaces, enabling forwarding in the CNI zone, creating a policy that allows ingress from the CNI zone to the veth zone, and watching the logs while you test. By following these steps, you can keep Firewalld active on the node while still allowing external traffic to reach the services running inside the cluster.

By Edward Fitz Abucay

