From f61bfd70a8bf5a2551d6905eeb0a885005dc09fd Mon Sep 17 00:00:00 2001 From: "Manoj Alva(ma257n)" Date: Mon, 15 Feb 2021 07:06:05 +0000 Subject: [PATCH] Added support for failsafe rules - Global policies placed under type/airship-code/network-policies - site level policies/modifications placed under /network-policies Change-Id: Ic8245d3263a867babd29773540175f8646e193e0 --- .../target/network-policies/README.md | 19 +++++++ .../calico_failsafe_rules_patch.yaml | 43 ++++++++++++++++ .../network-policies/kustomization.yaml | 5 ++ .../airship-core/network-policies/README.md | 16 ++++++ .../network-policies/felixconfiguration.yaml | 50 +++++++++++++++++++ .../network-policies/kustomization.yaml | 2 + tools/deployment/02_install_calicoctl.sh | 25 ++++++++++ .../deployment/40_deploy_network_policies.sh | 30 +++++++++++ 8 files changed, 190 insertions(+) create mode 100644 manifests/site/test-site/target/network-policies/README.md create mode 100644 manifests/site/test-site/target/network-policies/calico_failsafe_rules_patch.yaml create mode 100644 manifests/site/test-site/target/network-policies/kustomization.yaml create mode 100644 manifests/type/airship-core/network-policies/README.md create mode 100644 manifests/type/airship-core/network-policies/felixconfiguration.yaml create mode 100644 manifests/type/airship-core/network-policies/kustomization.yaml create mode 100755 tools/deployment/02_install_calicoctl.sh create mode 100755 tools/deployment/40_deploy_network_policies.sh diff --git a/manifests/site/test-site/target/network-policies/README.md b/manifests/site/test-site/target/network-policies/README.md new file mode 100644 index 000000000..c0617656a --- /dev/null +++ b/manifests/site/test-site/target/network-policies/README.md 
@@ -0,0 +1,19 @@ +# Network Policy in calico + +Restricting traffic between hosts and the outside world can be achieved +using the following Calico features: + +* HostEndpoint resource +* GlobalNetworkPolicy +* FelixConfiguration resource with parameters: + -FailsafeInboundHostPorts + -FailsafeOutboundHostPorts +Generally a cluster-wide policy is applied to every host. + +This site based manifest is designed to override the default global +FelixConfiguration based in function directory. + +For more information on failsafe rules please refer below. + +[Host Protection in Calico](https://docs.projectcalico.org/security/protect-hosts) + diff --git a/manifests/site/test-site/target/network-policies/calico_failsafe_rules_patch.yaml b/manifests/site/test-site/target/network-policies/calico_failsafe_rules_patch.yaml new file mode 100644 index 000000000..78573e0dc --- /dev/null +++ b/manifests/site/test-site/target/network-policies/calico_failsafe_rules_patch.yaml @@ -0,0 +1,43 @@ +apiVersion: projectcalico.org/v3 +kind: FelixConfiguration +metadata: + name: default +spec: + failsafeInboundHostPorts: + - protocol: tcp + port: 22 + - protocol: udp + port: 68 + - protocol: tcp + port: 179 + - protocol: tcp + port: 2379 + - protocol: tcp + port: 2380 + - protocol: tcp + port: 5473 + - protocol: tcp + port: 6443 + - protocol: tcp + port: 6666 + - protocol: tcp + port: 6667 + failsafeOutboundHostPorts: + - protocol: udp + port: 53 + - protocol: udp + port: 67 + - protocol: tcp + port: 179 + - protocol: tcp + port: 2379 + - protocol: tcp + port: 2380 + - protocol: tcp + port: 5473 + - protocol: tcp + port: 6443 + - protocol: tcp + port: 6666 + - protocol: tcp + port: 6667 diff --git a/manifests/site/test-site/target/network-policies/kustomization.yaml b/manifests/site/test-site/target/network-policies/kustomization.yaml new file mode 100644 index 000000000..03ea676e1 --- /dev/null +++ b/manifests/site/test-site/target/network-policies/kustomization.yaml 
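Review bot: The site-level override in calico_failsafe_rules_patch.yaml re-lists exactly the inbound and outbound ports that manifests/type/airship-core/network-policies/felixconfiguration.yaml carries in the later hunks, so after kustomize the site FelixConfiguration is identical to the type one and, per that file's own header comment, to Calico's built-in defaults. If the site is meant to demonstrate an override, the patch should differ in at least one entry; otherwise the file adds nothing yet. As far as I can tell, patchesStrategicMerge on a CRD replaces a list rather than merging it, so a site patch must enumerate every failsafe port it still needs; a comment at the top of the patch such as `# NOTE: this list replaces (does not merge with) the type-level failsafe ports; list every port that must stay reachable.` would spare the next site author a lockout.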
@@ -0,0 +1,5 @@ +resources: + - ../../../../type/airship-core/network-policies + +patchesStrategicMerge: + - calico_failsafe_rules_patch.yaml diff --git a/manifests/type/airship-core/network-policies/README.md b/manifests/type/airship-core/network-policies/README.md new file mode 100644 index 000000000..a127f734f --- /dev/null +++ b/manifests/type/airship-core/network-policies/README.md @@ -0,0 +1,16 @@ +# Failsafe rules in calico + +It is easy to inadvertently cut all host connectivity because of +non-existent or misconfigured network policy. To avoid this, +Calico provides failsafe rules with default/configurable ports +that are open on all host endpoints. + +The manifest in this directory is planned to disable FailsafeInboundHostPorts +and FailsafeOutboundHostPorts by setting it none. This could be overriden in +the respective site manifests. + + +For more information on failsafe rules please refer below. + +[Host Protection in Calico](https://docs.projectcalico.org/security/protect-hosts) + diff --git a/manifests/type/airship-core/network-policies/felixconfiguration.yaml b/manifests/type/airship-core/network-policies/felixconfiguration.yaml new file mode 100644 index 000000000..fce3f5392 --- /dev/null +++ b/manifests/type/airship-core/network-policies/felixconfiguration.yaml 
@@ -0,0 +1,50 @@ +# Note: These are the default values, re-specifying them here for example purposes +# To set failsafeOutboundHostPorts and InboundHostPorts to none set the spec as follows +# spec: +# failsafeInboundHostPorts: +# failsafeOutboundHostPorts: +# Refer https://docs.projectcalico.org/reference/felix/configuration for more details. + +apiVersion: projectcalico.org/v3 +kind: FelixConfiguration +metadata: + name: default +spec: + failsafeInboundHostPorts: + - protocol: tcp + port: 22 + - protocol: udp + port: 68 + - protocol: tcp + port: 179 + - protocol: tcp + port: 2379 + - protocol: tcp + port: 2380 + - protocol: tcp + port: 5473 + - protocol: tcp + port: 6443 + - protocol: tcp + port: 6666 + - protocol: tcp + port: 6667 + failsafeOutboundHostPorts: + - protocol: udp + port: 53 + - protocol: udp + port: 67 + - protocol: tcp + port: 179 + - protocol: tcp + port: 2379 + - protocol: tcp + port: 2380 + - protocol: tcp + port: 5473 + - protocol: tcp + port: 6443 + - protocol: tcp + port: 6666 + - protocol: tcp + port: 6667 diff --git a/manifests/type/airship-core/network-policies/kustomization.yaml b/manifests/type/airship-core/network-policies/kustomization.yaml new file mode 100644 index 000000000..ff72081fb --- /dev/null +++ b/manifests/type/airship-core/network-policies/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - felixconfiguration.yaml diff --git a/tools/deployment/02_install_calicoctl.sh b/tools/deployment/02_install_calicoctl.sh new file mode 100755 index 000000000..62d2a2c5d --- /dev/null +++ b/tools/deployment/02_install_calicoctl.sh 
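Review bot: The header comment's recipe for disabling the failsafe ports, leaving `failsafeInboundHostPorts:` and `failsafeOutboundHostPorts:` with no value, produces YAML null, which in the FelixConfiguration API I believe is treated as "unset, use the built-in defaults" rather than "no ports"; an explicit empty list is what turns them off. The comment should read `#   failsafeInboundHostPorts: []` and `#   failsafeOutboundHostPorts: []`, otherwise someone following it keeps the default ports open while believing the hosts are locked down. This also leaves the README in the previous hunk (manifests/type/airship-core/network-policies/README.md) out of step with the manifest: it states that this directory disables the failsafe ports, while felixconfiguration.yaml keeps all of them, so one of the two should change.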
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -xe
+
+: ${CALICOCTL_VERSION:="v3.17.3"}
+curl -O -L https://github.com/projectcalico/calicoctl/releases/download/v3.17.3/calicoctl
+
+# Install kubectl
+URL="https://github.com/projectcalico"
+sudo -E curl -sSLo /usr/local/bin/calicoctl \
+"${URL}"/calicoctl/releases/download/"${CALICOCTL_VERSION}"/calicoctl
+
+sudo -E chmod +x /usr/local/bin/calicoctl
diff --git a/tools/deployment/40_deploy_network_policies.sh b/tools/deployment/40_deploy_network_policies.sh
new file mode 100755
index 000000000..043391d92
--- /dev/null
+++ b/tools/deployment/40_deploy_network_policies.sh
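Review bot: The first `curl -O -L .../v3.17.3/calicoctl` hard-codes the version instead of using `CALICOCTL_VERSION`, drops an unused `calicoctl` file into whatever the current directory is, and is then followed by a second download of the same artifact into /usr/local/bin, so it looks like a leftover that should go. The binary that does get installed is made executable on PATH with no integrity check; the release sha256 should be pinned next to the version and verified before `install`, and the download itself does not need `sudo`, only the copy into /usr/local/bin does. The `# Install kubectl` comment is also wrong for a script that installs calicoctl, and `: ${CALICOCTL_VERSION:=...}` should be quoted as `: "${CALICOCTL_VERSION:=v3.17.3}"`. The rewritten tail of the script is below.
```shell
set -euo pipefail

# … unchanged: license header …
: "${CALICOCTL_VERSION:=v3.17.3}"
# Expected sha256 of the calicoctl release asset for CALICOCTL_VERSION;
# pin it here beside the version (placeholder until the real digest is recorded).
: "${CALICOCTL_SHA256:?set to the published sha256 of calicoctl ${CALICOCTL_VERSION}}"

URL="https://github.com/projectcalico"
tmp=$(mktemp -d)
trap 'rm -rf -- "${tmp:?}"' EXIT

# Install calicoctl: download unprivileged, verify, then place on PATH.
curl -sSLo "${tmp}/calicoctl" \
  "${URL}/calicoctl/releases/download/${CALICOCTL_VERSION}/calicoctl"
printf '%s  %s\n' "${CALICOCTL_SHA256}" "${tmp}/calicoctl" | sha256sum -c -
sudo install -m 0755 -- "${tmp}/calicoctl" /usr/local/bin/calicoctl
```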
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+TMP=$(mktemp -d)
+
+MANIFEST_FILE="$TMP/network-policy.yaml"
+export SITE=${SITE:="test-site"}
+
+export KUBECONFIG=${KUBECONFIG:="$HOME/.airship/kubeconfig"}
+export KUBECONFIG_TARGET_CONTEXT=${KUBECONFIG_TARGET_CONTEXT:="target-cluster"}
+: ${TREASUREMAP_PROJECT:="${PWD}"}
+
+#Generate all of the policies and deploy using calicoctl
+kustomize build --enable_alpha_plugins $TREASUREMAP_PROJECT/manifests/site/$SITE/target/network-policies -o ${MANIFEST_FILE}
+
+#What about per node basis. Also usage of calico apply/replace
+DATASTORE_TYPE=kubernetes calicoctl apply -f ${MANIFEST_FILE}
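Review bot: `KUBECONFIG_TARGET_CONTEXT` is exported on the new-side line for it but nothing in the script consumes it, so `calicoctl apply` runs against whatever current-context the kubeconfig happens to hold; if that file carries more than one context the FelixConfiguration lands on the wrong cluster, and calicoctl accepts `--context` to pin it. The `$TREASUREMAP_PROJECT/manifests/site/$SITE/...` and `${MANIFEST_FILE}` expansions are unquoted, and the `mktemp -d` directory is never removed, so a `trap ... EXIT` is needed. The trailing `#What about per node basis. Also usage of calico apply/replace` reads as an open question rather than a comment; it should become a tracked TODO or be resolved before merge. The rewritten body after the license header is below.
```shell
set -euo pipefail

TMP=$(mktemp -d)
trap 'rm -rf -- "${TMP:?}"' EXIT

# … unchanged: MANIFEST_FILE, SITE, KUBECONFIG, KUBECONFIG_TARGET_CONTEXT exports …
: "${TREASUREMAP_PROJECT:=${PWD}}"

# Generate all of the policies and deploy using calicoctl
kustomize build --enable_alpha_plugins \
  "${TREASUREMAP_PROJECT}/manifests/site/${SITE}/target/network-policies" \
  -o "${MANIFEST_FILE}"

# Apply against the target cluster explicitly, not the kubeconfig's current-context.
DATASTORE_TYPE=kubernetes calicoctl apply \
  --context "${KUBECONFIG_TARGET_CONTEXT}" -f "${MANIFEST_FILE}"
```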