
[feat][improvement][docs] implement FirewallRule CRD and support in firewall controller, remove finalizers on AddressSets #588

Merged: AshleyDumaine merged 2 commits into main from firewallrule-crd on Dec 12, 2024


@AshleyDumaine AshleyDumaine commented Dec 6, 2024

What this PR does / why we need it: Adds a new CRD that can be reused to construct LinodeFirewalls in case rules are common between firewalls (e.g. common rules for control plane and worker node Firewalls)

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests
  • adds or updates e2e tests

Example using AddressSets and FirewallRules:

apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
kind: LinodeFirewall
metadata:
  name: sample-fw
spec:
  enabled: true
  inboundPolicy: DROP
  inboundRules:
    - action: ACCEPT
      label: inbound-api-server
      ports: "6443"
      protocol: TCP
      addresses:
        ipv4:
          - "192.168.255.0/24"
    - action: ACCEPT
      label: intra-cluster
      ports: "1-65535"
      protocol: "TCP"
      addressSetRefs:  # Can be used together with .addresses if desired.
        - name: vpc-addrset
          kind: AddressSet
  inboundRuleRefs:  # Can be used together with .inboundRules if desired
    - name: example-fwrule-udp
      kind: FirewallRule
    - name: example-fwrule-icmp
      kind: FirewallRule
  # outboundRules: []
  # outboundRuleRefs: []
  # outboundPolicy: ACCEPT
---
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
kind: AddressSet
metadata:
  name: vpc-addrset
spec:
  ipv4:
    - "10.0.0.0/8"
---
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
kind: FirewallRule
metadata:
  name: example-fwrule-udp
spec:
  action: ACCEPT
  label: intra-cluster-udp
  ports: "1-65535"
  protocol: "UDP"
  addresses:
    ipv4:
      - "10.0.0.0/8"
---
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
kind: FirewallRule
metadata:
  name: example-fwrule-icmp
spec:
  action: ACCEPT
  label: intra-cluster-icmp
  protocol: "ICMP"
  addressSetRefs:  # Can be used together with .addresses if desired.
    - name: vpc-addrset
      kind: AddressSet
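
An added sketch (not code from this PR or the project) of how the references in the example above expand into concrete inbound rules, so a manifest can be audited for FirewallRule or AddressSet names that do not resolve. The types `Ref` and `Rule` and the function `Flatten` are simplified, hypothetical stand-ins for the CRD specs, and the sample values are copied from the manifests above.

```go
package main

import "fmt"

// Simplified stand-ins for the specs above (assumed shapes, not the project's Go types).
type Ref struct{ Kind, Name string }
type Rule struct{ Label, Protocol, Ports string; IPv4 []string; AddressSetRefs []Ref }

// Flatten expands FirewallRule and AddressSet refs into concrete rules and lists every ref that failed to resolve.
func Flatten(inline []Rule, ruleRefs []Ref, rules map[string]Rule, sets map[string][]string) (all []Rule, missing []string) {
	all = append([]Rule{}, inline...) // copy so the caller's slice is not modified
	for _, r := range ruleRefs {
		if rule, ok := rules[r.Name]; ok && r.Kind == "FirewallRule" {
			all = append(all, rule)
		} else {
			missing = append(missing, "firewall -> "+r.Kind+"/"+r.Name)
		}
	}
	for i, rule := range all {
		cidrs := append([]string{}, rule.IPv4...) // inline addresses first
		for _, r := range rule.AddressSetRefs {
			if set, ok := sets[r.Name]; ok && r.Kind == "AddressSet" {
				cidrs = append(cidrs, set...)
			} else {
				missing = append(missing, rule.Label+" -> "+r.Kind+"/"+r.Name)
			}
		}
		all[i].IPv4, all[i].AddressSetRefs = cidrs, nil
	}
	return all, missing
}

func main() {
	// Constructed input mirroring the sample-fw manifests in the PR description.
	vpc := []Ref{{"AddressSet", "vpc-addrset"}}
	inline := []Rule{
		{"inbound-api-server", "TCP", "6443", []string{"192.168.255.0/24"}, nil},
		{"intra-cluster", "TCP", "1-65535", nil, vpc},
	}
	refs := []Ref{{"FirewallRule", "example-fwrule-udp"}, {"FirewallRule", "example-fwrule-icmp"}}
	rules := map[string]Rule{
		"example-fwrule-udp":  {"intra-cluster-udp", "UDP", "1-65535", []string{"10.0.0.0/8"}, nil},
		"example-fwrule-icmp": {"intra-cluster-icmp", "ICMP", "", nil, vpc},
	}
	out, missing := Flatten(inline, refs, rules, map[string][]string{"vpc-addrset": {"10.0.0.0/8"}})
	fmt.Println(out, missing)
	_, missing = Flatten(inline, refs, rules, nil) // same manifests with the AddressSet absent
	fmt.Println(missing)
}
```

With the AddressSet present the four rules resolve with nothing unresolved; with it absent, the two rules that reference `vpc-addrset` are reported.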

Base automatically changed from addrset-crd to main December 9, 2024 13:37
@AshleyDumaine AshleyDumaine force-pushed the firewallrule-crd branch 6 times, most recently from ce5f735 to adfd853 Compare December 9, 2024 15:46
@AshleyDumaine AshleyDumaine marked this pull request as ready for review December 9, 2024 15:47
@AshleyDumaine AshleyDumaine force-pushed the firewallrule-crd branch 3 times, most recently from 4a7367e to b5b6a86 Compare December 10, 2024 21:38
@AshleyDumaine AshleyDumaine force-pushed the firewallrule-crd branch 5 times, most recently from be9f246 to 6703087 Compare December 12, 2024 15:23
@AshleyDumaine AshleyDumaine force-pushed the firewallrule-crd branch 6 times, most recently from d7ef155 to af9b7f7 Compare December 12, 2024 16:34
@AshleyDumaine AshleyDumaine force-pushed the firewallrule-crd branch 2 times, most recently from db1009a to 289e798 Compare December 12, 2024 16:41
@AshleyDumaine AshleyDumaine changed the title [feat] implement FirewallRule CRD and support in firewall controller [feat] implement FirewallRule CRD and support in firewall controller, remove finalizers on AddressSets Dec 12, 2024
@AshleyDumaine AshleyDumaine changed the title [feat] implement FirewallRule CRD and support in firewall controller, remove finalizers on AddressSets [feat][improvement][docs] implement FirewallRule CRD and support in firewall controller, remove finalizers on AddressSets Dec 12, 2024
@AshleyDumaine AshleyDumaine added documentation Improvements or additions to documentation improvement labels Dec 12, 2024
cbang-akamai previously approved these changes Dec 12, 2024

@cbang-akamai cbang-akamai left a comment

Put the finalizers back in 😤

@AshleyDumaine
Contributor Author

Put the finalizers back in 😤

@AshleyDumaine AshleyDumaine merged commit b246624 into main Dec 12, 2024
@AshleyDumaine AshleyDumaine deleted the firewallrule-crd branch December 12, 2024 19:51
@cbang-akamai
Contributor

Put the finalizers back in 😤
