Within the ecosystem of Red Hat OpenShift Networking is a new security-focused operator named Ingress Node Firewall that uses an extended Berkeley Packet Filter (eBPF) and eXpress Data Path (XDP) plugin to process custom node firewall rules.
Ingress Node Firewall helps to secure OpenShift nodes from external (e.g. DOS) attacks by configuring user-customized stateless policies that can be applied across all cluster nodes. Because ingress node firewall policies are initially stateless-only relegates it to a Technical Preview of the feature in OpenShift 4.12, but provides users with the chance to develop their firewall customizations. The addition of stateful policies (useful to detect and block flood attacks) is targeting a near-term future release, which will graduate the feature from Technical Preview to fully supported (GA).
How does it work? The Ingress Node Firewall operator manages a Kubernetes custom resource that can be created by the cluster admin to deploy and configure the desired Ingress Node Firewall rules. A Kubernetes admission webhook validates the configuration, and ensures that an accidental misconfiguration cannot inadvertently block cluster traffic required for its normal operation (fail safe). For example, it will not allow the cluster admin to accidentally deny TCP traffic to the API server on port 6443, which would cripple cluster management. The webhook verification simply refuses any rules with a deny action that match against cluster-critical TCP/UDP ports.
Once the rules are created and validated, a combination of XDP+eBPF applies the custom firewall rules by loading Ingress Node Firewall XDP programs to the selected interfaces specified in the rule’s object(s), and then parses traffic packets according to the specified rule actions.
A combination of XDP+eBPF provides a flexible, high performance mechanism to allow early detection and packet filtering, before allowing accepted packets to be processed by the Linux kernel. XDP is a kernel feature that allows execution of a user-supplied eBPF program when a packet is received on a network interface (NIC), which provides that flexibility in how the packets are processed. Because XDP allows attachment of an eBPF program at the earliest stage of the network driver (for NICs that support XDP), it enables immediate handling of packets without needing them to travel further into the kernel network stack, for high performance processing.
Finally, the Ingress Node Firewall updates per rule statistics (allow/deny packets and byte-count) and generates syslog events for any dropped packets that include an event header (ruleId, Interface the packet came in on, packet length in bytes including L2 header) and up to 256 bytes from the packet header.
Cluster administrators can install the Ingress Node Firewall Operator by using the OpenShift Container Platform CLI (oc) or the web console. For more information, see Understanding the Ingress Node Firewall Operator in the OpenShift product documentation.
Sugli autori
Marc Curry is a Distinguished Product Manager in Red Hat's Hybrid Platform Business Unit, specializing in the networking architecture, performance, and scalability of the OpenShift Container Platform.
With over 20 years at Red Hat, Marc has held various technical roles, including serving as a Solutions Architect focused on open-source solutions for the telecommunications industry. His expertise builds upon a strong foundation in scientific and high-performance computing.
Altri risultati simili a questo
Oltre l'Automazione: perché l'aumento delle vulnerabilità di sicurezza basate sull'IA richiede un supporto tecnico umano
Funzionalità post-quantistiche di SSH migliorate in Red Hat Enterprise Linux
Collaboration In Product Security | Compiler
Keeping Track Of Vulnerabilities With CVEs | Compiler
Ricerca per canale
Automazione
Novità sull'automazione IT di tecnologie, team e ambienti
Intelligenza artificiale
Aggiornamenti sulle piattaforme che consentono alle aziende di eseguire carichi di lavoro IA ovunque
Hybrid cloud open source
Scopri come affrontare il futuro in modo più agile grazie al cloud ibrido
Sicurezza
Le ultime novità sulle nostre soluzioni per ridurre i rischi nelle tecnologie e negli ambienti
Edge computing
Aggiornamenti sulle piattaforme che semplificano l'operatività edge
Infrastruttura
Le ultime novità sulla piattaforma Linux aziendale leader a livello mondiale
Applicazioni
Approfondimenti sulle nostre soluzioni alle sfide applicative più difficili
Virtualizzazione
Il futuro della virtualizzazione negli ambienti aziendali per i carichi di lavoro on premise o nel cloud