8.5 Securing NFS

You must secure the NFS shared directories from external access. This section describes one method of restricting NFS to the master and worker nodes in the cluster: the NFS ports are closed in the public firewall zone, and only the hosts that need the shares are added as sources of the trusted zone. You can use a different approach, provided it secures NFS adequately.

  1. Log in to the master node as root.

  2. Remove the firewall definition for all NFS ports:

    NFS_PORTS=('111/tcp' '111/udp' '2049/tcp' '20048/tcp')

    for port in "${NFS_PORTS[@]}"; do firewall-cmd --permanent --remove-port="$port"; done

  3. (Conditional) If you installed Identity Intelligence by using scripts, remove all rich rules. The rules are listed from the permanent configuration so that the list matches what `--permanent --remove-rich-rule` removes:

    firewall-cmd --permanent --list-rich-rules | xargs -I '{}' firewall-cmd --permanent --remove-rich-rule '{}'

  4. Reload the new firewall configuration:

    firewall-cmd --reload

  5. Restart the nginx pod to apply the new firewall configuration:

    SUITE_NAMESPACE=$(kubectl get namespaces | grep arcsight | cut -d ' ' -f1)

    kubectl delete pod --namespace=$SUITE_NAMESPACE -l app=nginx-ingress-lb

  6. (Conditional) If you want to expose the NFS shares to other hosts, such as the other master and worker nodes:

    1. Add the host or hosts as sources of the trusted zone. Specify only the addresses that need the shares; do not use a wildcard such as 0.0.0.0/0:

      firewall-cmd --add-source="<IP_address or CIDR expression of host or hosts>" --zone="trusted" --permanent

    2. Reload the new firewall configuration:

      firewall-cmd --reload

    3. Restart the nginx pod to apply the new firewall configuration:

      SUITE_NAMESPACE=$(kubectl get namespaces | grep arcsight | cut -d ' ' -f1)

      kubectl delete pod --namespace=$SUITE_NAMESPACE -l app=nginx-ingress-lb
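The following helpers are added here and are not part of the Identity Intelligence documentation. They check the state that steps 2 to 6 should leave behind: that no NFS port remains open in the public zone, and that the value passed to --add-source in step 6 is a single IPv4 host or a reasonably narrow CIDR block rather than a wildcard. The port list at the end is a constructed sample, and "public" is assumed to be the default zone.

```bash
#!/usr/bin/env bash
# Verification helpers for the NFS firewall procedure (added example, not
# product code). They parse plain strings, so they run offline against the
# constructed sample below as well as against real firewall-cmd output.

NFS_PORTS=('111/tcp' '111/udp' '2049/tcp' '20048/tcp')

# nfs_ports_closed OPEN_PORTS
# OPEN_PORTS is the space-separated list printed by
# `firewall-cmd --zone=public --list-ports`. Returns 0 when no NFS port is
# present; otherwise prints the first exposed port and returns 1.
nfs_ports_closed() {
  local open=" $1 " port
  for port in "${NFS_PORTS[@]}"; do
    case "$open" in
      *" $port "*) echo "exposed: $port"; return 1 ;;
    esac
  done
  return 0
}

# valid_trusted_source SOURCE
# Accepts one IPv4 host or a CIDR block no wider than /8 for --add-source,
# so a typo such as 0.0.0.0/0 cannot silently trust every host (IPv4 only).
valid_trusted_source() {
  local src="$1" ip prefix o
  ip="${src%%/*}"
  prefix="${src#*/}"
  [ "$prefix" = "$src" ] && prefix=32            # bare address means /32
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -ge 8 ] && [ "$prefix" -le 32 ] || return 1
  local IFS=.
  set -- $ip                                     # split into four octets
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print the trusted-zone command for SOURCE, or refuse it.
trust_source_cmd() {
  valid_trusted_source "$1" || { echo "refusing source: $1" >&2; return 1; }
  echo "firewall-cmd --permanent --zone=trusted --add-source=$1"
}

# Constructed sample: a public zone that still exposes rpcbind and mountd.
SAMPLE_PUBLIC_PORTS='22/tcp 111/tcp 443/tcp 2049/tcp 20048/tcp 5443/tcp'
nfs_ports_closed "$SAMPLE_PUBLIC_PORTS" || echo "NFS still reachable from the public zone"
```

On a real node, run `nfs_ports_closed "$(firewall-cmd --zone=public --list-ports)"` after step 4 and pass each intended source through `trust_source_cmd` before step 6.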