Merge "Add east-west ingress network policy to Prometheus"

2019-03-07 04:44:10 +00:00 · 2019-03-07 04:44:10 +00:00 · e836707ad0
commit e836707ad0
parent 6f6783bf23 243f6c7608
3 changed files with 16 additions and 9 deletions
--- a/prometheus/values.yaml
+++ b/prometheus/values.yaml
@ -211,6 +211,11 @@ network:
      enabled: false
      port: 30900

+network_policy:
+  prometheus:
+    ingress:
+      - {}
+
 secrets:
  tls:
    monitoring:
@ -234,7 +239,7 @@ manifests:
  ingress: true
  helm_tests: true
  job_image_repo_sync: true
-  network_policy: false
+  network_policy: true
  secret_ingress_tls: true
  secret_prometheus: true
  service_ingress: true
@ -1195,7 +1200,7 @@ conf:
              description: Prometheus failed to scrape API server(s), or all API servers have disappeared from service discovery.
              summary: API server unreachable
          - alert: K8SApiServerLatency
-            expr: histogram_quantile(0.99, sum(apiserver_request_latencies_bucket{verb!~"CONNECT|WATCHLIST|WATCH|PROXY|DELETECOLLECTION"}) WITHOUT (instance, resource)) / 1e+06 > 1
+            expr: histogram_quantile(0.99, sum(apiserver_request_latencies_bucket{verb!~"CONNECT|WATCHLIST|WATCH|PROXY"}) WITHOUT (instance, resource)) / 1e+06 > 1
            for: 10m
            labels:
              severity: warning
--- a/tools/deployment/network-policy/050-prometheus.sh
+++ b/tools/deployment/network-policy/050-prometheus.sh
@ -19,7 +19,7 @@ set -xe
 #NOTE: Lint and package chart
 make prometheus

-tee /tmp/prometheus.yaml <<EOF
+tee /tmp/prometheus.yaml << EOF
 manifests:
  network_policy: true
 network_policy:
@ -43,19 +43,20 @@ network_policy:
              application: nagios
        - podSelector:
            matchLabels:
-              application: fluentd-exporter
-        - podSelector:
-            matchLabels:
-              application: fluentd
+              application: ingress
        ports:
        - protocol: TCP
          port: 9093
+        - protocol: TCP
+          port: 9090
        - protocol: TCP
          port: 6783
        - protocol: TCP
          port: 9108
        - protocol: TCP
          port: 80
+        - protocol: TCP
+          port: 443
 EOF

 #NOTE: Deploy command
@ -67,4 +68,4 @@ helm upgrade --install prometheus ./prometheus \
 ./tools/deployment/common/wait-for-pods.sh osh-infra

 #NOTE: Validate Deployment info
-helm status prometheus
+helm status prometheus
--- a/tools/deployment/network-policy/901-test-networkpolicy.sh
+++ b/tools/deployment/network-policy/901-test-networkpolicy.sh
@ -48,6 +48,7 @@ function test_netpol {
    fi
  fi
 }
+
 # Doing negative tests
 test_netpol osh-infra mariadb server elasticsearch.osh-infra.svc.cluster.local fail
 test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail
@ -55,4 +56,4 @@ test_netpol osh-infra mariadb server prometheus.osh-infra.svc.cluster.local fail
 test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail

 # Doing positive tests
-test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success
+test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success