Kubernetes is an open-source container orchestration platform that provides a way to deploy, manage, and scale containerized applications. It makes use of a networking component called Ingress to allow external traffic to reach the services running inside the Kubernetes cluster. Ingress routes traffic from the outside world to services running within the Kubernetes cluster. To allow Ingress traffic while keeping Firewalld enabled, follow the steps below.
Step 1: Enable deny logging in Firewalld
The first step is to enable deny logging in Firewalld. This step is important because it helps you to monitor all the denied connections in the system. To do this, run the command below:
sudo firewall-cmd --set-log-denied=all
Step 2: Create a new zone containing all the kubernetes veth interface
The second step is to create a new zone that contains all the Kubernetes Virtual Ethernet (veth) interfaces. These interfaces are used to connect the Kubernetes pods to the Kubernetes network. To create a new zone containing all the veth interfaces, run the commands below:
sudo firewall-cmd --permanent --new-zone=k8s-veth
sudo firewall-cmd --reload
sudo firewall-cmd --permanent --zone=k8s-veth --add-interface=<veth1> --add-interface=<veth2> <...>
Note: Replace <veth1>, <veth2>, and <...> with the actual names of the veth interfaces on your system.
Step 3: Create a new zone containing the CNI interface of Kubernetes
The third step is to create a new zone that contains the Container Network Interface (CNI) interface of Kubernetes. This interface is used to manage the network of Kubernetes containers. To create a new zone containing the CNI interface, run the commands below:
sudo firewall-cmd --permanent --new-zone=k8s-cni
sudo firewall-cmd --reload
sudo firewall-cmd --permanent --zone=k8s-cni --add-interface=<cni0>
Note: Replace <cni0> with the actual name of the CNI interface on your system.
Step 4: Allow forward to the zone k8s-cni
The fourth step is to allow forward to the zone k8s-cni. This step is important because it allows traffic to be forwarded from the Kubernetes pods to the Kubernetes network. To allow forward to the k8s-cni zone, run the command below:
sudo firewall-cmd --permanent --zone=k8s-cni --add-forward
Step 5: Create a new policy allowing ingress from the k8s-cni zone to the k8s-veth zone
The fifth step is to create a new policy that allows ingress from the k8s-cni zone to the k8s-veth zone. This policy is important because it allows traffic to flow from the Kubernetes network to the Kubernetes pods. To create a new policy that allows ingress from the k8s-cni zone to the k8s-veth zone, run the commands below:
sudo firewall-cmd --permanent --new-policy=k8s-forward-network
sudo firewall-cmd --permanent --policy=k8s-forward-network --add-ingress-zone=k8s-cni --add-egress-zone=k8s-veth
sudo firewall-cmd --permanent --policy=k8s-forward-network --set-target=ACCEPT
sudo firewall-cmd --permanent --policy=k8s-forward-network --add-service=http --add-service=https
sudo firewall-cmd --reloadStep 6: Monitor all the logs
The sixth step is to monitor all the logs using the command below:
sudo journalctl -xef
This command will display all the logs in real-time, including the allowed and denied connections.
Step 7: Test the configuration
The seventh step is to test the configuration and check for any issues with the added policies. You can do this by trying to access the Kubernetes service from a different network. If the connection is successful, then the configuration is correct.
Step 8: Disable the Firewalld deny logging
The final step is to disable the Firewalld deny logging to reduce the log size. To do this, run the command below:
sudo firewall-cmd --set-log-denied=off
Conclusion
In conclusion, allowing Kubernetes ingress traffic with Firewalld enabled requires creating new zones for the Kubernetes veth and CNI interfaces, allowing forward to the CNI zone, creating a policy that allows ingress from the CNI zone to the veth zone, and monitoring all the logs. By following these steps, you can ensure that your Kubernetes cluster is secure while allowing external traffic to access the services running inside the cluster.