You must secure the NFS shared directories from external access. This section provides one method for ensuring security while maintaining access to master and worker nodes in the cluster. However, you can use a different approach to adequately secure NFS.
Log in to the master node as root.
Remove the firewall definition for all NFS ports:
NFS_PORTS=('111/tcp' '111/udp' '2049/tcp' '20048/tcp')
for port in "${NFS_PORTS[@]}"; do firewall-cmd --permanent --remove-port $port; done;
(Conditional) If you have installed Fusion by using scripts, remove all rich rules:
firewall-cmd --list-rich-rules |xargs -I '{}' firewall-cmd --permanent --remove-rich-rule '{}'
Reload the new firewall configuration:
firewall-cmd --reload
Restart the nginx pod to apply the new firewall configuration:
SUITE_NAMESPACE=$(kubectl get namespaces |grep arcsight|cut -d ' ' -f1)
kubectl delete pod --namespace=$SUITE_NAMESPACE -l app=nginx-ingress-lb
(Conditional) To expose NFS shares to other hosts such as other master and worker node, complete the following steps:
Execute the command:
firewall-cmd --add-source="<IP_address or CIDR expression of host or hosts>" --zone="trusted" --permanent
Reload the new firewall configuration:
firewall-cmd --reload
Restart the nginx pod to apply the new firewall configuration:
SUITE_NAMESPACE=$(kubectl get namespaces |grep arcsight|cut -d ' ' -f1)
kubectl delete pod --namespace=$SUITE_NAMESPACE -l app=nginx-ingress-lb