daemon: firewall pods

This introduces a new tc rule that blocks traffic from outside the cluster targeting pod IPs directly. It requires an adjustment of the BPF filter priority to above 32, which is expected to be set by the Constellation Helm installer.
edgelesssys · May 29, 2024 · d9b6c2a · d9b6c2a
1 parent c808d02
commit d9b6c2a
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
@@ -715,6 +715,37 @@ spec:
           - name: cni-path
             mountPath: /host/opt/cni/bin
       {{- end }} # .Values.cni.install
+      - name: firewall-pods
+        image: {{ include "cilium.image" .Values.image | quote }}
+        imagePullPolicy: IfNotPresent
+        command:
+        - /bin/bash
+        - -exc
+        - |
+          pref=32
+          interface=$(ip route | awk '/^default/ { print $5 }')
+          tc qdisc add dev "${interface}" clsact || true
+          tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
+          handle=0
+          for cidr in ${POD_CIDRS}; do
+            handle=$((handle + 1))
+            tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
+          done
+        env:
+        - name: POD_CIDRS
+          valueFrom:
+            configMapKeyRef:
+              key: encryption-strict-mode-pod-cidrs
+              name: cilium-config
+              optional: true
+        resources:
+          requests:
+            cpu: 100m
+            memory: 20Mi
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
       restartPolicy: Always
       priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
       serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }}