From a25eccb7cb3aa842f7ef061a1cbbc9e6c57d3121 Mon Sep 17 00:00:00 2001 From: Tin Lam Date: Sun, 29 Sep 2019 20:36:36 -0500 Subject: [PATCH] Implements egress network policy This patch set adds in the egress policy for core OpenStack Services. Depends-On: https://review.opendev.org/#/c/679853/ Change-Id: I585ddabcbd640db784520c913af8eddecaee3843 Signed-off-by: Tin Lam --- barbican/values.yaml | 24 +++++++++++ cinder/values.yaml | 33 +++++++++------ cinder/values_overrides/netpol.yaml | 15 +++++++ glance/values.yaml | 39 +++++++++++------- glance/values_overrides/netpol.yaml | 17 +++++++- heat/values.yaml | 35 ++++++++++------ heat/values_overrides/netpol.yaml | 41 +++++++++++-------- horizon/values.yaml | 33 ++++++++++----- horizon/values_overrides/netpol.yaml | 31 ++++++++++++++ keystone/values.yaml | 33 ++++++++++----- keystone/values_overrides/netpol.yaml | 21 ++++------ neutron/values.yaml | 34 +++++++++------ neutron/values_overrides/netpol.yaml | 9 ++++ nova/values.yaml | 33 ++++++++++----- nova/values_overrides/netpol.yaml | 17 ++++++++ tools/deployment/common/env-variables.sh | 16 ++++++++ .../deployment/common/get-values-overrides.sh | 10 +++-- 17 files changed, 320 insertions(+), 121 deletions(-) create mode 100644 tools/deployment/common/env-variables.sh diff --git a/barbican/values.yaml b/barbican/values.yaml index 4b7c67d920..b784bb27ad 100644 --- a/barbican/values.yaml +++ b/barbican/values.yaml @@ -662,6 +662,30 @@ endpoints: default: 24224 metrics: default: 24220 + # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress + # They are using to enable the Egress K8s network policy. + kube_dns: + namespace: kube-system + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns: + default: 53 + protocol: UDP + ingress: + namespace: null + name: ingress + hosts: + default: ingress + port: + ingress: + default: 80 manifests: configmap_bin: true 
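Review bot: The added comment line `# They are using to enable the Egress K8s network policy.` has a grammar slip; `# They are used to enable the egress K8s NetworkPolicy.` reads correctly. The same line is added as new text in the second glance values.yaml hunk and carried as context in the heat, horizon, keystone, neutron and nova hunks, while the cinder hunk drops the comment entirely, so the charts end up with differing headers for an identical `kube_dns`/`ingress` block and it is worth aligning them in one pass. The `ingress` endpoint sets `namespace: null` with no explanation; a one-line comment on what a null namespace means for the generated policy (presumably the chart's own namespace, which I cannot confirm from this diff) would help the next reader.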
diff --git a/cinder/values.yaml b/cinder/values.yaml index 13776fd894..c1b85bc7d5 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml @@ -1408,19 +1408,28 @@ endpoints: default: 24224 metrics: default: 24220 - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. - # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - default: - namespace: default - kube_system: + kube_dns: namespace: kube-system - kube_public: - namespace: kube-public + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns: + default: 53 + protocol: UDP + ingress: + namespace: null + name: ingress + hosts: + default: ingress + port: + ingress: + default: 80 network_policy: cinder: diff --git a/cinder/values_overrides/netpol.yaml b/cinder/values_overrides/netpol.yaml index 7a85753209..a8647ee542 100644 --- a/cinder/values_overrides/netpol.yaml +++ b/cinder/values_overrides/netpol.yaml @@ -1,2 +1,17 @@ manifests: network_policy: true +network_policy: + cinder: + egress: + - to: + - ipBlock: + cidr: 172.17.0.1/16 + - to: + - ipBlock: + cidr: $API_ADDR/16 + - to: + - ipBlock: + cidr: $API_ADDR/32 + ports: + - protocol: TCP + port: $API_PORT diff --git a/glance/values.yaml b/glance/values.yaml index faafe72da9..767ce35943 100644 --- a/glance/values.yaml +++ b/glance/values.yaml @@ -774,21 +774,6 @@ endpoints: default: 24224 metrics: default: 24220 - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. - # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - http: - default: 80 - default: - namespace: default - kube_system: - namespace: kube-system - kube_public: - namespace: kube-public dashboard: name: horizon hosts: 
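Review bot: The first two egress rules in cinder's netpol.yaml, `cidr: 172.17.0.1/16` and `cidr: $API_ADDR/16`, open every port to two /16 ranges, far wider than the `$API_ADDR/32` on `$API_PORT` rule that every other chart in this patch uses, and neither carries a comment saying why cinder needs it. Both values also have host bits set (`.0.1/16`, and `$API_ADDR` is a host address), so they are non-canonical CIDRs; if the wider range is genuinely required, write the network address (`172.17.0.0/16`), add a `ports:` list and comment the reason, otherwise drop the two rules and keep only the /32 entry for consistency with the other charts. The hard-coded 172.17.0.1/16 is also the only fixed address range in any of the new overrides while the API address is templated through envsubst; if it is deployment-specific it should be an environment variable as well.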
@@ -812,6 +797,30 @@ endpoints: web: default: 80 public: 443 + # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress + # They are using to enable the Egress K8s network policy. + kube_dns: + namespace: kube-system + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns: + default: 53 + protocol: UDP + ingress: + namespace: null + name: ingress + hosts: + default: ingress + port: + ingress: + default: 80 pod: security_context: diff --git a/glance/values_overrides/netpol.yaml b/glance/values_overrides/netpol.yaml index 4c6afc2b1c..871dcdf6b2 100644 --- a/glance/values_overrides/netpol.yaml +++ b/glance/values_overrides/netpol.yaml @@ -1,8 +1,8 @@ manifests: network_policy: true #NOTE(gagehugo): Test this whitelist when the netpol gate works -#network_policy: -# glance: +network_policy: + glance: # ingress: # - from: # - podSelector: @@ -33,3 +33,16 @@ manifests: # port: 9191 # - protocol: TCP # port: 9292 + egress: + - to: + ports: + - protocol: TCP + port: 80 + - protocol: TCP + port: 443 + - to: + - ipBlock: + cidr: $API_ADDR/32 + ports: + - protocol: TCP + port: $API_PORT diff --git a/heat/values.yaml b/heat/values.yaml index 1744729df0..819e1fcfa5 100644 --- a/heat/values.yaml +++ b/heat/values.yaml 
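Review bot: The first egress rule in glance's netpol.yaml, `- to:` followed directly by `ports:` (as far as the collapsed indentation shows), has an empty `to` list, which in a NetworkPolicy matches any destination, so glance may reach every address on TCP 80 and 443 rather than only the ingress. If the intent is to reach the ingress controller (the new `ingress` endpoint in values.yaml suggests so, though the template is not in this diff), a `podSelector`/`namespaceSelector` for it would bound the rule; failing that, a comment stating that the wildcard destination is deliberate would make the policy's scope explicit.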
@@ -1002,21 +1002,30 @@ endpoints: default: 24224 metrics: default: 24220 - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. + # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - http: - default: 80 - default: - namespace: default - kube_system: + kube_dns: namespace: kube-system - kube_public: - namespace: kube-public + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns: + default: 53 + protocol: UDP + ingress: + namespace: null + name: ingress + hosts: + default: ingress + port: + ingress: + default: 80 pod: security_context: diff --git a/heat/values_overrides/netpol.yaml b/heat/values_overrides/netpol.yaml index e16bc97c5e..be82a74805 100644 --- a/heat/values_overrides/netpol.yaml +++ b/heat/values_overrides/netpol.yaml @@ -1,8 +1,8 @@ manifests: network_policy: true #NOTE(gagehugo): Test these once the netpol gate works -#network_policy: -# heat: +network_policy: + heat: # ingress: # - from: # - podSelector: @@ -23,17 +23,26 @@ manifests: # port: 8003 # - protocol: TCP # port: 8004 -# egress: -# - to: -# - podSelector: -# matchLabels: -# application: neutron -# - podSelector: -# matchLabels: -# application: nova -# - podSelector: -# matchLabels: -# application: glance -# - podSelector: -# matchLabels: -# application: cinder + egress: + - to: + - podSelector: + matchLabels: + application: neutron + - to: + - podSelector: + matchLabels: + application: nova + - to: + - podSelector: + matchLabels: + application: glance + - to: + - podSelector: + matchLabels: + application: cinder + - to: + - ipBlock: + cidr: $API_ADDR/32 + ports: + - protocol: TCP + port: $API_PORT diff --git a/horizon/values.yaml b/horizon/values.yaml index 2f5a49fc47..7e30390592 100644 --- a/horizon/values.yaml 
+++ b/horizon/values.yaml @@ -2219,19 +2219,30 @@ endpoints: port: mysql: default: 3306 - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. + # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - default: - namespace: default - kube_system: + kube_dns: namespace: kube-system - kube_public: - namespace: kube-public + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns: + default: 53 + protocol: UDP + ingress: + namespace: null + name: ingress + hosts: + default: ingress + port: + ingress: + default: 80 network_policy: horizon: diff --git a/horizon/values_overrides/netpol.yaml b/horizon/values_overrides/netpol.yaml index 2ee3d3f67c..c1fb702566 100644 --- a/horizon/values_overrides/netpol.yaml +++ b/horizon/values_overrides/netpol.yaml @@ -20,3 +20,34 @@ network_policy: protocol: TCP - port: 443 protocol: TCP + egress: + - to: + - podSelector: + matchLabels: + application: neutron + - to: + - podSelector: + matchLabels: + application: nova + - to: + - podSelector: + matchLabels: + application: glance + - to: + - podSelector: + matchLabels: + application: cinder + - to: + - podSelector: + matchLabels: + application: keystone + - to: + - podSelector: + matchLabels: + application: heat + - to: + - ipBlock: + cidr: $API_ADDR/32 + ports: + - protocol: TCP + port: $API_PORT diff --git a/keystone/values.yaml b/keystone/values.yaml index 083116aa37..345ebfc6f3 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml 
@@ -1210,19 +1210,30 @@ endpoints: default: 24224 metrics: default: 24220 - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. + # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - default: - namespace: default - kube_system: + kube_dns: namespace: kube-system - kube_public: - namespace: kube-public + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns: + default: 53 + protocol: UDP + ingress: + namespace: null + name: ingress + hosts: + default: ingress + port: + ingress: + default: 80 manifests: configmap_bin: true diff --git a/keystone/values_overrides/netpol.yaml b/keystone/values_overrides/netpol.yaml index b26f9b5291..f96439d004 100644 --- a/keystone/values_overrides/netpol.yaml +++ b/keystone/values_overrides/netpol.yaml @@ -63,17 +63,10 @@ network_policy: port: 5000 - protocol: TCP port: 35357 -# egress: -# - to: -# - namespaceSelector: -# matchLabels: -# name: ceph -# - to: -# - podSelector: -# matchLabels: -# application: ceph -# - ports: -# - port: 53 -# protocol: UDP -# - port: 53 -# protocol: TCP + egress: + - to: + - ipBlock: + cidr: $API_ADDR/32 + ports: + - protocol: TCP + port: $API_PORT diff --git a/neutron/values.yaml b/neutron/values.yaml index 2c9d313cff..b4a01fb617 100644 --- a/neutron/values.yaml +++ b/neutron/values.yaml 
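Review bot: The removed commented-out block in keystone's netpol.yaml carried explicit port-53 rules, and the new `egress:` list contains only the API-server entry; an egress policy denies everything not listed, so unless the helm-toolkit network-policy template from the Depends-On change synthesizes DNS and ingress rules from the new `kube_dns`/`ingress` endpoints, keystone loses name resolution and any backend not selected here as soon as `manifests.network_policy` is true. The same concern applies to the cinder, glance, heat, horizon, neutron and nova netpol overrides in this patch. A comment at the top of the `egress:` list such as `# DNS and ingress egress rules are generated from the kube_dns and ingress endpoints` would make that dependency visible to anyone editing these files.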
@@ -2303,20 +2303,30 @@ endpoints: api: default: 6385 public: 80 - - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. + # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - default: - namespace: default - kube_system: + kube_dns: namespace: kube-system - kube_public: - namespace: kube-public + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns: + default: 53 + protocol: UDP + ingress: + namespace: null + name: ingress + hosts: + default: ingress + port: + ingress: + default: 80 network_policy: neutron: diff --git a/neutron/values_overrides/netpol.yaml b/neutron/values_overrides/netpol.yaml index 7a85753209..4099e00166 100644 --- a/neutron/values_overrides/netpol.yaml +++ b/neutron/values_overrides/netpol.yaml @@ -1,2 +1,11 @@ manifests: network_policy: true +network_policy: + neutron: + egress: + - to: + - ipBlock: + cidr: $API_ADDR/32 + ports: + - protocol: TCP + port: $API_PORT diff --git a/nova/values.yaml b/nova/values.yaml index e59faa993a..fa8669d0bc 100644 --- a/nova/values.yaml +++ b/nova/values.yaml 
@@ -2122,19 +2122,30 @@ endpoints: default: 24224 metrics: default: 24220 - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. + # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - default: - namespace: default - kube_system: + kube_dns: namespace: kube-system - kube_public: - namespace: kube-public + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns: + default: 53 + protocol: UDP + ingress: + namespace: null + name: ingress + hosts: + default: ingress + port: + ingress: + default: 80 pod: user: diff --git a/nova/values_overrides/netpol.yaml b/nova/values_overrides/netpol.yaml index 7a85753209..9927207921 100644 --- a/nova/values_overrides/netpol.yaml +++ b/nova/values_overrides/netpol.yaml @@ -1,2 +1,19 @@ manifests: network_policy: true +network_policy: + nova: + egress: + - to: + - ipBlock: + cidr: $API_ADDR/32 + ports: + - protocol: TCP + port: $API_PORT + placement: + egress: + - to: + - ipBlock: + cidr: $API_ADDR/32 + ports: + - protocol: TCP + port: $API_PORT diff --git a/tools/deployment/common/env-variables.sh b/tools/deployment/common/env-variables.sh new file mode 100644 index 0000000000..de9a6c2d43 --- /dev/null +++ b/tools/deployment/common/env-variables.sh 
@@ -0,0 +1,16 @@ +#!/bin/bash +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +export API_ADDR=$(kubectl get endpoints kubernetes -o json | jq -r '.subsets[0].addresses[0].ip') +export API_PORT=$(kubectl get endpoints kubernetes -o json | jq -r '.subsets[0].ports[0].port') diff --git a/tools/deployment/common/get-values-overrides.sh b/tools/deployment/common/get-values-overrides.sh index baf604e875..32a55a8372 100755 --- a/tools/deployment/common/get-values-overrides.sh +++ b/tools/deployment/common/get-values-overrides.sh @@ -59,13 +59,15 @@ function override_file_args () { echoerr "We will attempt to use values-override files with the following paths:" for FILE in $(combination ${1//,/ } | uniq | tac); do FILE_PATH="${HELM_CHART_ROOT_PATH}/${HELM_CHART}/values_overrides/${FILE}.yaml" - if [ -f "${FILE_PATH}" ]; then - OVERRIDE_ARGS+=" --values=${FILE_PATH} " - fi - echoerr "${FILE_PATH}" + if [ -f "${FILE_PATH}" ]; then + envsubst < ${FILE_PATH} > /tmp/${HELM_CHART}-${FILE}.yaml + OVERRIDE_ARGS+=" --values=/tmp/${HELM_CHART}-${FILE}.yaml " + fi + echoerr "${FILE_PATH}" done echo "${OVERRIDE_ARGS}" } echoerr "We are going to deploy the service ${HELM_CHART} for the OpenStack ${OPENSTACK_RELEASE} release, using ${CONTAINER_DISTRO_NAME} (${CONTAINER_DISTRO_VERSION}) distribution containers." +source ../openstack-helm/tools/deployment/common/env-variables.sh override_file_args "${OSH_FEATURE_MIX}"
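Review bot: Both `export API_ADDR=$(…)` and `export API_PORT=$(…)` in env-variables.sh discard the pipeline's exit status, so if kubectl or jq fails the variables are exported empty and every override renders `cidr: /32` and an empty `port:`, an invalid NetworkPolicy that is only discovered at helm or apiserver time. Since the file is sourced, a check after the exports such as `if [ -z "${API_ADDR}" ] || [ -z "${API_PORT}" ]; then echo "failed to resolve the kubernetes API endpoint" >&2; return 1; fi` fails fast with a clear message. `.subsets[0].addresses[0].ip` also pins the policy to the first listed API-server address, so on a control plane with several addresses in the `kubernetes` endpoints the others would be blocked; I cannot tell from this diff whether the gate runs such a topology, so at least a comment recording the single-endpoint assumption seems warranted.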
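Review bot: The new `envsubst < ${FILE_PATH} > /tmp/${HELM_CHART}-${FILE}.yaml` substitutes every `$NAME` in each override file, not only `$API_ADDR` and `$API_PORT`, so any literal dollar-variable in an override is silently replaced from the caller's environment; `envsubst '$API_ADDR $API_PORT'` restricts the rewrite to the two variables this patch introduces. The output also goes to a fixed, predictable name in world-writable /tmp, the classic insecure temporary file pattern: a pre-existing file or symlink at that path is followed and overwritten, and the values file Helm later reads may not be the one just written, which `mktemp` avoids. Both paths are unquoted although the surrounding lines quote `${FILE_PATH}`, and the enclosing function `override_file_args` begins before this hunk. The trailing `source ../openstack-helm/tools/deployment/common/env-variables.sh` runs kubectl on every invocation through a cwd-relative path whether or not the netpol feature is in the mix; guarding it with `[ -f ... ] && source ...` would keep non-netpol deployments working when that path is absent.
```bash
    if [ -f "${FILE_PATH}" ]; then
      RENDERED_FILE="$(mktemp "${TMPDIR:-/tmp}/${HELM_CHART}-${FILE}.XXXXXX")"
      envsubst '$API_ADDR $API_PORT' < "${FILE_PATH}" > "${RENDERED_FILE}"
      OVERRIDE_ARGS+=" --values=${RENDERED_FILE} "
    fi
    # … unchanged: echoerr "${FILE_PATH}" and the rest of the loop …
```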