From fbf71f872b18dce955b795e7e4ed3948b55f8ad5 Mon Sep 17 00:00:00 2001
From: Waleed Gadelkareem
Date: Mon, 19 Nov 2018 21:22:30 +0100
Subject: [PATCH 1/5] Add ufw addon
Signed-off-by: Waleed Gadelkareem
---
 pkg/addons/addon_ufw.go | 89 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 pkg/addons/addon_ufw.go
diff --git a/pkg/addons/addon_ufw.go b/pkg/addons/addon_ufw.go
new file mode 100644
index 00000000..7bd27982
--- /dev/null
+++ b/pkg/addons/addon_ufw.go
@@ -0,0 +1,89 @@
+package addons
+
+import (
+ "fmt"
+
+ "github.com/xetys/hetzner-kube/pkg/clustermanager"
+)
+
+//UfwAddon installs ufw
+type UfwAddon struct {
+ masterNode *clustermanager.Node
+ communicator clustermanager.NodeCommunicator
+ nodeCidr string
+ nodes []clustermanager.Node
+}
+
+//NewUfwAddon installs ufw to the cluster
+func NewUfwAddon(provider clustermanager.ClusterProvider, communicator clustermanager.NodeCommunicator) ClusterAddon {
+ masterNode, _ := provider.GetMasterNode()
+ return UfwAddon{masterNode: masterNode, communicator: communicator, nodeCidr: provider.GetNodeCidr(), nodes: provider.GetAllNodes()}
+}
+
+func init() {
+ addAddon(NewUfwAddon)
+}
+
+//Name returns the addons name
+func (addon UfwAddon) Name() string {
+ return "ufw"
+}
+
+//Requires returns a slice with the name of required addons
+func (addon UfwAddon) Requires() []string {
+ return []string{}
+}
+
+//Description returns the addons description
+func (addon UfwAddon) Description() string {
+ return "Uncomplicated Firewall"
+}
+
+//URL returns the URL of the addons underlying project
+func (addon UfwAddon) URL() string {
+ return "https://wiki.ubuntu.com/UncomplicatedFirewall"
+}
+
+//Install performs all steps to install the addon
+func (addon UfwAddon) Install(args ...string) {
+
+ var nodeIpRules string
+ for _, node := range addon.nodes {
+ nodeIpRules += " && ufw allow in from " + node.IPAddress + " to any"
+ }
+ var output string
+ for _, node := range addon.nodes {
+ _, err := addon.communicator.RunCmd(node, "apt-get install -y ufw")
+ FatalOnError(err)
+
+ fmt.Println("ufw installed on " + node.Name)
+
+ _, err = addon.communicator.RunCmd(
+ node,
+ "ufw --force reset"+
+ nodeIpRules+
+ " && ufw allow ssh"+
+ " && ufw allow in from "+addon.nodeCidr+" to any"+ // Kubernetes VPN overlay interface
+ " && ufw allow in from 10.244.0.0/16 to any"+ // Kubernetes pod overlay interface
+ " && ufw allow 6443"+ // Kubernetes API secure remote port
+ " && ufw allow 80"+
+ " && ufw allow 443"+
+ " && ufw default deny incoming"+
+ " && ufw --force enable")
+ FatalOnError(err)
+
+ output, err = addon.communicator.RunCmd(node, "ufw status verbose")
+ FatalOnError(err)
+ }
+
+ fmt.Println("ufw enabled with the following rules:\n", output)
+}
+
+//Uninstall performs all steps to remove the addon
+func (addon UfwAddon) Uninstall() {
+ node := *addon.masterNode
+ _, err := addon.communicator.RunCmd(node, "ufw --force reset && ufw --force disable")
+ FatalOnError(err)
+
+ fmt.Println("ufw uninstalled")
+}
From 9596a4a12039e21f93e56ceb59f2043a43f321f8 Mon Sep 17 00:00:00 2001
From: Waleed Gadelkareem
Date: Mon, 19 Nov 2018 21:25:34 +0100
Subject: [PATCH 2/5] Uninstall from all nodes
Signed-off-by: Waleed Gadelkareem
---
 pkg/addons/addon_ufw.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkg/addons/addon_ufw.go b/pkg/addons/addon_ufw.go
index 7bd27982..e2ddbd5e 100644
--- a/pkg/addons/addon_ufw.go
+++ b/pkg/addons/addon_ufw.go
@@ -81,9 +81,9 @@ func (addon UfwAddon) Install(args ...string) {
 //Uninstall performs all steps to remove the addon
 func (addon UfwAddon) Uninstall() {
- node := *addon.masterNode
- _, err := addon.communicator.RunCmd(node, "ufw --force reset && ufw --force disable")
- FatalOnError(err)
-
+ for _, node := range addon.nodes {
+ _, err := addon.communicator.RunCmd(node, "ufw --force reset && ufw --force disable")
+ FatalOnError(err)
+ }
 fmt.Println("ufw uninstalled")
 }
From a114ba439b448389f4984e3c59e580b26153eb8e Mon Sep 17 00:00:00 2001
From: Waleed Gadelkareem
Date: Tue, 20 Nov 2018 19:27:15 +0100
Subject: [PATCH 3/5] Apply PR improvements
Signed-off-by: Waleed Gadelkareem
---
 pkg/addons/addon_ufw.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/pkg/addons/addon_ufw.go b/pkg/addons/addon_ufw.go
index e2ddbd5e..6bbbf56c 100644
--- a/pkg/addons/addon_ufw.go
+++ b/pkg/addons/addon_ufw.go
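Review bot: In Install, `node.IPAddress` and `addon.nodeCidr` are spliced unchecked into one shell command that sits between `ufw --force reset` and `ufw --force enable`; reset leaves the firewall disabled and the `&&` chain stops at the first failing rule, so a single malformed value leaves that node with ufw off and `FatalOnError` aborting before the remaining nodes are configured. Validate the values before building the command (this needs `net` in the import block), e.g. `if net.ParseIP(node.IPAddress) == nil { FatalOnError(fmt.Errorf("invalid node IP %q", node.IPAddress)) }` and `if _, _, err := net.ParseCIDR(addon.nodeCidr); err != nil { FatalOnError(err) }`. The pod range `10.244.0.0/16` is hard-coded while the node CIDR comes from the provider, so a cluster with a different pod network gets a silently wrong rule; either source it from the provider as well or record the assumption next to the rule, e.g. `// assumes the cluster's pod network is 10.244.0.0/16; adjust if it was created with another range`. Finally, `output` is overwritten on every iteration but printed once after the loop, so the closing message shows only the last node's `ufw status verbose`.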
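Review bot: The `FatalOnError(err)` inside the new loop in Uninstall aborts on the first node where the reset command fails (the name suggests a fatal exit), so nodes after it keep ufw enabled with the old cluster rules while the ones before it are already open, and the partial state is easy to miss because the only output on success is the final `ufw uninstalled` line. Record the failure and keep going, e.g. `var firstErr error` before the loop, `if err != nil && firstErr == nil { firstErr = err }` in place of the call, and `FatalOnError(firstErr)` after the loop. A comment on the function is also worth adding: it only resets and disables the firewall, and the `ufw` package that Install put on the node with `apt-get install` stays installed.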
@@ -8,7 +8,6 @@ import (
 //UfwAddon installs ufw
 type UfwAddon struct {
- masterNode *clustermanager.Node
 communicator clustermanager.NodeCommunicator
 nodeCidr string
 nodes []clustermanager.Node
@@ -16,8 +15,7 @@ type UfwAddon struct {
 //NewUfwAddon installs ufw to the cluster
 func NewUfwAddon(provider clustermanager.ClusterProvider, communicator clustermanager.NodeCommunicator) ClusterAddon {
- masterNode, _ := provider.GetMasterNode()
- return UfwAddon{masterNode: masterNode, communicator: communicator, nodeCidr: provider.GetNodeCidr(), nodes: provider.GetAllNodes()}
+ return UfwAddon{communicator: communicator, nodeCidr: provider.GetNodeCidr(), nodes: provider.GetAllNodes()}
 }
 func init() {
From 3691c7f90f604e82c4d24681c68d52534053ec06 Mon Sep 17 00:00:00 2001
From: Waleed Gadelkareem
Date: Tue, 20 Nov 2018 19:51:06 +0100
Subject: [PATCH 4/5] Fix var name
Signed-off-by: Waleed Gadelkareem
---
 pkg/addons/addon_ufw.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/addons/addon_ufw.go b/pkg/addons/addon_ufw.go
index 6bbbf56c..d8a7619f 100644
--- a/pkg/addons/addon_ufw.go
+++ b/pkg/addons/addon_ufw.go
@@ -45,9 +45,9 @@ func (addon UfwAddon) URL() string {
 //Install performs all steps to install the addon
 func (addon UfwAddon) Install(args ...string) {
- var nodeIpRules string
+ var nodeIPRules string
 for _, node := range addon.nodes {
- nodeIpRules += " && ufw allow in from " + node.IPAddress + " to any"
+ nodeIPRules += " && ufw allow in from " + node.IPAddress + " to any"
 }
 var output string
 for _, node := range addon.nodes {
@@ -59,7 +59,7 @@ func (addon UfwAddon) Install(args ...string) {
 _, err = addon.communicator.RunCmd(
 node,
 "ufw --force reset"+
- nodeIpRules+
+ nodeIPRules+
 " && ufw allow ssh"+
 " && ufw allow in from "+addon.nodeCidr+" to any"+ // Kubernetes VPN overlay interface
 " && ufw allow in from 10.244.0.0/16 to any"+ // Kubernetes pod overlay interface
From 0e684ca64c4b552200b8604fb807fd0715d51c96 Mon Sep 17 00:00:00 2001
From: Waleed Gadelkareem
Date: Mon, 26 Nov 2018 21:04:29 +0100
Subject: [PATCH 5/5] disable public k8s API
---
 pkg/addons/addon_ufw.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/pkg/addons/addon_ufw.go b/pkg/addons/addon_ufw.go
index d8a7619f..7adb55ee 100644
--- a/pkg/addons/addon_ufw.go
+++ b/pkg/addons/addon_ufw.go
@@ -63,7 +63,6 @@ func (addon UfwAddon) Install(args ...string) {
 " && ufw allow ssh"+
 " && ufw allow in from "+addon.nodeCidr+" to any"+ // Kubernetes VPN overlay interface
 " && ufw allow in from 10.244.0.0/16 to any"+ // Kubernetes pod overlay interface
- " && ufw allow 6443"+ // Kubernetes API secure remote port
 " && ufw allow 80"+
 " && ufw allow 443"+
 " && ufw default deny incoming"+
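Review bot: Dropping `ufw allow 6443` leaves the API server reachable only through the allows that remain in this hunk (the node-CIDR and pod-network rules, plus ssh, 80 and 443), but nothing in the code records that decision; the commit title is the only place that says the API is no longer public, and a user pointing `kubectl` at the public address will see it stop working after Install. Add a comment where the rule was removed, e.g. `// 6443 is deliberately not opened: the API server is reachable only from the node IPs, the node CIDR and the pod network`, and consider saying so in the string returned by Description() so the addon listing shows it. The enclosing Install body starts and ends outside the hunk.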