mirrors/talos
1
0
Fork 0
mirror of https://github.com/siderolabs/talos.git synced 2025-08-08 07:37:06 +02:00
Code Issues Packages Projects Releases Wiki Activity
5,301 Commits 28 Branches 524 Tags 118 MiB
a3f88d2ef5
Commit Graph

4 Commits

Author SHA1 Message Date
Andrey Smirnov
a3f88d2ef5
fix: block NodePort services with ingress firewall 
The previous fix #10354 was not full/complete.

The problem lies in the fact that `kube-proxy` creates a rule like:

```
chain nat-prerouting {
	type nat hook prerouting priority dstnat; policy accept;
	jump services
}
```

This chain has a prerouting hook, which gets executed before Talos's
input hook, and rewrites (does DNAT) for NodePort services before Talos
has a chance to block the packet, but rewritten packet hits the input
chain with DNAT address, or might be forwarded to another host and never
hit the firewall again.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
 2025-02-28 19:56:52 +04:00
Dmitriy Matrenichev
19f15a840c
chore: bump golangci-lint to 1.57.0 
Fix all discovered issues.

Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
 2024-03-21 01:06:53 +03:00
Dmitriy Matrenichev
fa3b933705
chore: replace fmt.Errorf with errors.New where possible 
This time use `eg` from `x/tools` repo tool to do this.

Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
 2024-02-14 17:39:30 +03:00
Andrey Smirnov
36c8ddb5e1
feat: implement ingress firewall rules 
Fixes #4421

See documentation for details on how to use the feature.

With `talosctl cluster create`, firewall can be easily test with
`--with-firewall=accept|block` (default mode).

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
 2023-11-30 22:58:16 +04:00