From e2388c7df431c086cd49199f0e12ff1c5744a6c3 Mon Sep 17 00:00:00 2001
From: unchama <11990197+unchama@users.noreply.github.com>
Date: Sat, 16 Dec 2023 15:39:50 +0900
Subject: [PATCH] =?UTF-8?q?feat:=20bungeecord=E7=94=A8=E3=81=AEcilium-netw?=
=?UTF-8?q?ork-policy=E3=82=92=E9=8C=AC=E6=88=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../cilium-networking/README.md | 11 +
...--from-tcpshield--to-bungeecord-debug.yaml | 235 ++++++++++++++++++
...w--from-tcpshield--to-bungeecord-prod.yaml | 235 ++++++++++++++++++
.../tcpshield-config-generator.sh | 27 ++
4 files changed, 508 insertions(+)
create mode 100644 seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/README.md
create mode 100644 seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/allow--from-tcpshield--to-bungeecord-debug.yaml
create mode 100644 seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/allow--from-tcpshield--to-bungeecord-prod.yaml
create mode 100755 seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/tcpshield-config-generator.sh
diff --git a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/README.md b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/README.md
new file mode 100644
index 000000000..52f12ae3d
--- /dev/null
+++ b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/README.md
@@ -0,0 +1,11 @@
+# tcpshield-condig-generator.sh について
+
+Minecarftの通信ポート(seichi_infraの場合はBungeeCord)はOrigin IP上で公開されており、悪意を持った第三者がポートスキャンなどで発見した場合、Origin IPへのDoS Attackの懸念がある。
+
+これらポートはDDoS対策基盤であるTCPShield以外からの通信に応答する必要はないため、TCPShield以外からの通信に応答しない様にBungeeCordのEndpointに対してCiliumNetworkingPolicyを書いている。
+
+TCPShieldが通信に使用するIPアドレスは以下URLにて公開されている。
+
+
+
+もし何らかの理由でTCPShield側が使用するIPアドレスが変更となった場合は `tcpshield-condig-generator.sh` を使用して最新のIPListをもとにCiliumNetworkingPolicyを生成し、それを参考に各環境の既存のCiliumNetworkingPolicyを編集すること。
diff --git a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/allow--from-tcpshield--to-bungeecord-debug.yaml b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/allow--from-tcpshield--to-bungeecord-debug.yaml
new file mode 100644
index 000000000..cd95c6fc7
--- /dev/null
+++ b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/allow--from-tcpshield--to-bungeecord-debug.yaml
@@ -0,0 +1,235 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow--from-tcpshield--to-bungeecord-debug
+ namespace: seichi-debug-gateway
+spec:
+ endpointSelector:
+ matchLabels:
+ app: bungeecord
+ ingress:
+ - fromCIDRSet:
+ - cidr: 198.178.119.0/24
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 104.234.6.0/24
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.161.19.224/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.161.99.0/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.161.99.32/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.161.99.64/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.161.38.224/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.222.93.0/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.222.93.32/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.222.92.224/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 135.148.217.96/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 135.148.217.192/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.178.221.0/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 217.182.27.224/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.77.31.32/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 178.33.198.192/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 149.202.13.32/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.89.81.0/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.89.81.32/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.195.87.96/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.195.87.128/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.195.52.0/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 141.95.23.0/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 141.95.62.224/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 146.59.66.0/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 146.59.66.32/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 146.59.65.224/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.81.4.128/29
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.222.55.28/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 149.56.152.184/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 158.69.58.208/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.79.61.228/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.178.244.40/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.178.108.172/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 178.32.145.164/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 5.196.219.36/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.89.127.36/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.89.50.132/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 54.36.236.48/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 54.38.216.200/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.75.85.108/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.38.153.44/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.83.245.80/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 135.125.217.68/32
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 143.244.56.249/32
+ toPorts:
+ - ports:
+ - port: "25565"
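Review bot: Every `- port: "25565"` entry in this policy omits `protocol`, and a Cilium `toPorts` entry with no protocol matches TCP, UDP and SCTP alike, so the allow is wider than the single TCP Minecraft port the README describes; add `protocol: TCP` under each port line (`- port: "25565"` / `protocol: TCP`). The same applies to allow--from-tcpshield--to-bungeecord-prod.yaml and to the heredoc template in tcpshield-config-generator.sh. The 44 ingress rules differ only in their CIDR; `fromCIDRSet` accepts a list, so one ingress rule carrying all CIDRs under a single `fromCIDRSet` with one `toPorts` would express the same policy in a fraction of the lines and make a diff against a regenerated list readable. The allow-list only works if the pod sees the real client source address; if the Service in front of bungeecord source-NATs external traffic, the source would be a node address and this policy would drop everything, so it is worth a sentence in the README stating which traffic path was verified.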
diff --git a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/allow--from-tcpshield--to-bungeecord-prod.yaml b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/allow--from-tcpshield--to-bungeecord-prod.yaml
new file mode 100644
index 000000000..55b92b2a3
--- /dev/null
+++ b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/allow--from-tcpshield--to-bungeecord-prod.yaml
@@ -0,0 +1,235 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow--from-tcpshield--to-bungeecord-prod
+ namespace: seichi-gateway
+spec:
+ endpointSelector:
+ matchLabels:
+ app: bungeecord
+ ingress:
+ - fromCIDRSet:
+ - cidr: 198.178.119.0/24
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 104.234.6.0/24
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.161.19.224/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.161.99.0/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.161.99.32/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.161.99.64/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.161.38.224/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.222.93.0/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.222.93.32/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.222.92.224/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 135.148.217.96/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 135.148.217.192/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.178.221.0/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 217.182.27.224/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.77.31.32/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 178.33.198.192/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 149.202.13.32/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.89.81.0/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.89.81.32/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.195.87.96/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.195.87.128/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.195.52.0/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 141.95.23.0/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 141.95.62.224/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 146.59.66.0/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 146.59.66.32/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 146.59.65.224/27
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.81.4.128/29
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.222.55.28/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 149.56.152.184/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 158.69.58.208/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.79.61.228/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.178.244.40/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.178.108.172/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 178.32.145.164/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 5.196.219.36/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.89.127.36/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.89.50.132/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 54.36.236.48/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 54.38.216.200/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.75.85.108/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.38.153.44/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 51.83.245.80/30
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 135.125.217.68/32
+ toPorts:
+ - ports:
+ - port: "25565"
+ - fromCIDRSet:
+ - cidr: 143.244.56.249/32
+ toPorts:
+ - ports:
+ - port: "25565"
diff --git a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/tcpshield-config-generator.sh b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/tcpshield-config-generator.sh
new file mode 100755
index 000000000..422576181
--- /dev/null
+++ b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/tcpshield-config-generator.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+TCPSHIELD_IP_LIST=$(curl -Ss https://tcpshield.com/v4/)
+
+cat < _generated-config.yaml
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow--from-tcpshield--to-bungeecord-hogehoge
+ namespace: hogehoge-namespace
+spec:
+ endpointSelector:
+ matchLabels:
+ app: bungeecord
+EOF
+
+for cidr in "$TCPSHIELD_IP_LIST"
+do
+ cat <> _generated-config.yaml
+ - fromCIDRSet:
+ - cidr: "$cidr"
+ toPorts:
+ - ports:
+ - port: "25565"
+EOF
+
+done
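Review bot: `for cidr in "$TCPSHIELD_IP_LIST"` iterates exactly once, because the quoted expansion is a single word, so the generated file gets one `cidr:` entry containing the whole multi-line list rather than one rule per CIDR; read the list line by line instead. Since the output is an allow-list fed straight into a network policy, each line should also be checked against a CIDR pattern before it is embedded, and `curl` should use `-f` so an HTTP error page is not written into the policy; `set -euo pipefail` at the top would stop the script on a failed download. As rendered here the heredoc lines read `cat < _generated-config.yaml` and `cat <> _generated-config.yaml`, which would read from the file rather than write to it — this is presumably `<<EOF >` / `<<EOF >>` lost in rendering, but worth confirming in the committed file. Separately, the README refers to the script as `tcpshield-condig-generator.sh`, which does not match this filename.
```shell
#!/bin/bash
set -euo pipefail

# -f: fail on HTTP errors instead of writing the error body into the policy
TCPSHIELD_IP_LIST=$(curl -fsS https://tcpshield.com/v4/)

# … unchanged: header heredoc …

while IFS= read -r cidr; do
  [[ -z "$cidr" ]] && continue
  # only accept an IPv4 prefix; anything else in the feed aborts generation
  if ! [[ "$cidr" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]]; then
    printf 'unexpected entry in TCPShield list: %s\n' "$cidr" >&2
    exit 1
  fi
  # … unchanged: per-CIDR heredoc …
done <<<"$TCPSHIELD_IP_LIST"
```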