[feature] DenyDefaultLoadBalancerSourceRanges #15

Open
elithrar opened this issue Aug 3, 2019 · 0 comments


elithrar commented Aug 3, 2019

The README now has an example for a DenyDefaultLoadBalancerSourceRanges that denies implicitly set loadBalancerSourceRanges fields, e.g.:

// Imports and helpers the snippet relies on (fmt, the admission and core API
// types, the runtime deserializer, and the package's own AdmitFunc and
// newDefaultDenyResponse from admit.go), so the example builds as shown.
import (
    "fmt"

    admission "k8s.io/api/admission/v1beta1"
    core "k8s.io/api/core/v1"
    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    "k8s.io/apimachinery/pkg/runtime"
    "k8s.io/apimachinery/pkg/runtime/serializer"
)

// AdmitFunc is the package's admission-decision type (admit.go).
type AdmitFunc func(reviewRequest *admission.AdmissionReview) (*admission.AdmissionResponse, error)

// newDefaultDenyResponse is the package helper that returns a deny-by-default
// response with a non-nil Result, so Result.Message can be set safely.
func newDefaultDenyResponse() *admission.AdmissionResponse {
    return &admission.AdmissionResponse{Allowed: false, Result: &metav1.Status{}}
}

// DenyDefaultLoadBalancerSourceRanges denies any kind: Service of type:
// LoadBalancer that does not explicitly set .spec.loadBalancerSourceRanges,
// which defaults to 0.0.0.0/0 (i.e. Internet traffic, if routable).
//
// This prevents LoadBalancers from being accidentally exposed to the Internet.
func DenyDefaultLoadBalancerSourceRanges() AdmitFunc {
    // Return a function of type AdmitFunc
    return func(admissionReview *admission.AdmissionReview) (*admission.AdmissionResponse, error) {
        kind := admissionReview.Request.Kind.Kind
        // Create an *admission.AdmissionResponse that denies by default.
        resp := newDefaultDenyResponse()

        // Create an object to deserialize the request's object into.
        // An empty scheme is enough here: the JSON serializer falls back to a
        // plain unmarshal into the provided (unregistered) type.
        service := core.Service{}
        deserializer := serializer.NewCodecFactory(runtime.NewScheme()).UniversalDeserializer()
        if _, _, err := deserializer.Decode(admissionReview.Request.Object.Raw, nil, &service); err != nil {
          return nil, err
        }

        // Allow non-LoadBalancer Services to pass through.
        if service.Spec.Type != core.ServiceTypeLoadBalancer {
          resp.Allowed = true
          resp.Result.Message = fmt.Sprintf(
            "received a non-LoadBalancer type (%s) for kind %s",
            service.Spec.Type, kind,
          )
          return resp, nil
        }

        // Inspect the service.Spec.LoadBalancerSourceRanges field. If unset, reject it.
        // Returning an error from an AdmitFunc automatically denies admission of the request's object.
        if service.Spec.LoadBalancerSourceRanges == nil {
          return resp, fmt.Errorf("%s of type LoadBalancer without explicitly configured LoadBalancerSourceRanges is not allowed", kind)
        }

        // Set resp.Allowed to true before returning your AdmissionResponse.
        resp.Allowed = true
        return resp, nil
    }
}

We should provide a real version of this, and consider:

  • supporting the ability to outright deny the 0.0.0.0/0 range
  • rejecting cases where the user did not provide explicit ranges - which allows 0.0.0.0/0 as per the docs

Possible API:

func DenyDefaultLoadBalancerSourceRanges(allowExplicitZeroRoutes bool) AdmitFunc {

Note: If .spec.loadBalancerSourceRanges is not set, Kubernetes allows traffic from 0.0.0.0/0 to the Node Security Group(s). If nodes have public IP addresses, be aware that non-NLB traffic can also reach all instances in those modified security groups.

Docs:
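
A stand-alone sketch of the API proposed above, added here as an illustration and not code from the admission-control project: it takes the allowExplicitZeroRoutes flag from the comment, rejects a LoadBalancer Service whose .spec.loadBalancerSourceRanges is missing or empty, and, unless the flag is set, rejects any explicit zero-length prefix such as 0.0.0.0/0 or ::/0. To run on the Go standard library alone it models only the fields the policy reads with hand-rolled types whose names mirror the Kubernetes ones; those types, the coversEverything and newServiceReview helpers, and the sample Services are all assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Stand-ins for the Kubernetes admission and core types (assumption: only the
// fields this policy reads are modelled; a real webhook uses k8s.io/api types).
type AdmissionRequest struct {
	Kind   struct{ Kind string `json:"kind"` } `json:"kind"`
	Object json.RawMessage `json:"object"`
}
type AdmissionReview struct{ Request *AdmissionRequest `json:"request"` }
type AdmissionResponse struct{ Allowed bool; Message string }
type AdmitFunc func(*AdmissionReview) (*AdmissionResponse, error)

// serviceSpec carries the two Service fields the policy inspects.
type serviceSpec struct {
	Spec struct {
		Type                     string   `json:"type"`
		LoadBalancerSourceRanges []string `json:"loadBalancerSourceRanges"`
	} `json:"spec"`
}

// coversEverything reports whether a parsed CIDR has a zero-length prefix
// (0.0.0.0/0, ::/0, or a sloppy "10.0.0.0/0" that normalises to one).
func coversEverything(ipnet *net.IPNet) bool {
	ones, _ := ipnet.Mask.Size()
	return ones == 0
}

// DenyDefaultLoadBalancerSourceRanges rejects LoadBalancer Services whose
// .spec.loadBalancerSourceRanges is unset or empty (both mean 0.0.0.0/0) and,
// unless allowExplicitZeroRoutes is true, any explicit all-traffic range.
// As with the project's AdmitFunc, a non-nil error denies admission.
func DenyDefaultLoadBalancerSourceRanges(allowExplicitZeroRoutes bool) AdmitFunc {
	return func(review *AdmissionReview) (*AdmissionResponse, error) {
		if review == nil || review.Request == nil {
			return nil, errors.New("admission review carries no request")
		}
		req, resp := review.Request, &AdmissionResponse{Allowed: false}
		// Only Services are in scope; pass everything else through untouched.
		if req.Kind.Kind != "Service" {
			resp.Allowed, resp.Message = true, fmt.Sprintf("ignoring kind %q", req.Kind.Kind)
			return resp, nil
		}
		var svc serviceSpec
		if err := json.Unmarshal(req.Object, &svc); err != nil {
			return nil, fmt.Errorf("decoding Service: %w", err)
		}
		if svc.Spec.Type != "LoadBalancer" {
			resp.Allowed, resp.Message = true, fmt.Sprintf("received a non-LoadBalancer type (%s)", svc.Spec.Type)
			return resp, nil
		}
		// len()==0 catches a missing field (nil) and an explicit empty list alike;
		// a nil check alone waves "loadBalancerSourceRanges: []" through.
		ranges := svc.Spec.LoadBalancerSourceRanges
		if len(ranges) == 0 {
			return resp, errors.New("LoadBalancer Services must set .spec.loadBalancerSourceRanges explicitly (unset or empty means 0.0.0.0/0)")
		}
		for _, r := range ranges {
			_, ipnet, err := net.ParseCIDR(strings.TrimSpace(r))
			if err != nil {
				return resp, fmt.Errorf("invalid CIDR %q in .spec.loadBalancerSourceRanges: %w", r, err)
			}
			if coversEverything(ipnet) && !allowExplicitZeroRoutes {
				return resp, fmt.Errorf("range %q in .spec.loadBalancerSourceRanges admits all traffic", r)
			}
		}
		resp.Allowed, resp.Message = true, "LoadBalancer limited to "+strings.Join(ranges, ", ")
		return resp, nil
	}
}

// newServiceReview wraps a Service JSON document in a kind: Service AdmissionReview.
func newServiceReview(serviceJSON string) *AdmissionReview {
	req := &AdmissionRequest{Object: json.RawMessage(serviceJSON)}
	req.Kind.Kind = "Service"
	return &AdmissionReview{Request: req}
}

func main() {
	strict := DenyDefaultLoadBalancerSourceRanges(false)
	// Constructed samples: unset ranges, an explicit 0.0.0.0/0, and a narrow allow-list.
	for _, s := range []string{
		`{"spec":{"type":"LoadBalancer"}}`,
		`{"spec":{"type":"LoadBalancer","loadBalancerSourceRanges":["0.0.0.0/0"]}}`,
		`{"spec":{"type":"LoadBalancer","loadBalancerSourceRanges":["10.0.0.0/8","203.0.113.0/24"]}}`,
	} {
		resp, err := strict(newServiceReview(s))
		fmt.Println(resp != nil && resp.Allowed, err)
	}
}
```

Two caveats worth carrying into a real version: the in-tree cloud providers treat an explicitly empty list the same as an unset field (all traffic), which is why the check is on len() rather than nil; and when the field is empty they also consult the legacy annotation service.beta.kubernetes.io/load-balancer-source-ranges, so a production check should read both the field and the annotation before deciding the Service is unrestricted.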

@elithrar elithrar added the enhancement New feature or request label Aug 3, 2019
@elithrar elithrar added this to the v1 🚧 milestone Aug 3, 2019
@elithrar elithrar self-assigned this Aug 3, 2019
@elithrar elithrar pinned this issue Aug 3, 2019
@elithrar elithrar unpinned this issue Aug 3, 2019