Skip to content

Specify initial rule set in firewall spec #81

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
simcod wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Specify initial rule set in firewall spec #81

simcod wants to merge 3 commits into from

Conversation

@simcod
Copy link

@simcod simcod commented Dec 11, 2025
edited
Loading

Description

Allows specifying an initial rule set for firewall creation.

Code extracted from: #64

@metal-robot metal-robot bot added the area: gardener Affects the gardener area. label Dec 11, 2025
@simcod simcod added the area: cluster-api Affects the cluster-api area. label Dec 11, 2025
@simcod simcod marked this pull request as ready for review December 11, 2025 09:36
@simcod simcod requested a review from a team as a code owner December 11, 2025 09:36
@simcod simcod mentioned this pull request Dec 11, 2025
Open
@vknabel vknabel force-pushed the initial-firewall-ruleset-v2 branch from a4e5cb2 to fd56c1b Compare January 8, 2026 12:18
@vknabel vknabel requested a review from Gerrit91 January 8, 2026 12:18
Gerrit91
Gerrit91 reviewed Jan 8, 2026
View reviewed changes
Copy link
Contributor

@Gerrit91 Gerrit91 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks really good, just one remark.

api/v2/types_firewall.go
// Protocol constraints the protocol this rule applies to.
Protocol NetworkProtocol `json:"protocol"`
// To source address cidrs this rule applies to.
To []string `json:"to"`
Copy link
Contributor

@Gerrit91 Gerrit91 Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It does not have to be 100% complete (this is done by metal-api anyway) but maybe some very basic validation would be nice to prevent misconfiguration. The validations can be found api/v2/validation/firewall.go.

For me it would be sufficient to add:

  • Valid protocol
  • Valid CIDRs
  • Valid port range

Copy link
Author

@simcod simcod Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I checked the metal-api and added some basic checks. Is that what you were thinking about? Could be slightly refactored to remove duplication.

Copy link
Contributor

@Gerrit91 Gerrit91 Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that was what I was thinking about. Thanks for adding these validations. :)
Please apply your refactorings and I'll give it another review.

@simcod simcod requested a review from Gerrit91 January 15, 2026 09:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Gerrit91 Gerrit91 Awaiting requested review from Gerrit91

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

area: cluster-api Affects the cluster-api area. area: gardener Affects the gardener area.

Projects

Development
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@simcod @Gerrit91