Enable Egress policy enforcement

This PS is enable the Egress policies
and enforces them in Openstack-helm.

Depends-On: Icbe2a18c98dba795d15398dcdcac64228f6a7b4c
Change-Id: I6ef3cd157749fd562acb2f89ad44e63be4f7e975

cinder/values.yaml

@@ -1243,11 +1243,26 @@ endpoints:
         default: 24224
       metrics:
         default: 24220
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
 network_policy:
   cinder:
     ingress:
       - {}
+    egress:
+      - {}
 
 manifests:
   configmap_bin: true

glance/values.yaml

@@ -112,6 +112,8 @@ network_policy:
           port: 9191
         - protocol: TCP
           port: 9292
+    egress:
+      - {}
 
 conf:
   rally_tests:
@@ -758,6 +760,21 @@ endpoints:
         default: 24224
       metrics:
         default: 24220
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+      http:
+        default: 80
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
 pod:
   user:
@@ -926,3 +943,4 @@ manifests:
   service_ingress_registry: false
   service_api: true
   service_registry: false
+

heat/values.yaml

@@ -935,6 +935,21 @@ endpoints:
         default: 24224
       metrics:
         default: 24220
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+      http:
+        default: 80
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
 pod:
   user:
@@ -1138,6 +1153,20 @@ network_policy:
           port: 8003
         - protocol: TCP
           port: 8004
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              application: neutron
+        - podSelector:
+            matchLabels:
+              application: nova
+        - podSelector:
+            matchLabels:
+              application: glance
+        - podSelector:
+            matchLabels:
+              application: cinder
 
 manifests:
   configmap_bin: true

horizon/values.yaml

@@ -2060,6 +2060,19 @@ endpoints:
     port:
       mysql:
         default: 3306
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
 network_policy:
   horizon:

keystone/values.yaml

@@ -404,6 +404,15 @@ network_policy:
           port: 5000
         - protocol: TCP
           port: 35357
+    egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: ceph
+      - to:
+        - podSelector:
+            matchLabels:
+              application: ceph
 
 conf:
   keystone:
@@ -1114,6 +1123,19 @@ endpoints:
         default: 24224
       metrics:
         default: 24220
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
 manifests:
   configmap_bin: true

neutron/values.yaml

@@ -1857,12 +1857,27 @@ endpoints:
         default: 24224
       metrics:
         default: 24220
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
 network_policy:
   neutron:
     # TODO(lamt): Need to tighten this ingress for security.
     ingress:
       - {}
+    egress:
+      - {}
 
 manifests:
   configmap_bin: true

nova/values.yaml

@@ -1982,6 +1982,19 @@ endpoints:
         default: 24224
       metrics:
         default: 24220
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
 pod:
   user:
@@ -2238,10 +2251,30 @@ network_policy:
     # TODO(lamt): Need to tighten this ingress for security.
     ingress:
       - {}
+    egress:
+      - {}
+      - to:
+        - podSelector:
+            matchLabels:
+              application: ceph
+        - podSelector:
+            matchLabels:
+              application: ingress
+        - podSelector:
+            matchLabels:
+              application: openvswitch
+        - podSelector:
+            matchLabels:
+              application: libvirt
+        - podSelector:
+            matchLabels:
+              application: cinder
   placement:
     # TODO(lamt): Need to tighten this ingress for security.
     ingress:
       - {}
+    egress:
+      - {}
 
 manifests:
   configmap_bin: true

tools/deployment/developer/ceph/150-libvirt.sh

@@ -19,19 +19,11 @@ set -xe
 : ${OSH_INFRA_PATH:="../openstack-helm-infra"}
 make -C ${OSH_INFRA_PATH} libvirt
 
-tee /tmp/libvirt.yaml <<EOF
-manifests:
-  network_policy: true
-network_policy:
-  libvirt:
-    ingress:
-      - {}
-EOF
-
 #NOTE: Deploy command
 : ${OSH_EXTRA_HELM_ARGS:=""}
 helm upgrade --install libvirt ${OSH_INFRA_PATH}/libvirt \
   --namespace=openstack \
+  --set manifests.network_policy=true \
   --values=/tmp/libvirt.yaml \
   ${OSH_EXTRA_HELM_ARGS} \
   ${OSH_EXTRA_HELM_ARGS_LIBVIRT}

tools/deployment/developer/common/140-openvswitch.sh

@@ -19,20 +19,11 @@ set -xe
 : ${OSH_INFRA_PATH:="../openstack-helm-infra"}
 make -C ${OSH_INFRA_PATH} openvswitch
 
-tee /tmp/openvswitch.yaml <<EOF
-manifests:
-  network_policy: true
-network_policy:
-  openvswitch:
-    ingress:
-      - {}
-EOF
-
 #NOTE: Deploy command
 : ${OSH_EXTRA_HELM_ARGS:=""}
 helm upgrade --install openvswitch ${OSH_INFRA_PATH}/openvswitch \
   --namespace=openstack \
-  --values=/tmp/openvswitch.yaml \
+  --set manifests.network_policy=true \
   ${OSH_EXTRA_HELM_ARGS} \
   ${OSH_EXTRA_HELM_ARGS_OPENVSWITCH}
 

tools/deployment/developer/nfs/150-libvirt.sh

@@ -19,20 +19,12 @@ set -xe
 : ${OSH_INFRA_PATH:="../openstack-helm-infra"}
 make -C ${OSH_INFRA_PATH} libvirt
 
-tee /tmp/libvirt.yaml <<EOF
-manifests:
-  network_policy: true
-network_policy:
-  libvirt:
-    ingress:
-      - {}
-EOF
-
 #NOTE: Deploy command
 : ${OSH_EXTRA_HELM_ARGS:=""}
 helm upgrade --install libvirt ${OSH_INFRA_PATH}/libvirt \
   --namespace=openstack \
   --set conf.ceph.enabled=false \
+  --set manifests.network_policy=true \
   --values=/tmp/libvirt.yaml \
   ${OSH_EXTRA_HELM_ARGS} \
   ${OSH_EXTRA_HELM_ARGS_LIBVIRT}