This repository provides an easy way to deploy Linode Firewall Operator into a kubernetes cluster.
The operator listens to the cluster events and dynamically add worker nodes to the designated firewall instance.
- Linode Kubernetes Cluster
- Have outbound connectivity to https://api.linode.com
- Dedicated Linode Firewall for the cluster
- The firewall should only be used for the cluster
- Operator will compare the worker nodes against the firewall device list and remove any devices that are not cluster nodes
- Linode PAT Token with "Firewalls Read/Write" permissions
-
Deploy required CRD and Operator:
curl -s https://raw.githubusercontent.com/gangyi89/deploy-linode-operator/main/deploy-linode-fw-operator.sh | bash -s -- <MY_NAMESPACE>
Note: Specify the desired namespace for the operator. If not specified, the default namespace will be used.
-
Copy firewall object:
-
Copy the sample
cluster-firewall.yamlfile -
Populate the Firewall ID and Linode API Key
-
Deploy the firewall object to the same namespace:
kubectl apply -f cluster-firewall.yaml -n <MY_NAMESPACE>
-
This operator automatically creates and removes worker node instances from a dedicated Linode Firewall based on the node events emitted by the Kubernetes cluster. When a node creation/removal is emitted, the operator reconciles the current list of nodes against the firewall device list and updates the firewall accordingly.
- Current design assumes a 1:1 relationship between a Cluster and a Firewall instance.
- It currently has no awareness of node pools and will treat all nodes the same.
Note: Linode automatically removes a node from the firewall list when the node is deleted, hence the operator simply verifies and logs the delete activity.
| Parameter | Type | Mandatory | Description |
|---|---|---|---|
| firewallId | int | Y | Dedicated FirewallId for the cluster |
| apiKeySecret.name | string | Y | Name of kubernetes Secret |
| apiKeySecret.key | string | Y | Key of kubernetes Secret |
| apiKeySecret.namespace | string | N | If namespace is not specifed, namespace of the operator will be used |
| interval | string | N | Periodically performs reconciliation on top of node events. Format is in s, m, h, d. Default is 10h |
Yes, you can, but it's not necessary. In the event that the node containing the operator is removed, the operator will be rescheduled to another node and perform reconciliation at start-up.
The operator is designed to consume the API Key from a Secret object. Hence, you can apply a consistent Kubernetes secrets management strategy to secure the API Key.
Yes! To the operator, the above operations are nothing but create and delete node events. The operator will handle all of these scenarios.
The node will only be added in when the next reconciliation is triggered. Either due to a node add/delete detected by the cluster or after 10hr (default operator reconcile interval). Alternatively, specify the interval parameter to control the frequency of the reconciliation - on top of event triggered reconciliation.
This section discribe some of the places that can be looked into to identify issues with the operator.
- Describe the cluster firewall object and verify the status and events:
kubectl describe clusterfirewall -n <MY_NAMESPACE>
- Verify the status currently contains all the nodes in the cluster (no less and no more). The status is updated everytime reconcilation happens.
- Look for any error messages under the events section. All errors are logged as events and can be used to debug the issue.
- Check the logs of the operator pod:
kubectl logs linode-fw-operator-xxxxxxxx-xxxxx -n <MY_NAMESPACE>
Reconcilation Started and Reconcilation Completed depics 1 cycle of reconcilation. From there, you will be able to identify what time was the last run reconciliation and also identify any errors that might have occurred.
This project is of the work of an individual and is not affiliated with Linode in any way.