From 79e9c31a42cfaed23f20a5dc08ec4f171e9c0495 Mon Sep 17 00:00:00 2001
From: SuperQ
Date: Mon, 26 Sep 2022 15:08:07 +0200
Subject: [PATCH] Add option to disable Kube API firewall

The middlewared adds a firewall at every boot to block the Kubernetes API from external access. Add a command line option to drop the firewall rule.

Signed-off-by: SuperQ
---
 README.md | 1 +
 includes/chores.sh | 11 +++++++++++
 includes/no_args.sh | 4 ++++
 truetool.sh | 6 +++++-
 4 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index fbcfa3c8..5b35fab4 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,7 @@ It also offers a few handy shortcuts for commonly required chores, like: Enablin
 | --dns | --dns | None | list all of your applications DNS names and their web ports |
 | --list-backups | --list-backups | None | Prints a list of backups available |
 | --helm-enable | --helm-enable | None | Enables Helm command access on SCALE |
+| --kubeapi-enable | --kubeapi-enable | None | Enables external access to Kuberntes API port |
 | --apt-enable | --apt-enable | None | Enables Apt command access on SCALE |
 | --no-color | --no-color | None | Disables showing colors in terminal output, usefull for SCALE Email output |
 | -U | -U | None | Update applications, ignoring major version changes |
diff --git a/includes/chores.sh b/includes/chores.sh
index df6d3a73..3ffa533c 100755
--- a/includes/chores.sh
+++ b/includes/chores.sh
@@ -12,6 +12,17 @@ chmod +x /usr/bin/apt* && echo -e "${IGreen}APT enabled${Color_Off}"|| echo -e "
 }
 export -f aptEnable
 
+kubeapiEnable(){
+local -r comment='iX Custom Rule to drop connection requests to k8s cluster from external sources'
+echo -e "${BWhite}Enabling Apt-Commands${Color_Off}"
+if iptables -t filter -L INPUT 2> /dev/null | grep -q "${comment}" ; then
+ iptables -D INPUT -p tcp -m tcp --dport 6443 -m comment --comment "${comment}" -j DROP && echo -e "${IGreen}Kubernetes API enabled${Color_Off}"|| echo -e "${IRed}Kubernetes API Enable FAILED${Color_Off}"
+else
+ echo -e "${IGreen}Kubernetes API already enabled${Color_Off}"
+fi
+}
+export -f kubeapiEnable
+
 # Prune unused docker images to prevent dataset/snapshot bloat related slowdowns on SCALE
 prune(){
 echo -e "${BWhite}Docker Prune${Color_Off}"
diff --git a/includes/no_args.sh b/includes/no_args.sh
index 951f009b..9ff0f3c0 100755
--- a/includes/no_args.sh
+++ b/includes/no_args.sh
@@ -12,6 +12,7 @@ no_args(){
 echo "7 Enable Helm Commands"
 echo "8 Enable Apt and Apt-Get Commands"
 echo "9 Update All Apps"
+ echo "10 Enable external access to Kuberntes API port"
 read -rt 600 -p "Please select an option by number: " selection
 case $selection in
@@ -59,6 +60,9 @@ no_args(){
 echo "INVALID ENTRY" && exit 1
 fi
 ;;
+ 10)
+ kubeapiEnable="true"
+ ;;
 *)
 echo "Unknown option" && exit 1
 ;;
diff --git a/truetool.sh b/truetool.sh
index c73b7411..3997a3af 100755
--- a/truetool.sh
+++ b/truetool.sh
@@ -68,6 +68,9 @@ else
 apt-enable)
 aptEnable="true"
 ;;
+ kubeapi-enable)
+ kubeapiEnable="true"
+ ;;
 no-color)
 noColor
 ;;
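Review bot: The banner on kubeapiEnable's third added line, `echo -e "${BWhite}Enabling Apt-Commands${Color_Off}"`, is carried over from aptEnable and mislabels what this function does; change it to `echo -e "${BWhite}Enabling external Kubernetes API access${Color_Off}"`. The `iptables -t filter -L INPUT 2> /dev/null | grep -q "${comment}"` test cannot tell "rule absent" from "listing failed", because stderr is discarded and the pipeline's status is grep's, so a run without sufficient privilege prints `Kubernetes API already enabled` while the DROP rule is still in place. `iptables -C INPUT -p tcp -m tcp --dport 6443 -m comment --comment "${comment}" -j DROP` checks for exactly the rule the following `-D` line removes, and if the `-L | grep` form is kept, `grep -qF -- "${comment}"` treats the comment as a literal instead of a pattern. Since the commit message says middlewared re-adds this rule at every boot, a header comment such as `# Remove middlewared's INPUT DROP rule for the k8s API port (6443); it is re-created at the next boot, so the effect is not persistent` would save the next reader a surprise.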
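Review bot: The new menu line `echo "10 Enable external access to Kuberntes API port"` misspells Kubernetes, and the README row added in this patch carries the same misspelling, so both should read `Kubernetes`. The label also does not tell an interactive user that the access lasts only until middlewared re-installs the rule at the next boot (per the commit message); `echo "10 Enable external access to Kubernetes API port (until next reboot)"` would set that expectation. no_args's body starts and ends outside both of its hunks.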
@@ -158,7 +161,8 @@ fi
 [[ "$help" == "true" ]] && help
 [[ "$helmEnable" == "true" ]] && helmEnable
 [[ "$aptEnable" == "true" ]] && aptEnable
-[[ "$aptEnable" == "true" || "$helmEnable" == "true" ]] && exit
+[[ "$kubeapiEnable" == "true" ]] && kubeapiEnable
+[[ "$aptEnable" == "true" || "$helmEnable" == "true" || "$kubeapiEnable" == "true" ]] && exit
 [[ "$listBackups" == "true" ]] && listBackups && exit
 [[ "$deleteBackup" == "true" ]] && deleteBackup && exit
 [[ "$dns" == "true" ]] && dns && exit