OpenShift 4.12: Ingress Node Firewall Operator

Within the ecosystem of Red Hat OpenShift Networking is a new security-focused operator named Ingress Node Firewall that uses an extended Berkeley Packet Filter (eBPF) and eXpress Data Path (XDP) plugin to process custom node firewall rules.

Ingress Node Firewall helps to secure OpenShift nodes from external (e.g. DOS) attacks by configuring user-customized stateless policies that can be applied across all cluster nodes. Because ingress node firewall policies are initially stateless-only relegates it to a Technical Preview of the feature in OpenShift 4.12, but provides users with the chance to develop their firewall customizations.  The addition of stateful policies (useful to detect and block flood attacks) is targeting a near-term future release, which will graduate the feature from Technical Preview to fully supported (GA). 

How does it work?  The Ingress Node Firewall operator manages a Kubernetes custom resource that can be created by the cluster admin to deploy and configure the desired Ingress Node Firewall rules.  A Kubernetes admission webhook validates the configuration, and ensures that an accidental misconfiguration cannot inadvertently block cluster traffic required for its normal operation (fail safe).  For example, it will not allow the cluster admin to accidentally deny TCP traffic to the API server on port 6443, which would cripple cluster management.  The webhook verification simply refuses any rules with a deny action that match against cluster-critical TCP/UDP ports.

Once the rules are created and validated, a combination of XDP+eBPF applies the custom firewall rules by loading Ingress Node Firewall XDP programs to the selected interfaces specified in the rule’s object(s), and then parses traffic packets according to the specified rule actions.  

A combination of XDP+eBPF provides a flexible, high performance mechanism to allow early detection and packet filtering, before allowing accepted packets to be processed by the Linux kernel.  XDP is a kernel feature that allows execution of a user-supplied eBPF program when a packet is received on a network interface (NIC), which provides that flexibility in how the packets are processed.  Because XDP allows attachment of an eBPF program at the earliest stage of the network driver (for NICs that support XDP), it enables immediate handling of packets without needing them to travel further into the kernel network stack, for high performance processing. 

Finally, the Ingress Node Firewall updates per rule statistics (allow/deny packets and byte-count) and generates syslog events for any dropped packets that include an event header (ruleId, Interface the packet came in on, packet length in bytes including L2 header) and up to 256 bytes from the packet header. 

Cluster administrators can install the Ingress Node Firewall Operator by using the OpenShift Container Platform CLI (oc) or the web console.  For more information, see Understanding the Ingress Node Firewall Operator in the OpenShift product documentation.