Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
Chapter 7. Using a firewall
Firewalls are not required in MicroShift, but using a firewall can prevent undesired access to the MicroShift API.
7.1. About network traffic through the firewall
Firewalld is a networking service that runs in the background and responds to connection requests, creating a dynamic customizable host-based firewall. If you are using Red Hat Enterprise Linux for Edge (RHEL for Edge) with MicroShift, firewalld should already be installed and you just need to configure it. Details are provided in procedures that follow. Overall, you must explicitly allow the following OVN-Kubernetes traffic when the firewalld service is running:
- CNI pod to CNI pod
- CNI pod to Host-Network pod Host-Network pod to Host-Network pod
- CNI pod
- The Kubernetes pod that uses the CNI network
- Host-Network pod
-
The Kubernetes pod that uses host network You can configure the
firewalldservice by using the following procedures. In most cases, firewalld is part of RHEL for Edge installations. If you do not have firewalld, you can install it with the simple procedure in this section.
MicroShift pods must have access to the internal CoreDNS component and API servers.
7.2. Installing the firewalld service
If you are using RHEL for Edge, firewalld should be installed. To use the service, you can simply configure it. The following procedure can be used if you do not have firewalld, but want to use it.
Install and run the firewalld service for MicroShift by using the following steps.
Procedure
Optional: Check for firewalld on your system by running the following command:
rpm -q firewalld
$ rpm -q firewalldCopy to Clipboard Copied! Toggle word wrap Toggle overflow If the
firewalldservice is not installed, run the following command:sudo dnf install -y firewalld
$ sudo dnf install -y firewalldCopy to Clipboard Copied! Toggle word wrap Toggle overflow To start the firewall, run the following command:
sudo systemctl enable firewalld --now
$ sudo systemctl enable firewalld --nowCopy to Clipboard Copied! Toggle word wrap Toggle overflow
7.3. Required firewall settings
An IP address range for the node network must be enabled during firewall configuration. You can use the default values or customize the IP address range. If you choose to customize the node network IP address range from the default 10.42.0.0/16 setting, you must also use the same custom range in the firewall configuration.
| IP Range | Firewall rule required | Description |
|---|---|---|
| 10.42.0.0/16 | No | Host network pod access to other pods |
| 169.254.169.1 | Yes | Host network pod access to Red Hat build of MicroShift API server |
The following are examples of commands for settings that are mandatory for firewall configuration:
Example commands
Configure host network pod access to other pods:
sudo firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16
$ sudo firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16Copy to Clipboard Copied! Toggle word wrap Toggle overflow Configure host network pod access to services backed by Host endpoints, such as the Red Hat build of MicroShift API:
sudo firewall-cmd --permanent --zone=trusted --add-source=169.254.169.1
$ sudo firewall-cmd --permanent --zone=trusted --add-source=169.254.169.1Copy to Clipboard Copied! Toggle word wrap Toggle overflow
7.4. Using optional port settings
The MicroShift firewall service allows optional port settings.
Procedure
To add customized ports to your firewall configuration, use the following command syntax:
sudo firewall-cmd --permanent --zone=public --add-port=<port number>/<port protocol>
$ sudo firewall-cmd --permanent --zone=public --add-port=<port number>/<port protocol>Copy to Clipboard Copied! Toggle word wrap Toggle overflow Expand Table 7.2. Optional ports Port(s) Protocol(s) Description 80
TCP
HTTP port used to serve applications through the OpenShift Container Platform router.
443
TCP
HTTPS port used to serve applications through the OpenShift Container Platform router.
5353
UDP
mDNS service to respond for OpenShift Container Platform route mDNS hosts.
30000-32767
TCP
Port range reserved for NodePort services; can be used to expose applications on the LAN.
30000-32767
UDP
Port range reserved for NodePort services; can be used to expose applications on the LAN.
6443
TCP
HTTPS API port for the Red Hat build of MicroShift API.
The following are examples of commands used when requiring external access through the firewall to services running on MicroShift, such as port 6443 for the API server, for example, ports 80 and 443 for applications exposed through the router.
Example command
Configuring a port for the MicroShift API server:
sudo firewall-cmd --permanent --zone=public --add-port=6443/tcp
$ sudo firewall-cmd --permanent --zone=public --add-port=6443/tcpCopy to Clipboard Copied! Toggle word wrap Toggle overflow
To close unnecessary ports in your MicroShift instance, follow the procedure in "Closing unused or unnecessary ports to enhance network security".
7.5. Adding services to open ports
On a MicroShift instance, you can open services on ports by using the firewall-cmd command.
Procedure
Optional: You can view all predefined services in firewalld by running the following command
sudo firewall-cmd --get-services
$ sudo firewall-cmd --get-servicesCopy to Clipboard Copied! Toggle word wrap Toggle overflow To open a service that you want on a default port, run the following example command:
sudo firewall-cmd --add-service=mdns
$ sudo firewall-cmd --add-service=mdnsCopy to Clipboard Copied! Toggle word wrap Toggle overflow
7.6. Allowing network traffic through the firewall
You can allow network traffic through the firewall by configuring the IP address range and inserting the DNS server to allow internal traffic from pods through the network gateway.
Procedure
Use one of the following commands to set the IP address range:
Configure the IP address range with default values by running the following command:
sudo firewall-offline-cmd --permanent --zone=trusted --add-source=10.42.0.0/16
$ sudo firewall-offline-cmd --permanent --zone=trusted --add-source=10.42.0.0/16Copy to Clipboard Copied! Toggle word wrap Toggle overflow Configure the IP address range with custom values by running the following command:
sudo firewall-offline-cmd --permanent --zone=trusted --add-source=<custom IP range>
$ sudo firewall-offline-cmd --permanent --zone=trusted --add-source=<custom IP range>Copy to Clipboard Copied! Toggle word wrap Toggle overflow
To allow internal traffic from pods through the network gateway, run the following command:
sudo firewall-offline-cmd --permanent --zone=trusted --add-source=169.254.169.1
$ sudo firewall-offline-cmd --permanent --zone=trusted --add-source=169.254.169.1Copy to Clipboard Copied! Toggle word wrap Toggle overflow If you are using a load balancer, allow the IPv6 traffic through the firewall by running the following command:
sudo firewall-cmd --permanent --zone=trusted --add-source=fd01::/48
$ sudo firewall-cmd --permanent --zone=trusted --add-source=fd01::/48Copy to Clipboard Copied! Toggle word wrap Toggle overflow
7.6.1. Applying firewall settings
To apply firewall settings, use the following one-step procedure:
Procedure
After you have finished configuring network access through the firewall, run the following command to restart the firewall and apply the settings:
sudo firewall-cmd --reload
$ sudo firewall-cmd --reloadCopy to Clipboard Copied! Toggle word wrap Toggle overflow
7.7. Verifying firewall settings
After you have restarted the firewall, you can verify your settings by listing them.
Procedure
To verify rules added in the default public zone, such as ports-related rules, run the following command:
sudo firewall-cmd --list-all
$ sudo firewall-cmd --list-allCopy to Clipboard Copied! Toggle word wrap Toggle overflow To verify rules added in the trusted zone, such as IP-range related rules, run the following command:
sudo firewall-cmd --zone=trusted --list-all
$ sudo firewall-cmd --zone=trusted --list-allCopy to Clipboard Copied! Toggle word wrap Toggle overflow
7.8. Overview of firewall ports when a service is exposed
Firewalld is often active when you run services on MicroShift. This can disrupt certain services on MicroShift because traffic to the ports might be blocked by the firewall. You must ensure that the necessary firewall ports are open if you want certain services to be accessible from outside the host. There are several options for opening your ports:
Services of the
NodePortandLoadBalancertype are automatically available with OVN-Kubernetes.In these cases, OVN-Kubernetes adds iptables rules so the traffic to the node IP address is delivered to the relevant ports. This is done using the PREROUTING rule chain and is then forwarded to the OVN-K to bypass the firewalld rules for local host ports and services. Iptables and firewalld are backed by nftables in Red Hat Enterprise Linux (RHEL) 9. The nftables rules, which the iptables generates, always have priority over the rules that the firewalld generates.
Pods with the
HostPortparameter settings are automatically available. This also includes therouter-defaultpod, which uses ports 80 and 443.For
HostPortpods, the CRI-O config sets up iptables DNAT (Destination Network Address Translation) to the pod’s IP address and port.
These methods function for clients whether they are on the same host or on a remote host. The iptables rules, which are added by OVN-Kubernetes and CRI-O, attach to the PREROUTING and OUTPUT chains. The local traffic goes through the OUTPUT chain with the interface set to the lo type. The DNAT runs before it hits filler rules in the INPUT chain.
Because the MicroShift API server does not run in CRI-O, it is subject to the firewall configurations. You can open port 6443 in the firewall to access the API server in your MicroShift node.
7.10. Known firewall issue
To avoid breaking traffic flows with a firewall reload or restart, run firewall commands before starting Red Hat Enterprise Linux (RHEL). The CNI driver in MicroShift makes use of iptable rules for some traffic flows, such as those using the NodePort service. The iptable rules are generated and inserted by the CNI driver, but are deleted when the firewall reloads or restarts. The absence of the iptable rules breaks traffic flows. If firewall commands have to run after MicroShift is started, manually restart ovnkube-master pod in the openshift-ovn-kubernetes namespace to reset the rules controlled by the CNI driver.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}