{"id":18637260,"url":"https://github.com/openshift/ingress-node-firewall","last_synced_at":"2025-10-29T05:18:29.227Z","repository":{"id":41802779,"uuid":"509589947","full_name":"openshift/ingress-node-firewall","owner":"openshift","description":"Ingress node firewall implements Kubernetes operator to provision stateless ingress node level firewall rules, stateless ingress node firewall implementation is done using eBPF XDP kernel plugin","archived":false,"fork":false,"pushed_at":"2025-09-29T14:43:30.000Z","size":60796,"stargazers_count":64,"open_issues_count":9,"forks_count":27,"subscribers_count":11,"default_branch":"master","last_synced_at":"2025-09-29T15:37:46.899Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/openshift.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-07-01T21:12:23.000Z","updated_at":"2025-09-29T13:57:23.000Z","dependencies_parsed_at":"2024-02-19T15:08:32.263Z","dependency_job_id":"db701050-276b-4275-bf74-f590e777026f","html_url":"https://github.com/openshift/ingress-node-firewall","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/openshift/ingress-node-firewall","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openshift%2Fingress-node-firewall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHu
b/repositories/openshift%2Fingress-node-firewall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openshift%2Fingress-node-firewall/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openshift%2Fingress-node-firewall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/openshift","download_url":"https://codeload.github.com/openshift/ingress-node-firewall/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openshift%2Fingress-node-firewall/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":281563814,"owners_count":26522710,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-29T02:00:06.901Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T05:34:40.182Z","updated_at":"2025-10-29T05:18:29.213Z","avatar_url":"https://github.com/openshift.png","language":"C","readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"logo.jpg\" alt=\"logo\" width=\"25%\"/\u003e\n\u003c/p\u003e\n\n# Ingress Node Firewall\nThis is the Ingress node Firewall Operator, implementing [Operator pattern](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/) for deploying Ingress node firewall daemon on kubernetes cluster.\nIt uses 
[Controllers](https://kubernetes.io/docs/concepts/architecture/controller/),\nwhich provide a reconcile function responsible for synchronizing resources until the desired state is reached on the cluster.\n\n[![Project maturity: alpha](https://img.shields.io/badge/maturity-alpha-orange.svg)]() [![license](https://img.shields.io/github/license/openshift/ingress-node-firewall.svg?maxAge=2592000)](https://github.com/openshift/ingress-node-firewall/blob/master/LICENSE) [![Containers](https://img.shields.io/badge/containers-ready-green.svg)](https://quay.io/openshift/ingress-node-firewall-operator:4.13) [![Go report card](https://goreportcard.com/badge/github.com/openshift/ingress-node-firewall)](https://goreportcard.com/report/github.com/openshift/ingress-node-firewall) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/6726/badge)](https://bestpractices.coreinfrastructure.org/projects/6726)\n\n\n## Usage\n\nOnce the Ingress Node Firewall Operator is installed, you have to create an `IngressNodeFirewallConfig` custom resource to deploy the Operator's DaemonSet.\nThe `IngressNodeFirewallConfig` custom resource needs to be created inside the `ingress-node-firewall-system` namespace and be named `ingressnodefirewallconfig`. Only one `IngressNodeFirewallConfig` resource can exist in a cluster.\nThe operator consumes this resource and creates the ingress node firewall DaemonSet `daemon`, which runs on all nodes that match the `nodeSelector`.\n\nThe following is an example of an `IngressNodeFirewallConfig` resource:\n```yaml\napiVersion: ingressnodefirewall.openshift.io/v1alpha1\nkind: IngressNodeFirewallConfig\nmetadata:\n  name: ingressnodefirewallconfig\n  namespace: ingress-node-firewall-system\nspec:\n  nodeSelector:\n    node-role.kubernetes.io/worker: \"\"\n```\n\nAfter that, deploy one or multiple `IngressNodeFirewall` resources to apply firewall rules to your nodes. Make sure that the `nodeSelector` matches a set of nodes. 
The Ingress Node Firewall Operator will create objects of kind `IngressNodeFirewallNodeState` for each node that is matched by at least one `IngressNodeFirewall` resource:\n```yaml\napiVersion: ingressnodefirewall.openshift.io/v1alpha1\nkind: IngressNodeFirewall\nmetadata:\n  name: ingressnodefirewall-demo-1\nspec:\n  interfaces:\n  - eth0\n  nodeSelector:\n    node-role.kubernetes.io/worker: \"\"\n  ingress:\n  - sourceCIDRs:\n       - 1.1.1.1/24\n       - 100:1::1/64\n    rules:\n    - order: 10\n      protocolConfig:\n        protocol: TCP\n        tcp:\n          ports: \"100-200\"\n      action: Allow\n```\n\nYou can use the following shortcut to deploy samples, including `IngressNodeFirewallConfig` and `IngressNodeFirewall` resources:\n```sh\nmake deploy-samples\n```\n\nAnd in order to uninstall them:\n```sh\nmake undeploy-samples\n```\n\n## Deploying the operator\n\n### Prerequisites\n\nYou need to install the following packages:\n\noperator-sdk 1.22.0\n\ncontroller-gen v0.9.0+\n\nFor Fedora, you will need the following packages:\n```sh\nsudo dnf install glibc-devel glibc-devel.i686\n```\n\n### Running on a KinD cluster\n\n#### Creating a kind cluster with the operator installed\n\n##### In a single step\n\n1. Download the latest [KinD](https://kind.sigs.k8s.io/docs/user/quick-start) stable version\n2. Install KinD and the operator and export KUBECONFIG\n```sh\nmake create-and-deploy-kind-cluster\nexport KUBECONFIG=$(pwd)/hack/kubeconfig\n```\n**Note:** If prompted to do so, manually edit the file `config/manager/env.yaml` and set the value of the environment variable\n`DAEMONSET_IMAGE`. This should only happen if `yq` cannot be found.\n\n##### Deploying kind and the operator manually\n\n1. Download the latest [KinD](https://kind.sigs.k8s.io/docs/user/quick-start) stable version\n2. Install KinD and export KUBECONFIG\n```sh\nmake create-kind-cluster\nexport KUBECONFIG=$(pwd)/hack/kubeconfig\n```\n3. Install custom resource definitions\n```sh\nmake install\n```\n4. 
Build controller container image\n```sh\nmake docker-build IMG=\u003csome-registry\u003e/ingress-node-firewall-controller:latest\n```\n5. Load controller container image to KinD container(s)\n```sh\nkind load docker-image \u003csome-registry\u003e/ingress-node-firewall-controller:latest\n```\n6. Build daemon container image\n```sh\nmake docker-build-daemon DAEMON_IMG=\u003csome-registry\u003e/ingress-node-firewall-daemon:latest\n```\n7. Load daemon container image to KinD container(s)\n```sh\nkind load docker-image \u003csome-registry\u003e/ingress-node-firewall-daemon:latest\n```\n8. Set the daemon image name\n```sh\nhack/set-daemon-image.sh \u003csome-registry\u003e/ingress-node-firewall-daemon:latest\n```\n9. Deploy resources to KinD cluster\n```sh\nmake deploy-kind IMG=\u003csome-registry\u003e/ingress-node-firewall-controller:latest\n```\n#### Deploying using Bpfman for eBPF programs management\n\nAfter completing all the steps in the previous section and deploying the ingress node firewall operator,\nyou must deploy the bpfman-operator:\n\n```shell\ngit clone https://github.com/bpfman/bpfman-operator.git\ncd bpfman-operator\nmake deploy\n```\n\nThis will deploy the `bpfman-operator` and start the `bpfman-daemon` pods.\n\n```shell\noc get pods -n bpfman\nNAME                               READY   STATUS    RESTARTS   AGE\nbpfman-daemon-45jtk                3/3     Running   0          63s\nbpfman-daemon-8x9j7                3/3     Running   0          63s\nbpfman-daemon-c9td4                3/3     Running   0          63s\nbpfman-operator-7f67bc7c57-5cpqr   2/2     Running   0          75s\n\n```\n\nTo select bpfman to manage INFW programs, set `ebpfProgramManagerMode` to true in `IngressNodeFirewallConfig`.\n\n```yaml\napiVersion: ingressnodefirewall.openshift.io/v1alpha1\nkind: IngressNodeFirewallConfig\nmetadata:\n  name: ingressnodefirewallconfig\n  namespace: ingress-node-firewall-system\nspec:\n  nodeSelector:\n    node-role.kubernetes.io/worker: 
\"\"\n  ebpfProgramManagerMode: true\n```\n\nIf there are any updates to the eBPF programs, the bytecode images need to be rebuilt and pushed:\n\n```shell\nmake build-and-push-bc-image\n```\n\n#### Removing the operator from the kind cluster\n\nIn order to remove the operator:\n1. Undeploy resources from the KinD cluster\n```sh\nmake undeploy-kind\n```\n2. Uninstall custom resource definitions:\n```sh\nmake uninstall\n```\n\n#### Deleting the kind cluster\n\nIn order to delete the kind cluster:\n```sh\nmake destroy-kind-cluster\n```\n\n### Running on an OCP cluster\n\nIn order to run this operator on OpenShift, one can either deploy from manifests or via OLM.\nIn both cases, follow the [Common steps](README.md#common-steps) first and then follow either [Deploy from manifests](README.md#deploy-from-manifests) or [Deploy with OLM](README.md#deploy-with-olm).\n\n#### Common steps\n\n1. Create an OCP cluster\n2. Build the controller container image\n```sh\nmake docker-build IMG=\u003csome-registry\u003e/ingress-node-firewall-controller:latest\n# or make podman-build IMG=\u003csome-registry\u003e/ingress-node-firewall-controller:latest\n```\n3. Push the controller container image to an image registry\n```sh\nmake docker-push IMG=\u003csome-registry\u003e/ingress-node-firewall-controller:latest\n# or make podman-push IMG=\u003csome-registry\u003e/ingress-node-firewall-controller:latest\n```\n4. Build the daemon container image\n```sh\nmake docker-build-daemon DAEMON_IMG=\u003csome-registry\u003e/ingress-node-firewall-daemon:latest\n# or make podman-build-daemon DAEMON_IMG=\u003csome-registry\u003e/ingress-node-firewall-daemon:latest\n```\n5. Push the daemon container image to an image registry\n```sh\nmake docker-push-daemon DAEMON_IMG=\u003csome-registry\u003e/ingress-node-firewall-daemon:latest\n# or make podman-push-daemon DAEMON_IMG=\u003csome-registry\u003e/ingress-node-firewall-daemon:latest\n```\n6. 
Set the daemon image name\n```sh\nhack/set-daemon-image.sh \u003csome-registry\u003e/ingress-node-firewall-daemon:latest\n```\n\n#### Deploy from manifests\n\n7. Install custom resource definitions\n```sh\nmake install\n```\n8. Deploy resources to OpenShift cluster\n```sh\nmake deploy IMG=\u003csome-registry\u003e/ingress-node-firewall-controller:latest\n```\n\n##### To uninstall\n\nUndeploy resources from OCP cluster\n```sh\nmake undeploy\n```\nUninstall custom resource definitions\n```sh\nmake uninstall\n```\n\n#### Deploy with OLM\n\n7. Build and push bundle and index images to an image registry. \n```sh\nmake build-and-push-bundle-images \\\n  IMG=\u003csome-registry\u003e/ingress-node-firewall-controller:latest \\\n  BUNDLE_IMG=\u003csome-registry\u003e/ingress-node-firewall-bundle:latest \\\n  BUNDLE_INDEX_IMG=\u003csome-registry\u003e/ingress-node-firewall-index:latest\n# or make podman-build-and-push-bundle-images \\\n#      IMG=\u003csome-registry\u003e/ingress-node-firewall-controller:latest \\\n#      BUNDLE_IMG=\u003csome-registry\u003e/ingress-node-firewall-bundle:latest \\\n#      BUNDLE_INDEX_IMG=\u003csome-registry\u003e/ingress-node-firewall-index:latest\n```\n\n8. Deploy with OLM\n```sh\nmake deploy-with-olm \\\n  NAMESPACE=openshift-ingress-node-firewall \\\n  BUNDLE_INDEX_IMG=\u003csome-registry\u003e/ingress-node-firewall-index:latest\n```\n\n##### To uninstall\n\nUndeploy resources from OCP cluster\n```sh\noc delete ns openshift-ingress-node-firewall\n```\nUninstall custom resource definitions\n```sh\nmake uninstall\n```\n\n## Testing\n\n### Running test\n\nTo run ingress-node-firewall-operator unit tests (no cluster required), execute the following:\n```shell\nmake test\n```\n\u003e NOTE: Some tests (e.g. `ebpfsyncer_test.go`) will only be triggered if `make test` is run as the root user. \n\nTo test for race conditions, run:\n```sh\nmake test-race\n```\n\n### Running E2E test\n\n1. 
Bring up a KinD cluster and deploy the ingress node firewall operator following the steps outlined previously.\n2. Run the full E2E test\n```shell\nmake test-e2e\n```\nNote: See the test README.md for test options and known issues.\n\n## Statistics\n\nStatistics are generated by the BPF program whenever a packet is allowed or denied: the total number of packets allowed and\ndenied, plus the number of bytes handled in each case. These statistics are read in user space by the node daemons and exposed\nas Prometheus-format metrics, which are then scraped by Prometheus on OCP. We do not deploy Prometheus with our KinD setup scripts,\nbut the metrics are still available to query from a service named `ingress-node-firewall-daemon-metrics` or from\nwithin the node daemons themselves:\n1. Exec into one of the node daemons\n```sh\nkubectl exec -n ${OPERATOR_NAMESPACE} -it ${NODE_DAEMON_NAME} -- sh\n```\n2. Retrieve the Prometheus formatted metrics\n```sh\ncurl 127.0.0.1:39401/metrics\n```\n\nWithin OCP, you may use the OCP console to open the PromQL query page and search for the following metrics:\n- ingressnodefirewall_node_packet_allow_total\n- ingressnodefirewall_node_packet_allow_bytes\n- ingressnodefirewall_node_packet_deny_total\n- ingressnodefirewall_node_packet_deny_bytes\n\n## Useful commands and tricks\n\n### Generating operator bundle\n\nIn order to generate an operator bundle, run the following:\n```shell\nmake bundle\nmake manifests\n```\n\n### Building the DaemonSet image\n\nThis operator depends on the DaemonSet image. 
You can build this image and push it to your registry with:\n```sh\nmake docker-build-daemon DAEMON_IMG=\u003cregistry\u003e/\u003cimage\u003e:\u003ctag\u003e\n# or make podman-build-daemon DAEMON_IMG=\u003cregistry\u003e/\u003cimage\u003e:\u003ctag\u003e\nmake docker-push-daemon DAEMON_IMG=\u003cregistry\u003e/\u003cimage\u003e:\u003ctag\u003e\n# or make podman-push-daemon DAEMON_IMG=\u003cregistry\u003e/\u003cimage\u003e:\u003ctag\u003e\n```\n\n### Running the operator locally\n\n\u003e NOTE: Running the operator like this should be used for development purposes only.\n\u003e It may be helpful when making changes to and testing the main controller.\n\u003e However, there may be obstacles getting this to work with the DaemonSet.\n\u003e See [Running on a KinD cluster](README.md#running-on-a-kind-cluster) and\n\u003e [Running on an OCP cluster](README.md#running-on-an-ocp-cluster) for more reliable instructions.\n\n1. Export your Kubernetes credentials\n2. Create the project and service account\n```sh\noc new-project ingress-node-firewall-system\noc create sa ingress-node-firewall-daemon\noc adm policy add-scc-to-user privileged -z ingress-node-firewall-daemon\n```\n\n3. Run this operator locally with the following commands:\n```sh\nexport DAEMONSET_IMAGE=\u003cregistry\u003e/\u003cimage\u003e:\u003ctag\u003e\nexport DAEMONSET_NAMESPACE=ingress-node-firewall-system\nexport KUBE_RBAC_PROXY_IMAGE=quay.io/openshift/origin-kube-rbac-proxy:latest\nmake install run\n```\n\n4. Create the `IngressNodeFirewallConfig` CR.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenshift%2Fingress-node-firewall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopenshift%2Fingress-node-firewall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenshift%2Fingress-node-firewall/lists"}