From 8ca4149c9d8cfd3cf87bfb06033a4989fd10265e Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Wed, 13 Nov 2024 16:16:51 -0500
Subject: [PATCH] feat(network): enable optional egress network policy
---
charts/cryostat/README.md | 43 +++++------
.../templates/networkpolicy_egress.yaml | 40 ++++++++++
.../tests/networkpolicy_egress_test.yaml | 74 +++++++++++++++++++
charts/cryostat/values.schema.json | 12 ++-
charts/cryostat/values.yaml | 5 +-
5 files changed, 151 insertions(+), 23 deletions(-)
create mode 100644 charts/cryostat/templates/networkpolicy_egress.yaml
create mode 100644 charts/cryostat/tests/networkpolicy_egress_test.yaml
diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md
index 9e01506..9003658 100644
--- a/charts/cryostat/README.md
+++ b/charts/cryostat/README.md
@@ -199,25 +199,26 @@ helm install cryostat ./charts/cryostat ### Other Parameters -| Name | Description | Value | -| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -| `imagePullSecrets` | Image pull secrets to be used for the Cryostat deployment | `[]` | -| `nameOverride` | Overrides the name of this Chart | `""` | -| `fullnameOverride` | Overrides the fully qualified application name of `[release name]-[chart name]` | `""` | -| `rbac.create` | Specifies whether RBAC resources should be created | `true` | -| `serviceAccount.create` | Specifies whether a service account should be created | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""` | -| `podAnnotations` | Annotations to be applied to the Cryostat Pod | `{}` | -| `podSecurityContext` | Security Context for the Cryostat Pod. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [PodSecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) | `{}` | -| `networkPolicy.ingress.enabled` | whether a NetworkPolicy for restricting Cryostat component Pods' traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods. | `true` | -| `nodeSelector` | Node Selector for the Cryostat Pod. 
See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` | -| `tolerations` | Tolerations for the Cryostat Pod. See: [Tolerations](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `[]` | -| `affinity` | Affinity for the Cryostat Pod. See: [Affinity](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` | -| `pvc.enabled` | Specify whether to use persistentVolumeClaim or EmptyDir storage | `false` | -| `pvc.annotations` | Annotations to add to the persistentVolumeClaim | `{}` | -| `pvc.storage` | Storage size to request for the persistentVolumeClaim | `500Mi` | -| `pvc.accessModes` | Access mode for the persistentVolumeClaim. See: [Access Modes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `["ReadWriteOnce"]` | -| `pvc.selector` | Selector for the persistentVolumeClaim. See: [Selector](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `{}` | -| `pvc.storageClassName` | The name of the StorageClass for the persistentVolumeClaim. 
See: [Class](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `undefined` | +| Name | Description | Value | +| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `imagePullSecrets` | Image pull secrets to be used for the Cryostat deployment | `[]` | +| `nameOverride` | Overrides the name of this Chart | `""` | +| `fullnameOverride` | Overrides the fully qualified application name of `[release name]-[chart name]` | `""` | +| `rbac.create` | Specifies whether RBAC resources should be created | `true` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""` | +| `podAnnotations` | Annotations to be applied to the Cryostat Pod | `{}` | +| `podSecurityContext` | Security Context for the Cryostat Pod. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [PodSecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) | `{}` | +| `networkPolicy.ingress.enabled` | whether a NetworkPolicy for restricting Cryostat component Pods' inbound traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods. | `true` | +| `networkPolicy.egress.enabled` | whether a NetworkPolicy for restricting Cryostat component Pods' outbound traffic is installed. This prevents Cryostat's component Pods from opening connections to unexpected destinations. The policy will allow Cryostat's Pods to communicate with each other, to the cluster API server, and to any target namespaces (core.discovery.kubernetes.namespaces). This is off by default since some cluster network plugins cause JDBC connectivity issues between Cryostat and its database when this policy is activated. When enabled, Cryostat users will not be able to define Custom Targets that are located outside of the target namespaces defined at installation time. | `false` | +| `nodeSelector` | Node Selector for the Cryostat Pod. See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` | +| `tolerations` | Tolerations for the Cryostat Pod. See: [Tolerations](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `[]` | +| `affinity` | Affinity for the Cryostat Pod. See: [Affinity](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` | +| `pvc.enabled` | Specify whether to use persistentVolumeClaim or EmptyDir storage | `false` | +| `pvc.annotations` | Annotations to add to the persistentVolumeClaim | `{}` | +| `pvc.storage` | Storage size to request for the persistentVolumeClaim | `500Mi` | +| `pvc.accessModes` | Access mode for the persistentVolumeClaim. 
See: [Access Modes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `["ReadWriteOnce"]` | +| `pvc.selector` | Selector for the persistentVolumeClaim. See: [Selector](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `{}` | +| `pvc.storageClassName` | The name of the StorageClass for the persistentVolumeClaim. See: [Class](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `undefined` | diff --git a/charts/cryostat/templates/networkpolicy_egress.yaml b/charts/cryostat/templates/networkpolicy_egress.yaml new file mode 100644 index 0000000..21869c6 --- /dev/null +++ b/charts/cryostat/templates/networkpolicy_egress.yaml @@ -0,0 +1,40 @@ +{{- if ((.Values.networkPolicy.egress).enabled) }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ .Release.Name }}-internal-egress + namespace: {{ .Release.Namespace }} +spec: + policyTypes: + - Egress + podSelector: + matchLabels: + {{- include "cryostat.selectorLabels" $ | nindent 6 }} + app.kubernetes.io/component: cryostat + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ .Release.Namespace }} +{{- if .Values.authentication.openshift.enabled }} +{{- $kubernetesEndpoint := lookup "v1" "Endpoints" "default" "kubernetes" }} +{{- $kubernetesAddress := (first $kubernetesEndpoint.subsets).addresses }} +{{- $kubernetesIP := (first $kubernetesAddress).ip }} + - to: + - ipBlock: + cidr: {{ $kubernetesIP }}/32 +{{- end }} + - to: + - namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - default + - kube-system + - openshift + - {{ .Release.Namespace }} + {{- range .Values.core.discovery.kubernetes.namespaces }} + - {{ . }} + {{- end }} +{{- end }} 
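Review bot: When `authentication.openshift.enabled` is false the template emits no rule admitting the API server, although the values/README text in this patch says the policy allows it: the remaining rules are `namespaceSelector`s, which match Pods, and the `kubernetes` Service's endpoint is a control-plane address rather than a Pod, so discovery calls to the API server would be blocked unless the CNI exempts that traffic — consider emitting the `ipBlock` rule regardless of the OpenShift auth setting. The `first (first $kubernetesEndpoint.subsets).addresses` lookup also admits only one control-plane address; an HA cluster publishes several in the `kubernetes` Endpoints and requests routed to the others would be dropped, so range over every subset and address, and guard the lookup because it returns an empty map under `helm template`/`--dry-run`, where `first` on a nil `subsets` would presumably abort rendering. Separately, allowing every port on every Pod in `default`, `kube-system` and `openshift` is broader than DNS needs; a `podSelector` for the DNS Pods plus `ports` for 53/UDP and 53/TCP would be closer to least privilege, and on OpenShift the DNS Pods typically run in `openshift-dns`, which this list does not include, so name resolution may fail there (worth verifying on a real cluster). The first `to` entry for `{{ .Release.Namespace }}` is already covered by the `In` list of the last rule and can be dropped.
```yaml
{{- if .Values.authentication.openshift.enabled }}
{{- $kubernetesEndpoint := lookup "v1" "Endpoints" "default" "kubernetes" }}
{{- if $kubernetesEndpoint }}
{{- range $kubernetesEndpoint.subsets }}
{{- range .addresses }}
  - to:
    - ipBlock:
        cidr: {{ .ip }}/32
{{- end }}
{{- end }}
{{- end }}
{{- end }}
# … unchanged: namespaceSelector rule for default/kube-system/openshift/release and target namespaces …
```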
diff --git a/charts/cryostat/tests/networkpolicy_egress_test.yaml b/charts/cryostat/tests/networkpolicy_egress_test.yaml new file mode 100644 index 0000000..96247b5 --- /dev/null +++ b/charts/cryostat/tests/networkpolicy_egress_test.yaml @@ -0,0 +1,74 @@ +suite: test networkpolicy_egress.yaml +templates: + - networkpolicy_egress.yaml + +tests: + - it: should be disabled by default + asserts: + - hasDocuments: + count: 0 + + - it: should create an internal-access policy + set: + networkPolicy.egress.enabled: true + asserts: + - equal: + path: kind + value: NetworkPolicy + - equal: + path: metadata.name + value: RELEASE-NAME-internal-egress + - equal: + path: metadata.namespace + value: NAMESPACE + - equal: + path: spec.podSelector + value: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: cryostat + app.kubernetes.io/component: cryostat + - equal: + path: spec.egress + value: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: NAMESPACE + - to: + - namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - default + - kube-system + - openshift + - NAMESPACE + + - it: should allow additional egress to target namespaces + set: + networkPolicy.egress.enabled: true + core.discovery.kubernetes.namespaces: + - apps1 + - apps2 + asserts: + - equal: + path: spec.egress + value: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: NAMESPACE + - to: + - namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - default + - kube-system + - openshift + - NAMESPACE + - apps1 + - apps2 diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 7cc9a84..9a79ced 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json 
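Review bot: None of the three cases sets `authentication.openshift.enabled`, so the `lookup`-driven `ipBlock` rule in the template is never rendered under test. Unless a `kubernetesProvider` mock is configured, helm-unittest has no cluster and `lookup` returns an empty map, so a case with `networkPolicy.egress.enabled: true` and `authentication.openshift.enabled: true` would presumably surface a render error from `first` on a nil `subsets` rather than an ipBlock entry; adding that case — `it: should render when openshift auth is enabled and no cluster is reachable`, with both values set and `lengthEqual: path: spec.egress, count: 2` — pins the no-cluster behaviour and will catch regressions once the lookup is guarded. The expected `spec.egress` in the last two cases also encodes the redundancy of the first `to` entry (NAMESPACE appears again in the `In` list), so collapsing the two rules in the template would require updating these assertions.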
@@ -995,10 +995,20 @@ "properties": { "enabled": { "type": "boolean", - "description": "whether a NetworkPolicy for restricting Cryostat component Pods' traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods.", + "description": "whether a NetworkPolicy for restricting Cryostat component Pods' inbound traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods.", "default": true } } + }, + "egress": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "whether a NetworkPolicy for restricting Cryostat component Pods' outbound traffic is installed. This prevents Cryostat's component Pods from opening connections to unexpected destinations. The policy will allow Cryostat's Pods to communicate with each other, to the cluster API server, and to any target namespaces (core.discovery.kubernetes.namespaces). This is off by default since some cluster network plugins cause JDBC connectivity issues between Cryostat and its database when this policy is activated. When enabled, Cryostat users will not be able to define Custom Targets that are located outside of the target namespaces defined at installation time.", + "default": false + } + } } } }, diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index afbf7d5..6eb2c18 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -358,8 +358,11 @@ podSecurityContext: networkPolicy: ingress: - ## @param networkPolicy.ingress.enabled whether a NetworkPolicy for restricting Cryostat component Pods' traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods. + ## @param networkPolicy.ingress.enabled whether a NetworkPolicy for restricting Cryostat component Pods' inbound traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods. enabled: true + egress: + ## @param networkPolicy.egress.enabled whether a NetworkPolicy for restricting Cryostat component Pods' outbound traffic is installed. This prevents Cryostat's component Pods from opening connections to unexpected destinations. The policy will allow Cryostat's Pods to communicate with each other, to the cluster API server, and to any target namespaces (core.discovery.kubernetes.namespaces). This is off by default since some cluster network plugins cause JDBC connectivity issues between Cryostat and its database when this policy is activated. When enabled, Cryostat users will not be able to define Custom Targets that are located outside of the target namespaces defined at installation time. + enabled: false ## @param nodeSelector [object] Node Selector for the Cryostat Pod. See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) nodeSelector: {}