Add support for NodeNetworkPolicy

Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
antrea-io · Nov 15, 2023 · 3a18e52 · 3a18e52
1 parent 4a52bca
commit 3a18e52
Show file tree

Hide file tree

Showing 41 changed files with 3,966 additions and 174 deletions.
diff --git a/build/charts/antrea/README.md b/build/charts/antrea/README.md
@@ -108,6 +108,80 @@ Kubernetes: `>= 1.16.0-0`
 | nodeIPAM.nodeCIDRMaskSizeIPv6 | int | `64` | Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. |
 | nodeIPAM.serviceCIDR | string | `""` | IPv4 CIDR ranges reserved for Services. |
 | nodeIPAM.serviceCIDRv6 | string | `""` | IPv6 CIDR ranges reserved for Services. |
+| nodeNetworkPolicy.privilegedEgressRules[0].comment | string | `"allow egress traffic to DNS port"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[0].ports[0] | int | `53` |  |
+| nodeNetworkPolicy.privilegedEgressRules[0].protocol | string | `"udp"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[10].comment | string | `"allow ICMPv6 echo-reply traffic"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[10].icmpType | int | `129` |  |
+| nodeNetworkPolicy.privilegedEgressRules[10].protocol | string | `"icmp6"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[11].comment | string | `"allow IPv6 Neighbor Solicitation traffic"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[11].icmpType | int | `135` |  |
+| nodeNetworkPolicy.privilegedEgressRules[11].protocol | string | `"icmp6"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[12].comment | string | `"allow IPv6 Neighbor Advertisement traffic"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[12].icmpType | int | `136` |  |
+| nodeNetworkPolicy.privilegedEgressRules[12].protocol | string | `"icmp6"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[1].comment | string | `"allow egress traffic to DNS port"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[1].ports[0] | int | `53` |  |
+| nodeNetworkPolicy.privilegedEgressRules[1].protocol | string | `"tcp"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[2].comment | string | `"allow egress traffic to HTTP/HTTPS port"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[2].ports[0] | int | `80` |  |
+| nodeNetworkPolicy.privilegedEgressRules[2].ports[1] | int | `443` |  |
+| nodeNetworkPolicy.privilegedEgressRules[2].protocol | string | `"tcp"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[3].comment | string | `"allow egress traffic to Kubernetes DNS metric"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[3].ports[0] | int | `9153` |  |
+| nodeNetworkPolicy.privilegedEgressRules[3].protocol | string | `"tcp"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[4].comment | string | `"allow egress traffic to Kubernetes ports"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[4].ports[0] | int | `6443` |  |
+| nodeNetworkPolicy.privilegedEgressRules[4].ports[1] | string | `"10248:10250"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[4].ports[2] | string | `"10256:10258"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[4].protocol | string | `"tcp"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[5].comment | string | `"allow egress traffic to Antrea ports"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[5].ports[0] | string | `"10348:10351"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[5].protocol | string | `"tcp"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[6].comment | string | `"allow egress traffic to Wireguard ports"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[6].ports[0] | string | `"51820:51821"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[6].protocol | string | `"udp"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[7].comment | string | `"allow ICMP echo-reply traffic"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[7].icmpType | int | `0` |  |
+| nodeNetworkPolicy.privilegedEgressRules[7].protocol | string | `"icmp"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[8].comment | string | `"allow ICMP echo-request traffic"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[8].icmpType | int | `8` |  |
+| nodeNetworkPolicy.privilegedEgressRules[8].protocol | string | `"icmp"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[9].comment | string | `"allow ICMPv6 echo-request traffic"` |  |
+| nodeNetworkPolicy.privilegedEgressRules[9].icmpType | int | `128` |  |
+| nodeNetworkPolicy.privilegedEgressRules[9].protocol | string | `"icmp6"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[0].comment | string | `"allow ingress traffic to SSH"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[0].ports[0] | int | `22` |  |
+| nodeNetworkPolicy.privilegedIngressRules[0].protocol | string | `"tcp"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[1].comment | string | `"allow ingress traffic to Kubernetes ports"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[1].ports[0] | int | `6443` |  |
+| nodeNetworkPolicy.privilegedIngressRules[1].ports[1] | string | `"10248:10250"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[1].ports[2] | string | `"10256:10258"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[1].protocol | string | `"tcp"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[2].comment | string | `"allow ingress traffic to Antrea ports"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[2].ports[0] | string | `"10348:10351"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[2].protocol | string | `"tcp"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[3].comment | string | `"allow ingress traffic to Wireguard ports"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[3].ports[0] | string | `"51820:51821"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[3].protocol | string | `"udp"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[4].comment | string | `"allow ICMP echo-reply traffic"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[4].icmpType | int | `0` |  |
+| nodeNetworkPolicy.privilegedIngressRules[4].protocol | string | `"icmp"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[5].comment | string | `"allow ICMP echo-request traffic"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[5].icmpType | int | `8` |  |
+| nodeNetworkPolicy.privilegedIngressRules[5].protocol | string | `"icmp"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[6].comment | string | `"allow ICMPv6 echo-request traffic"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[6].icmpType | int | `128` |  |
+| nodeNetworkPolicy.privilegedIngressRules[6].protocol | string | `"icmp6"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[7].comment | string | `"allow ICMPv6 echo-reply traffic"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[7].icmpType | int | `129` |  |
+| nodeNetworkPolicy.privilegedIngressRules[7].protocol | string | `"icmp6"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[8].comment | string | `"allow IPv6 Neighbor Solicitation traffic"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[8].icmpType | int | `135` |  |
+| nodeNetworkPolicy.privilegedIngressRules[8].protocol | string | `"icmp6"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[9].comment | string | `"allow IPv6 Neighbor Advertisement traffic"` |  |
+| nodeNetworkPolicy.privilegedIngressRules[9].icmpType | int | `136` |  |
+| nodeNetworkPolicy.privilegedIngressRules[9].protocol | string | `"icmp6"` |  |
 | nodePortLocal.enable | bool | `false` | Enable the NodePortLocal feature. |
 | nodePortLocal.portRange | string | `"61000-62000"` | Port range used by NodePortLocal when creating Pod port mappings. |
 | ovs.bridgeName | string | `"br-int"` | Name of the OVS bridge antrea-agent will create and use. |

diff --git a/build/charts/antrea/conf/antrea-agent.conf b/build/charts/antrea/conf/antrea-agent.conf
@@ -79,6 +79,9 @@ featureGates:
 # Enable Egress traffic shaping.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "EgressTrafficShaping" "default" false) }}
 
+# Enable users to protect their Kubernetes Node.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NodeNetworkPolicy" "default" false) }}
+
 # Name of the OpenVSwitch bridge antrea-agent will create and use.
 # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
 ovsBridge: {{ .Values.ovs.bridgeName | quote }}
@@ -431,3 +434,11 @@ secondaryNetwork:
 {{- end }}
 
 {{- end }}
+
+nodeNetworkPolicy:
+{{- with .Values.nodeNetworkPolicy }}
+  privilegedIngressRules:
+  {{- toYaml .privilegedIngressRules | trim | nindent 4 }}
+  privilegedEgressRules:
+  {{- toYaml .privilegedEgressRules | trim | nindent 4 }}
+{{- end }}
diff --git a/build/charts/antrea/conf/antrea-controller.conf b/build/charts/antrea/conf/antrea-controller.conf
@@ -54,6 +54,9 @@ featureGates:
 # set security postures for their clusters.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AdminNetworkPolicy" "default" false) }}
 
+# Enable users to protect their Kubernetes Node.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NodeNetworkPolicy" "default" false) }}
+
 # The port for the antrea-controller APIServer to serve on.
 # Note that if it's set to another value, the `containerPort` of the `api` port of the
 # `antrea-controller` container must be set to the same value.

diff --git a/build/charts/antrea/values.yaml b/build/charts/antrea/values.yaml
@@ -388,6 +388,97 @@ multicluster:
     # -- WireGuard tunnel port for cross-cluster traffic.
     port: 51821
 
+nodeNetworkPolicy:
+  # Configure nodeNetworkPolicy privileged ingress rules for Antrea Agent. They could be applied to both IPv4 and IPv6.
+  privilegedIngressRules:
+    - protocol: tcp
+      ports:
+      - 22
+      comment: "allow ingress traffic to SSH"
+    - protocol: tcp
+      ports:
+      - 6443
+      - 10248:10250
+      - 10256:10258
+      comment:  "allow ingress traffic to Kubernetes ports"
+    - protocol: tcp
+      ports:
+      - 10348:10351
+      comment:  "allow ingress traffic to Antrea ports"
+    - protocol: udp
+      ports:
+      - 51820:51821
+      comment: "allow ingress traffic to Wireguard ports"
+    - protocol: icmp
+      icmpType: 0
+      comment: "allow ICMP echo-reply traffic"
+    - protocol: icmp
+      icmpType: 8
+      comment: "allow ICMP echo-request traffic"
+    - protocol: icmp6
+      icmpType: 128
+      comment: "allow ICMPv6 echo-request traffic"
+    - protocol: icmp6
+      icmpType: 129
+      comment: "allow ICMPv6 echo-reply traffic"
+    - protocol: icmp6
+      icmpType: 135
+      comment: "allow IPv6 Neighbor Solicitation traffic"
+    - protocol: icmp6
+      icmpType: 136
+      comment: "allow IPv6 Neighbor Advertisement traffic"
+  # Configure nodeNetworkPolicy privileged egress rules for Antrea Agent. They could be applied to both IPv4 and IPv6.
+  privilegedEgressRules:
+    - protocol: udp
+      ports:
+      - 53
+      comment: "allow egress traffic to DNS port"
+    - protocol: tcp
+      ports:
+      - 53
+      comment: "allow egress traffic to DNS port"
+    - protocol: tcp
+      ports:
+        - 80
+        - 443
+      comment: "allow egress traffic to HTTP/HTTPS port"
+    - protocol: tcp
+      ports:
+        - 9153
+      comment: "allow egress traffic to Kubernetes DNS metric"
+    - protocol: tcp
+      ports:
+      - 6443
+      - 10248:10250
+      - 10256:10258
+      comment: "allow egress traffic to Kubernetes ports"
+    - protocol: tcp
+      ports:
+      - 10348:10351
+      comment: "allow egress traffic to Antrea ports"
+    - protocol: udp
+      ports:
+      - 51820:51821
+      comment: "allow egress traffic to Wireguard ports"
+    - protocol: icmp
+      icmpType: 0
+      comment: "allow ICMP echo-reply traffic"
+    - protocol: icmp
+      icmpType: 8
+      comment: "allow ICMP echo-request traffic"
+    - protocol: icmp6
+      icmpType: 128
+      comment: "allow ICMPv6 echo-request traffic"
+    - protocol: icmp6
+      icmpType: 129
+      comment: "allow ICMPv6 echo-reply traffic"
+    - protocol: icmp6
+      icmpType: 135
+      comment: "allow IPv6 Neighbor Solicitation traffic"
+    - protocol: icmp6
+      icmpType: 136
+      comment: "allow IPv6 Neighbor Advertisement traffic"
+
 testing:
   # -- Enable code coverage measurement (used when testing Antrea only).
   coverage: false

diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -5574,6 +5574,9 @@ data:
     # Enable Egress traffic shaping.
     #  EgressTrafficShaping: false
 
+    # Enable users to protect their Kubernetes Node.
+    #  NodeNetworkPolicy: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -5882,6 +5885,95 @@ data:
       maxAge: 28
       # Compress enables gzip compression on rotated files.
       compress: true
+
+    nodeNetworkPolicy:
+      privilegedIngressRules:
+      - comment: allow ingress traffic to SSH
+        ports:
+        - 22
+        protocol: tcp
+      - comment: allow ingress traffic to Kubernetes ports
+        ports:
+        - 6443
+        - 10248:10250
+        - 10256:10258
+        protocol: tcp
+      - comment: allow ingress traffic to Antrea ports
+        ports:
+        - 10348:10351
+        protocol: tcp
+      - comment: allow ingress traffic to Wireguard ports
+        ports:
+        - 51820:51821
+        protocol: udp
+      - comment: allow ICMP echo-reply traffic
+        icmpType: 0
+        protocol: icmp
+      - comment: allow ICMP echo-request traffic
+        icmpType: 8
+        protocol: icmp
+      - comment: allow ICMPv6 echo-request traffic
+        icmpType: 128
+        protocol: icmp6
+      - comment: allow ICMPv6 echo-reply traffic
+        icmpType: 129
+        protocol: icmp6
+      - comment: allow IPv6 Neighbor Solicitation traffic
+        icmpType: 135
+        protocol: icmp6
+      - comment: allow IPv6 Neighbor Advertisement traffic
+        icmpType: 136
+        protocol: icmp6
+      privilegedEgressRules:
+      - comment: allow egress traffic to DNS port
+        ports:
+        - 53
+        protocol: udp
+      - comment: allow egress traffic to DNS port
+        ports:
+        - 53
+        protocol: tcp
+      - comment: allow egress traffic to HTTP/HTTPS port
+        ports:
+        - 80
+        - 443
+        protocol: tcp
+      - comment: allow egress traffic to Kubernetes DNS metric
+        ports:
+        - 9153
+        protocol: tcp
+      - comment: allow egress traffic to Kubernetes ports
+        ports:
+        - 6443
+        - 10248:10250
+        - 10256:10258
+        protocol: tcp
+      - comment: allow egress traffic to Antrea ports
+        ports:
+        - 10348:10351
+        protocol: tcp
+      - comment: allow egress traffic to Wireguard ports
+        ports:
+        - 51820:51821
+        protocol: udp
+      - comment: allow ICMP echo-reply traffic
+        icmpType: 0
+        protocol: icmp
+      - comment: allow ICMP echo-request traffic
+        icmpType: 8
+        protocol: icmp
+      - comment: allow ICMPv6 echo-request traffic
+        icmpType: 128
+        protocol: icmp6
+      - comment: allow ICMPv6 echo-reply traffic
+        icmpType: 129
+        protocol: icmp6
+      - comment: allow IPv6 Neighbor Solicitation traffic
+        icmpType: 135
+        protocol: icmp6
+      - comment: allow IPv6 Neighbor Advertisement traffic
+        icmpType: 136
+        protocol: icmp6
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -5962,6 +6054,9 @@ data:
     # set security postures for their clusters.
     #  AdminNetworkPolicy: false
 
+    # Enable users to protect their Kubernetes Node.
+    #  NodeNetworkPolicy: false
+
     # The port for the antrea-controller APIServer to serve on.
     # Note that if it's set to another value, the `containerPort` of the `api` port of the
     # `antrea-controller` container must be set to the same value.
@@ -6866,7 +6961,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e59e0431902646d46cba490279184fea2bdd3c8b486b5a7b1d3ece9a91614634
+        checksum/config: 62084808ac873d0c0d719e5254ec35c6612d7b9780972b39a508d7cc3f4245c0
       labels:
         app: antrea
         component: antrea-agent
@@ -7107,7 +7202,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e59e0431902646d46cba490279184fea2bdd3c8b486b5a7b1d3ece9a91614634
+        checksum/config: 62084808ac873d0c0d719e5254ec35c6612d7b9780972b39a508d7cc3f4245c0
       labels:
         app: antrea
         component: antrea-controller