I installed an OpenShift Origin 3.11 cluster last week and I have already encountered 2 security-related issues. (The servers only have 1 publicly accessible network interface.) Dnsmasq was being used to conduct DDoS reflection/amplification attacks, and so was the portmapper service.
OpenShift does set up iptables rules to make the cluster work, and I thought these rules assured the security of the cluster itself, but these 2 issues proved me wrong.
I resolved these 2 issues by firewalling access to ports 53 and 111 and granting all access between nodes in the cluster, but I'm not sure if this is enough.
Do you have any best practices/rules to add in order to make an OpenShift cluster safe, and am I supposed to edit the iptables rules, since they have been set up by OpenShift itself?
This is the output of my iptables -L on the master-etc node so far. Honestly, I find these rules a little too permissive, but since I'm not an iptables and OpenShift pro I'm not sure if I'm OK with them.
Chain INPUT (policy ACCEPT)
target prot opt source destination
KUBE-NODEPORT-NON-LOCAL all -- anywhere anywhere /* Ensure that non-local NodePort traffic can flow */
KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
OPENSHIFT-FIREWALL-ALLOW all -- anywhere anywhere /* firewall overrides */
KUBE-FIREWALL all -- anywhere anywhere
ACCEPT all -- node2.domain.com anywhere
ACCEPT all -- node1.domain.com anywhere
ACCEPT all -- master.domain.com anywhere
OS_FIREWALL_ALLOW all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
KUBE-FORWARD all -- anywhere anywhere /* kubernetes forwarding rules */
OPENSHIFT-ADMIN-OUTPUT-RULES all -- anywhere anywhere /* administrator overrides */
OPENSHIFT-FIREWALL-FORWARD all -- anywhere anywhere /* firewall overrides */
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */
KUBE-FIREWALL all -- anywhere anywhere
ACCEPT all -- anywhere node2.domain.com
ACCEPT all -- anywhere node1.domain.com
ACCEPT all -- anywhere master.domain.com
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain KUBE-EXTERNAL-SERVICES (1 references)
target prot opt source destination
Chain KUBE-FIREWALL (2 references)
target prot opt source destination
DROP all -- anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
Chain KUBE-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* kubernetes forwarding rules */ mark match 0x1/0x1
ACCEPT all -- 10.128.0.0/14 anywhere /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere 10.128.0.0/14 /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED
Chain KUBE-NODEPORT-NON-LOCAL (1 references)
target prot opt source destination
Chain KUBE-SERVICES (1 references)
target prot opt source destination
REJECT tcp -- anywhere 172.30.188.158 /* openshift-ansible-service-broker/asb:port-1337 has no endpoints */ tcp dpt:menandmice-dns reject-with icmp-port-unreachable
REJECT tcp -- anywhere 172.30.188.158 /* openshift-ansible-service-broker/asb:port-1338 has no endpoints */ tcp dpt:wmc-log-svc reject-with icmp-port-unreachable
Chain OPENSHIFT-ADMIN-OUTPUT-RULES (1 references)
target prot opt source destination
Chain OPENSHIFT-FIREWALL-ALLOW (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:4789 /* VXLAN incoming */
ACCEPT all -- anywhere anywhere /* from SDN to localhost */
ACCEPT all -- anywhere anywhere /* from docker to localhost */
Chain OPENSHIFT-FIREWALL-FORWARD (1 references)
target prot opt source destination
DROP all -- 10.128.0.0/14 anywhere /* attempted resend after connection close */ ctstate INVALID
ACCEPT all -- anywhere 10.128.0.0/14 /* forward traffic from SDN */
ACCEPT all -- 10.128.0.0/14 anywhere /* forward traffic to SDN */
Chain OS_FIREWALL_ALLOW (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:10250
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:10256
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT udp -- anywhere anywhere state NEW udp dpt:4789
ACCEPT tcp -- anywhere anywhere state NEW tcp dpts:cslistener:ndmp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:jetcmeserver
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:2379
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:2380
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:senomix02
ACCEPT udp -- anywhere anywhere state NEW udp dpt:senomix02
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:EtherNet/IP-1
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:24007
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:24008
ACCEPT tcp -- anywhere anywhere state NEW tcp dpts:49152:49251
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:24010
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:iscsi-target
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:sunrpc
I would have changed the default INPUT policy to DROP on all compute nodes (node1 and node2) as a starter.
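An added example (not from the post, and not OpenShift's own code) of how the fix described in the question, blocking ports 53 and 111 from the outside while keeping full access between cluster nodes, can be expressed as its own iptables chain. Note that the listing's OS_FIREWALL_ALLOW chain accepts tcp dpt:sunrpc (111) from anywhere, so the restriction only works if it is evaluated before that chain; the script therefore inserts its jump at position 1 of INPUT. The chain name LOCAL-HARDEN, the interface name and the node addresses (RFC 5737 documentation range) are constructed placeholders; the script prints the iptables commands by default so they can be reviewed without root, and applies them only when APPLY=1.

```shell
#!/bin/sh
# Added example: confine dnsmasq (53) and rpcbind/portmapper (111) to loopback and
# cluster peers, with a rate-limited LOG before the DROP so abuse attempts show up
# in the kernel log. Node IPs, interface and chain name are assumptions.

CLUSTER_NODES="${CLUSTER_NODES:-192.0.2.10 192.0.2.11 192.0.2.12}"  # constructed
PUBLIC_IF="${PUBLIC_IF:-eth0}"                                       # assumption
CHAIN="LOCAL-HARDEN"                                                 # hypothetical chain name

# Emit the iptables commands instead of running them; pipe to 'sh' to apply.
gen_rules() {
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$CHAIN" "$CHAIN"
    # Loopback and already-established flows are left to the rest of INPUT.
    printf 'iptables -A %s -i lo -j RETURN\n' "$CHAIN"
    printf 'iptables -A %s -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN\n' "$CHAIN"
    # Cluster peers keep full access (same intent as the per-node ACCEPT lines in INPUT).
    for node in $CLUSTER_NODES; do
        printf 'iptables -A %s -s %s -j RETURN\n' "$CHAIN" "$node"
    done
    # Anyone else reaching DNS or portmapper on the public interface: log, then drop.
    for port in 53 111; do
        for proto in udp tcp; do
            printf 'iptables -A %s -i %s -p %s --dport %s -m limit --limit 5/min -j LOG --log-prefix "REFLECT-DROP: "\n' \
                "$CHAIN" "$PUBLIC_IF" "$proto" "$port"
            printf 'iptables -A %s -i %s -p %s --dport %s -j DROP\n' \
                "$CHAIN" "$PUBLIC_IF" "$proto" "$port"
        done
    done
    # Jump at position 1 of INPUT so this runs before OS_FIREWALL_ALLOW, which
    # accepts tcp dpt:sunrpc from anywhere in the listing above. -C makes it idempotent.
    printf 'iptables -C INPUT -j %s 2>/dev/null || iptables -I INPUT 1 -j %s\n' "$CHAIN" "$CHAIN"
}

# Number of DROP rules the generator produces (2 ports x 2 protocols).
count_drops() {
    gen_rules | grep -c -- '-j DROP'
}

if [ "${APPLY:-0}" = "1" ]; then
    gen_rules | sh
else
    gen_rules
fi
```

Keeping the rules in a separately named chain, rather than editing the chains in the listing, means a re-run of the installer that rewrites its own chains does not silently undo the hardening; the rules still have to be saved (for example with iptables-save into the iptables-services configuration) to survive a reboot. The same structure, a RETURN for peers followed by DROP for everything else, is also the shape a DROP default policy on the compute nodes would need, with one ACCEPT per port the listing shows the cluster actually uses.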