Comments (15)
timoreimann
commented on May 14, 2024
1
@Richard87 AFAIK, NodePorts on GKE are not publicly exposed by default to enable a distinction between providing local access (within your project / environment) and true public access. Not sure though how that notion maps to DigitalOcean.
from digitalocean-cloud-controller-manager.
timoreimann
commented on May 14, 2024
1
Unless someone wants it more badly than me, I'd take a stab on this one next. :)
from digitalocean-cloud-controller-manager.
timoreimann
commented on May 14, 2024
@andrewsykim could you elaborate on what the desired behavior should look like? For instance, do we intend to set up a deny all ingress policy for every node that comes up? Or are there specific events that guide how firewall rules should be provisioned?
Thanks!
from digitalocean-cloud-controller-manager.
Richard87
commented on May 14, 2024
My feeling is that it should open all NodePorts automatically since they are designed to be available from the outside of the cluster?
from digitalocean-cloud-controller-manager.
andrewsykim
commented on May 14, 2024
yeah, so one behaviour of firewall controller would be to turn on access to those node ports if a droplet is added to a LB, etc. This was more desired back when private networking was more like "shared" networking. Today with private netwokring being completely isolated per user perhaps this may not be needed. What do you think?
from digitalocean-cloud-controller-manager.
timoreimann
commented on May 14, 2024
Sorry, this one dropped off my radar. Trying to catch up now...
Do all droplets get assigned a publicly routable IP address? If so, wouldn't that make any process running on a Kubernetes cluster and listening on all devices (e.g., a pod with a host port or a native process) be generally accessible from the outside?
That's the only scenario I can see where you may still want to have a firewall to make sure nothing gets accidentally exposed. I suppose users could still manage firewalls on their own, but an integration in DO's CCM might be more convenient?
WDYT?
from digitalocean-cloud-controller-manager.
andrewsykim
commented on May 14, 2024
Hmm, good point. For public IPs, I guess firewalls is the only option here. Having DO CCM manage this makes sense to me.
from digitalocean-cloud-controller-manager.
andrewsykim
commented on May 14, 2024
Should be easy enough to create a custom controller for this, similar to what we've done for #142
from digitalocean-cloud-controller-manager.
timoreimann
commented on May 14, 2024
@andrewsykim 👍 a few further design questions come to my mind:
- should we enable or disable the firewall by default? My guess is we can't just enable it as that would be a breaking change from the existing behavior. Or would we still be fine with it since CCM hasn't reached 1.x yet?
- how do we allow users to choose a specific default firewall setting (especially the inverse to what we decide for in 1)? Maybe a new CLI parameter to CCM, e.g.,
--firewall=off? - how would users toggle the firewall settings for individual ports? I suppose they could go through the usual DO firewall API given that CCM doesn't try to reconcile changes again.
Thanks!
from digitalocean-cloud-controller-manager.
andrewsykim
commented on May 14, 2024
- I think disable by default is a good starting point
- Flag on CCM is best I think.
- I think CCM should reconcile state changes though? I'm not sure if we want to allow users to toggle individual ports. If anything it should be cluster wide setting or at the very least a per Service setting (via annotations).
^ not strongly held opinions so happy to discuss alternatives.
from digitalocean-cloud-controller-manager.
timoreimann
commented on May 14, 2024
@andrewsykim my thinking regarding 3. was that certain users may not want to use a LoadBalancer-typed service for one reason or another (minimizing cost, more sophisticated routing mechanisms, etc.) and instead prefer to talk to NodePorts directly. Not sure how realistic that really is, however, so I'm totally okay with taking the reconciliation route and adjusting only when a use case arises. 👌
from digitalocean-cloud-controller-manager.
andrewsykim
commented on May 14, 2024
@timoreimann please go ahead! Just note that we will likely have it disabled by default for quite some time to battle test it and make sure it won't break anyone's production clusters :)
from digitalocean-cloud-controller-manager.
timoreimann
commented on May 14, 2024
@andrewsykim makes total sense -- will make sure the default is off. 👍
from digitalocean-cloud-controller-manager.
timoreimann
commented on May 14, 2024
There's also the open PR #70 which ensures that existing firewalls will be extended / reduced once a LoadBalancer-typed service is created / destroyed. I believe we need to have this as well eventually.
from digitalocean-cloud-controller-manager.
timoreimann
commented on May 14, 2024
It took a bit, but we now have #332 open to manage a dedicated firewall for dynamic NodePort access. LBs are not taken into account yet for reasons for scoping and re-questioning the actual need. See #68 (comment) for details.
from digitalocean-cloud-controller-manager.
Related Issues (20)
- do-loadbalancer-protocol: 'http2' results in 'http2' --> 'http' HOT 4
- Extending Loadbalancer timeout duration HOT 1
- Misconfigured cloud-controller-manager.yml (HA deployment that uses daemonset) HOT 1
- Change release pipeline to promote dev manifests
- Protect load balancer from being deleted HOT 7
- udp loadbalancer failing to create HOT 8
- Controller manual mode HOT 17
- Allow the region to be explicitly specified instead of using the Region metadata API HOT 5
- K8 annotations for load balancer name / id do not work as expected HOT 4
- Typos in README.md
- IPv6 address missing in nodes status HOT 9
- Prevent duplicate do-loadbalancer-name annotation from changing LB ownership
- do-loadbalancer should accept a certificate name as an alternative to the certificate ID
- Wrong validation regex for service.beta.kubernetes.io/do-loadbalancer-allow-rules HOT 2
- Feature Request: Create a Helm chart for DO CCM HOT 1
- Cloud Controller Manager doesn't add droplets to Load Balancer HOT 6
- `k8s.gcr.io` is no longer used HOT 2
- CI: Bypass branch protection on release workflow execution
- do-loadbalancer-allow-rules doesn't work (firewall is not configured) HOT 1
- Confusion with do-loadbalancer-hostname HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from digitalocean-cloud-controller-manager.