Global deny network policy

Author: YuryHrytsuk

charts/calico-configuration/README.md

@@ -1,4 +1,19 @@
-## Observe network traffic
+## How to add network policy (local deployment)
 
-https://docs.tigera.io/calico/latest/observability/enable-whisker
-https://docs.tigera.io/calico/3.30/observability/view-flow-logs
+How to discover ports / networks that are used by application
+* enable and observer traffic via
+  - https://docs.tigera.io/calico/3.30/observability/enable-whisker
+  - https://docs.tigera.io/calico/3.30/observability/view-flow-logs
+* add staged policies to make sure all cases are included https://docs.tigera.io/calico/3.30/network-policy/staged-network-policies
+
+Debug network policies:
+* observe traffic and check `policies` field in whisker logs
+  - https://docs.tigera.io/calico/3.30/observability/enable-whisker
+  - https://docs.tigera.io/calico/3.30/observability/view-flow-logs
+
+Warning: make sure that calico version being used support Whisker (e.g. in v3.26 whisker is not documented at all)
+
+
+## Known issues
+
+If network policy is created after pod, pod **MUST** be restarted for policy to take effect. Read more https://github.com/projectcalico/calico/issues/10753#issuecomment-3140717418

charts/calico-configuration/templates/NOTES.txt

@@ -1 +1,3 @@
 This chart configures Calico but does not deploy Calico itself. This is done via Kubespray during Kubernetes Cluster provisioning.
+
+Note: to make sure network policies are applied correctly, you may need to restart targeted application pods.

charts/calico-configuration/templates/globalpolicy.yaml

@@ -1,26 +1,30 @@
-# Source: https://docs.tigera.io/calico-enterprise/latest/network-policy/default-deny#best-practice-2-keep-the-scope-to-non-system-pods
+# Source: https://docs.tigera.io/calico/3.30/network-policy/get-started/kubernetes-default-deny
 apiVersion: projectcalico.org/v3
 kind: GlobalNetworkPolicy
 metadata:
   name: default-global-deny-network-policy
 spec:
-  # on local deployment, calico is installed in the `calico-system` namespace
-  # and the operator is in the `tigera-operator` namespace
-  namespaceSelector: kubernetes.io/metadata.name in {"adminer"}
+  # "kube-public", "kube-system", "kube-node-lease" -- system namespaces
+  # "calico-system", "calico-apiserver", "tigera-operator" -- calico namespaces (when installed via scripts [local deployment])
+  # TODO: other namespaces are to be removed from this list (once appropriate network policies are created)
+  namespaceSelector:
+    kubernetes.io/metadata.name not in {"kube-public", "kube-system", "kube-node-lease", "calico-system", "calico-apiserver", "tigera-operator", "simcore", "cert-manager", "reflector", "traefik", "victoria-logs", "csi-s3", "portainer", "topolvm", "local-path-storage"}
   types:
-  - Ingress
-  - Egress
+    - Ingress
+    - Egress
   egress:
-   # allow all namespaces to communicate to DNS pods
-  - action: Allow
-    protocol: UDP
-    destination:
-      selector: 'k8s-app == "kube-dns"'
-      ports:
-      - 53
-  - action: Allow
-    protocol: TCP
-    destination:
-      selector: 'k8s-app == "kube-dns"'
-      ports:
-      - 53
+    # allow all namespaces to communicate to DNS pods
+    # this will also apply to pods that have network policy defined
+    # so that we don't need to define DNS policy for each pod
+    - action: Allow
+      protocol: UDP
+      destination:
+        selector: 'k8s-app == "kube-dns"'
+        ports:
+          - 53
+    - action: Allow
+      protocol: TCP
+      destination:
+        selector: 'k8s-app == "kube-dns"'
+        ports:
+          - 53

charts/portainer/templates/networkpolicy.yaml

@@ -22,7 +22,9 @@ spec:
     - action: Allow
       protocol: UDP
       destination:
-        selector: 'k8s-app == "kube-dns"'
+        # `selector: 'k8s-app == "kube-dns"'` does not work (so global policy default dns allow does not work)
+        # manually allow dns and use different selector that works.
+        selectorNamespace: kubernetes.io/metadata.name == "kube-system"
         ports:
           - 53
   ingress:
@@ -31,4 +33,4 @@ spec:
       protocol: TCP
       destination:
         ports:
-          - 9000
+          - {{ .Values.servicePort }}