MODULES-10758

puppetlabs-firewall : How to ignore dynamically created iptables firewallchains created by Kubernetes & Calico?


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels: None
    • Environment: Multiple Ubuntu nodes, running Kubernetes installed by Rancher/RKE. The iptables firewall is managed by puppetlabs/firewall v1.15.3.

    • Template:
      MODULES Bug Template
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Basic Info
      Module Version: Puppetlabs/firewall v1.15.3
      Puppet Version: 5.4.0
      OS Name/Version: Ubuntu 18.04.4 LTS

       

      Our Kubernetes cluster has a bunch of firewall chains that appear to be named dynamically. There are hundreds of them in our cluster, and they have names such as:


      firewallchain { 'KUBE-SEP-5UABCDKJJKLLKCCS:nat:IPv4':
        ensure => 'present',
      }
      firewallchain { 'KUBE-SEP-5WI987LK8907AAAA:nat:IPv4':
        ensure => 'present',
      }
      firewallchain { 'cali-pi-_NK9JKkljKLJkjLKJlk:filter:IPv4':
        ensure => 'present',
      }
      firewallchain { 'cali-pi-_NK9KlkHLKlklkjLKJ:mangle:IPv4':
        ensure => 'present',
      }

      Our main firewall class purges all unmanaged rules. We normally tell it to NOT purge specific firewallchains by adding puppet rules like this in an application class:

      https://gist.github.com/pmoranga/9c4f194a1ac4102d4f94

      firewallchain { 'PREROUTING:nat:IPv4':
        purge  => true,
        ignore => [ 'DOCKER', 'KUBE-*', 'cali*', ],
      }

      However, there doesn't appear to be a way to ignore dynamically named firewall chains. For example, I cannot create a resource containing a wildcard:

      firewallchain { 'cali-*:mangle:IPv4':
        ensure => 'present',
      }

      As this still seems to purge hundreds of firewallchains in our cluster:

      Jul 30 01:27:45 docker01  puppet-agent[52078]: (/Stage[main]/Profile::Firewall/Firewallchain[cali-pi-_NK9JKkljKLJkjLKJlk:filter:IPv4]/ensure) removed
      Jul 30 01:27:45 docker01 puppet-agent[52078]: (/Stage[main]/Profile::Firewall/Firewallchain[cali-pi-_NK9KlkHLKlklkjLKJ:filter:IPv4]/ensure) removed
      Jul 30 01:27:45 docker01 puppet-agent[52078]: (/Stage[main]/Profile::Firewall/Firewallchain[cali-po-_NK9JKkljKLJkjLKJlk:filter:IPv4]/ensure) removed
      Jul 30 01:27:45 docker01 puppet-agent[52078]: (/Stage[main]/Profile::Firewall/Firewallchain[cali-po-_NK9KlkHLKlklkjLKJIPv4]/ensure) removed

      Desired Behavior:

      I would expect Puppetlabs/firewall to have a way to not purge dynamically generated firewall chains.

      Actual Behavior:

      Puppetlabs/firewall purges all dynamic firewall chains added by Kubernetes or Calico, which prevents nearly all traffic within the overlay network and brings down the cluster.
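      As an added example (not part of this ticket and not the puppetlabs-firewall module's own code), the manifest below shows one way to keep purging unmanaged rules inside the built-in chains while leaving user-defined chains such as KUBE-SEP-* and cali-* in place: it sets purge on each built-in chain with ignore patterns, and deliberately declares no purge of the firewallchain resource type as a whole, since a chain-level purge is what produces the Firewallchain[...]/ensure removed events for every unmanaged chain. The class name profile::firewall::k8s, the chain list, the ignore patterns and the sample rule are assumptions made for the example. Note that the values of ignore are regular expressions matched against iptables-save output lines, so 'KUBE-' and 'cali-' are sufficient; 'KUBE-*' would only match the literal text KUBE followed by zero or more hyphens.

```puppet
# Added example, not the module's or the reporter's own code.
# Purges unmanaged rules only inside the built-in chains of the filter,
# nat and mangle tables, exempting Docker, Kubernetes and Calico rules.
# It intentionally does NOT declare
#   resources { 'firewallchain': purge => true }
# because that generates an ensure => absent for every unmanaged chain,
# including the dynamically named KUBE-* and cali-* chains.
class profile::firewall::k8s {   # hypothetical class name

  # Regexes applied to iptables-save lines; any rule line that mentions
  # a Docker, Kubernetes or Calico chain is exempt from purging.
  $ignore = [
    'DOCKER',
    'KUBE-',
    'cali-',
  ]

  # Built-in chains whose unmanaged rules should be purged (assumed list).
  $builtin_chains = [
    'INPUT:filter:IPv4',
    'FORWARD:filter:IPv4',
    'OUTPUT:filter:IPv4',
    'PREROUTING:nat:IPv4',
    'INPUT:nat:IPv4',
    'OUTPUT:nat:IPv4',
    'POSTROUTING:nat:IPv4',
    'PREROUTING:mangle:IPv4',
    'INPUT:mangle:IPv4',
    'FORWARD:mangle:IPv4',
    'OUTPUT:mangle:IPv4',
    'POSTROUTING:mangle:IPv4',
  ]

  # One firewallchain resource per built-in chain, each with the same
  # purge and ignore settings; user-defined chains are never touched.
  firewallchain { $builtin_chains:
    purge  => true,
    ignore => $ignore,
  }

  # A rule Puppet does manage on this node (example only).
  firewall { '100 allow ssh':
    proto  => 'tcp',
    dport  => 22,
    action => 'accept',
  }
}
```

      The trade-off is that this manifest cannot detect unmanaged chains created by something other than Kubernetes or Calico; if chain-level purging is needed, the exempt chains have to be declared explicitly with ensure => 'present', which is exactly what is impractical for dynamically named chains.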


      Assignee: Unassigned
      Reporter: Stefan Lasiewski (stefanlasiewski)