Though the underlying CoreOS of OpenShift nodes is immutable with the careful consideration of security settings, sometime for a more stringent environment, an extra layer of protection is required.
Let’s further tighten the network security with iptable based host firewall in the CoreOS.
I have the following cluster consists of three masters and three workers. The Bastion node and the software based load balancer are on the same node.
Let’s enclose a fence around these nodes. The OpenShift nodes should not be accessed from any other nodes others than its peer nodes and the LB/bastion node. We will use iptable rules to construct this.
As the Kubernetes is using iptables to achive its software defined network requirement, the iptables that we are going to use must be carefully planned and tested. Let’s SSH to a node of the cluster to test out the iptable rules with a shell session on one node first.
Starting with the following rule to make sure we have the SSH connection from the bastion node (192.168.10.69). Reject the other SSH connection if its not from the bastion node.
iptables -I INPUT 1 -s 192.168.10.69 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT 2 ! -s 192.168.10.69 -p tcp --dport 22 -j REJECT
Then we create a cutom chain
Cluster-Nodes-Only to manage the cluster traffic and insert it after the SSH rule.
iptables -N Cluster-Nodes-Only
iptables -I INPUT 3 -j Cluster-Nodes-Only
Allow the traffic coming from other nodes and the bastion/LB node,
iptables -A Cluster-Nodes-Only -m iprange \
--src-range 192.168.10.60-192.168.10.69 -j ACCEPT
For OpenShift, there will be traffic coming from the Pod network and Service network. Find out their CIDR with the command below,
oc describe network.config cluster
Host Prefix: 23