From 987181f6ff3a2d6530d3fae5e3f8604487a38170 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Fri, 22 Nov 2024 14:16:09 -0500 Subject: [PATCH] split policies for each service --- .../templates/networkpolicy_ingress.yaml | 71 ++++++++++- .../tests/networkpolicy_ingress_test.yaml | 119 ++++++++++++++++-- 2 files changed, 180 insertions(+), 10 deletions(-) diff --git a/charts/cryostat/templates/networkpolicy_ingress.yaml b/charts/cryostat/templates/networkpolicy_ingress.yaml index 7e90b29..b827a8e 100644 --- a/charts/cryostat/templates/networkpolicy_ingress.yaml +++ b/charts/cryostat/templates/networkpolicy_ingress.yaml 
@@ -2,21 +2,86 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ .Release.Name }}-internal-ingress + name: {{ .Release.Name }}-cryostat-internal-ingress spec: podSelector: matchLabels: {{- include "cryostat.selectorLabels" $ | nindent 6 }} + app.kubernetes.io/component: cryostat + ingress: + - from: + - namespaceSelector: {} + ports: + - protocol: TCP + port: 4180 + - protocol: TCP + port: 8443 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ .Release.Name }}-reports-internal-ingress +spec: + podSelector: + matchLabels: + {{- include "cryostat.selectorLabels" $ | nindent 6 }} + app.kubernetes.io/component: reports ingress: - from: - podSelector: matchLabels: {{- include "cryostat.selectorLabels" $ | nindent 12 }} + app.kubernetes.io/component: cryostat namespaceSelector: matchLabels: kubernetes.io/metadata.name: {{ .Release.Namespace }} + ports: + - protocol: TCP + port: 4180 + - protocol: TCP + port: 8443 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ .Release.Name }}-db-internal-ingress +spec: + podSelector: + matchLabels: + {{- include "cryostat.selectorLabels" $ | nindent 6 }} + app.kubernetes.io/component: db + ingress: - from: - - namespaceSelector: + - podSelector: matchLabels: - policy-group.network.openshift.io/ingress: "" + {{- include "cryostat.selectorLabels" $ | nindent 12 }} + app.kubernetes.io/component: cryostat + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ .Release.Namespace }} + ports: + - protocol: TCP + port: 5432 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ .Release.Name }}-storage-internal-ingress +spec: + podSelector: + matchLabels: + {{- include "cryostat.selectorLabels" $ | nindent 6 }} + app.kubernetes.io/component: storage + ingress: + - from: + - podSelector: + matchLabels: + {{- include "cryostat.selectorLabels" $ | nindent 12 }} + app.kubernetes.io/component: cryostat + 
namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ .Release.Namespace }} + ports: + - protocol: TCP + port: 8333 {{- end }} diff --git a/charts/cryostat/tests/networkpolicy_ingress_test.yaml b/charts/cryostat/tests/networkpolicy_ingress_test.yaml index 2aeadba..22c7a2b 100644 --- a/charts/cryostat/tests/networkpolicy_ingress_test.yaml +++ b/charts/cryostat/tests/networkpolicy_ingress_test.yaml @@ -10,14 +10,20 @@ tests: - hasDocuments: count: 0 - - it: should create an internal-access policy + - it: should create policy objects + asserts: + - hasDocuments: + count: 4 + + - it: should create a Cryostat access policy + documentIndex: 0 asserts: - equal: path: kind value: NetworkPolicy - equal: path: metadata.name - value: RELEASE-NAME-internal-ingress + value: RELEASE-NAME-cryostat-internal-ingress - equal: path: spec.podSelector value: 
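Review bot: The new `{{ .Release.Name }}-cryostat-internal-ingress` policy admits ingress on 4180 and 8443 from `namespaceSelector: {}`, i.e. every pod in every namespace, where the removed rule only admitted the chart's own pods in the release namespace and the namespace labelled `policy-group.network.openshift.io/ingress: ""`; this widening is not mentioned in the commit message and deserves either a narrower selector or a stated rationale. If cluster-wide reachability is intended, document it in the template, e.g. `# Intentionally reachable from every namespace; narrow the namespaceSelector if only the ingress controller should connect`, and consider exposing the allowed namespaces through values so the previous router-only posture remains possible. The reports, db and storage policies rely on the workload pod templates carrying `app.kubernetes.io/component` labels; if a component's pods lack that label its podSelector matches nothing and that policy silently isolates nothing, which should be checked against the deployment templates (not visible here). The closing `{{- end }}` belongs to a conditional whose opening line is outside this hunk.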
@@ -25,19 +31,118 @@ tests: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: cryostat app.kubernetes.io/part-of: cryostat + app.kubernetes.io/component: cryostat - equal: path: spec.ingress value: - from: - - podSelector: + - namespaceSelector: {} + ports: + - protocol: TCP + port: 4180 + - protocol: TCP + port: 8443 + + - it: should create a report generator access policy + documentIndex: 1 + asserts: + - equal: + path: kind + value: NetworkPolicy + - equal: + path: metadata.name + value: RELEASE-NAME-reports-internal-ingress + - equal: + path: spec.podSelector + value: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat + app.kubernetes.io/component: reports + - equal: + path: spec.ingress + value: + - from: + - namespaceSelector: matchLabels: - app.kubernetes.io/part-of: cryostat - app.kubernetes.io/name: cryostat + kubernetes.io/metadata.name: NAMESPACE + podSelector: + matchLabels: + app.kubernetes.io/component: cryostat app.kubernetes.io/instance: RELEASE-NAME - namespaceSelector: + app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat + ports: + - protocol: TCP + port: 4180 + - protocol: TCP + port: 8443 + + - it: should create a database access policy + documentIndex: 2 + asserts: + - equal: + path: kind + value: NetworkPolicy + - equal: + path: metadata.name + value: RELEASE-NAME-db-internal-ingress + - equal: + path: spec.podSelector + value: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat + app.kubernetes.io/component: db + - equal: + path: spec.ingress + value: + - from: + - namespaceSelector: matchLabels: kubernetes.io/metadata.name: NAMESPACE + podSelector: + matchLabels: + app.kubernetes.io/component: cryostat + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat + ports: + - protocol: TCP + port: 
5432 + + - it: should create a storage access policy + documentIndex: 3 + asserts: + - equal: + path: kind + value: NetworkPolicy + - equal: + path: metadata.name + value: RELEASE-NAME-storage-internal-ingress + - equal: + path: spec.podSelector + value: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat + app.kubernetes.io/component: storage + - equal: + path: spec.ingress + value: - from: - namespaceSelector: matchLabels: - policy-group.network.openshift.io/ingress: "" + kubernetes.io/metadata.name: NAMESPACE + podSelector: + matchLabels: + app.kubernetes.io/component: cryostat + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat + ports: + - protocol: TCP + port: 8333
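Review bot: The `matchLabels` key order differs between the `spec.podSelector` assertions (component listed last) and the `from[].podSelector` assertions (component listed first) in the reports, db and storage tests; helm-unittest compares parsed mappings so this passes, but one ordering throughout reads better and keeps future diffs small. For the document-0 test, the assertion `- namespaceSelector: {}` pins the cluster-wide allow; consider a brief `it` description or comment stating that cluster-wide reachability on 4180/8443 is the intended contract, so a later reviewer does not mistake a tightening for a regression. The test file's enclosing `tests:` list begins outside this hunk.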