From 3121fc24c5a35550eda6ce4d07207802cd6ec75d Mon Sep 17 00:00:00 2001 From: Tin Lam Date: Tue, 3 Sep 2019 14:59:59 -0500 Subject: [PATCH] Update egress HTK method This patch set places logic to generate kubernetes egress network policy rule based on the dependencies specified in values.yaml. This also sets up the necessary default network policy for the OSH gate. Change-Id: I1ac649cc9debb5d1f4ea0a32f506dcda4d8b8536 Signed-off-by: Tin Lam --- ceph-rgw/templates/network_policy.yaml | 2 +- ceph-rgw/values.yaml | 20 ++- ceph-rgw/values_overrides/netpol.yaml | 20 +++ .../templates/manifests/_network_policy.tpl | 165 ++++++++++++++---- mariadb/values_overrides/netpol.yaml | 9 + memcached/values_overrides/netpol.yaml | 9 + rabbitmq/values_overrides/netpol.yaml | 24 +++ 7 files changed, 216 insertions(+), 33 deletions(-) create mode 100644 ceph-rgw/values_overrides/netpol.yaml diff --git a/ceph-rgw/templates/network_policy.yaml b/ceph-rgw/templates/network_policy.yaml index 4de0402c3..be11d4166 100644 --- a/ceph-rgw/templates/network_policy.yaml +++ b/ceph-rgw/templates/network_policy.yaml @@ -13,6 +13,6 @@ # limitations under the License. {{- if .Values.manifests.network_policy -}} -{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ceph" -}} +{{- $netpol_opts := dict "envAll" . "key" "rgw" "labels" (dict "application" "ceph" "component" "rgw") -}} {{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} {{- end -}} diff --git a/ceph-rgw/values.yaml b/ceph-rgw/values.yaml index 76c0b0f25..2deb6f26d 100644 --- a/ceph-rgw/values.yaml +++ b/ceph-rgw/values.yaml @@ -157,9 +157,11 @@ pod: cpu: "2000m" network_policy: - ceph: + rgw: ingress: - {} + egress: + - {} ceph_client: configmap: ceph-etc 
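Review bot: The new defaults `ingress: - {}` and `egress: - {}` in ceph-rgw/values.yaml each hold a single empty rule, and an empty rule in a NetworkPolicy matches all peers on all ports, so a release rendered with `manifests.network_policy: true` and no override now gets an explicit allow-all policy in both directions. That is a workable placeholder, but it needs a comment where operators will see it, e.g. above `rgw:`: `# NOTE: a bare {} rule allows all traffic in that direction; override ingress/egress per deployment (see values_overrides/netpol.yaml).` It is also worth stating there that the endpoint-derived egress rules the toolkit now generates are additive and cannot tighten an allow-all list.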
@@ -532,6 +534,22 @@ endpoints: port: mon: default: 6789 + kube_dns: + namespace: kube-system + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns_tcp: + default: 53 + dns: + default: 53 + protocol: UDP manifests: configmap_ceph_templates: true diff --git a/ceph-rgw/values_overrides/netpol.yaml b/ceph-rgw/values_overrides/netpol.yaml new file mode 100644 index 000000000..4c0973818 --- /dev/null +++ b/ceph-rgw/values_overrides/netpol.yaml @@ -0,0 +1,20 @@ +manifests: + network_policy: true +network_policy: + rgw: + egress: + - to: + - ipBlock: + cidr: 172.17.0.1/16 + - to: + ports: + - protocol: TCP + port: 80 + - protocol: TCP + port: 443 + - to: + - ipBlock: + cidr: $API_ADDR/32 + ports: + - protocol: TCP + port: $API_PORT diff --git a/helm-toolkit/templates/manifests/_network_policy.tpl b/helm-toolkit/templates/manifests/_network_policy.tpl index 645676586..405197ab7 100644 --- a/helm-toolkit/templates/manifests/_network_policy.tpl +++ b/helm-toolkit/templates/manifests/_network_policy.tpl @@ -16,6 +16,23 @@ limitations under the License. abstract: | Creates a network policy manifest for services. values: | + endpoints: + kube_dns: + namespace: kube-system + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns_tcp: + default: 53 + dns: + default: 53 + protocol: UDP network_policy: myLabel: podSelector: 
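Review bot: In the new ceph-rgw/values_overrides/netpol.yaml, `cidr: 172.17.0.1/16` has host bits set; the network address is `172.17.0.0/16`, and CNI implementations differ on whether they normalise or reject a non-canonical CIDR, so write `cidr: 172.17.0.0/16`. The second rule has an empty `to:` with only `ports`, which permits egress to any destination on TCP 80/443, including outside the cluster; if that is intended for the gate (presumably package or image downloads), say so with `# allow outbound HTTP/HTTPS to any destination (gate only)`. `$API_ADDR` and `$API_PORT` look like placeholders substituted by the gate before rendering; an unsubstituted `port: $API_PORT` renders as a string that the API server rejects, so a comment naming the substitution step would help anyone reusing this override.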
@@ -30,19 +47,21 @@ values: | - protocol: TCP port: 80 egress: - - ports: - - port: 53 - protocol: UDP - to: + - to: - namespaceSelector: matchLabels: - name: kube-system - podSelector: + name: default + - namespaceSelector: matchLabels: - application: kubernetes - component: coredns + name: kube-public + ports: + - protocol: TCP + port: 53 + - protocol: UDP + port: 53 usage: | {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }} + {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}} return: | --- apiVersion: networking.k8s.io/v1 @@ -67,21 +86,60 @@ return: | - protocol: TCP port: 80 egress: - - ports: - - port: 53 - protocol: UDP - to: - - namespaceSelector: {} - podSelector: + - to: + - podSelector: + matchLabels: + name: default + - namespaceSelector: + matchLabels: + name: kube-public + ports: + - protocol: TCP + port: 53 + - protocol: UDP + port: 53 + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: RELEASE-NAME + namespace: NAMESPACE + spec: + policyTypes: + - Ingress + - Egress + podSelector: + matchLabels: + application: myApp + component: myComp + ingress: + - from: + - podSelector: matchLabels: - application: kubernetes - component: coredns + application: keystone + ports: + - protocol: TCP + port: 80 + egress: + - to: + - podSelector: + matchLabels: + name: default + - namespaceSelector: + matchLabels: + name: kube-public + ports: + - protocol: TCP + port: 53 + - protocol: UDP + port: 53 */}} {{- define "helm-toolkit.manifests.kubernetes_network_policy" -}} {{- $envAll := index . "envAll" -}} {{- $name := index . "name" -}} -{{- $label := index . "label" -}} +{{- $labels := index . "labels" | default nil -}} +{{- $label := index . "key" | default (index . "label") -}} --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy 
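Review bot: The second `usage` line, `{{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}`, is missing the `| include "helm-toolkit.manifests.kubernetes_network_policy"` pipe that the line above it has, so it documents a call that renders nothing. The new egress example also selects `namespaceSelector: matchLabels: name: default` and `name: kube-public`; Kubernetes does not label namespaces with `name` on its own at this version, so the example only works on clusters where the operator added those labels, and a one-line note saying so would prevent copy-pasted policies that silently match no namespace and block DNS.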
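Review bot: The `return` block's egress shows `podSelector: matchLabels: name: default` where the `values` example above it uses `namespaceSelector` for the same entry, so the documented output does not match the documented input; the return block should read `- namespaceSelector:` to agree with the values. Separately, `$label := index . "key" | default (index . "label")` keeps the old `label` argument working, which is good, but the abstract should state that `key` names the `network_policy` values entry while `labels` is the pod selector, since `key` and `label` are otherwise easy to confuse.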
@@ -92,27 +150,33 @@ spec: {{- if hasKey (index $envAll.Values "network_policy") $label }} policyTypes: {{- $is_egress := false -}} -{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" }} -{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") }} -{{ $is_egress = true }} -{{- end }} -{{- end }} -{{ if or $is_egress (index $envAll.Values.network_policy $label "egress") }} +{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}} +{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}} +{{- $is_egress = true -}} +{{- end -}} +{{- end -}} +{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }} - Egress -{{- end }} +{{ end -}} {{- $is_ingress := false -}} -{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" }} -{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") }} +{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}} +{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}} {{- $is_ingress = true -}} -{{- end }} -{{- end }} -{{ if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }} +{{- end -}} +{{- end -}} +{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }} - Ingress -{{- end }} +{{ end -}} {{- end }} podSelector: matchLabels: +{{- if empty $labels }} {{ $name }}: {{ $label }} +{{- else }} +{{ range $k, $v := $labels }} + {{ $k }}: {{ $v }} +{{- end }} +{{- end }} {{- if hasKey (index $envAll.Values "network_policy") $label }} {{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }} {{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }} 
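Review bot: In the new `labels` branch, `{{ $k }}: {{ $v }}` emits the selector values unquoted, so a label value that YAML types as non-string (`component: 2`, `enabled: true`) renders as a number or boolean and is rejected by API validation because `matchLabels` values must be strings; use `{{ $k }}: {{ $v | quote }}`. The `{{ range $k, $v := $labels }}` action also lacks the `{{-` trim used on the surrounding lines, so it leaves a blank line inside `matchLabels`; harmless to YAML but inconsistent. The legacy `{{ $name }}: {{ $label }}` line has the same quoting exposure.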
@@ -121,8 +185,47 @@ spec: {{ end }} {{ end }} {{- if hasKey (index $envAll.Values "network_policy") $label }} -{{- if index $envAll.Values.network_policy $label "egress" }} egress: +{{- range $key, $value := $envAll.Values.endpoints }} +{{- if kindIs "map" $value }} +{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }} + - to: +{{- if index $value "namespace" }} + - namespaceSelector: + matchLabels: + name: {{ index $value "namespace" }} +{{- else if index $value "hosts" }} +{{- $defaultValue := index $value "hosts" "internal" }} +{{- if hasKey (index $value "hosts") "internal" }} +{{- $a := split "-" $defaultValue }} + - podSelector: + matchLabels: + application: {{ printf "%s" (index $a._0) | default $defaultValue }} +{{- else }} +{{- $defaultValue := index $value "hosts" "default" }} +{{- $a := split "-" $defaultValue }} + - podSelector: + matchLabels: + application: {{ printf "%s" (index $a._0) | default $defaultValue }} +{{- end }} +{{- end }} +{{- if index $value "port" }} + ports: +{{- range $k, $v := index $value "port" }} +{{- if $k }} +{{- range $pk, $pv := $v }} +{{- if and $pv (ne $pk "protocol") }} + - port: {{ $pv }} + protocol: {{ $v.protocol | default "TCP" }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- if index $envAll.Values.network_policy $label "egress" }} {{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }} {{- end }} {{- end }} diff --git a/mariadb/values_overrides/netpol.yaml b/mariadb/values_overrides/netpol.yaml index 7a8575320..f5ae02ebf 100644 --- a/mariadb/values_overrides/netpol.yaml +++ b/mariadb/values_overrides/netpol.yaml @@ -1,2 +1,11 @@ manifests: network_policy: true +network_policy: + mariadb: + egress: + - to: + - ipBlock: + cidr: $API_ADDR/32 + ports: + - protocol: TCP + port: $API_PORT diff --git a/memcached/values_overrides/netpol.yaml b/memcached/values_overrides/netpol.yaml index 7a8575320..204e64cce 100644 
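Review bot: Every generated egress peer for an endpoint with `namespace` is `namespaceSelector: matchLabels: name: <namespace>` with no `podSelector`, which assumes each target namespace carries a `name=<namespace>` label; Kubernetes does not add such a label itself (later releases add `kubernetes.io/metadata.name`, not `name`), so on a cluster without it the `kube_dns` rule matches nothing and, once `Egress` is in `policyTypes`, every pod covered by the policy loses DNS. Where the label is present the rule still opens TCP/UDP 53 to every pod in kube-system rather than only the DNS pods, so the `podSelector` on the DNS pod labels that the old documentation showed should be kept alongside the namespace selector. The `hosts` branch derives the peer's `application` label from the text before the first `-` in the hostname (`kube-dns` would become `application: kube`), a heuristic that fails closed when a chart uses a different label; at minimum document it above the loop, e.g. `# Peer label is guessed from the hostname prefix; endpoints whose chart uses another application label need an explicit egress rule.` Finally, `egress:` is now emitted whenever `network_policy.<key>` exists even with no `egress` values set; that is only harmless because `policyTypes` then omits `Egress`, and a comment noting that dependency would help the next maintainer.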
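Review bot: The mariadb egress list allows only the API server (plus whatever the toolkit derives from `endpoints`), with no rule for traffic to other mariadb pods; unless peer egress is allowed elsewhere in the chart, a multi-replica Galera cluster will have its replication ports (4567 gcomm, 4568 IST, 4444 SST) denied once `Egress` appears in `policyTypes`. The rabbitmq override in this same change adds a `podSelector: matchLabels: application: rabbitmq` peer rule for clustering; mariadb very likely needs the equivalent. If the gate only runs a single replica, a comment saying so would explain why the peer rule is absent.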
--- a/memcached/values_overrides/netpol.yaml +++ b/memcached/values_overrides/netpol.yaml @@ -1,2 +1,11 @@ manifests: network_policy: true +network_policy: + memcached: + egress: + - to: + - ipBlock: + cidr: $API_ADDR/32 + ports: + - protocol: TCP + port: $API_PORT diff --git a/rabbitmq/values_overrides/netpol.yaml b/rabbitmq/values_overrides/netpol.yaml index e7341221e..497955842 100644 --- a/rabbitmq/values_overrides/netpol.yaml +++ b/rabbitmq/values_overrides/netpol.yaml @@ -82,3 +82,27 @@ manifests: prometheus: network_policy_exporter: true network_policy: true +network_policy: + rabbitmq: + egress: + - to: + - podSelector: + matchLabels: + application: rabbitmq + ports: + # Erlang port mapper daemon (epmd) + - protocol: TCP + port: 4369 + # Rabbit clustering port AMQP + 20000 + - protocol: TCP + port: 25672 + # NOTE(lamt): Set by inet_dist_listen_{min/max}. Firewalls must + # permit traffic in this range to pass between clustered nodes. + # - protocol: TCP + # port: 35197 + - to: + - ipBlock: + cidr: $API_ADDR/32 + ports: + - protocol: TCP + port: $API_PORT
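Review bot: The rabbitmq clustering peer rule hard-codes TCP 25672 as the Erlang distribution port while the comment beneath it acknowledges that `inet_dist_listen_{min,max}` sets the real range and leaves 35197 commented out; if the chart's RabbitMQ configuration sets a range other than 25672, inter-node distribution is denied by this egress list and cluster formation fails. The port should be derived from the same values key that configures `inet_dist_listen_min`/`max` rather than typed twice, or the comment should state explicitly that the chart keeps the default 25672. The `podSelector` without a `namespaceSelector` correctly limits peer traffic to the release namespace; `# same-namespace rabbitmq pods only` above it would make that intent explicit.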