Commit 1f6aae8

feat: add simple Firewall design
Signed-off-by: Sergey Matov <[email protected]>
1 parent a43b17a commit 1f6aae8

1 file changed

+153
-2
lines changed

docs/proposed-api.md

Lines changed: 153 additions & 2 deletions
@@ -178,7 +178,7 @@ spec:
178178
- cidr: 10.1.1.0/24
179179
as: # Means static Src/Dst NAT for vpc1
180180
- cidr: 192.168.1.0/24
181-
ingress:
181+
firewall:
182182
- allow:
183183
stateless: true # it's the only options supported in the first release
184184
tcp:
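Review bot: the rename from `ingress:` to `firewall:` removes the only hint of direction in this block, so the text should say on which traffic the rules under `firewall:` are evaluated (packets destined to the exposed CIDRs, packets leaving them, or both); without that, the `src`/`dst` fields of the rules that follow are ambiguous, especially here where `as:` applies static NAT and a match could refer to either the original or the translated address. Minor: the comment on `stateless: true` should read "it's the only option supported in the first release".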
@@ -187,7 +187,7 @@ spec:
187187
expose:
188188
- ips:
189189
- cidr: 10.2.1.1/32
190-
ingress:
190+
firewall:
191191
- allow:
192192
stateless: true
193193
tcp:
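Review bot: the same rename under `expose:` for `10.2.1.1/32` deserves one sentence on semantics: since `stateless: true` is the only mode, an `allow:` here admits only one direction of a flow and the reverse direction must be allowed by a matching rule on the peer side, which readers of the old `ingress:` name may not expect. Please also document the default when `firewall:` is omitted from an `expose:` entry (allow all vs. deny all).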
@@ -288,3 +288,154 @@ spec:
288288
- not: 192.168.0.0/16
289289
- not: 3.2.1.0/30
290290
```
291+
292+
## Simple firewall implementation
293+
294+
VPC Firewall implies zero trust if firewall pattern is specified.
295+
296+
```yaml
297+
...
298+
firewall:
299+
- deny:
300+
stateless: true
301+
302+
log: # log traffic event for given pattern
303+
level: debug # warning | info | error
304+
message: "custom log message"
305+
tcp:
306+
src:
307+
cidrs:
308+
- 10.0.0.0/8
309+
- 172.16.0.0/12
310+
ports: [80, 443]
311+
portRanges:
312+
- start: 8000
313+
end: 8999
314+
- start: 3000
315+
end: 3999
316+
dst:
317+
cidrs:
318+
- 192.168.1.0/24
319+
ports: [22, 23]
320+
portRanges:
321+
- start: 1234
322+
end: 2222
323+
udp:
324+
src:
325+
cidrs:
326+
- 10.0.0.0/8
327+
ports: [53, 123]
328+
portRanges:
329+
- start: 5000
330+
end: 5999
331+
dst:
332+
cidrs:
333+
- 8.8.8.8/32
334+
ports: [53]
335+
icmp:
336+
src:
337+
cidrs:
338+
- 10.0.0.0/8
339+
dst:
340+
cidrs:
341+
- 192.168.1.0/24
342+
# TODO: ICMP type/code options
343+
protocol: 47 # Raw protocol number (optional, alternative to tcp/udp/icmp)
344+
- allow:
345+
stateless: true
346+
# All same options as deny
347+
```
348+
349+
### Example 1: VPC-1 To VPC-DB access limitation (no NAT)
350+
351+
```yaml
352+
apiVersion: gateway.githedgehog.com/v1alpha1
353+
kind: Peering
354+
metadata:
355+
name: vpc-1-to-vpc-db
356+
spec:
357+
peering:
358+
vpc-1:
359+
expose:
360+
- ips:
361+
- cidr: 10.1.0.0/24
362+
firewall:
363+
# Allow database responses back
364+
- allow:
365+
stateless: true
366+
log:
367+
level: info
368+
message: "DB traffic hit"
369+
tcp:
370+
src:
371+
ports: [3306, 5432, 1433] # MySQL, PostgreSQL, SQL Server
372+
vpc-db:
373+
expose:
374+
- ips:
375+
- cidr: 10.2.0.0/24
376+
firewall:
377+
# Allow legitimate database connections
378+
- allow:
379+
stateless: true
380+
log:
381+
level: info
382+
message: "Database connection"
383+
tcp:
384+
dst:
385+
ports: [3306, 5432, 1433]
386+
```
387+
388+
### Example 2: VPC-1 access to VPC with k8s API (overlapping IPs, NAT)
389+
390+
```yaml
391+
apiVersion: gateway.githedgehog.com/v1alpha1
392+
kind: Peering
393+
metadata:
394+
name: vpc-1-to-k8s-with-nat
395+
spec:
396+
peering:
397+
vpc-1:
398+
expose:
399+
- ips:
400+
- cidr: 10.1.10.0/24
401+
as:
402+
- cidr: 192.168.10.0/24
403+
firewall:
404+
# Allow K8s API responses back to vpc-1 clients
405+
- allow:
406+
stateless: true
407+
log:
408+
level: debug
409+
message: "Kubernetes API response to vpc-1"
410+
tcp:
411+
src:
412+
ports: [6443]
413+
dst:
414+
cidrs:
415+
- 10.1.10.0/24
416+
- deny:
417+
stateless: true
418+
log:
419+
level: error
420+
message: "vpc-k8s tries to access vpc-1"
421+
vpc-kubernetes:
422+
expose:
423+
- ips:
424+
- cidr: 10.1.10.0/24 # Overlap with vpc-1
425+
as:
426+
- cidr: 192.168.100.0/24 # NAT to different range for vpc-1 to see
427+
firewall:
428+
- allow:
429+
stateless: true
430+
log:
431+
level: info
432+
message: "vpc-1 Kubernetes API access"
433+
tcp:
434+
src:
435+
cidrs:
436+
- 192.168.10.0/24 # From NAT'd vpc-1 subnet
437+
dst:
438+
cidrs:
439+
- 10.1.10.0/24 # To K8s control plane subnet
440+
ports: [6443] # K8s API server only
441+
```
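Review bot: the evaluation order of the rule list is not specified: the schema shows `- deny:` and `- allow:` as entries of an ordered list, and Example 2 relies on the `allow` for port 6443 being consulted before the trailing `deny` on vpc-1, so the doc should state first-match (or deny-precedence) explicitly; that trailing `- deny:` also carries no `tcp`/`udp`/`icmp`/`protocol` block, so whether an empty match means "everything" needs to be written down too. Further points in this section: (1) "zero trust if firewall pattern is specified" leaves the omitted case undefined; (2) `level: debug # warning | info | error` enumerates values that do not include the `debug` used on that same line and again in Example 2; (3) Example 1's vpc-1 rule matches only `tcp.src.ports: [3306, 5432, 1433]` with no `dst` constraint, which under stateless matching admits any connection whose source port happens to be one of those values to any port in 10.1.0.0/24, so the example should at least add a `dst:` block for `10.1.0.0/24` and a sentence on the limitation; (4) in Example 2 both peers expose `10.1.10.0/24` and vpc-1 is translated to `192.168.10.0/24`, yet vpc-1's allow rule matches `dst.cidrs: 10.1.10.0/24`, so the text must say whether rules see pre-NAT or post-NAT addresses; (5) `protocol: 47` appears alongside `tcp`/`udp`/`icmp` in one rule although its comment calls it an alternative, so validation should either reject mixing them or the doc should define precedence.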
