Allow the definition of allowed networks for isolated clusters

api/v2/defaults/defaults.go

@@ -163,6 +163,9 @@ func defaultFirewallSpec(f *v2.FirewallSpec) {
 	if f.Interval == "" {
 		f.Interval = DefaultFirewallReconcileInterval
 	}
+	if f.NetworkAccessType == "" {
+		f.NetworkAccessType = v2.NetworkAccessBaseline
+	}
 }
 
 func getSSHPublicKey(ctx context.Context, seedClient client.Client, secretName, namespace string) (string, error) {

api/v2/types_firewall.go

@@ -110,8 +110,45 @@ type FirewallSpec struct {
 	DNSServerAddress string `json:"dnsServerAddress,omitempty"`
 	// DNSPort specifies port to which DNS proxy should be bound
 	DNSPort *uint `json:"dnsPort,omitempty"`
+
+	// AllowedNetworks defines dedicated networks for which the firewall allows in- and outgoing traffic.
+	// The firewall-controller only enforces this setting in combination with NetworkAccessType set to forbidden.
+	// The node network is always allowed.
+	AllowedNetworks AllowedNetworks `json:"allowedNetworks,omitempty"`
+	// NetworkAccessType defines firewall access restriction to external networks.
+	NetworkAccessType NetworkAccessType `json:"networkAccessType,omitempty"`
+}
+
+// AllowedNetworks is a list of networks which are allowed to connect when NetworkAccessType is forbidden.
+type AllowedNetworks struct {
+	// Ingress defines a list of cidrs which are allowed for incoming traffic like service type loadbalancer.
+	Ingress []string `json:"ingress,omitempty"`
+	// Egress defines a list of cidrs which are allowed for outgoing traffic.
+	Egress []string `json:"egress,omitempty"`
 }
 
+type (
+	// NetworkAccessType defines how a cluster is capable of accessing external networks.
+	NetworkAccessType string
+)
+
+const (
+	// NetworkAccessBaseline allows the cluster to access external networks in a baseline manner
+	NetworkAccessBaseline = NetworkAccessType("baseline")
+	// NetworkAccessRestricted access to external networks is by default restricted to registries, dns and ntp to partition only destinations.
+	// Therefore registries, dns and ntp destinations must be specified in the cloud-profile accordingly-
+	// If this is not the case, restricting the access must not be possible.
+	// Image overrides for all images which are required to create such a shoot, must be specified. No other images are provided in the given registry.
+	// customers can define own rules to access external networks as in the baseline.
+	// Service type loadbalancers are also not restricted.
+	NetworkAccessRestricted = NetworkAccessType("restricted")
+	// NetworkAccessForbidden in this configuration a customer can no longer create rules to access external networks.
+	// which are outside of a given list of allowed networks. This is enforced by the firewall.
+	// Service type loadbalancers are also not possible to open a service ip which is not in the list of allowed networks.
+	// This is also enforced by the firewall.
+	NetworkAccessForbidden = NetworkAccessType("forbidden")
+)
+
 // FirewallTemplateSpec describes the data a firewall should have when created from a template
 type FirewallTemplateSpec struct {
 	// Metadata of the firewalls created from this template.

api/v2/validation/firewall.go

@@ -40,6 +40,7 @@ func (*firewallValidator) validateSpec(f *v2.FirewallSpec, fldPath *field.Path)
 		{path: fldPath.Child("project"), value: f.Project},
 		{path: fldPath.Child("size"), value: f.Size},
 		{path: fldPath.Child("networks"), value: f.Networks},
+		{path: fldPath.Child("networkAccessType"), value: f.NetworkAccessType},
 	}
 
 	allErrs = append(allErrs, r.check()...)
@@ -95,6 +96,27 @@ func (*firewallValidator) validateSpec(f *v2.FirewallSpec, fldPath *field.Path)
 		allErrs = append(allErrs, r.check()...)
 	}
 
+	switch f.NetworkAccessType {
+	case v2.NetworkAccessBaseline, v2.NetworkAccessForbidden, v2.NetworkAccessRestricted:
+		// noop
+	default:
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("networkAccessType"), f.NetworkAccessType, "network access type must be baseline, restriced or forbidden"))
+	}
+
+	for _, cidr := range f.AllowedNetworks.Egress {
+		_, err := netip.ParsePrefix(cidr)
+		if err != nil {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("allowedNetworks").Child("egress"), cidr, fmt.Sprintf("given network must be a cidr: %v", err)))
+		}
+	}
+
+	for _, cidr := range f.AllowedNetworks.Ingress {
+		_, err := netip.ParsePrefix(cidr)
+		if err != nil {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("allowedNetworks").Child("ingress"), cidr, fmt.Sprintf("given network must be a cidr: %v", err)))
+		}
+	}
+
 	return allErrs
 }
 
@@ -115,6 +137,8 @@ func (v *firewallValidator) validateSpecUpdate(fOld, fNew *v2.FirewallSpec, fldP
 	allErrs = append(allErrs, apivalidation.ValidateImmutableField(fNew.Project, fOld.Project, fldPath.Child("project"))...)
 	allErrs = append(allErrs, apivalidation.ValidateImmutableField(fNew.Partition, fOld.Partition, fldPath.Child("partition"))...)
 	allErrs = append(allErrs, apivalidation.ValidateImmutableField(fNew.DNSPort, fOld.DNSPort, fldPath.Child("dnsPort"))...)
+	// TODO: after all firewalls were updated to contain the network access type field, we can enable the following validation:
+	// allErrs = append(allErrs, apivalidation.ValidateImmutableField(fNew.NetworkAccessType, fOld.NetworkAccessType, fldPath.Child("networkAccessType"))...)
 
 	return allErrs
 }

api/v2/validation/firewall_test.go

@@ -34,6 +34,7 @@ func Test_firewallValidator_ValidateCreate(t *testing.T) {
 			Project:                 "project-a",
 			Size:                    "size-a",
 			Networks:                []string{"internet"},
+			NetworkAccessType:       v2.NetworkAccessBaseline,
 			EgressRules: []v2.EgressRuleSNAT{
 				{
 					NetworkID: "network-a",
@@ -86,6 +87,34 @@ func Test_firewallValidator_ValidateCreate(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "invalid allowed network egress cidr",
+			mutateFn: func(f *v2.Firewall) *v2.Firewall {
+				f.Spec.AllowedNetworks = v2.AllowedNetworks{
+					Egress: []string{"1.2.3.4", "1.2.3.5/32"},
+				}
+				return f
+			},
+			wantErr: &apierrors.StatusError{
+				ErrStatus: metav1.Status{
+					Message: ` "firewall-123" is invalid: spec.allowedNetworks.egress: Invalid value: "1.2.3.4": given network must be a cidr: netip.ParsePrefix("1.2.3.4"): no '/'`,
+				},
+			},
+		},
+		{
+			name: "invalid allowed network ingress cidr",
+			mutateFn: func(f *v2.Firewall) *v2.Firewall {
+				f.Spec.AllowedNetworks = v2.AllowedNetworks{
+					Ingress: []string{"foo"},
+				}
+				return f
+			},
+			wantErr: &apierrors.StatusError{
+				ErrStatus: metav1.Status{
+					Message: ` "firewall-123" is invalid: spec.allowedNetworks.ingress: Invalid value: "foo": given network must be a cidr: netip.ParsePrefix("foo"): no '/'`,
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		tt := tt
@@ -129,6 +158,7 @@ func Test_firewallValidator_ValidateUpdate(t *testing.T) {
 					Project:                 "project-a",
 					Size:                    "size-a",
 					Networks:                []string{"internet"},
+					NetworkAccessType:       v2.NetworkAccessBaseline,
 					EgressRules: []v2.EgressRuleSNAT{
 						{
 							NetworkID: "network-a",

api/v2/validation/firewalldeployment_test.go

@@ -41,6 +41,7 @@ func Test_firewallDeploymentValidator_ValidateCreate(t *testing.T) {
 					Project:                 "project-a",
 					Size:                    "size-a",
 					Networks:                []string{"internet"},
+					NetworkAccessType:       v2.NetworkAccessBaseline,
 					EgressRules: []v2.EgressRuleSNAT{
 						{
 							NetworkID: "network-a",
@@ -127,6 +128,7 @@ func Test_firewallDeploymentValidator_ValidateUpdate(t *testing.T) {
 					Project:                 "project-a",
 					Size:                    "size-a",
 					Networks:                []string{"internet"},
+					NetworkAccessType:       v2.NetworkAccessBaseline,
 					EgressRules: []v2.EgressRuleSNAT{
 						{
 							NetworkID: "network-a",

api/v2/validation/firewallset_test.go

@@ -41,6 +41,7 @@ func Test_firewalSetValidator_ValidateCreate(t *testing.T) {
 					Project:                 "project-a",
 					Size:                    "size-a",
 					Networks:                []string{"internet"},
+					NetworkAccessType:       v2.NetworkAccessBaseline,
 					EgressRules: []v2.EgressRuleSNAT{
 						{
 							NetworkID: "network-a",
@@ -166,6 +167,7 @@ func Test_firewallSetValidator_ValidateUpdate(t *testing.T) {
 					Project:                 "project-a",
 					Size:                    "size-a",
 					Networks:                []string{"internet"},
+					NetworkAccessType:       v2.NetworkAccessBaseline,
 					EgressRules: []v2.EgressRuleSNAT{
 						{
 							NetworkID: "network-a",

config/crds/firewall.metal-stack.io_firewalldeployments.yaml

@@ -99,6 +99,26 @@ spec:
                   spec:
                     description: Spec contains the firewall specification.
                     properties:
+                      allowedNetworks:
+                        description: AllowedNetworks defines dedicated networks for
+                          which the firewall allows in- and outgoing traffic. The
+                          firewall-controller only enforces this setting in combination
+                          with NetworkAccessType set to forbidden. The node network
+                          is always allowed.
+                        properties:
+                          egress:
+                            description: Egress defines a list of cidrs which are
+                              allowed for outgoing traffic.
+                            items:
+                              type: string
+                            type: array
+                          ingress:
+                            description: Ingress defines a list of cidrs which are
+                              allowed for incoming traffic like service type loadbalancer.
+                            items:
+                              type: string
+                            type: array
+                        type: object
                       controllerURL:
                         description: ControllerURL points to the downloadable binary
                           artifact of the firewall controller.
@@ -165,6 +185,10 @@ spec:
                         description: LogAcceptedConnections if set to true, also log
                           accepted connections in the droptailer log.
                         type: boolean
+                      networkAccessType:
+                        description: NetworkAccessType defines firewall access restriction
+                          to external networks.
+                        type: string
                       networks:
                         description: Networks are the networks to which this firewall
                           is connected. An update on this field requires the recreation

config/crds/firewall.metal-stack.io_firewalls.yaml

@@ -66,6 +66,25 @@ spec:
           spec:
             description: Spec contains the firewall specification.
             properties:
+              allowedNetworks:
+                description: AllowedNetworks defines dedicated networks for which
+                  the firewall allows in- and outgoing traffic. The firewall-controller
+                  only enforces this setting in combination with NetworkAccessType
+                  set to forbidden. The node network is always allowed.
+                properties:
+                  egress:
+                    description: Egress defines a list of cidrs which are allowed
+                      for outgoing traffic.
+                    items:
+                      type: string
+                    type: array
+                  ingress:
+                    description: Ingress defines a list of cidrs which are allowed
+                      for incoming traffic like service type loadbalancer.
+                    items:
+                      type: string
+                    type: array
+                type: object
               controllerURL:
                 description: ControllerURL points to the downloadable binary artifact
                   of the firewall controller.
@@ -131,6 +150,10 @@ spec:
                 description: LogAcceptedConnections if set to true, also log accepted
                   connections in the droptailer log.
                 type: boolean
+              networkAccessType:
+                description: NetworkAccessType defines firewall access restriction
+                  to external networks.
+                type: string
               networks:
                 description: Networks are the networks to which this firewall is connected.
                   An update on this field requires the recreation of the physical

config/crds/firewall.metal-stack.io_firewallsets.yaml

@@ -102,6 +102,26 @@ spec:
                   spec:
                     description: Spec contains the firewall specification.
                     properties:
+                      allowedNetworks:
+                        description: AllowedNetworks defines dedicated networks for
+                          which the firewall allows in- and outgoing traffic. The
+                          firewall-controller only enforces this setting in combination
+                          with NetworkAccessType set to forbidden. The node network
+                          is always allowed.
+                        properties:
+                          egress:
+                            description: Egress defines a list of cidrs which are
+                              allowed for outgoing traffic.
+                            items:
+                              type: string
+                            type: array
+                          ingress:
+                            description: Ingress defines a list of cidrs which are
+                              allowed for incoming traffic like service type loadbalancer.
+                            items:
+                              type: string
+                            type: array
+                        type: object
                       controllerURL:
                         description: ControllerURL points to the downloadable binary
                           artifact of the firewall controller.
@@ -168,6 +188,10 @@ spec:
                         description: LogAcceptedConnections if set to true, also log
                           accepted connections in the droptailer log.
                         type: boolean
+                      networkAccessType:
+                        description: NetworkAccessType defines firewall access restriction
+                          to external networks.
+                        type: string
                       networks:
                         description: Networks are the networks to which this firewall
                           is connected. An update on this field requires the recreation