failsafeInboundHostPorts not parsable as []v3.ProtoPort #9886

Open
bebehei opened this issue Feb 22, 2025 · 0 comments

Comments


bebehei commented Feb 22, 2025

I'm currently struggling to set up my K8s cluster while applying firewall configuration.

Expected Behavior

failsafeInboundHostPorts is controllable in the default config.

Current Behavior

root@k8s-controlplane-1:~# kubectl calico apply -f felix-config.yaml 
Failed to execute command: error parsing document: cannot parse string '' into field FelixConfigurationSpec.failsafeInboundHostPorts of type []v3.ProtoPort
root@k8s-controlplane-1:~# 

Possible Solution

unknown

Steps to Reproduce (for bugs)

Initial installation of my cluster on the first control plane node:

#!/usr/bin/env bash

CALICO_VERSION=v3.29.2

set -ex

kubeadm init [...]

cat > values.yaml <<-EOF
defaultFelixConfiguration:
  enabled: true
  wireguardEnabled: true
  wireguardEnabledV6: true
EOF

kubectl create namespace tigera-operator
helm repo add projectcalico https://docs.tigera.io/calico/charts
# --install: this is a fresh cluster, so the release does not exist yet; the chart version follows CALICO_VERSION
helm upgrade --install calico projectcalico/tigera-operator --version "${CALICO_VERSION}" -f values.yaml --namespace tigera-operator

sudo curl -L "https://github.com/projectcalico/calico/releases/download/${CALICO_VERSION}/calicoctl-linux-amd64" -o /usr/local/bin/kubectl-calico
sudo chmod +x /usr/local/bin/kubectl-calico

After that, I try to update the Felix configuration, especially to disable port 22.

However, any value I tested in FailsafeInboundHostPorts fails with the same error message:

# felix-config.yaml is produced by: `kubectl calico get FelixConfiguration default -o yaml > felix-config.yaml` and then manually stripped.

$> cat > felix-config.yaml <<EOF
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  bpfConnectTimeLoadBalancing: TCP
  bpfEnabled: false
  bpfHostNetworkedNATWithoutCTLB: Enabled
  bpfLogLevel: ""
  floatingIPs: Disabled
  healthPort: 9099
  logSeverityScreen: Info
  nftablesMode: Disabled
  reportingInterval: 0s
  vxlanVNI: 4096
  wireguardEnabled: true
  wireguardEnabledV6: true
  FailsafeInboundHostPorts: ""
EOF
$> kubectl calico apply -f felix-config.yaml
Failed to execute command: error parsing document: cannot parse string '' into field FelixConfigurationSpec.failsafeInboundHostPorts of type []v3.ProtoPort

Tested the following strings:

  • tcp:<vpn-ip>/32:22,tcp:<vpn-ip>/32:22,udp:68,tcp:179,tcp:2379,tcp:2380,tcp:5473,tcp:6443,tcp:6666,tcp:6667
    • vpn-ip was actually replaced by the correct CIDR
  • tcp:22
  • 22:tcp
  • 17:22
  • 22:17
  • tcp:22,udp:68,tcp:179,tcp:2379,tcp:2380,tcp:5473,tcp:6443,tcp:6666,tcp:6667
    • This is the documented default.

Context

I'm trying to implement a firewall on the K8s-Workers to filter out any other host traffic. All traffic is running over public IP space. Therefore at least port 22 shall be blocked.

My K8s hosts are all inside public networks, so I need to restrict the traffic. They're interconnected via WireGuard.

Your Environment

  • Calico version: Helm chart tagged to --version v3.29.2
  • Calico dataplane: iptables v1.8.10 (nf_tables)
  • Orchestrator version (e.g. kubernetes, mesos, rkt): kubernetes v1.32.2 commit 67a30c0adcf52bd3f56ff0893ce19966be12991f
  • Operating System and version: Ubuntu 24.04
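An added example, not from the issue or from Calico's own code: the error names the field type `[]v3.ProtoPort`, i.e. a list of objects rather than a string, so every comma-separated string above is rejected regardless of its content. The converter below turns the string form the reporter tried (assumed to be Felix's environment-variable style `proto:port` or `proto:cidr:port`) into that list form, using the `protocol`, `port` and optional `net` keys assumed from the v3 ProtoPort type, and rejects the empty string and the `<vpn-ip>` placeholder from the issue; mapping `none` to an empty list is also an assumption.

```python
import ipaddress

# Assumed string format (Felix env-var style): comma-separated "proto:port" or
# "proto:cidr:port". The v3 API field failsafeInboundHostPorts instead expects
# a list of objects with protocol/port and optional net keys (assumed from the
# ProtoPort type named in the error "of type []v3.ProtoPort").

def parse_proto_port(item: str) -> dict:
    """Parse one 'proto:port' or 'proto:net:port' entry into a ProtoPort dict."""
    parts = item.strip().split(":")
    if len(parts) == 2:
        proto, net, port = parts[0], None, parts[1]
    elif len(parts) == 3:
        proto, net, port = parts
    else:
        raise ValueError(f"expected proto:port or proto:net:port, got {item!r}")
    proto = proto.upper()
    if proto not in ("TCP", "UDP"):  # rejects reversed forms such as '22:tcp' or '17:22'
        raise ValueError(f"protocol must be tcp or udp, got {parts[0]!r}")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"port must be 1-65535, got {port!r}")
    entry = {"protocol": proto, "port": int(port)}
    if net is not None:
        # Normalises the CIDR; a placeholder like '<vpn-ip>/32' raises ValueError here.
        entry["net"] = str(ipaddress.ip_network(net, strict=False))
    return entry

def to_api_list(value: str) -> list:
    """Convert the whole string into the list the API field expects."""
    value = value.strip()
    if value == "":
        raise ValueError("empty string is not a ProtoPort list; use [] in the spec instead")
    if value.lower() == "none":  # assumption: 'none' means no failsafe ports at all
        return []
    return [parse_proto_port(p) for p in value.split(",") if p.strip()]

def to_yaml(entries: list) -> str:
    """Render the entries as the spec.failsafeInboundHostPorts block (no PyYAML needed)."""
    if not entries:
        return "  failsafeInboundHostPorts: []\n"
    lines = ["  failsafeInboundHostPorts:"]
    for e in entries:
        lines.append(f"    - protocol: {e['protocol']}")
        lines.append(f"      port: {e['port']}")
        if "net" in e:
            lines.append(f"      net: {e['net']}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample: the documented default list, plus an SSH entry limited to one CIDR.
    print(to_yaml(to_api_list("tcp:10.8.0.5/32:22,udp:68,tcp:179,tcp:2379,tcp:2380,tcp:5473,tcp:6443,tcp:6666,tcp:6667")))
```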