From de100d4b0a18ac8f684ac57b824ff8116b0a9e1f Mon Sep 17 00:00:00 2001 From: Nick Kammerdiener Date: Tue, 1 Jun 2021 23:03:25 -0400 Subject: [PATCH 01/14] Adding initial network policies --- .../networkpolicies/default-deny-all.yaml | 15 +++++++++++++++ .../bigbang/networkpolicies/es-allow.yaml | 18 ++++++++++++++++++ .../networkpolicies/namespace-allow.yaml | 18 ++++++++++++++++++ 3 files changed, 51 insertions(+) create mode 100644 chart/templates/bigbang/networkpolicies/default-deny-all.yaml create mode 100644 chart/templates/bigbang/networkpolicies/es-allow.yaml create mode 100644 chart/templates/bigbang/networkpolicies/namespace-allow.yaml diff --git a/chart/templates/bigbang/networkpolicies/default-deny-all.yaml b/chart/templates/bigbang/networkpolicies/default-deny-all.yaml new file mode 100644 index 0000000..76bcb1b --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/default-deny-all.yaml @@ -0,0 +1,15 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-all + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + egress: + - to: + - namespaceSelector: {} +{{- end }} diff --git a/chart/templates/bigbang/networkpolicies/es-allow.yaml b/chart/templates/bigbang/networkpolicies/es-allow.yaml new file mode 100644 index 0000000..ed83c11 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/es-allow.yaml @@ -0,0 +1,18 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + name: es-communication + namespace: {{ .Release.Namespace }} +spec: + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 9200 + protocol: TCP + podSelector: {} + policyTypes: + - Egress +{{- end }} diff --git a/chart/templates/bigbang/networkpolicies/namespace-allow.yaml b/chart/templates/bigbang/networkpolicies/namespace-allow.yaml new file mode 100644 index 0000000..97a841c 
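Review bot: The `default-deny-all` policy in this hunk does not deny egress: its `egress: - to: - namespaceSelector: {}` rule permits traffic to every pod in every namespace, so only egress to non-pod destinations (outside the cluster, node IPs) is blocked while the name promises a full deny. Patch 08 in this series replaces the rule with `egress: []` and `ingress: []`, which is the correct deny form; consider squashing so no intermediate commit ships a policy whose name contradicts its effect. A short comment above `spec:` such as `# Both policyTypes listed with no rules: all ingress and egress to pods in this namespace is denied; allows come from the sibling policies` would make the mechanism explicit to the next reader.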
--- /dev/null +++ b/chart/templates/bigbang/networkpolicies/namespace-allow.yaml @@ -0,0 +1,18 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-in-ns + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: + - from: + - podSelector: {} + egress: + - to: + - podSelector: {} +{{- end }} -- GitLab From d96bfe0b25e6eb13c68fca0bc2663581a658559b Mon Sep 17 00:00:00 2001 From: Nick Kammerdiener Date: Wed, 2 Jun 2021 11:03:12 -0400 Subject: [PATCH 02/14] Adding in values and istio policy --- .../bigbang/networkpolicies/istio.yaml | 19 +++++++++++++++++++ chart/values.yaml | 6 ++++++ 2 files changed, 25 insertions(+) create mode 100644 chart/templates/bigbang/networkpolicies/istio.yaml diff --git a/chart/templates/bigbang/networkpolicies/istio.yaml b/chart/templates/bigbang/networkpolicies/istio.yaml new file mode 100644 index 0000000..8ee2636 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/istio.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-to-istio-ingressgateway + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}} +{{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index a2d3aae..ffd7e24 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -257,3 +257,9 @@ sso: # Role mappings for SSO groups must be set up and SSO enabled before doing this kibanaBasicAuth: enabled: true + +networkPolicies: + enabled: false + ingressLabels: + app: istio-ingressgateway + istio: ingressgateway \ No newline at end of file -- GitLab 
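Review bot: `allow-in-ns` grants every pod in the release namespace unrestricted ingress from and egress to every other pod in the namespace (`podSelector: {}` on both the subject and the peer), which is far broader than the Kibana→Elasticsearch 9200 and Elasticsearch transport flows this chart presumably needs. Any pod that lands in this namespace — including the `helm-test` pods added later in the series — can reach the Elasticsearch HTTP and transport ports directly, so the default-deny policy buys little inside the namespace boundary. If the intra-namespace flows are known, consider replacing this with per-flow policies keyed on the ECK labels already used elsewhere in the series (`common.k8s.elastic.co/type: elasticsearch` / `kibana`) and restricting `ports:`; if not, at least document the trade-off with a comment like `# Intentionally broad: all intra-namespace traffic is allowed; tighten once required flows are enumerated`.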
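Review bot: `{{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}}` in the istio.yaml hunk renders `matchLabels:` with no entries when an override sets `ingressLabels` to `{}` or null, and an empty `matchLabels` selects every pod in the `istio-controlplane` namespace, so a misconfiguration silently widens who may reach port 5601 instead of failing. A render-time guard ahead of the policy, `{{- if not .Values.networkPolicies.ingressLabels }}{{ fail "networkPolicies.ingressLabels must name the ingress gateway pods" }}{{ end }}`, makes the chart refuse to install rather than open the policy (Helm's `required` alone would still accept an explicit `{}`). The values.yaml hunk could carry a comment on `ingressLabels` stating that these must match the gateway pod labels exactly, since nothing in the chart validates them against the running gateway.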
From 9b1628c9fe2e0496f62382e3b14c3e38e39d6b2a Mon Sep 17 00:00:00 2001 From: Nick Kammerdiener Date: Wed, 2 Jun 2021 13:56:34 -0400 Subject: [PATCH 03/14] Adding additional selectors and updating tests --- .../bigbang/networkpolicies/dns-allow.yaml | 19 +++++++++++++++++++ .../bigbang/networkpolicies/es-allow.yaml | 1 - .../bigbang/networkpolicies/istio.yaml | 6 ++++++ tests/test-values.yml | 3 +++ 4 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 chart/templates/bigbang/networkpolicies/dns-allow.yaml diff --git a/chart/templates/bigbang/networkpolicies/dns-allow.yaml b/chart/templates/bigbang/networkpolicies/dns-allow.yaml new file mode 100644 index 0000000..d04332c --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/dns-allow.yaml @@ -0,0 +1,19 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: dns-egress + namespace: {{ .Release.Namespace }} +spec: + egress: + - to: + podSelector: + matchLabels: + common.k8s.elastic.co/type: elasticsearch + ports: + - port: 53 + protocol: UDP + podSelector: {} + policyTypes: + - Egress +{{- end }} diff --git a/chart/templates/bigbang/networkpolicies/es-allow.yaml b/chart/templates/bigbang/networkpolicies/es-allow.yaml index ed83c11..e737a9e 100644 --- a/chart/templates/bigbang/networkpolicies/es-allow.yaml +++ b/chart/templates/bigbang/networkpolicies/es-allow.yaml @@ -2,7 +2,6 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - labels: name: es-communication namespace: {{ .Release.Namespace }} spec: diff --git a/chart/templates/bigbang/networkpolicies/istio.yaml b/chart/templates/bigbang/networkpolicies/istio.yaml index 8ee2636..734e50d 100644 --- a/chart/templates/bigbang/networkpolicies/istio.yaml +++ b/chart/templates/bigbang/networkpolicies/istio.yaml 
@@ -16,4 +16,10 @@ spec: podSelector: matchLabels: {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}} + ports: + - port: 5601 + protocol: TCP + podSelector: + matchLabels: + common.k8s.elastic.co/type: kibana {{- end }} diff --git a/tests/test-values.yml b/tests/test-values.yml index 59a9bc2..16d3e02 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -27,6 +27,9 @@ elasticsearch: istio: enabled: true +networkPolicies: + enabled: true + bbtests: cypress: artifacts: true -- GitLab From 57b41ff6e1fa7459cec0e46e50c602f1678279c0 Mon Sep 17 00:00:00 2001 From: Nick Kammerdiener Date: Wed, 2 Jun 2021 15:09:18 -0400 Subject: [PATCH 04/14] Fixing DNS network policy --- chart/templates/bigbang/networkpolicies/dns-allow.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/chart/templates/bigbang/networkpolicies/dns-allow.yaml b/chart/templates/bigbang/networkpolicies/dns-allow.yaml index d04332c..5a9d9ab 100644 --- a/chart/templates/bigbang/networkpolicies/dns-allow.yaml +++ b/chart/templates/bigbang/networkpolicies/dns-allow.yaml @@ -6,11 +6,7 @@ metadata: namespace: {{ .Release.Namespace }} spec: egress: - - to: - podSelector: - matchLabels: - common.k8s.elastic.co/type: elasticsearch - ports: + - ports: - port: 53 protocol: UDP podSelector: {} -- GitLab From 8f9ad8c6f571b0cfc56bc71a5084302e48569844 Mon Sep 17 00:00:00 2001 From: Nick Kammerdiener Date: Wed, 2 Jun 2021 16:22:10 -0400 Subject: [PATCH 05/14] Updating match label --- chart/templates/bigbang/networkpolicies/istio.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/templates/bigbang/networkpolicies/istio.yaml b/chart/templates/bigbang/networkpolicies/istio.yaml index 734e50d..e98791a 100644 --- a/chart/templates/bigbang/networkpolicies/istio.yaml +++ b/chart/templates/bigbang/networkpolicies/istio.yaml 
@@ -21,5 +21,5 @@ spec: protocol: TCP podSelector: matchLabels: - common.k8s.elastic.co/type: kibana + app.kubernetes.io/name: {{ .Release.Name }} {{- end }} -- GitLab From f9d57c4d6fb037ce36cfb6977483c189081f7dcf Mon Sep 17 00:00:00 2001 From: Nick Kammerdiener Date: Thu, 3 Jun 2021 11:10:15 -0400 Subject: [PATCH 06/14] Trying to fix Istio --- chart/templates/bigbang/networkpolicies/istio.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/chart/templates/bigbang/networkpolicies/istio.yaml b/chart/templates/bigbang/networkpolicies/istio.yaml index e98791a..eaa2a18 100644 --- a/chart/templates/bigbang/networkpolicies/istio.yaml +++ b/chart/templates/bigbang/networkpolicies/istio.yaml @@ -19,7 +19,7 @@ spec: ports: - port: 5601 protocol: TCP - podSelector: - matchLabels: - app.kubernetes.io/name: {{ .Release.Name }} + # podSelector: + # matchLabels: + # app.kubernetes.io/name: {{ .Release.Name }} {{- end }} -- GitLab From dfdd0f176884e8e3dc8becf15138118c9c582f55 Mon Sep 17 00:00:00 2001 From: Nick Kammerdiener Date: Thu, 3 Jun 2021 11:26:12 -0400 Subject: [PATCH 07/14] Kibana specific pod selector --- chart/templates/bigbang/networkpolicies/istio.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/chart/templates/bigbang/networkpolicies/istio.yaml b/chart/templates/bigbang/networkpolicies/istio.yaml index eaa2a18..734e50d 100644 --- a/chart/templates/bigbang/networkpolicies/istio.yaml +++ b/chart/templates/bigbang/networkpolicies/istio.yaml @@ -19,7 +19,7 @@ spec: ports: - port: 5601 protocol: TCP - # podSelector: - # matchLabels: - # app.kubernetes.io/name: {{ .Release.Name }} + podSelector: + matchLabels: + common.k8s.elastic.co/type: kibana {{- end }} -- GitLab From beecf34d34c6d606af92153697b14800d6aa0988 Mon Sep 17 00:00:00 2001 
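Review bot: With the Kibana selector restored here, the policy (named `allow-to-istio-ingressgateway` in `metadata.name` above this hunk) selects Kibana pods and permits *ingress* from the gateway, so the `-to-` in the name states the direction backwards; renaming it `allow-from-istio-ingressgateway-to-kibana` would stop a later reader from treating it as an egress allowance. The `common.k8s.elastic.co/type: kibana` label is applied by the ECK operator rather than by this chart, which is worth stating next to the selector, e.g. `# Kibana pods are labelled by ECK, not by this chart; the gateway pods are matched via .Values.networkPolicies.ingressLabels`. Patches 05 and 06 in this series only toggle this selector back and forth and could be squashed into this one.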
From: "garcia.ryan" Date: Thu, 3 Jun 2021 10:31:01 -0600 Subject: [PATCH 08/14] feat: Syntax in policies and adding istiod-egress policy --- .../networkpolicies/allow-istiod-egress.yaml | 21 +++++++++++++++++++ .../networkpolicies/default-deny-all.yaml | 5 ++--- .../bigbang/networkpolicies/dns-allow.yaml | 4 +++- 3 files changed, 26 insertions(+), 4 deletions(-) create mode 100644 chart/templates/bigbang/networkpolicies/allow-istiod-egress.yaml diff --git a/chart/templates/bigbang/networkpolicies/allow-istiod-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-istiod-egress.yaml new file mode 100644 index 0000000..f5d9665 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-istiod-egress.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-istiod-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - to: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + app: istiod + ports: + - port: 15012 +{{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/default-deny-all.yaml b/chart/templates/bigbang/networkpolicies/default-deny-all.yaml index 76bcb1b..302f51a 100644 --- a/chart/templates/bigbang/networkpolicies/default-deny-all.yaml +++ b/chart/templates/bigbang/networkpolicies/default-deny-all.yaml @@ -9,7 +9,6 @@ spec: policyTypes: - Ingress - Egress - egress: - - to: - - namespaceSelector: {} + egress: [] + ingress: [] {{- end }} diff --git a/chart/templates/bigbang/networkpolicies/dns-allow.yaml b/chart/templates/bigbang/networkpolicies/dns-allow.yaml index 5a9d9ab..f0054ad 100644 --- a/chart/templates/bigbang/networkpolicies/dns-allow.yaml +++ b/chart/templates/bigbang/networkpolicies/dns-allow.yaml 
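Review bot: `allow-istiod-egress` omits `protocol:` on its `port: 15012` entry, unlike every other policy in this series, and the file ends without a newline after `{{- end }}`; adding `protocol: TCP` under the port (the Kubernetes default, so no behavioural change) keeps the policies consistent and explicit. A one-line comment such as `# 15012: istiod xDS/CA port that sidecars need for bootstrap and certificate issuance` would explain the number. The namespace and pod labels (`app.kubernetes.io/name: istio-controlplane`, `app: istiod`) are presumably those applied by the Big Bang Istio chart rather than anything this chart controls — worth a comment naming that dependency, since a label change there would silently break sidecar bootstrap under default-deny.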
@@ -6,7 +6,9 @@ metadata: namespace: {{ .Release.Namespace }} spec: egress: - - ports: + - to: + - namespaceSelector: {} + ports: - port: 53 protocol: UDP podSelector: {} -- GitLab From 462f08a7fd38448c2347101d9cedc2b9d225c6c1 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 3 Jun 2021 11:02:18 -0600 Subject: [PATCH 09/14] feat: Ingress to ES from jaeger --- chart/templates/bigbang/networkpolicies/es-allow.yaml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/chart/templates/bigbang/networkpolicies/es-allow.yaml b/chart/templates/bigbang/networkpolicies/es-allow.yaml index e737a9e..efa4c05 100644 --- a/chart/templates/bigbang/networkpolicies/es-allow.yaml +++ b/chart/templates/bigbang/networkpolicies/es-allow.yaml @@ -2,16 +2,21 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: es-communication + name: es-communication-jaeger namespace: {{ .Release.Namespace }} spec: ingress: - from: - - namespaceSelector: {} + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: jaeger + podSelector: + matchLabels: + app.kubernetes.io/name: jaeger ports: - port: 9200 protocol: TCP podSelector: {} policyTypes: - - Egress + - Ingress {{- end }} -- GitLab From 1e2a8b827f95293bceb3009f2b993e5d5e2e8c43 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 3 Jun 2021 11:27:08 -0600 Subject: [PATCH 10/14] feat: Ingress to ES from eck-operator --- .../bigbang/networkpolicies/es-allow.yaml | 27 ++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/chart/templates/bigbang/networkpolicies/es-allow.yaml b/chart/templates/bigbang/networkpolicies/es-allow.yaml index efa4c05..15ae79d 100644 --- a/chart/templates/bigbang/networkpolicies/es-allow.yaml +++ b/chart/templates/bigbang/networkpolicies/es-allow.yaml 
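Review bot: `dns-egress` now allows UDP/53 to any pod in any namespace (`namespaceSelector: {}` with no `podSelector`) but still omits TCP/53, so lookups whose responses are truncated and retried over TCP will be dropped under default-deny, and the rule also lets any pod in the cluster that listens on UDP 53 receive traffic from this namespace. Scoping the peer to the cluster DNS pods and adding the TCP port closes both gaps; the `kubernetes.io/metadata.name` namespace label is set automatically on Kubernetes 1.21+ and `k8s-app: kube-dns` is the label both kube-dns and CoreDNS deployments conventionally carry — verify both on the target distribution. The policy's `metadata`, `podSelector` and `policyTypes` lines sit outside this hunk.
```yaml
spec:
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  # … unchanged: podSelector, policyTypes …
```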
@@ -16,7 +16,32 @@ spec: ports: - port: 9200 protocol: TCP - podSelector: {} + podSelector: + matchLabels: + common.k8s.elastic.co/type: elasticsearch + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: es-communication-eck-operator + namespace: {{ .Release.Namespace }} +spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: eck-operator + podSelector: + matchLabels: + app.kubernetes.io/name: elastic-operator + ports: + - port: 9200 + protocol: TCP + podSelector: + matchLabels: + common.k8s.elastic.co/type: elasticsearch policyTypes: - Ingress {{- end }} -- GitLab From 8ff517950b23e9da23de00f098c3625a907b8a41 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 3 Jun 2021 11:31:21 -0600 Subject: [PATCH 11/14] feat: Ingress to ES from eck-operator 2 --- chart/templates/bigbang/networkpolicies/es-allow.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/chart/templates/bigbang/networkpolicies/es-allow.yaml b/chart/templates/bigbang/networkpolicies/es-allow.yaml index 15ae79d..b5c4452 100644 --- a/chart/templates/bigbang/networkpolicies/es-allow.yaml +++ b/chart/templates/bigbang/networkpolicies/es-allow.yaml @@ -30,9 +30,7 @@ metadata: spec: ingress: - from: - - namespaceSelector: - matchLabels: - app.kubernetes.io/name: eck-operator + - namespaceSelector: {} podSelector: matchLabels: app.kubernetes.io/name: elastic-operator -- GitLab From e4ceff39d47a1adb3522ca5933a968c98fa997a9 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 3 Jun 2021 11:46:19 -0600 Subject: [PATCH 12/14] feat: bbtests egress to cluster policy for artifacts --- .../networkpolicies/helm-test-egress.yaml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 chart/templates/bigbang/networkpolicies/helm-test-egress.yaml 
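Review bot: Replacing the `eck-operator` namespace selector with `namespaceSelector: {}` in `es-communication-eck-operator` means any pod in any namespace can reach Elasticsearch on 9200 simply by carrying the label `app.kubernetes.io/name: elastic-operator`; pod labels are chosen by whoever creates the pod, so this trust decision now rests on a self-asserted label rather than on a namespace an administrator controls. If the operator's namespace lacks the `app.kubernetes.io/name: eck-operator` label the previous commit assumed, select it by a label it does have, for example `namespaceSelector: matchLabels: kubernetes.io/metadata.name: eck-operator` (set automatically on Kubernetes 1.21+; otherwise label the namespace explicitly), and keep the pod selector as the second constraint. The policy's `podSelector` and `policyTypes` lines lie below this hunk.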
diff --git a/chart/templates/bigbang/networkpolicies/helm-test-egress.yaml b/chart/templates/bigbang/networkpolicies/helm-test-egress.yaml new file mode 100644 index 0000000..fe0e9ce --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/helm-test-egress.yaml @@ -0,0 +1,21 @@ +{{- $bbtests := .Values.bbtests | default dict -}} +{{- $cypress := $bbtests.cypress | default dict -}} +{{- $enabled := (hasKey $bbtests "enabled") -}} +{{- $artifacts := (hasKey $cypress "artifacts") -}} +{{- if and $enabled $artifacts }} +{{- if and .Values.networkPolicies.enabled .Values.bbtests.cypress.artifacts }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-helm-test-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + helm-test: enabled + policyTypes: + - Egress + egress: + - {} +{{- end }} +{{- end }} -- GitLab From 40eee06c6097c81efdd9b5293fb0cceb86c7b6cf Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 3 Jun 2021 11:56:02 -0600 Subject: [PATCH 13/14] feat: bbtests egress to cluster policy for artifacts 2 --- chart/templates/bigbang/networkpolicies/helm-test-egress.yaml | 2 +- tests/test-values.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/chart/templates/bigbang/networkpolicies/helm-test-egress.yaml b/chart/templates/bigbang/networkpolicies/helm-test-egress.yaml index fe0e9ce..2364497 100644 --- a/chart/templates/bigbang/networkpolicies/helm-test-egress.yaml +++ b/chart/templates/bigbang/networkpolicies/helm-test-egress.yaml @@ -3,7 +3,7 @@ {{- $enabled := (hasKey $bbtests "enabled") -}} {{- $artifacts := (hasKey $cypress "artifacts") -}} {{- if and $enabled $artifacts }} -{{- if and .Values.networkPolicies.enabled .Values.bbtests.cypress.artifacts }} +{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled .Values.bbtests.cypress.artifacts }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: 
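Review bot: `allow-helm-test-egress` grants unrestricted egress (`egress: - {}`) to any pod in the namespace labelled `helm-test: enabled`, and because that is an ordinary pod label, any workload deployed into the release namespace can opt itself out of egress filtering by adding it — reaching external hosts or, on cloud nodes, the instance metadata endpoint. If the artifact destination is known it should be the only peer (`to:` with a namespace/pod selector or an `ipBlock`); if it genuinely must be open, a comment should say so and the `bbtests.enabled` default (presumably off in values.yaml, which this hunk does not show) must stay off so the policy is never rendered outside test runs. The two nested `if` guards can also be collapsed, since the `hasKey` checks only prove the keys exist while the inner `and` is what evaluates them: `{{- if and .Values.networkPolicies.enabled $bbtests.enabled $cypress.artifacts }}` after the `default dict` lines covers both cases without risking a nil dereference.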
diff --git a/tests/test-values.yml b/tests/test-values.yml index 16d3e02..94fcb2a 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -31,6 +31,7 @@ networkPolicies: enabled: true bbtests: + enabled: true cypress: artifacts: true envs: -- GitLab From 73887a31c18e6de10b46dbad7515279d959473bc Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Thu, 3 Jun 2021 12:05:42 -0600 Subject: [PATCH 14/14] Bumping chart version and CHANGELOG --- CHANGELOG.md | 4 ++++ chart/Chart.yaml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d02f4d7..af22947 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [0.1.12-bb.0] - 2021-06-03 +### Added +- Network Policy templates. Allow cluster ingress, egress to kube-dns, istiod, ingress from istio-ingressgateway, and ingress from jager pods & eck-operator pods. + ## [0.1.11-bb.0] - 2021-05-17 ### Changed - Updating Kibana and Elasticsearch versions to 7.10 diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 33798cc..6eac252 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: logging -version: 0.1.11-bb.0 +version: 0.1.12-bb.0 appVersion: 7.10.0 dependencies: - name: bb-test-lib -- GitLab