Puppet Class: gitlab_runner::firewall
- Defined in:
- modules/gitlab_runner/manifests/firewall.pp
Overview
SPDX-License-Identifier: Apache-2.0
# File 'modules/gitlab_runner/manifests/firewall.pp', line 2
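# @summary Manage the ferm configuration for Docker on a GitLab runner.
#
# Installs the docker-ferm configuration from the module template and,
# depending on the flags, adds rules to the DOCKER-ISOLATION chain that
# limit what containers may reach (the internal network and Docker Hub).
#
# @param subnet
#   Address or network handed to the docker-ferm.erb template; the template
#   itself is not visible here, so how it is used is defined there.
# @param ensure
#   Whether the ferm configuration and every rule declared here are present
#   or absent.
# @param restrict_firewall
#   When true, reject all container traffic to $internal_ip_range except
#   for the services listed in $allowed_services.
# @param block_dockerhub
#   When true, reject container traffic to the Docker Hub hostnames listed
#   in the rule below.
# @param allowed_services
#   Map of rule name to service description (host, port and optional proto)
#   that containers may still reach inside the internal range. Only
#   consulted when $restrict_firewall is true.
# @param internal_ip_range
#   IPv4 CIDR rejected as a destination when $restrict_firewall is true.
class gitlab_runner::firewall (
    Stdlib::IP::Address                         $subnet,
    Wmflib::Ensure                              $ensure            = present,
    Boolean                                     $restrict_firewall = false,
    Boolean                                     $block_dockerhub   = true,
    # A Hash-typed parameter needs a Hash default: with `[]` (an Array) the
    # default fails the type check whenever the parameter is not supplied.
    Hash[String, Gitlab_runner::AllowedService] $allowed_services  = {},
    Stdlib::IP::Address::V4::CIDR               $internal_ip_range = '10.0.0.0/8',
) {
    ferm::conf { 'docker-ferm':
        ensure  => $ensure,
        prio    => 20,
        content => template('gitlab_runner/docker-ferm.erb'),
    }

    if $restrict_firewall {
        # Blanket reject for the internal range. The per-service ACCEPT rules
        # below use prio 18 so that they are ordered ahead of this prio 19
        # reject (assumes a lower prio is loaded first — the same ordering the
        # rest of this class relies on).
        ferm::rule { 'docker-default-reject':
            ensure => $ensure,
            prio   => 19,
            rule   => "daddr ${internal_ip_range} REJECT;",
            desc   => 'reject all docker traffic to internal wmnet network',
            chain  => 'DOCKER-ISOLATION',
        }

        # One explicit exception to the reject above per allowed service.
        $allowed_services.each |String $name, Gitlab_runner::AllowedService $allowed_service| {
            # The service may omit proto; tcp is the default.
            $proto = pick($allowed_service['proto'], 'tcp')
            # host, port and proto are interpolated verbatim into the ferm rule
            # text, so the Gitlab_runner::AllowedService type is the only thing
            # keeping ferm syntax characters out of them (type not visible
            # here — confirm it constrains host and port accordingly).
            # @resolve turns the hostname into addresses when ferm loads the
            # ruleset, so a DNS change only takes effect on the next reload.
            ferm::rule { "docker-allow-${name}":
                ensure => $ensure,
                prio   => 18,
                rule   => "daddr (@resolve(${allowed_service['host']})) proto ${proto} dport ${allowed_service['port']} ACCEPT;",
                desc   => "allow traffic to ${name} from docker",
                chain  => 'DOCKER-ISOLATION',
            }
        }
    }

    if $block_dockerhub {
        # Reject all container traffic to Docker Hub. As above, the hostnames
        # are resolved when ferm loads the ruleset, not per packet.
        ferm::rule { 'docker-dockerhub-reject':
            ensure => $ensure,
            prio   => 19,
            rule   => 'daddr @resolve((registry-1.docker.io docker.io index.docker.io hub.docker.com production.cloudflare.docker.com)) REJECT;',
            desc   => 'reject all docker traffic to dockerhub',
            chain  => 'DOCKER-ISOLATION',
        }
    }
}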