Firewall

Follow this documentation when trying to expose a service running in a Kubernetes cluster outside CERN.

The request depends on how you're exposing your service.

Ingress

When exposing the service using Ingress, you need to open the firewall for all hosts serving as Ingress controllers.

The recommendation is to create a landb set containing these nodes and request a firewall opening by email to Computer.Security@cern.ch.

In the future we'll automate the management of landb sets.

serviceType: LoadBalancer

When using a serviceType: LoadBalancer, first check the device name corresponding to the virtual IP of your instance:

kubectl get service
NAME        TYPE           CLUSTER-IP       EXTERNAL-IP      PORT(S)                      AGE
myservice   LoadBalancer   10.254.156.232   137.138.111.22   80:31020/TCP,443:31303/TCP   3h53m

host 137.138.111.22
22.111.138.137.in-addr.arpa domain name pointer lbaas-da39e075-190e-47db-9f12-9aad8bb4fac5.cern.ch

Take the DNS name returned by the command above and pass it as the InterfaceName parameter of this link:

https://network.cern.ch/sc/fcgi/sc.fcgi?Action=SearchForUpdate&InterfaceName=lbaas-da39e075-190e-47db-9f12-9aad8bb4fac5.cern.ch

Then, under Central Firewall Configuration, select Make Firewall Request.
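The LoadBalancer steps above can be scripted so that the device name is validated before it goes into the link, and so that the request lists only the service ports actually exposed. This is an added example, not part of the original documentation or CERN tooling; the function names are hypothetical, and the `lbaas-<hex id>.cern.ch` pattern is an assumption taken from the sample output on this page.

```shell
#!/bin/sh
# Added example: derive the firewall-request inputs for a LoadBalancer service.

# Read `host <ip>` output on stdin, print the PTR target without a trailing dot.
ptr_name() {
  awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Accept only names shaped like the sample on this page (assumed pattern),
# so nothing unexpected is spliced into the request URL.
is_lbaas_name() {
  printf '%s\n' "$1" | grep -Eq '^lbaas-[0-9a-f-]+\.cern\.ch$'
}

# Turn the PORT(S) column ("80:31020/TCP,443:31303/TCP") into the ports
# served on the virtual IP ("80/TCP 443/TCP"), dropping the node ports.
exposed_ports() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | sed -E 's#^([0-9]+)(:[0-9]+)?/#\1/#' | paste -sd' ' -
}

# Build the SearchForUpdate link for a validated device name.
request_url() {
  is_lbaas_name "$1" || { echo "unexpected device name: $1" >&2; return 1; }
  printf 'https://network.cern.ch/sc/fcgi/sc.fcgi?Action=SearchForUpdate&InterfaceName=%s\n' "$1"
}

# Live use: sh fw-request.sh myservice   (needs kubectl and host)
if [ "$#" -eq 1 ]; then
  ip=$(kubectl get service "$1" -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  ports=$(kubectl get service "$1" --no-headers | awk '{ print $5 }')
  name=$(host "$ip" | ptr_name)
  echo "Ports to request: $(exposed_ports "$ports")"
  request_url "$name"
fi
```

Requesting only the ports printed by `exposed_ports` keeps the firewall opening limited to what the service publishes on its virtual IP.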