split policies for each service

cryostatio · Nov 22, 2024 · 987181f · 987181f
1 parent 735dd80
commit 987181f
Show file tree

Hide file tree

Showing 2 changed files with 180 additions and 10 deletions.
diff --git a/charts/cryostat/templates/networkpolicy_ingress.yaml b/charts/cryostat/templates/networkpolicy_ingress.yaml
@@ -2,21 +2,86 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: {{ .Release.Name }}-internal-ingress
+  name: {{ .Release.Name }}-cryostat-internal-ingress
 spec:
   podSelector:
     matchLabels:
       {{- include "cryostat.selectorLabels" $ | nindent 6 }}
+      app.kubernetes.io/component: cryostat
+  ingress:
+    - from:
+      - namespaceSelector: {}
+      ports:
+        - protocol: TCP
+          port: 4180
+        - protocol: TCP
+          port: 8443
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .Release.Name }}-reports-internal-ingress
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "cryostat.selectorLabels" $ | nindent 6 }}
+      app.kubernetes.io/component: reports
   ingress:
     - from:
       - podSelector:
           matchLabels:
             {{- include "cryostat.selectorLabels" $ | nindent 12 }}
+            app.kubernetes.io/component: cryostat
         namespaceSelector:
           matchLabels:
             kubernetes.io/metadata.name: {{ .Release.Namespace }}
+      ports:
+        - protocol: TCP
+          port: 4180
+        - protocol: TCP
+          port: 8443
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .Release.Name }}-db-internal-ingress
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "cryostat.selectorLabels" $ | nindent 6 }}
+      app.kubernetes.io/component: db
+  ingress:
     - from:
-      - namespaceSelector:
+      - podSelector:
           matchLabels:
-            policy-group.network.openshift.io/ingress: ""
+            {{- include "cryostat.selectorLabels" $ | nindent 12 }}
+            app.kubernetes.io/component: cryostat
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ .Release.Namespace }}
+      ports:
+        - protocol: TCP
+          port: 5432
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .Release.Name }}-storage-internal-ingress
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "cryostat.selectorLabels" $ | nindent 6 }}
+      app.kubernetes.io/component: storage
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            {{- include "cryostat.selectorLabels" $ | nindent 12 }}
+            app.kubernetes.io/component: cryostat
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ .Release.Namespace }}
+      ports:
+        - protocol: TCP
+          port: 8333
 {{- end }}
diff --git a/charts/cryostat/tests/networkpolicy_ingress_test.yaml b/charts/cryostat/tests/networkpolicy_ingress_test.yaml
@@ -10,34 +10,139 @@ tests:
       - hasDocuments:
           count: 0
 
-  - it: should create an internal-access policy
+  - it: should create policy objects
+    asserts:
+      - hasDocuments:
+          count: 4
+
+  - it: should create a Cryostat access policy
+    documentIndex: 0
     asserts:
       - equal:
           path: kind
           value: NetworkPolicy
       - equal:
           path: metadata.name
-          value: RELEASE-NAME-internal-ingress
+          value: RELEASE-NAME-cryostat-internal-ingress
       - equal:
           path: spec.podSelector
           value:
             matchLabels:
               app.kubernetes.io/instance: RELEASE-NAME
               app.kubernetes.io/name: cryostat
               app.kubernetes.io/part-of: cryostat
+              app.kubernetes.io/component: cryostat
       - equal:
           path: spec.ingress
           value:
             - from:
-              - podSelector:
+              - namespaceSelector: {}
+              ports:
+                - protocol: TCP
+                  port: 4180
+                - protocol: TCP
+                  port: 8443
+
+  - it: should create a report generator access policy
+    documentIndex: 1
+    asserts:
+      - equal:
+          path: kind
+          value: NetworkPolicy
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-reports-internal-ingress
+      - equal:
+          path: spec.podSelector
+          value:
+            matchLabels:
+              app.kubernetes.io/instance: RELEASE-NAME
+              app.kubernetes.io/name: cryostat
+              app.kubernetes.io/part-of: cryostat
+              app.kubernetes.io/component: reports
+      - equal:
+          path: spec.ingress
+          value:
+            - from:
+              - namespaceSelector:
                   matchLabels:
-                    app.kubernetes.io/part-of: cryostat
-                    app.kubernetes.io/name: cryostat
+                    kubernetes.io/metadata.name: NAMESPACE
+                podSelector:
+                  matchLabels:
+                    app.kubernetes.io/component: cryostat
                     app.kubernetes.io/instance: RELEASE-NAME
-                namespaceSelector:
+                    app.kubernetes.io/name: cryostat
+                    app.kubernetes.io/part-of: cryostat
+              ports:
+                - protocol: TCP
+                  port: 4180
+                - protocol: TCP
+                  port: 8443
+
+  - it: should create a database access policy
+    documentIndex: 2
+    asserts:
+      - equal:
+          path: kind
+          value: NetworkPolicy
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-db-internal-ingress
+      - equal:
+          path: spec.podSelector
+          value:
+            matchLabels:
+              app.kubernetes.io/instance: RELEASE-NAME
+              app.kubernetes.io/name: cryostat
+              app.kubernetes.io/part-of: cryostat
+              app.kubernetes.io/component: db
+      - equal:
+          path: spec.ingress
+          value:
+            - from:
+              - namespaceSelector:
                   matchLabels:
                     kubernetes.io/metadata.name: NAMESPACE
+                podSelector:
+                  matchLabels:
+                    app.kubernetes.io/component: cryostat
+                    app.kubernetes.io/instance: RELEASE-NAME
+                    app.kubernetes.io/name: cryostat
+                    app.kubernetes.io/part-of: cryostat
+              ports:
+                - protocol: TCP
+                  port: 5432
+
+  - it: should create a storage access policy
+    documentIndex: 3
+    asserts:
+      - equal:
+          path: kind
+          value: NetworkPolicy
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-storage-internal-ingress
+      - equal:
+          path: spec.podSelector
+          value:
+            matchLabels:
+              app.kubernetes.io/instance: RELEASE-NAME
+              app.kubernetes.io/name: cryostat
+              app.kubernetes.io/part-of: cryostat
+              app.kubernetes.io/component: storage
+      - equal:
+          path: spec.ingress
+          value:
             - from:
               - namespaceSelector:
                   matchLabels:
-                    policy-group.network.openshift.io/ingress: ""
+                    kubernetes.io/metadata.name: NAMESPACE
+                podSelector:
+                  matchLabels:
+                    app.kubernetes.io/component: cryostat
+                    app.kubernetes.io/instance: RELEASE-NAME
+                    app.kubernetes.io/name: cryostat
+                    app.kubernetes.io/part-of: cryostat
+              ports:
+                - protocol: TCP
+                  port: 8333