Host-based firewall in OpenShift
Although the CoreOS image underlying OpenShift nodes is immutable and ships with carefully chosen security settings, a more stringent environment sometimes calls for an extra layer of protection.
Let's further tighten network security with an iptables-based host firewall on CoreOS.
The Requirement
My cluster consists of three masters and three workers. The bastion host and the software-based load balancer run on the same node.
Let's enclose these nodes in a fence: an OpenShift node should accept connections only from its peer nodes and from the LB/bastion node, and from nothing else. We will construct this with iptables rules.
Iptables Rules
Because Kubernetes itself uses iptables to implement its software-defined networking, the rules we add must be carefully planned and tested. Let's SSH to one node of the cluster and try the rules out in a shell session there first.
Start with a rule that preserves the SSH connection from the bastion node (192.168.10.69). Reject the…
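One way to build the fence described above, added here as an example rather than the post's own rules: a script that generates the iptables commands for a dedicated chain so the whole rule set can be reviewed before it is applied on the test node. Only the bastion address comes from the post; the chain name, the peer addresses and the pod network CIDR are assumptions.

```shell
#!/bin/sh
# Added example: emit iptables commands for a dedicated INPUT chain that only
# admits peer nodes, the bastion/LB host and the pod network. Nothing is
# applied here; review the output, then pipe it into `sh` on the test node.
# All addresses except the bastion (192.168.10.69) are constructed samples.

CHAIN="OCP-HOST-FW"                 # hypothetical chain name
BASTION="192.168.10.69"
PEERS="192.168.10.11 192.168.10.12 192.168.10.13 192.168.10.21 192.168.10.22 192.168.10.23"
POD_CIDR="10.128.0.0/14"            # assumed cluster network CIDR

gen_rules() {
    printf '%s\n' "iptables -N $CHAIN"
    # Never fence loopback or reply traffic: kubelet, CRI-O and the SDN rely on both.
    printf '%s\n' "iptables -A $CHAIN -i lo -j ACCEPT"
    printf '%s\n' "iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Bastion/LB host first, so the SSH session used for testing stays alive.
    printf '%s\n' "iptables -A $CHAIN -s $BASTION -j ACCEPT"
    for p in $PEERS; do
        printf '%s\n' "iptables -A $CHAIN -s $p -j ACCEPT"
    done
    # Pods reach host-level services (DNS, kubelet) from the cluster network.
    printf '%s\n' "iptables -A $CHAIN -s $POD_CIDR -j ACCEPT"
    # Log (rate-limited) and then reject everything else; REJECT fails fast while testing.
    printf '%s\n' "iptables -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix \"$CHAIN drop: \""
    printf '%s\n' "iptables -A $CHAIN -j REJECT --reject-with icmp-port-unreachable"
    # Insert at the top of INPUT so the fence is evaluated before the KUBE-* chains.
    printf '%s\n' "iptables -I INPUT 1 -j $CHAIN"
}

# Undo for the test session: remove the jump, then flush and delete the chain.
gen_rollback() {
    printf '%s\n' "iptables -D INPUT -j $CHAIN"
    printf '%s\n' "iptables -F $CHAIN"
    printf '%s\n' "iptables -X $CHAIN"
}

# Number of rules appended to the chain (chain creation and INPUT jump excluded).
rule_count() {
    gen_rules | grep -c -- "-A $CHAIN"
}
```

Keep the rollback commands ready in a second terminal on the bastion before applying the rules, so a mistake in the peer list cannot lock you out of the node.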