Chapter 8. Using a firewall

Firewalld is a networking service that runs in the background and responds to connection requests, creating a dynamic customizable host-based firewall. If you are using Red Hat Enterprise Linux for Edge (RHEL for Edge) with MicroShift, firewalld should be installed and you only need to configure it.

Details are provided in procedures that follow. Overall, you must explicitly allow the following OVN-Kubernetes traffic when the firewalld service is running.

To install and enable firewalld on your RHEL for Edge host when the package is missing, you can use dnf to install the package and systemctl to enable and start the service. Optionally check for the package with rpm -q firewalld before you install.

An IP address range for the node network must be enabled during firewall configuration. You can use the default values or customize the IP address range. If you choose to customize the node network IP address range from the default 10.42.0.0/16 setting, you must also use the same custom range in the firewall configuration.

To allow external access to services and APIs in MicroShift, you can add custom ports to your firewall configuration. Use the listed ports and protocols as a guide for HTTP, HTTPS, NodePort, mDNS, and API access.

For a complete list of ports and protocols, see "Optional ports".

The following examples show commands to open firewall access for services running on MicroShift.

To open default ports for predefined services through firewalld on your MicroShift instance, you can use the firewall-cmd command. Add each service with the --add-service option.

You can allow network traffic through the firewall by configuring the IP address range and inserting the DNS server to allow internal traffic from pods through the network gateway.

To apply firewall settings after you have finished configuring network access through the firewall, you can reload the firewall service.

After you have restarted the firewall, you can verify your settings by listing them with the firewall-cmd command.

Firewalld is often active when you run services on MicroShift. This can disrupt certain services on MicroShift because traffic to the ports might be blocked by the firewall. You must ensure that the necessary firewall ports are open if you want certain services to be accessible from outside the host.

There are several options for opening your ports:

These methods function for clients whether they are on the same host or on a remote host. The iptables rules, which are added by OVN-Kubernetes and CRI-O, attach to the PREROUTING and OUTPUT chains. The local traffic goes through the OUTPUT chain with the interface set to the lo type. The DNAT runs before it hits filler rules in the INPUT chain.

Because the MicroShift API server does not run in CRI-O, it is subject to the firewall configurations. You can open port 6443 in the firewall to access the API server in your MicroShift node.

To avoid traffic failures after a firewalld reload or restart on MicroShift, run firewall commands before you start Red Hat Enterprise Linux (RHEL). If you must run firewall commands later, restart the ovnkube-master pod in openshift-ovn-kubernetes to restore iptable rules that OVN-Kubernetes manages.

The CNI driver in MicroShift makes use of iptable rules for some traffic flows, such as those using the NodePort service. The iptable rules are generated and inserted by the CNI driver, but are deleted when the firewall reloads or restarts. The absence of the iptable rules breaks traffic flows.