Merge pull request #2657 from aledbf/firewall_add_new_node

feat(security): allow access to new nodes using the custom firewall

Author: mboersma

contrib/util/custom-firewall.sh

@@ -2,6 +2,11 @@
 
 echo "Obtaining IP addresses of the nodes in the cluster..."
 MACHINES_IP=$(fleetctl list-machines --fields=ip --no-legend | awk -vORS=, '{ print $1 }' | sed 's/,$/\n/')
+
+if [ -n "$NEW_NODE" ]; then
+  MACHINES_IP+=,$NEW_NODE
+fi
+
 echo "Cluster IPs: $MACHINES_IP"
 
 echo "Creating firewall Rules..."
@@ -53,6 +58,9 @@ echo "$template" | sudo tee /var/lib/iptables/rules-save > /dev/null
 echo "Enabling iptables service"
 sudo systemctl enable iptables-restore.service
 
+# Flush custom rules before the restore (so this script is idempotent)
+sudo /usr/sbin/iptables -F Firewall-INPUT
+
 echo "Loading custom iptables firewall"
 sudo /sbin/iptables-restore --noflush /var/lib/iptables/rules-save
 

docs/managing_deis/security_considerations.rst

@@ -66,6 +66,15 @@ be exposed to the public are:
 For providers that do not supply a security group feature, please try
 `contrib/util/custom-firewall.sh`_.
 
+.. note::
+    If you need to add a new node to the cluster and you are using the custom firewall 
+    `contrib/util/custom-firewall.sh`_ you must allow the access to the cluster running
+    the next command in each existing node:
+
+.. code-block:: console
+
+    $ NEW_NODE="IP address" contrib/util/custom-firewall.sh
+
 Router firewall
 ---------------
 The :ref:`Router` component includes a firewall to help thwart attacks. It can be enabled by running: