Update egress HTK method

This patch set adds logic to generate Kubernetes egress network policy
rules based on the dependencies specified in values.yaml. This also sets
up the necessary default network policy for the OSH gate.

Change-Id: I1ac649cc9debb5d1f4ea0a32f506dcda4d8b8536
Signed-off-by: Tin Lam <tin@irrational.io>
Tin Lam 2019-09-03 14:59:59 -05:00
parent 092709d875
commit 3121fc24c5
7 changed files with 216 additions and 33 deletions


@ -13,6 +13,6 @@
# limitations under the License. # limitations under the License.
{{- if .Values.manifests.network_policy -}} {{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ceph" -}} {{- $netpol_opts := dict "envAll" . "key" "rgw" "labels" (dict "application" "ceph" "component" "rgw") -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} {{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}} {{- end -}}


@ -157,9 +157,11 @@ pod:
cpu: "2000m" cpu: "2000m"
network_policy: network_policy:
ceph: rgw:
ingress: ingress:
- {} - {}
egress:
- {}
ceph_client: ceph_client:
configmap: ceph-etc configmap: ceph-etc
@ -532,6 +534,22 @@ endpoints:
port: port:
mon: mon:
default: 6789 default: 6789
kube_dns:
namespace: kube-system
name: kubernetes-dns
hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns_tcp:
default: 53
dns:
default: 53
protocol: UDP
manifests: manifests:
configmap_ceph_templates: true configmap_ceph_templates: true
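Review bot: The default `egress:` list added under `network_policy.rgw` consists of a single empty rule (`- {}`), and an empty egress rule in a NetworkPolicy selects every destination; because the toolkit appends this list after the endpoint-derived rules (the `toYaml | indent 4` at the end of the template hunk), the generated restrictions have no effect until an override replaces the whole list, as the gate override in this commit does. If allow-all is the intended out-of-the-box behaviour, say so next to the entry so it is not read as "no egress", e.g. `# NOTE: an empty rule permits all egress; override this list to restrict it`. The new `kube_dns` endpoint sets `namespace: kube-system`, which the template turns into a `namespaceSelector` on a `name` label of the namespace; whether that label exists on the target cluster should be confirmed before relying on the generated DNS rule.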


@ -0,0 +1,20 @@
manifests:
network_policy: true
network_policy:
rgw:
egress:
- to:
- ipBlock:
cidr: 172.17.0.1/16
- to:
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
- to:
- ipBlock:
cidr: $API_ADDR/32
ports:
- protocol: TCP
port: $API_PORT
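Review bot: The second rule (`- to:` with no peer list, followed by `ports:` for TCP 80 and 443) leaves `to` empty, which selects every destination, so this override permits HTTP/HTTPS egress from the rgw pods to anywhere rather than only to the gate's intended services; if a specific host is meant, add an `ipBlock` or selector under `to`. The first rule's `cidr: 172.17.0.1/16` carries host bits; `cidr: 172.17.0.0/16` is the canonical form and avoids rejection by stricter validators. `$API_ADDR` and `$API_PORT` are presumably substituted before the file is applied; as plain scalars they parse fine here, but `port: $API_PORT` must expand to a bare integer or a named-port string for the manifest to validate.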


@ -16,6 +16,23 @@ limitations under the License.
abstract: | abstract: |
Creates a network policy manifest for services. Creates a network policy manifest for services.
values: | values: |
endpoints:
kube_dns:
namespace: kube-system
name: kubernetes-dns
hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns_tcp:
default: 53
dns:
default: 53
protocol: UDP
network_policy: network_policy:
myLabel: myLabel:
podSelector: podSelector:
@ -30,19 +47,21 @@ values: |
- protocol: TCP - protocol: TCP
port: 80 port: 80
egress: egress:
- ports: - to:
- port: 53
protocol: UDP
to:
- namespaceSelector: - namespaceSelector:
matchLabels: matchLabels:
name: kube-system name: default
podSelector: - namespaceSelector:
matchLabels: matchLabels:
application: kubernetes name: kube-public
component: coredns ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
usage: | usage: |
{{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }} {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
return: | return: |
--- ---
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
@ -67,21 +86,60 @@ return: |
- protocol: TCP - protocol: TCP
port: 80 port: 80
egress: egress:
- ports: - to:
- port: 53 - podSelector:
protocol: UDP matchLabels:
to: name: default
- namespaceSelector: {} - namespaceSelector:
podSelector: matchLabels:
name: kube-public
ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: RELEASE-NAME
namespace: NAMESPACE
spec:
policyTypes:
- Ingress
- Egress
podSelector:
matchLabels:
application: myApp
component: myComp
ingress:
- from:
- podSelector:
matchLabels: matchLabels:
application: kubernetes application: keystone
component: coredns ports:
- protocol: TCP
port: 80
egress:
- to:
- podSelector:
matchLabels:
name: default
- namespaceSelector:
matchLabels:
name: kube-public
ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
*/}} */}}
{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}} {{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
{{- $envAll := index . "envAll" -}} {{- $envAll := index . "envAll" -}}
{{- $name := index . "name" -}} {{- $name := index . "name" -}}
{{- $label := index . "label" -}} {{- $labels := index . "labels" | default nil -}}
{{- $label := index . "key" | default (index . "label") -}}
--- ---
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy kind: NetworkPolicy
@ -92,27 +150,33 @@ spec:
{{- if hasKey (index $envAll.Values "network_policy") $label }} {{- if hasKey (index $envAll.Values "network_policy") $label }}
policyTypes: policyTypes:
{{- $is_egress := false -}} {{- $is_egress := false -}}
{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" }} {{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") }} {{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
{{ $is_egress = true }} {{- $is_egress = true -}}
{{- end }} {{- end -}}
{{- end }} {{- end -}}
{{ if or $is_egress (index $envAll.Values.network_policy $label "egress") }} {{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
- Egress - Egress
{{- end }} {{ end -}}
{{- $is_ingress := false -}} {{- $is_ingress := false -}}
{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" }} {{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") }} {{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
{{- $is_ingress = true -}} {{- $is_ingress = true -}}
{{- end }} {{- end -}}
{{- end }} {{- end -}}
{{ if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }} {{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
- Ingress - Ingress
{{- end }} {{ end -}}
{{- end }} {{- end }}
podSelector: podSelector:
matchLabels: matchLabels:
{{- if empty $labels }}
{{ $name }}: {{ $label }} {{ $name }}: {{ $label }}
{{- else }}
{{ range $k, $v := $labels }}
{{ $k }}: {{ $v }}
{{- end }}
{{- end }}
{{- if hasKey (index $envAll.Values "network_policy") $label }} {{- if hasKey (index $envAll.Values "network_policy") $label }}
{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }} {{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }} {{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
@ -121,8 +185,47 @@ spec:
{{ end }} {{ end }}
{{ end }} {{ end }}
{{- if hasKey (index $envAll.Values "network_policy") $label }} {{- if hasKey (index $envAll.Values "network_policy") $label }}
{{- if index $envAll.Values.network_policy $label "egress" }}
egress: egress:
{{- range $key, $value := $envAll.Values.endpoints }}
{{- if kindIs "map" $value }}
{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
- to:
{{- if index $value "namespace" }}
- namespaceSelector:
matchLabels:
name: {{ index $value "namespace" }}
{{- else if index $value "hosts" }}
{{- $defaultValue := index $value "hosts" "internal" }}
{{- if hasKey (index $value "hosts") "internal" }}
{{- $a := split "-" $defaultValue }}
- podSelector:
matchLabels:
application: {{ printf "%s" (index $a._0) | default $defaultValue }}
{{- else }}
{{- $defaultValue := index $value "hosts" "default" }}
{{- $a := split "-" $defaultValue }}
- podSelector:
matchLabels:
application: {{ printf "%s" (index $a._0) | default $defaultValue }}
{{- end }}
{{- end }}
{{- if index $value "port" }}
ports:
{{- range $k, $v := index $value "port" }}
{{- if $k }}
{{- range $pk, $pv := $v }}
{{- if and $pv (ne $pk "protocol") }}
- port: {{ $pv }}
protocol: {{ $v.protocol | default "TCP" }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if index $envAll.Values.network_policy $label "egress" }}
{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }} {{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
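Review bot: The endpoint-derived rule for an endpoint with `namespace` set (the `namespaceSelector` emitting `name: {{ index $value "namespace" }}`) matches on a `name` label of the Namespace object, which Kubernetes does not set by itself; unless namespaces are labelled that way the rule selects nothing and, for the `kube_dns` endpoint shown in the `values:` docblock, DNS egress is silently denied, which is exactly the situation that tempts operators to fall back to an allow-all `- {}` rule. The `hosts` branch calls `split "-"` on `hosts.default` without checking it is set, so an endpoint whose `hosts` map has neither `internal` nor `default` would fail the render; a guard such as `{{- if $defaultValue }}` around the `podSelector` emission would make that explicit. The `return:` docblock shows `podSelector`/`namespaceSelector` peers named `default` and `kube-public` that do not appear to follow from the `values:` example above it (which would yield a `kube-system` namespace rule plus the user-supplied list), and the second `usage:` line lacks the `| include "helm-toolkit.manifests.kubernetes_network_policy"` pipe; both should be brought in line with the template. The define's closing lines fall outside the last hunk.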


@ -1,2 +1,11 @@
manifests: manifests:
network_policy: true network_policy: true
network_policy:
mariadb:
egress:
- to:
- ipBlock:
cidr: $API_ADDR/32
ports:
- protocol: TCP
port: $API_PORT
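Review bot: With this override the mariadb policy's explicit egress list allows only the API server (`cidr: $API_ADDR/32` on `$API_PORT`); every other destination has to come from the rules the toolkit derives from the chart's `endpoints`, and if that chart has no DNS endpoint (this commit adds a `kube_dns` endpoint only to the ceph-rgw values), name resolution from the pods is not permitted by the policy. The same applies to the memcached override in the next file. Worth confirming against each chart's `endpoints` block before relying on these overrides in the gate, or adding the DNS rule here explicitly with a comment stating why.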


@ -1,2 +1,11 @@
manifests: manifests:
network_policy: true network_policy: true
network_policy:
memcached:
egress:
- to:
- ipBlock:
cidr: $API_ADDR/32
ports:
- protocol: TCP
port: $API_PORT


@ -82,3 +82,27 @@ manifests:
prometheus: prometheus:
network_policy_exporter: true network_policy_exporter: true
network_policy: true network_policy: true
network_policy:
rabbitmq:
egress:
- to:
- podSelector:
matchLabels:
application: rabbitmq
ports:
# Erlang port mapper daemon (epmd)
- protocol: TCP
port: 4369
# Rabbit clustering port AMQP + 20000
- protocol: TCP
port: 25672
# NOTE(lamt): Set by inet_dist_listen_{min/max}. Firewalls must
# permit traffic in this range to pass between clustered nodes.
# - protocol: TCP
# port: 35197
- to:
- ipBlock:
cidr: $API_ADDR/32
ports:
- protocol: TCP
port: $API_PORT
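Review bot: The rule for inter-node distribution traffic on the `inet_dist_listen_{min/max}` range is left commented out (the `# - protocol: TCP` / `# port: 35197` lines) while the NOTE above it says firewalls must permit that range; as written, egress to other rabbitmq pods is allowed only on 4369 and 25672, so if the chart configures the distribution listener to that range rather than the default 25672, clustering traffic would be blocked by this policy. Either include the range the chart actually configures or extend the NOTE to state why 25672 suffices here, e.g. `# NOTE(lamt): the chart does not set inet_dist_listen_*, so distribution uses 25672 (AMQP + 20000).` The `$API_ADDR`/`$API_PORT` placeholders match the other overrides in this commit and are presumably substituted before apply.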