I installed a vanilla OpenShift 3.11 cluster last week, and I have already run into two security-related problems (the servers have only one publicly reachable network interface): dnsmasq was used for DDoS reflection/amplification attacks, and so was the portmapper service.
OpenShift does set up iptables rules to make the cluster work, and I trusted those rules to keep the cluster itself secure, but these two problems proved me wrong.
I solved the two problems by firewalling access to ports 53 and 111 and allowing all access between the nodes in the cluster, but I'm not sure that is enough.
Do you have any best practices/rules to add to secure an OpenShift cluster, and since the iptables rules are set up by OpenShift itself, should I be editing the iptables rules at all?
So far this is the output of iptables -L on my master-etc node. Honestly, I find these rules a bit permissive, but since I'm not an iptables and OpenShift pro I'm not sure whether that is OK.
Chain INPUT (policy ACCEPT)
target prot opt source destination
KUBE-NODEPORT-NON-LOCAL all -- anywhere anywhere /* Ensure that non-local NodePort traffic can flow */
KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
OPENSHIFT-FIREWALL-ALLOW all -- anywhere anywhere /* firewall overrides */
KUBE-FIREWALL all -- anywhere anywhere
ACCEPT all -- node2.domain.com anywhere
ACCEPT all -- node1.domain.com anywhere
ACCEPT all -- master.domain.com anywhere
OS_FIREWALL_ALLOW all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
KUBE-FORWARD all -- anywhere anywhere /* kubernetes forwarding rules */
OPENSHIFT-ADMIN-OUTPUT-RULES all -- anywhere anywhere /* administrator overrides */
OPENSHIFT-FIREWALL-FORWARD all -- anywhere anywhere /* firewall overrides */
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */
KUBE-FIREWALL all -- anywhere anywhere
ACCEPT all -- anywhere node2.domain.com
ACCEPT all -- anywhere node1.domain.com
ACCEPT all -- anywhere master.domain.com
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain KUBE-EXTERNAL-SERVICES (1 references)
target prot opt source destination
Chain KUBE-FIREWALL (2 references)
target prot opt source destination
DROP all -- anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
Chain KUBE-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* kubernetes forwarding rules */ mark match 0x1/0x1
ACCEPT all -- 10.128.0.0/14 anywhere /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere 10.128.0.0/14 /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED
Chain KUBE-NODEPORT-NON-LOCAL (1 references)
target prot opt source destination
Chain KUBE-SERVICES (1 references)
target prot opt source destination
REJECT tcp -- anywhere 172.30.188.158 /* openshift-ansible-service-broker/asb:port-1337 has no endpoints */ tcp dpt:menandmice-dns reject-with icmp-port-unreachable
REJECT tcp -- anywhere 172.30.188.158 /* openshift-ansible-service-broker/asb:port-1338 has no endpoints */ tcp dpt:wmc-log-svc reject-with icmp-port-unreachable
Chain OPENSHIFT-ADMIN-OUTPUT-RULES (1 references)
target prot opt source destination
Chain OPENSHIFT-FIREWALL-ALLOW (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:4789 /* VXLAN incoming */
ACCEPT all -- anywhere anywhere /* from SDN to localhost */
ACCEPT all -- anywhere anywhere /* from docker to localhost */
Chain OPENSHIFT-FIREWALL-FORWARD (1 references)
target prot opt source destination
DROP all -- 10.128.0.0/14 anywhere /* attempted resend after connection close */ ctstate INVALID
ACCEPT all -- anywhere 10.128.0.0/14 /* forward traffic from SDN */
ACCEPT all -- 10.128.0.0/14 anywhere /* forward traffic to SDN */
Chain OS_FIREWALL_ALLOW (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:10250
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:10256
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT udp -- anywhere anywhere state NEW udp dpt:4789
ACCEPT tcp -- anywhere anywhere state NEW tcp dpts:cslistener:ndmp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:jetcmeserver
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:2379
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:2380
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:senomix02
ACCEPT udp -- anywhere anywhere state NEW udp dpt:senomix02
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:EtherNet/IP-1
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:24007
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:24008
ACCEPT tcp -- anywhere anywhere state NEW tcp dpts:49152:49251
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:24010
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:iscsi-target
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sunrpc
On startup I will change the default INPUT policy on all compute nodes (node1 and node2) to DROP.
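As an added audit example (not from the post or from OpenShift), this script parses `iptables -L` output like the listing above and reports two things a defender would check first: an INPUT chain whose policy is ACCEPT with no terminal DROP/REJECT rule (in which case the OS_FIREWALL_ALLOW allow-list cannot deny anything), and ACCEPT rules from any source on the reflection-prone DNS and portmapper ports. The sample listing embedded below is a constructed, abridged copy of the output in the post.

```python
import re

# Constructed sample: an abridged copy of the `iptables -L` listing in the post above.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- node2.domain.com anywhere
OS_FIREWALL_ALLOW all -- anywhere anywhere
Chain OS_FIREWALL_ALLOW (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW tcp dpts:49152:49251
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sunrpc
"""
# Services abused for reflection in the post: DNS (53/domain) and portmapper (111/sunrpc).
# `iptables -L` without -n prints /etc/services names, so both spellings are listed.
REFLECTION_PORTS = {"53", "domain", "111", "sunrpc"}
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")

def parse_iptables_l(text):
    """Parse `iptables -L` output into {chain: {"policy": str|None, "rules": [dict]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        parts = line.split(None, 5)  # target prot opt source destination [options]
        if current is None or len(parts) < 5 or parts[0] == "target":
            continue  # skip column headers and blank lines
        chains[current]["rules"].append({"target": parts[0], "prot": parts[1],
            "source": parts[3], "opts": parts[5] if len(parts) > 5 else ""})
    return chains

def dports(opts):
    """Destination port(s) from the options column: dpt:sunrpc or dpts:49152:49251."""
    m = re.search(r"dpts?:(\S+)", opts)
    return m.group(1).split(":") if m else []

def audit(text):
    """Flag an INPUT chain that cannot deny anything, plus ACCEPT-from-anywhere rules on reflection ports."""
    chains, findings = parse_iptables_l(text), []
    inp = chains.get("INPUT", {"policy": None, "rules": []})
    last = inp["rules"][-1]["target"] if inp["rules"] else None
    if inp["policy"] == "ACCEPT" and last not in ("DROP", "REJECT"):
        findings.append("INPUT: policy ACCEPT with no terminal DROP/REJECT; allow rules are moot")
    for name, chain in chains.items():
        for r in chain["rules"]:
            if r["target"] == "ACCEPT" and r["source"] == "anywhere":
                for p in dports(r["opts"]):
                    if p in REFLECTION_PORTS:
                        findings.append(f"{name}: {r['prot']} port {p} accepted from any source")
    return findings
```

Run it against the real listing with `audit(open("iptables.txt").read())`; on the post's output it reports both the ACCEPT-policy INPUT chain and the sunrpc (111) rule open to any source.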