williamcaban renamed this gist
Apr 5, 2024 . 1 changed file with 0 additions and 0 deletions.There are no files selected for viewing
File renamed without changes. - 
        
williamcaban created this gist
Apr 5, 2024 .There are no files selected for viewing
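--- /dev/null
+++ b/[gist file path not shown on page]
@@ -0,0 +1,51 @@
+---
+apiVersion: ingressnodefirewall.openshift.io/v1alpha1
+kind: IngressNodeFirewallConfig
+metadata:
+  name: ingressnodefirewallconfig
+  namespace: openshift-ingress-node-firewall
+spec:
+  nodeSelector:
+    node-role.kubernetes.io/control-plane: ""
+---
+# allow full access from jump host and cluster itself
+apiVersion: ingressnodefirewall.openshift.io/v1alpha1
+kind: IngressNodeFirewall
+metadata:
+  name: api-access-from-jumphost
+spec:
+  interfaces:
+  - br-ex
+  nodeSelector:
+    matchLabels:
+      node-role.kubernetes.io/control-plane: ""
+  ingress:
+  - sourceCIDRs:
+    - 192.168.1.130/32 # IP or network of jumphost
+    - 169.254.0.0/16 # link-local network (special use)
+    - 172.30.0.0/16 # services network
+    - 10.128.0.0/14 # cluster network
+    - 192.168.1.30/32 # (control plane node 1)
+    - 192.168.1.31/32 # (control plane node 2)
+    - 192.168.1.32/32 # (control plane node 3)
+    rules:
+    - action: Allow
+      order: 10
+  # allow access ONLY to the ingress for anyone else
+  - sourceCIDRs:
+    - 0.0.0.0/0
+    rules:
+    - action: Allow
+      order: 20
+      protocolConfig: # allow http access to ingress
+        protocol: TCP
+        tcp:
+          ports: 80
+    - action: Allow
+      order: 30 # allow https access to ingress
+      protocolConfig:
+        protocol: TCP
+        tcp:
+          ports: 443
+    - action: Deny
+      order: 40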
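Review bot: The catch-all `action: Deny` at `order: 40` under `sourceCIDRs: 0.0.0.0/0` drops every protocol and port on `br-ex` of the control-plane nodes — including the API endpoint, SSH and ICMP — for any source not enumerated in the first ingress entry, and that entry lists only the jump host, the cluster/service/link-local networks and three control-plane `/32`s. If this cluster has worker nodes on the node network, their host-level traffic to the control plane (kubelet to API, for example) would not be covered by any allow rule and would presumably be denied, so the first entry's CIDRs should be checked against the real node addressing before this is applied. The same applies to any IPv6 traffic, which none of these IPv4-only CIDRs match; what the firewall does with unmatched traffic is not visible here and is worth confirming. The `order: 10` rule has no `protocolConfig`, which is what makes it a full-access allow; a comment such as `# no protocolConfig: allows every protocol and port from these sources` above it would make that intent explicit, and a matching `# no protocolConfig: drops everything else, including ICMP and the API port` above the deny rule would document the blast radius.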