A Backstage Software Template for managing firewall rules using Crossplane.
This template creates the necessary Crossplane resources to manage firewall rules in your infrastructure. It includes:
- XRD (Composite Resource Definition): Defines the FirewallRule API
- Composition: Implements the firewall rule management logic
- Example Claim: Shows how to create a firewall rule
- Security Management: Define network access control rules
- Protocol Support: TCP, UDP, ICMP, or all protocols
- Action Control: Accept, drop, or reject traffic
- CIDR Support: Full IPv4 CIDR notation support
Ensure Crossplane is installed in your cluster:
```bash
kubectl create namespace crossplane-system
helm repo add crossplane-stable https://charts.crossplane.io/stable
helm install crossplane --namespace crossplane-system crossplane-stable/crossplane
```
Install the necessary Crossplane composition functions:
```bash
kubectl apply -f - <<EOF
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-go-templating
spec:
  package: xpkg.upbound.io/crossplane-contrib/function-go-templating:v0.10.0
---
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-auto-ready
spec:
  package: xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.2.1
EOF
```
- Navigate to the Software Catalog
- Click "Create Component"
- Select "Firewall Rule"
- Fill in the required parameters:
  - Rule Name: Unique identifier for this firewall rule
  - Namespace: Kubernetes namespace (default: `default`)
  - Source IP/CIDR: Source address or network
  - Destination IP/CIDR: Destination address or network
  - Protocol: ALL, TCP, UDP, or ICMP
  - Action: ACCEPT, DROP, or REJECT
  - Owner: Team or user who owns this resource
- Apply the XRD:
  ```bash
  kubectl apply -f content/definition.yaml
  ```
- Apply the Composition:
  ```bash
  kubectl apply -f content/composition.yaml
  ```
- Create a claim:
  ```bash
  kubectl apply -f content/example.yaml
  ```
Parameter | Description | Type | Default | Required |
---|---|---|---|---|
name | Rule name | string | - | Yes |
namespace | Kubernetes namespace | string | default | No |
source | Source IP/CIDR | string | - | Yes |
destination | Destination IP/CIDR | string | - | Yes |
protocol | Network protocol | string | ALL | No |
action | Rule action | string | ACCEPT | No |
owner | Resource owner | string | group:platform | No |
```yaml
# Allow all traffic from any source to any destination
spec:
  source: 0.0.0.0/0
  destination: 0.0.0.0/0
  protocol: ALL
  action: ACCEPT
```

```yaml
# Silently drop everything from 192.168.1.0/24 towards 10.0.0.0/8
spec:
  source: 192.168.1.0/24
  destination: 10.0.0.0/8
  protocol: ALL
  action: DROP
```

```yaml
# Allow TCP from anywhere to the single host 10.0.0.100
spec:
  source: 0.0.0.0/0
  destination: 10.0.0.100
  protocol: TCP
  action: ACCEPT
  # Note: Port specification would be added in production
```

```yaml
# Allow ICMP between two subnets
spec:
  source: 10.0.0.0/24
  destination: 10.0.1.0/24
  protocol: ICMP
  action: ACCEPT
```
- ACCEPT: Allows the traffic to pass through. This is the default action for permissive rules.
- DROP: Silently discards the packet without sending any response to the source. Used for stealth blocking.
- REJECT: Blocks the traffic and sends an ICMP response to the source indicating the traffic was rejected.
The template creates a composite resource consisting of:
- ConfigMap: Stores firewall rule configuration
- Provider Integration: Would connect to actual firewall/security group providers
- Rule Application: Applies rules to network infrastructure
For production use, you'll need to:
- Install a Cloud Provider: Such as provider-aws, provider-azure, or provider-gcp
- Configure Provider Credentials: Set up authentication for your cloud provider
- Update Composition: Replace the mock implementation with actual security group resources
Example with AWS Security Groups:
```yaml
  - step: create-security-group-rule
    functionRef:
      name: function-go-templating
    input:
      apiVersion: gotemplating.fn.crossplane.io/v1beta1
      kind: GoTemplate
      source: Inline
      inline:
        template: |
          apiVersion: ec2.aws.upbound.io/v1beta1
          kind: SecurityGroupRule
          metadata:
            annotations:
              # function-go-templating uses this annotation to name the composed resource
              gotemplating.fn.crossplane.io/composition-resource-name: sg-rule
          spec:
            forProvider:
              region: us-east-1
              type: ingress
              # Port and protocol are fixed here; the claim's protocol is not mapped yet.
              # Security group rules only allow traffic, so DROP/REJECT cannot be expressed
              # with this resource (a deny needs a network ACL rule instead).
              fromPort: 443
              toPort: 443
              protocol: tcp
              cidrBlocks:
                - {{ .observed.composite.resource.spec.source }}
              securityGroupIdRef:
                name: my-security-group
```
Example with Azure Network Security Groups:
```yaml
  - step: create-nsg-rule
    functionRef:
      name: function-go-templating
    input:
      apiVersion: gotemplating.fn.crossplane.io/v1beta1
      kind: GoTemplate
      source: Inline
      inline:
        template: |
          {{- $spec := .observed.composite.resource.spec }}
          apiVersion: network.azure.upbound.io/v1beta1
          kind: SecurityRule
          metadata:
            annotations:
              # function-go-templating uses this annotation to name the composed resource
              gotemplating.fn.crossplane.io/composition-resource-name: nsg-rule
          spec:
            forProvider:
              # Azure expects Allow or Deny rather than the claim's ACCEPT/DROP/REJECT;
              # Azure has no distinct reject, so both DROP and REJECT become Deny.
              access: {{ if eq $spec.action "ACCEPT" }}Allow{{ else }}Deny{{ end }}
              direction: Inbound
              priority: 100  # must be unique within the NSG; derive it per rule in production
              # Azure protocol values are Tcp, Udp, Icmp, or "*" for all protocols
              protocol: "{{ if eq $spec.protocol "ALL" }}*{{ else if eq $spec.protocol "TCP" }}Tcp{{ else if eq $spec.protocol "UDP" }}Udp{{ else }}Icmp{{ end }}"
              sourceAddressPrefix: {{ $spec.source }}
              destinationAddressPrefix: {{ $spec.destination }}
              # resourceGroupName and networkSecurityGroupName (or their *Ref fields) are also required
```
The template supports standard IPv4 CIDR notation:
- Individual IP: `192.168.1.1` (a single host, equivalent to /32)
- Subnet: `192.168.1.0/24` (256 addresses)
- Large Network: `10.0.0.0/8` (16,777,216 addresses)
- All IPs: `0.0.0.0/0`
Rule not being applied
- Check if the composition is properly configured
- Verify the ConfigMap was created successfully
- Inspect the composition's status and events:
  ```bash
  kubectl describe composition firewallrule
  ```
Invalid CIDR format
- Ensure IP addresses are valid (0-255 for each octet)
- CIDR suffix must be 0-32
- Use online CIDR calculators to verify format
Rule conflicts
- Check for overlapping rules with different actions
- Verify rule priority/order if supported by provider
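An added example, not part of the template's own code: an offline Python pre-check that applies the invalid-CIDR and rule-conflict checks above to a set of claim specs before they are applied with kubectl. The sample rules are constructed from the example specs in this README; treating two rules as conflicting when their source, destination and protocol all overlap but their actions differ is an assumption, since the mock composition defines no precedence.

```python
"""Pre-check FirewallRule claim specs offline (added example, not the template's own code)."""
import ipaddress
from itertools import combinations

PROTOCOLS = {"ALL", "TCP", "UDP", "ICMP"}
ACTIONS = {"ACCEPT", "DROP", "REJECT"}
DEFAULTS = {"protocol": "ALL", "action": "ACCEPT"}  # defaults from the parameter table


def validate_spec(spec):
    """Return a list of problems for one claim spec; an empty list means the spec is valid."""
    problems = []
    for field in ("source", "destination"):
        try:
            # The template documents IPv4 CIDR only; a bare IP such as 10.0.0.100 means /32.
            ipaddress.IPv4Network(str(spec.get(field, "")), strict=False)
        except ValueError:
            problems.append(f"{field}: invalid IPv4 address or CIDR {spec.get(field)!r}")
    for field, allowed in (("protocol", PROTOCOLS), ("action", ACTIONS)):
        value = spec.get(field, DEFAULTS[field])
        if value not in allowed:
            problems.append(f"{field}: {value!r} is not one of {sorted(allowed)}")
    return problems


def _overlap(a, b, field):
    """True when the two specs' networks for `field` share at least one address."""
    return ipaddress.IPv4Network(a[field], strict=False).overlaps(
        ipaddress.IPv4Network(b[field], strict=False))


def find_conflicts(rules):
    """Return (name_a, name_b) pairs of valid specs whose source, destination and protocol
    all overlap but whose actions differ; which rule wins depends on the backing provider."""
    conflicts = []
    for (name_a, a), (name_b, b) in combinations(rules.items(), 2):
        a, b = {**DEFAULTS, **a}, {**DEFAULTS, **b}
        if a["action"] == b["action"]:
            continue
        protocols_overlap = "ALL" in (a["protocol"], b["protocol"]) or a["protocol"] == b["protocol"]
        if protocols_overlap and _overlap(a, b, "source") and _overlap(a, b, "destination"):
            conflicts.append((name_a, name_b))
    return conflicts


# Constructed sample claims mirroring the example specs in this README.
SAMPLE_RULES = {
    "allow-all": {"source": "0.0.0.0/0", "destination": "0.0.0.0/0", "protocol": "ALL", "action": "ACCEPT"},
    "drop-lan-to-corp": {"source": "192.168.1.0/24", "destination": "10.0.0.0/8", "protocol": "ALL", "action": "DROP"},
    "allow-web-host": {"source": "0.0.0.0/0", "destination": "10.0.0.100", "protocol": "TCP", "action": "ACCEPT"},
    "allow-icmp": {"source": "10.0.0.0/24", "destination": "10.0.1.0/24", "protocol": "ICMP", "action": "ACCEPT"},
}

if __name__ == "__main__":
    for name, spec in SAMPLE_RULES.items():
        print(name, validate_spec(spec) or "ok")
    print("conflicts:", find_conflicts(SAMPLE_RULES))
```

Run it against the specs you intend to apply; a non-empty problem list is the "Invalid CIDR format" case, and each reported pair is a candidate for the "Rule conflicts" case.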
- Principle of Least Privilege: Only allow necessary traffic
- Default Deny: Start with blocking all, then allow specific traffic
- Segmentation: Use different rules for different network segments
- Logging: Enable logging for DROP/REJECT actions
- Regular Review: Periodically audit firewall rules
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Submit a pull request
MIT License - see LICENSE file for details
For issues and questions:
- GitHub Issues: open-service-portal/service-firewall-template
- Discussions: open-service-portal/discussions