ufw addon #228
ufw addon #228
Conversation
Signed-off-by: Waleed Gadelkareem <[email protected]>
Signed-off-by: Waleed Gadelkareem <[email protected]>
| " && ufw --force enable") | ||
| FatalOnError(err) | ||
|
|
||
| output, err = addon.communicator.RunCmd(node, "ufw status verbose") |
There was a problem hiding this comment.
Output is overridden on each iteration, maybe we should print the output (moving line 79 into foreach) or collect it here and then print?
There was a problem hiding this comment.
I am not sure if we want to print the output for each server, especially when it is fairly the same output. Let me know your thoughts?
There was a problem hiding this comment.
Actually we are going to execute a command than report the result of the command execution to user as "changes applied to all nodes".
IMHO this is not correct because (as reported above) we can have different rules based on node type, and should be "correct" to explain the change we add to each node or just report the info on expected reported situation to the user (that do not involve UFW execution report on a single node but the rule we are going to apply).
Let's suppose the last node of the iteration already have some rule define (maybe manually?) that are not configured on all nodes, a user can suppose that the result (already existing rule + rule from addon) are configured on all nodes but this is not true.
Maybe is an edge case and we prefer to ignore this situation?
There was a problem hiding this comment.
The ideal situation would be to allow the user to override the rules or append new rules to the basic ones. You would also have to distinguish each rule based on the instance type. Which would make this addon much more complex than it is meant to be IMHO.
| nodeIpRules += " && ufw allow in from " + node.IPAddress + " to any" | ||
| } | ||
| var output string | ||
| for _, node := range addon.nodes { |
There was a problem hiding this comment.
We apply the same rule for each node, but I think each kind of node should have some specific rules, eg: etcd/master node don't need to expose 80/443 (that I suppose should be exposed on workers); maybe I'm missing some part of the setup can you better explain me what we like to achieve with this addon?
There was a problem hiding this comment.
So I think the ufw rules are the trickiest part of this addon. I tried to use the most common rules any new cluster would require. But you can always change these rules via script runner from #229 for ex.
Signed-off-by: Waleed Gadelkareem <[email protected]>
Signed-off-by: Waleed Gadelkareem <[email protected]>
|
whats the state here? |
|
Any updates? |
|
This looks pretty important. Whats the state of this PR? @gadelkareem |
|
push @mavimo @gadelkareem |
|
@xetys I'll take a look in the next few days.. |
|
Any news on this? |
|
Any update? This was referred to by https://www.tmjohnson.co.uk/posts/k8s/ |
|
Any update here? We need this 2 years ago. |
Add ufw to all nodes with the following rules:
fixes #36