feat: default security policy for mgmt/worker/witness nodes

pkg/config/config.go

@@ -414,7 +414,7 @@ func GenerateRancherdConfig(config *HarvesterConfig) (*yipSchema.YipConfig, erro
 		return nil, err
 	}
 
-	if _, err := UpdateManagementInterfaceConfig(&runtimeConfig, config.ManagementInterface, true); err != nil {
+	if _, err := UpdateManagementInterfaceConfig(&runtimeConfig, config.ManagementInterface, true, config.Role); err != nil {
 		return nil, err
 	}
 

pkg/config/cos.go

@@ -190,7 +190,7 @@ func ConvertToCOS(config *HarvesterConfig) (*yipSchema.YipConfig, error) {
 			return nil, err
 		}
 
-		_, err = UpdateManagementInterfaceConfig(&initramfs, cfg.ManagementInterface, false)
+		_, err = UpdateManagementInterfaceConfig(&initramfs, cfg.ManagementInterface, false, config.Role)
 		if err != nil {
 			return nil, err
 		}
@@ -475,7 +475,7 @@ func SaveOriginalNetworkConfig() error {
 // - generates wicked interface files (`/etc/sysconfig/network/ifcfg-*` and `ifroute-*`)
 // - manipulates nameservers in `/etc/resolv.conf`.
 // - call `wicked ifreload all` if `run` flag is true.
-func UpdateManagementInterfaceConfig(stage *yipSchema.Stage, mgmtInterface Network, run bool) (string, error) {
+func UpdateManagementInterfaceConfig(stage *yipSchema.Stage, mgmtInterface Network, run bool, role string) (string, error) {
 	if len(mgmtInterface.Interfaces) == 0 {
 		return "", errors.New("no slave defined for management network bond")
 	}
@@ -498,7 +498,7 @@ func UpdateManagementInterfaceConfig(stage *yipSchema.Stage, mgmtInterface Netwo
 		}
 	}
 
-	if err := updateBridge(stage, MgmtInterfaceName, &mgmtInterface); err != nil {
+	if err := updateBridge(stage, MgmtInterfaceName, &mgmtInterface, role); err != nil {
 		return "", err
 	}
 
@@ -594,7 +594,7 @@ func updateBond(stage *yipSchema.Stage, name string, network *Network) error {
 	return nil
 }
 
-func updateBridge(stage *yipSchema.Stage, name string, mgmtNetwork *Network) error {
+func updateBridge(stage *yipSchema.Stage, name string, mgmtNetwork *Network, role string) error {
 	// add Bridge named MgmtInterfaceName and attach Bond named MgmtBondInterfaceName to bridge
 
 	needVlanInterface := false
@@ -611,7 +611,11 @@ func updateBridge(stage *yipSchema.Stage, name string, mgmtNetwork *Network) err
 		Group:       0,
 	})
 
-	preUpScript, err := render("wicked-setup-bridge.sh", MgmtBondInterfaceName)
+	roleData := map[string]interface{}{
+		"Role": role,
+		"Bond": MgmtBondInterfaceName,
+	}
+	preUpScript, err := render("wicked-setup-bridge.sh", roleData)
 	if err != nil {
 		return err
 	}

pkg/config/templates/wicked-setup-bridge.sh

@@ -12,6 +12,31 @@ case $ACTION in
 	post-up)
 		# accept all vlan, PVID=1 by default
 		bridge vlan add vid 2-4094 dev $INTERFACE self
-		bridge vlan add vid 2-4094 dev {{ . }}
+		bridge vlan add vid 2-4094 dev {{ .Bond }}
+
+		{{ if ne .Role "" -}}
+		iptables -P INPUT DROP
+
+		iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+		iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+		iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+		iptables -A INPUT -p udp --dport 8472 -j ACCEPT
+		iptables -A INPUT -p tcp -m multiport --dports 6443:6444 -j ACCEPT
+		iptables -A INPUT -p tcp -m multiport --dports 10248:10250 -j ACCEPT
+		iptables -A INPUT -p tcp --dport 10010 -j ACCEPT
+		iptables -A INPUT -p tcp --dport 9091 -j ACCEPT
+		iptables -A INPUT -p tcp --dport 9099 -j ACCEPT
+		{{ if or (eq .Role "default") (eq .Role "management") -}}
+		iptables -A INPUT -p tcp --dport 9345 -j ACCEPT
+		iptables -A INPUT -p tcp -m multiport --dports 10256:10260 -j ACCEPT
+		iptables -A INPUT -p tcp -m multiport --dports 2379:2382 -j ACCEPT
+		iptables -A INPUT -p tcp -m multiport --dports 2399:2402 -j ACCEPT
+
+		iptables -A INPUT -p tcp --dport 2112 -j ACCEPT
+		{{ else -}}
+		iptables -A INPUT -p tcp --dport 10256 -j ACCEPT
+		{{ end -}}
+		iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+		{{ end -}}
 		;;
 esac

pkg/console/dashboard_panels.go

@@ -515,6 +515,16 @@ func nodeIsPresent() bool {
 	return true
 }
 
+func removeTempEtcdPorts() {
+	command := fmt.Sprint(`iptables -D INPUT -p tcp -m multiport --dports 2399:2402 -j ACCEPT`)
+	cmd := exec.Command("/bin/sh", "-c", command)
+	cmd.Env = os.Environ()
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		logrus.Error(err, string(output))
+	}
+}
+
 func getHarvesterStatus() string {
 	if current.firstHost && !current.installed {
 		if !k8sIsReady() || !chartIsInstalled() {
@@ -532,6 +542,7 @@ func getHarvesterStatus() string {
 	rancherReady := isPodReady("cattle-system", "app=rancher")
 	harvesterAPIReady := isAPIReady(current.managementURL, "/version")
 	if harvesterReady && harvesterWebhookReady && rancherReady && harvesterAPIReady {
+		removeTempEtcdPorts()
 		return wrapColor(statusReady, colorGreen)
 	}
 	return wrapColor(statusNotReady, colorYellow)

pkg/console/network.go

@@ -75,7 +75,7 @@ func applyNetworks(network config.Network, hostname string) ([]byte, error) {
 			},
 		},
 	}
-	_, err = config.UpdateManagementInterfaceConfig(&conf.Stages["live"][1], network, true)
+	_, err = config.UpdateManagementInterfaceConfig(&conf.Stages["live"][1], network, true, "")
 	if err != nil {
 		return nil, err
 	}