This message was deleted Rancher Users #elemental

Join Slack

This message was deleted.

# elemental

adamant-kite-43734

03/01/2024, 12:37 PM

This message was deleted.

bland-account-99790

03/01/2024, 2:14 PM

what do you mean by firewall rules?

bland-account-99790

03/01/2024, 2:23 PM

If you mean firewalld rules, in rke2 we recommend disabling firewalld because of conflicts and unexpected behaviour: https://docs.rke2.io/known_issues#firewalld-conflicts-with-default-networking

bland-book-71921

03/01/2024, 2:36 PM

I’m talking about the netfilter rules that calico provisions (iptables)

bland-book-71921

03/01/2024, 2:37 PM

on the host node itself (harvester node)

bland-account-99790

03/01/2024, 2:41 PM

Calico uses iptables to enforce network policies. These are used to restrict traffic within the cluster

bland-book-71921

03/01/2024, 2:43 PM

Correct. I see that when listing the iptables rules on the harvester/rancher node. I also see that if I manually use iptables and insert rules at the top, calico will eventually (quite quickly) move its own calico-INPUT rule to the top.

bland-account-99790

03/01/2024, 2:43 PM

Yes, Calico is in full control of the iptables

bland-book-71921

03/01/2024, 2:44 PM

aye. So how would I add my own custom netfilter rules through calico that persist across harvester/rancher node boot?

bland-account-99790

03/01/2024, 2:47 PM

If there are no calico rules in the chain, then Calico should not touch them. If there are, depending on what you want to add, you can use calico GlobalNetworkPolicy which allows to create policies for nodes: https://docs.tigera.io/calico/latest/network-policy/hosts/protect-hosts

bland-account-99790

03/01/2024, 2:48 PM

And there is another option, which is telling Calico to not touch iptables, but of course this can be a bit dangerous because if you touch something that breaks Calico's iptable rules, Calico won't be able to recover automatically

bland-account-99790

03/01/2024, 2:50 PM

If I remember correctly, to tell Calico to not update iptables you must set

iptablesRefreshInterval=0

in the Felix config

bland-account-99790

03/01/2024, 2:50 PM

There are several

iptables

parameters in felix config which might be interesting for our use case ==> https://docs.tigera.io/calico/latest/reference/resources/felixconfig#spec

👀 1

bland-book-71921

03/01/2024, 2:52 PM

Thanks! I’d like to have it continue to manage it OR harvester will break. So, I need to go down the path of doing it properly. 1. Once I can do so. 2. I need to make this persistent across harvester/elemental node reboots. 3. Then I need to apply it to the harvester install.yaml so that it provisions on cluster creation

👍 1

bland-account-99790

03/01/2024, 2:57 PM

I see, good luck Kristian! ;)

bland-book-71921

03/01/2024, 3:03 PM

🙏

5 Views

Open in Slack

Previous Next