@andrewazores andrewazores commented Nov 13, 2024

Related to #205

To test on OpenShift:

  1. helm install --set core.route.enabled=true --set authentication.openshift.enabled=true cryostat ./charts/cryostat
  2. Wait for the deployment to become ready.
  3. oc run runner --image=registry.access.redhat.com/ubi8/ubi --rm -it /bin/bash. This runs an additional Pod in the same installation namespace, but one which is not part of Cryostat and does not have the same selector labels. Once this comes up and you have a shell, curl -v http://cryostat:8181 or curl -v http://cryostat-storage:8333. These should time out.
  4. Open Route (echo https://$(oc get route -n cryostat cryostat -o jsonpath="{.status.ingress[0].host}")) and ensure Cryostat UI behaves as usual. Create a localhost:0 custom target, start and archive a recording, etc.
  5. helm uninstall cryostat
  6. helm install --set core.route.enabled=true --set authentication.openshift.enabled=true --set networkPolicy.ingress.enabled=false cryostat ./charts/cryostat
  7. Wait for the deployment to become ready.
  8. oc run runner --image=registry.access.redhat.com/ubi8/ubi --rm -it /bin/bash. Once this comes up and you have a shell, curl -v http://cryostat:8181 or curl -v http://cryostat-storage:8333. These should succeed and return HTTP responses quickly.
  9. Repeat the test from step 4 to ensure Cryostat is working as expected from the user's POV.

Similar testing on other types of cluster (kind, minikube) should also work, with the usual adjustments (don't use core.route.enabled or authentication.openshift.enabled, etc.).


I also spent some time trying to define Egress policies. I thought this would be interesting along the same lines as cryostatio/cryostat-agent#242 and cryostatio/cryostat#323 - we could add network-level restrictions (firewall rules) to prevent Cryostat from being made to open network connections to unexpected destinations, i.e. namespaces outside of the admin's chosen list of target namespaces. However, I ran into issues where this interrupted Cryostat's ability to connect to its own database deployment, and I was also not completely sure of the right approach to allow Cryostat and the openshift-oauth-proxy to have traffic egress to the k8s API server (for doing RBAC checks, or Endpoints discovery). I'm holding off on that idea for now, but it may be worth following up on again later.

@mergify mergify bot added the safe-to-test label Nov 13, 2024
@andrewazores andrewazores added the feat New feature or request label Nov 13, 2024
@andrewazores andrewazores marked this pull request as ready for review November 13, 2024 17:23
@ebaron ebaron left a comment


When testing on OpenShift, I seem to be getting 503 errors when trying to access Cryostat through its Route. When the Network Policy is disabled, the route works fine. Not sure why.
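The test plan in the PR description (a `runner` pod without the chart's selector labels must time out against `cryostat:8181`, while the UI behind the Route must keep working) and the 503 reported above are both questions about which peers an ingress NetworkPolicy admits. The following is an added example written for this page; it is not code from the Cryostat project or from the chart under review. It is a small offline evaluator of Kubernetes NetworkPolicy ingress semantics (matchLabels selectors, the AND between `podSelector` and `namespaceSelector` inside one `from` entry, the OR across entries, the namespace scoping of a bare `podSelector`, and the "no selecting policy means open" default). The pod and namespace labels, the policy name, and the `app.kubernetes.io/*` selector labels are assumptions, not the chart's actual values. The one OpenShift-specific fact it relies on is that the `openshift-ingress` namespace carries the label `network.openshift.io/policy-group=ingress`, which is the selector OpenShift documents for admitting router traffic; a policy whose only peer is the chart's own pod selector does not admit the router, which is the first thing to check when a Route starts returning 503 once the policy is enabled.

```python
# Added example, not Cryostat's chart or code: an offline evaluator for
# Kubernetes NetworkPolicy ingress rules. All labels below are constructed.
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


# Constructed namespace label sets. The policy-group label on openshift-ingress
# is the one OpenShift documents for "allow-from-openshift-ingress" policies.
NAMESPACE_LABELS = {
    "cryostat": {"kubernetes.io/metadata.name": "cryostat"},
    "openshift-ingress": {
        "kubernetes.io/metadata.name": "openshift-ingress",
        "network.openshift.io/policy-group": "ingress",
    },
    "other": {"kubernetes.io/metadata.name": "other"},
}

# Hypothetical selector labels standing in for the chart's own.
CRYOSTAT_LABELS = {"app.kubernetes.io/name": "cryostat", "app.kubernetes.io/instance": "cryostat"}


def matches(selector, labels):
    """matchLabels-only label selector; {} matches everything, as in the k8s API."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_allows(peer, src, policy_ns):
    """One ingress[].from[] entry. podSelector and namespaceSelector are ANDed;
    a podSelector without a namespaceSelector only covers the policy's namespace."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock peers are not modelled here
    if ns_sel is not None:
        if not matches(ns_sel, NAMESPACE_LABELS.get(src.namespace, {})):
            return False
    elif src.namespace != policy_ns:
        return False
    return pod_sel is None or matches(pod_sel, src.labels)


def rule_covers_port(rule, port):
    """A rule without 'ports' covers every port; otherwise the port must be listed."""
    ports = rule.get("ports")
    return not ports or any(p.get("port") == port for p in ports)


def ingress_allowed(policies, src, dst, port):
    """True if src may connect to dst:port. A pod selected by no Ingress policy is
    open; once selected, any matching rule in any selecting policy admits."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst.namespace
        and "Ingress" in (p["spec"].get("policyTypes") or ["Ingress"])
        and matches(p["spec"]["podSelector"], dst.labels)
    ]
    if not selecting:
        return True
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            if not rule_covers_port(rule, port):
                continue
            if not rule.get("from"):
                return True  # a rule with no 'from' admits every source
            if any(peer_allows(peer, src, p["metadata"]["namespace"]) for peer in rule["from"]):
                return True
    return False


def cryostat_policy(admit_router):
    """Ingress allow-list for the Cryostat pods: peers carrying the same selector
    labels in the install namespace, optionally plus the OpenShift router namespace."""
    peers = [{"podSelector": {"matchLabels": CRYOSTAT_LABELS}}]
    if admit_router:
        peers.append({"namespaceSelector": {"matchLabels": {"network.openshift.io/policy-group": "ingress"}}})
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "cryostat-ingress", "namespace": "cryostat"},
        "spec": {
            "podSelector": {"matchLabels": CRYOSTAT_LABELS},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": peers, "ports": [{"port": 8181, "protocol": "TCP"}]}],
        },
    }


# Constructed peers: the Cryostat pod, the unlabeled 'runner' pod from the test
# plan, a router pod in openshift-ingress, and a same-labelled pod elsewhere.
CRYOSTAT = Pod("cryostat-0", "cryostat", dict(CRYOSTAT_LABELS))
RUNNER = Pod("runner", "cryostat", {"run": "runner"})
ROUTER = Pod("router-default", "openshift-ingress", {"app": "router"})
IMPOSTOR = Pod("cryostat-copy", "other", dict(CRYOSTAT_LABELS))


def reachability(admit_router):
    """Which constructed peers can reach cryostat:8181 under the policy."""
    pols = [cryostat_policy(admit_router)]
    return {src.name: ingress_allowed(pols, src, CRYOSTAT, 8181) for src in (CRYOSTAT, RUNNER, ROUTER, IMPOSTOR)}


if __name__ == "__main__":
    print("policy on, router not admitted:", reachability(False))
    print("policy on, router admitted:    ", reachability(True))
    print("no policy (ingress.enabled=false), runner ->", ingress_allowed([], RUNNER, CRYOSTAT, 8181))
```

Run it and the first line shows the test plan's expected outcome (`runner` denied, Cryostat's own pods admitted, a same-labelled pod in another namespace denied) while `router-default` is also denied; the second line shows the router admitted once the namespace peer is added. With no policy at all every source is open, which is the `networkPolicy.ingress.enabled=false` case in steps 6 to 8. Real enforcement also depends on the CNI plugin honouring NetworkPolicy, which this evaluator assumes.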

@andrewazores andrewazores merged commit c7fb4f2 into cryostatio:main Apr 7, 2025
12 checks passed
@andrewazores andrewazores deleted the network-policies branch April 7, 2025 14:18
mergify bot pushed a commit that referenced this pull request Apr 7, 2025
andrewazores added a commit that referenced this pull request Apr 7, 2025

Labels

backport feat New feature or request safe-to-test


3 participants