cryostatio · andrewazores · Nov 12, 2024 · Nov 13, 2024 · Nov 13, 2024 · Nov 13, 2024
diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md
diff --git a/charts/cryostat/templates/networkpolicy_egress.yaml b/charts/cryostat/templates/networkpolicy_egress.yaml
@@ -0,0 +1,40 @@
+{{- if ((.Values.networkPolicy.egress).enabled) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .Release.Name }}-internal-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  policyTypes:
+    - Egress
+  podSelector:
+    matchLabels:
+      {{- include "cryostat.selectorLabels" $ | nindent 6 }}
+      app.kubernetes.io/component: cryostat
+  egress:
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ .Release.Namespace }}
+{{- if .Values.authentication.openshift.enabled }}
+{{- $kubernetesEndpoint := lookup "v1" "Endpoints" "default" "kubernetes" }}
+{{- $kubernetesAddress := (first $kubernetesEndpoint.subsets).addresses }}
+{{- $kubernetesIP := (first $kubernetesAddress).ip }}
+    - to:
+      - ipBlock:
+          cidr: {{ $kubernetesIP }}/32
+{{- end }}
+    - to:
+      - namespaceSelector:
+          matchExpressions:
+            - key: kubernetes.io/metadata.name
+              operator: In
+              values:
+                - default
+                - kube-system
+                - openshift
+                - {{ .Release.Namespace }}
+                {{- range .Values.core.discovery.kubernetes.namespaces }}
+                - {{ . }}
+                {{- end }}
+{{- end }}
diff --git a/charts/cryostat/templates/networkpolicy_ingress.yaml b/charts/cryostat/templates/networkpolicy_ingress.yaml
@@ -0,0 +1,19 @@
+{{- if ((.Values.networkPolicy.ingress).enabled) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .Release.Name }}-internal-ingress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "cryostat.selectorLabels" $ | nindent 6 }}
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            {{- include "cryostat.selectorLabels" $ | nindent 12 }}
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/cryostat/tests/networkpolicy_egress_test.yaml b/charts/cryostat/tests/networkpolicy_egress_test.yaml
@@ -0,0 +1,74 @@
+suite: test networkpolicy_egress.yaml
+templates:
+  - networkpolicy_egress.yaml
+
+tests:
+  - it: should be disabled by default
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should create an internal-access policy
+    set:
+      networkPolicy.egress.enabled: true
+    asserts:
+      - equal:
+          path: kind
+          value: NetworkPolicy
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-internal-egress
+      - equal:
+          path: metadata.namespace
+          value: NAMESPACE
+      - equal:
+          path: spec.podSelector
+          value:
+            matchLabels:
+              app.kubernetes.io/instance: RELEASE-NAME
+              app.kubernetes.io/name: cryostat
+              app.kubernetes.io/component: cryostat
+      - equal:
+          path: spec.egress
+          value:
+            - to:
+              - namespaceSelector:
+                  matchLabels:
+                    kubernetes.io/metadata.name: NAMESPACE
+            - to:
+              - namespaceSelector:
+                  matchExpressions:
+                    - key: kubernetes.io/metadata.name
+                      operator: In
+                      values:
+                        - default
+                        - kube-system
+                        - openshift
+                        - NAMESPACE
+
+  - it: should allow additional egress to target namespaces
+    set:
+      networkPolicy.egress.enabled: true
+      core.discovery.kubernetes.namespaces:
+        - apps1
+        - apps2
+    asserts:
+      - equal:
+          path: spec.egress
+          value:
+            - to:
+              - namespaceSelector:
+                  matchLabels:
+                    kubernetes.io/metadata.name: NAMESPACE
+            - to:
+              - namespaceSelector:
+                  matchExpressions:
+                    - key: kubernetes.io/metadata.name
+                      operator: In
+                      values:
+                        - default
+                        - kube-system
+                        - openshift
+                        - NAMESPACE
+                        - apps1
+                        - apps2
diff --git a/charts/cryostat/tests/networkpolicy_ingress_test.yaml b/charts/cryostat/tests/networkpolicy_ingress_test.yaml
@@ -0,0 +1,40 @@
+suite: test networkpolicy_ingress.yaml
+templates:
+  - networkpolicy_ingress.yaml
+
+tests:
+  - it: should do nothing if disabled
+    set:
+      networkPolicy.ingress.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should create an internal-access policy
+    asserts:
+      - equal:
+          path: kind
+          value: NetworkPolicy
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-internal-ingress
+      - equal:
+          path: metadata.namespace
+          value: NAMESPACE
+      - equal:
+          path: spec.podSelector
+          value:
+            matchLabels:
+              app.kubernetes.io/instance: RELEASE-NAME
+              app.kubernetes.io/name: cryostat
+      - equal:
+          path: spec.ingress
+          value:
+            - from:
+              - podSelector:
+                  matchLabels:
+                    app.kubernetes.io/instance: RELEASE-NAME
+                    app.kubernetes.io/name: cryostat
+                namespaceSelector:
+                  matchLabels:
+                    kubernetes.io/metadata.name: NAMESPACE
diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json
@@ -987,6 +987,31 @@
                 }
             }
         },
+        "networkPolicy": {
+            "type": "object",
+            "properties": {
+                "ingress": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean",
+                            "description": "whether a NetworkPolicy for restricting Cryostat component Pods' inbound traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods.",
+                            "default": true
+                        }
+                    }
+                },
+                "egress": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean",
+                            "description": "whether a NetworkPolicy for restricting Cryostat component Pods' outbound traffic is installed. This prevents Cryostat's component Pods from opening connections to unexpected destinations. The policy will allow Cryostat's Pods to communicate with each other, to the cluster API server, and to any target namespaces (core.discovery.kubernetes.namespaces). This is off by default since some cluster network plugins cause JDBC connectivity issues between Cryostat and its database when this policy is activated. When enabled, Cryostat users will not be able to define Custom Targets that are located outside of the target namespaces defined at installation time.",
+                            "default": false
+                        }
+                    }
+                }
+            }
+        },
         "tolerations": {
             "type": "array",
             "description": "Tolerations for the Cryostat Pod. See: [Tolerations](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling)",

diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml
@@ -356,6 +356,14 @@ podSecurityContext:
   seccompProfile:
     type: RuntimeDefault
 
+networkPolicy:
+  ingress:
+    ## @param networkPolicy.ingress.enabled whether a NetworkPolicy for restricting Cryostat component Pods' inbound traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods.
+    enabled: true
+  egress:
+    ## @param networkPolicy.egress.enabled whether a NetworkPolicy for restricting Cryostat component Pods' outbound traffic is installed. This prevents Cryostat's component Pods from opening connections to unexpected destinations. The policy will allow Cryostat's Pods to communicate with each other, to the cluster API server, and to any target namespaces (core.discovery.kubernetes.namespaces). This is off by default since some cluster network plugins cause JDBC connectivity issues between Cryostat and its database when this policy is activated. When enabled, Cryostat users will not be able to define Custom Targets that are located outside of the target namespaces defined at installation time.
+    enabled: false
+
 ## @param nodeSelector [object] Node Selector for the Cryostat Pod. See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling)
 nodeSelector: {}