Commit c631b5d

Add NetworkPolicy k8s resources (#1323)
This change adds a default deny NetworkPolicy for ingress and egress in the openshift-cluster-node-tuning-operator namespace. The following flows are allowed by NetworkPolicies:
- access to the API server
- access to NTO Metrics server
- access to NTO Webhook server

Resolves: PSAP-1178
Co-authored-by: Jiri Mencak <[email protected]>
1 parent 488ca89 commit c631b5d

2 files changed

+79
-0
lines changed

assets/tuned/manifests/ds-tuned.yaml

Lines changed: 1 addition & 0 deletions
@@ -20,6 +20,7 @@ spec:
2020
openshift.io/required-scc: privileged
2121
labels:
2222
openshift-app: tuned
23+
name: tuned
2324
spec:
2425
serviceAccountName: tuned
2526
containers:
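Review bot: the `name: tuned` label added to the DaemonSet pod template is the only thing that makes tuned pods match `allow-egress-to-api-server` in manifests/55-network-policy.yaml (`key: name, operator: In, values: [cluster-node-tuning-operator, tuned]`); a one-line comment next to the label recording that dependency would keep a later cleanup from dropping it, since the neighbouring `openshift-app: tuned` label is not selected by any policy and the tuned pods would then fall under `default-deny-all` on any network plugin that does enforce policy for hostNetwork pods.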

manifests/55-network-policy.yaml

Lines changed: 78 additions & 0 deletions
@@ -0,0 +1,78 @@
1+
# NOTE: NetworkPolicy behaviour for hostNetwork pods (tuned) is undefined
2+
# https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-and-hostnetwork-pods
3+
# Add rules for tuned pods even though most network plugins are unable to
4+
# distinguish hostNetwork pod traffic from all other traffic.
5+
6+
# The "default" policy for a namespace which denies all ingress and egress traffic.
7+
# This ensures that even pods that aren't selected by any other NetworkPolicy will
8+
# not be allowed ingress or egress traffic.
9+
---
10+
apiVersion: networking.k8s.io/v1
11+
kind: NetworkPolicy
12+
metadata:
13+
name: default-deny-all
14+
spec:
15+
podSelector: {}
16+
policyTypes:
17+
- Ingress
18+
- Egress
19+
20+
# Allow access to the API server.
21+
---
22+
apiVersion: networking.k8s.io/v1
23+
kind: NetworkPolicy
24+
metadata:
25+
name: allow-egress-to-api-server
26+
namespace: openshift-cluster-node-tuning-operator
27+
spec:
28+
egress:
29+
- ports:
30+
- port: 6443
31+
protocol: TCP
32+
podSelector:
33+
matchExpressions:
34+
- { key: name, operator: In, values: [cluster-node-tuning-operator, tuned] }
35+
policyTypes:
36+
- Egress
37+
38+
# Allow access to the metrics server from openshift-monitoring namespace.
39+
---
40+
apiVersion: networking.k8s.io/v1
41+
kind: NetworkPolicy
42+
metadata:
43+
name: allow-metrics-traffic
44+
namespace: openshift-cluster-node-tuning-operator
45+
spec:
46+
ingress:
47+
- ports:
48+
- port: 60000
49+
protocol: TCP
50+
# In theory, only access from the openshift-monitoring namespace is needed.
51+
# However, our e2e tests access the server from ns/openshift-cluster-node-tuning-operator.
52+
# from:
53+
# - namespaceSelector:
54+
# matchLabels:
55+
# name: openshift-monitoring
56+
podSelector:
57+
matchLabels:
58+
name: cluster-node-tuning-operator
59+
policyTypes:
60+
- Ingress
61+
62+
# Allow access to the webhook server.
63+
---
64+
apiVersion: networking.k8s.io/v1
65+
kind: NetworkPolicy
66+
metadata:
67+
name: allow-webhook-traffic
68+
namespace: openshift-cluster-node-tuning-operator
69+
spec:
70+
ingress:
71+
- ports:
72+
- port: 4343
73+
protocol: TCP
74+
podSelector:
75+
matchLabels:
76+
name: cluster-node-tuning-operator
77+
policyTypes:
78+
- Ingress
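Review bot: `default-deny-all` is the only one of the four policies without `metadata.namespace`, so it lands in whatever namespace the manifest happens to be applied into rather than openshift-cluster-node-tuning-operator; add `namespace: openshift-cluster-node-tuning-operator` under its metadata like the other three, otherwise the allow policies are in place while the deny they are meant to carve exceptions out of is not. Two smaller points: `allow-egress-to-api-server` has no `to:` block, so it permits 6443/TCP to any destination (the "Allow access to the API server" comment should say so), and no DNS egress is allowed, which is fine only as long as the operator and tuned reach the API server through the KUBERNETES_SERVICE_HOST IP rather than by name. For `allow-metrics-traffic`, rather than commenting out `from:` entirely and exposing port 60000 to every pod in the cluster, keep the openshift-monitoring namespaceSelector and add a second peer for the operator's own namespace that the e2e tests run from, e.g. `from: [{namespaceSelector: {matchLabels: {name: openshift-monitoring}}}, {podSelector: {}}]` (a bare `podSelector: {}` in `from` matches all pods in the policy's own namespace).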
