Skip to content

Commit 0ea5ff4

Browse files
andrewazoresandrewazores
committed
feat(network): enable optional egress network policy
1 parent 82465ca commit 0ea5ff4

File tree

5 files changed

+147
-17
lines changed

5 files changed

+147
-17
lines changed

charts/cryostat/README.md

Lines changed: 18 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -296,18 +296,21 @@ certificate issuance and rotation.
296296

297297
### Other Parameters
298298

299-
| Name | Description | Value |
300-
| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
301-
| `imagePullSecrets` | Image pull secrets to be used for the Cryostat deployment | `[]` |
302-
| `nameOverride` | Overrides the name of this Chart | `""` |
303-
| `fullnameOverride` | Overrides the fully qualified application name of `[release name]-[chart name]` | `""` |
304-
| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
305-
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
306-
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
307-
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""` |
308-
| `podAnnotations` | Annotations to be applied to the various Pods | `{}` |
309-
| `podSecurityContext` | Security Context for the Cryostat Pod. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [PodSecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) | `{}` |
310-
| `networkPolicy.ingress.enabled` | whether a NetworkPolicy for restricting Cryostat component Pods' traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods | `true` |
311-
| `nodeSelector` | default Node Selector for the various Pods. Any Pod which does not have an individual nodeSelector setting will default to this. See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` |
312-
| `tolerations` | default Tolerations for the various Pods. See: [Tolerations](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `[]` |
313-
| `affinity` | default Affinity for the various Pods. See: [Affinity](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` |
299+
| Name | Description | Value |
300+
| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
301+
| `imagePullSecrets` | Image pull secrets to be used for the Cryostat deployment | `[]` |
302+
| `nameOverride` | Overrides the name of this Chart | `""` |
303+
| `fullnameOverride` | Overrides the fully qualified application name of `[release name]-[chart name]` | `""` |
304+
| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
305+
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
306+
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
307+
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""` |
308+
| `podAnnotations` | Annotations to be applied to the various Pods | `{}` |
309+
| `podSecurityContext` | Security Context for the Cryostat Pod. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [PodSecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) | `{}` |
310+
| `networkPolicy.ingress.enabled` | whether a NetworkPolicy for restricting Cryostat component Pods' inbound traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods. | `true` |
311+
| `networkPolicy.egress.enabled` | whether a NetworkPolicy for restricting Cryostat component Pods' outbound traffic is installed. This prevents Cryostat's component Pods from opening connections to unexpected destinations. The policy will allow Cryostat's Pods to communicate with each other, to the cluster API server, and to any target namespaces (core.discovery.kubernetes.namespaces). This is off by default since some cluster network plugins cause JDBC connectivity issues between Cryostat and its database when this policy is activated. When enabled, Cryostat users will not be able to define Custom Targets that are located outside of the target namespaces defined at installation time. | `false` |
312+
| `nodeSelector` | default Node Selector for the various Pods. Any Pod which does not have an individual nodeSelector setting will default to this. See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` |
313+
| `tolerations` | default Tolerations for the various Pods. See: [Tolerations](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `[]` |
314+
| `affinity` | default Affinity for the various Pods. See: [Affinity](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` |
315+
316+
>>>>>>> 8ca4149 (feat(network): enable optional egress network policy)

charts/cryostat/templates/networkpolicy_egress.yaml

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
{{- if ((.Values.networkPolicy.egress).enabled) }}
2+
apiVersion: networking.k8s.io/v1
3+
kind: NetworkPolicy
4+
metadata:
5+
name: {{ .Release.Name }}-internal-egress
6+
namespace: {{ .Release.Namespace }}
7+
spec:
8+
policyTypes:
9+
- Egress
10+
podSelector:
11+
matchLabels:
12+
{{- include "cryostat.selectorLabels" $ | nindent 6 }}
13+
app.kubernetes.io/component: cryostat
14+
egress:
15+
- to:
16+
- namespaceSelector:
17+
matchLabels:
18+
kubernetes.io/metadata.name: {{ .Release.Namespace }}
19+
{{- if .Values.authentication.openshift.enabled }}
20+
{{- $kubernetesEndpoint := lookup "v1" "Endpoints" "default" "kubernetes" }}
21+
{{- $kubernetesAddress := (first $kubernetesEndpoint.subsets).addresses }}
22+
{{- $kubernetesIP := (first $kubernetesAddress).ip }}
23+
- to:
24+
- ipBlock:
25+
cidr: {{ $kubernetesIP }}/32
26+
{{- end }}
27+
- to:
28+
- namespaceSelector:
29+
matchExpressions:
30+
- key: kubernetes.io/metadata.name
31+
operator: In
32+
values:
33+
- default
34+
- kube-system
35+
- openshift
36+
- {{ .Release.Namespace }}
37+
{{- range .Values.core.discovery.kubernetes.namespaces }}
38+
- {{ . }}
39+
{{- end }}
40+
{{- end }}

charts/cryostat/tests/networkpolicy_egress_test.yaml

Lines changed: 74 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,74 @@
1+
suite: test networkpolicy_egress.yaml
2+
templates:
3+
- networkpolicy_egress.yaml
4+
5+
tests:
6+
- it: should be disabled by default
7+
asserts:
8+
- hasDocuments:
9+
count: 0
10+
11+
- it: should create an internal-access policy
12+
set:
13+
networkPolicy.egress.enabled: true
14+
asserts:
15+
- equal:
16+
path: kind
17+
value: NetworkPolicy
18+
- equal:
19+
path: metadata.name
20+
value: RELEASE-NAME-internal-egress
21+
- equal:
22+
path: metadata.namespace
23+
value: NAMESPACE
24+
- equal:
25+
path: spec.podSelector
26+
value:
27+
matchLabels:
28+
app.kubernetes.io/instance: RELEASE-NAME
29+
app.kubernetes.io/name: cryostat
30+
app.kubernetes.io/component: cryostat
31+
- equal:
32+
path: spec.egress
33+
value:
34+
- to:
35+
- namespaceSelector:
36+
matchLabels:
37+
kubernetes.io/metadata.name: NAMESPACE
38+
- to:
39+
- namespaceSelector:
40+
matchExpressions:
41+
- key: kubernetes.io/metadata.name
42+
operator: In
43+
values:
44+
- default
45+
- kube-system
46+
- openshift
47+
- NAMESPACE
48+
49+
- it: should allow additional egress to target namespaces
50+
set:
51+
networkPolicy.egress.enabled: true
52+
core.discovery.kubernetes.namespaces:
53+
- apps1
54+
- apps2
55+
asserts:
56+
- equal:
57+
path: spec.egress
58+
value:
59+
- to:
60+
- namespaceSelector:
61+
matchLabels:
62+
kubernetes.io/metadata.name: NAMESPACE
63+
- to:
64+
- namespaceSelector:
65+
matchExpressions:
66+
- key: kubernetes.io/metadata.name
67+
operator: In
68+
values:
69+
- default
70+
- kube-system
71+
- openshift
72+
- NAMESPACE
73+
- apps1
74+
- apps2

0 commit comments

Comments
 (0)