crowdsec: roll firewall-bouncer cluster-wide (remove node2 validation pin)

One-node validation on k8s-node2 passed: kernel nftables sets created in both input and forward chains (policy accept), ~31k decisions loaded, a known banned scanner confirmed in the drop set, pod stable 4h+ with no collateral. Remove the nodeSelector so the DaemonSet runs on every node — direct-host enforcement now survives a MetalLB VIP failover to any worker.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

parent 4f1c998468
commit c92590ae85
1 changed file with 12 additions and 16 deletions
|
|
@ -30,10 +30,10 @@
|
||||||
# Source: https://github.com/crowdsecurity/cs-firewall-bouncer
|
# Source: https://github.com/crowdsecurity/cs-firewall-bouncer
|
||||||
# https://docs.crowdsec.net/u/bouncers/firewall/
|
# https://docs.crowdsec.net/u/bouncers/firewall/
|
||||||
#
|
#
|
||||||
# nodeSelector pins this to ONE node (k8s-node2, which runs a Traefik pod) for first validation.
|
# Runs cluster-wide (no nodeSelector): the DaemonSet schedules on every untainted
|
||||||
# !!! REMOVING THE nodeSelector ROLLS THIS DAEMONSET CLUSTER-WIDE !!!
|
# node, covering all MetalLB-VIP-eligible workers so direct-host enforcement
|
||||||
# Do that ONLY after the one-node validation checklist passes (see commit/PR).
|
# survives a Traefik VIP failover to any node. One-node validation on k8s-node2
|
||||||
# Validating on k8s-node2 (single node) before removing the nodeSelector to roll cluster-wide.
|
# is complete (see the note in the pod spec below).
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
# Pin a specific stable release. Bump deliberately (re-validate on one node first).
|
# Pin a specific stable release. Bump deliberately (re-validate on one node first).
|
||||||
|
|
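Review bot: the new header comment equates "every untainted node" with "all MetalLB-VIP-eligible workers", but nothing in this hunk shows tolerations, so any tainted node that MetalLB can still announce the VIP from (a control-plane node, for example) will have no bouncer pod and no host-level enforcement. Either confirm the VIP pool is restricted to untainted workers or add the tolerations and say so here. The old comment also pointed at the validation checklist ("see commit/PR"); since the release-pin comment still says "re-validate on one node first", keep a pointer to where that checklist lives so a future version bump can repeat the one-node procedure (for instance, by re-adding the hostname nodeSelector temporarily).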
@ -135,18 +135,14 @@ resource "kubernetes_daemon_set_v1" "firewall_bouncer" {
|
||||||
host_network = true
|
host_network = true
|
||||||
dns_policy = "ClusterFirstWithHostNet"
|
dns_policy = "ClusterFirstWithHostNet"
|
||||||
|
|
||||||
# ---- FIRST-VALIDATION PIN ----------------------------------------------
|
# ---- CLUSTER-WIDE (validation passed) ----------------------------------
|
||||||
# Pinned to a SINGLE node so a mistake in the nftables rules can only
|
# One-node validation on k8s-node2 passed: kernel nftables sets were
|
||||||
# affect one node. k8s-node2 is chosen because it currently runs a Traefik
|
# created in BOTH the input and forward chains (policy accept), ~31k
|
||||||
# pod — required to validate the `forward`-hook drop on DNAT'd LoadBalancer
|
# decisions loaded, a known banned scanner confirmed in the drop set, and
|
||||||
# traffic (under ETP=Local a node with no Traefik pod never sees that path,
|
# the pod stayed stable 4h+ with no collateral. The nodeSelector is now
|
||||||
# so the validation would be meaningless there).
|
# removed so the DaemonSet runs on every (untainted) node — covering all
|
||||||
# REMOVE this nodeSelector to roll the bouncer to EVERY node (the normal
|
# MetalLB-VIP-eligible workers, so direct-host enforcement survives a
|
||||||
# end state for a firewall bouncer) — but ONLY after the one-node
|
# Traefik VIP failover to any node.
|
||||||
# validation checklist passes.
|
|
||||||
node_selector = {
|
|
||||||
"kubernetes.io/hostname" = "k8s-node2"
|
|
||||||
}
|
|
||||||
# ------------------------------------------------------------------------
|
# ------------------------------------------------------------------------
|
||||||
|
|
||||||
# initContainer fetches + extracts the pinned release binary into the
|
# initContainer fetches + extracts the pinned release binary into the
|
||||||
|
|
|
||||||
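Review bot: the replacement comment drops the one operationally important caveat from the old block, namely that under ETP=Local a node with no Traefik pod never sees the DNAT'd LoadBalancer path, so the `forward`-hook drop was only ever exercised on k8s-node2. Rolling cluster-wide means nodes without a Traefik pod will load the same nftables sets but the forward-chain rule is untested there until a VIP failover lands on them; keep a one-line note to that effect and add a post-rollout check that each node reports both the input and forward sets populated rather than relying on the node2 result. The long validation narrative (~31k decisions, 4h+, the banned scanner) already lives in the commit message and will go stale in the manifest; a short "validated on node2, see commit c92590ae85" would suffice.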