Skip to content

Kubernetes: add deny all global network policy #1164

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 24 commits into from
Aug 6, 2025
Merged

Kubernetes: add deny all global network policy #1164

merged 24 commits into from
Aug 6, 2025

Conversation

@YuryHrytsuk
Copy link
Collaborator

@YuryHrytsuk YuryHrytsuk commented Aug 4, 2025
edited
Loading

What do these changes do?

Add global default deny all network policy following https://docs.tigera.io/calico/latest/network-policy/get-started/kubernetes-default-deny.

This means all applications by default will only be able to talk to kube dns server (via port 53).

In order to allow other traffic, a network policy for an application needs to be explicitly specified. As example, we start with portainer and adminer applications. Other existing applications will be added after. All new applications (as long as they use their own namespace) will be restricted by global deny network policy automatically.

Implementation details

Since calico is currently installed via kubespray and has no configuration in helm, we add a separate helm chart to keep calico configuration (in this case global policy only)

Make portainer a custom chart (with dependency from portainer k8s helm chart). This lets us create a network policy for the portainer in the same chart and reuse values. It is very unfortunate that Portainer does not support extra objects, so we have to create a separate chart with dependency.

Important:

FYI @GitHK this is an example of denying network for apps that will solve https://github.com/ITISFoundation/private-issues/issues/45. Also @pcrespov may appreciate these enforced by default security measures

Related issue/s

Related PR/s

Checklist

  • I tested and it works

YuryHrytsuk and others added 10 commits July 28, 2025 09:53
@YuryHrytsuk
Kubernetes: refactor local cluster deployment
a54b73c 
Changes
* Use calico CNI for networking as we use it in master deployments
* Move local-reated targets to a seperate Makefile (keep clean main
Makefile used in master/stag/prod)
* Add delete (local) cluster target
@YuryHrytsuk
Use newer version
3b2a5c9
@YuryHrytsuk
Update install calico link
2b99236
@YuryHrytsuk
Add default global network policy
eadd4a7
@YuryHrytsuk
Merge branch 'main' into local-kubernetes-use-calico
b950879
@YuryHrytsuk
Global deny network policy
79b333a
@YuryHrytsuk
Merge branch 'local-kubernetes-use-calico' into kubernetes-add-deny-a…
3bcac1e 
…ll-global-network-policy
@YuryHrytsuk
Report progress on waiting for calico to start
f4f980d
@YuryHrytsuk
Merge branch 'local-kubernetes-use-calico' into kubernetes-add-deny-a…
c1a5ec4 
…ll-global-network-policy
@YuryHrytsuk
Merge remote-tracking branch 'upstream/main' into kubernetes-add-deny…
943e9be 
…-all-global-network-policy
@YuryHrytsuk YuryHrytsuk added this to the Voyager milestone Aug 4, 2025
@YuryHrytsuk YuryHrytsuk self-assigned this Aug 4, 2025
matusdrobuliak66
matusdrobuliak66 approved these changes Aug 4, 2025
View reviewed changes
Copy link
Contributor

@matusdrobuliak66 matusdrobuliak66 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👀

@YuryHrytsuk YuryHrytsuk mentioned this pull request Jul 31, 2025
Open
14 tasks
GitHK
GitHK reviewed Aug 4, 2025
View reviewed changes
Copy link
Contributor

@GitHK GitHK left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@YuryHrytsuk YuryHrytsuk requested a review from GitHK August 5, 2025 06:20
@YuryHrytsuk YuryHrytsuk mentioned this pull request Aug 5, 2025
Open
2 tasks
mrnicegyu11
mrnicegyu11 reviewed Aug 5, 2025
View reviewed changes
mrnicegyu11
mrnicegyu11 reviewed Aug 5, 2025
View reviewed changes
mrnicegyu11
mrnicegyu11 reviewed Aug 5, 2025
View reviewed changes
mrnicegyu11
mrnicegyu11 reviewed Aug 5, 2025
View reviewed changes
mrnicegyu11
mrnicegyu11 reviewed Aug 5, 2025
View reviewed changes
mrnicegyu11
mrnicegyu11 approved these changes Aug 5, 2025
View reviewed changes
Copy link
Member

@mrnicegyu11 mrnicegyu11 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

deep 🛞 k8s stuff, looks good from what I can see. left a few minor comments, but no blockers found

@YuryHrytsuk
Copy link
Collaborator Author

YuryHrytsuk commented Aug 5, 2025

This won't work since we don't have Calico API server installed on master deployment (see kubernetes-sigs/kubespray#12445). Calico API server is needed to use projectcalico.org/v3 objects (e.g. network policies).

Until it is installed we cannot continue

@YuryHrytsuk
Copy link
Collaborator Author

YuryHrytsuk commented Aug 5, 2025

This won't work since we don't have Calico API server installed on master deployment (see kubernetes-sigs/kubespray#12445). Calico API server is needed to use projectcalico.org/v3 objects (e.g. network policies).

Until it is installed we cannot continue

Unblocked by https://git.speag.com/oSparc/osparc-ops-deployment-configuration/-/merge_requests/1527. Calico API server is installed now

YuryHrytsuk
YuryHrytsuk commented Aug 5, 2025
View reviewed changes
@YuryHrytsuk YuryHrytsuk merged commit af61d4a into ITISFoundation:main Aug 6, 2025
3 checks passed
YuryHrytsuk added a commit that referenced this pull request Aug 6, 2025
@YuryHrytsuk
Revert "Kubernetes: add deny all global network policy (#1164)"
567e3a8 
This reverts commit af61d4a.
@YuryHrytsuk YuryHrytsuk deleted the kubernetes-add-deny-all-global-network-policy branch August 6, 2025 07:53
@YuryHrytsuk YuryHrytsuk mentioned this pull request Aug 8, 2025
Closed
88 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@GitHK GitHK GitHK approved these changes

@mrnicegyu11 mrnicegyu11 mrnicegyu11 approved these changes

@matusdrobuliak66 matusdrobuliak66 matusdrobuliak66 approved these changes

@sanderegg sanderegg Awaiting requested review from sanderegg

Assignees

@YuryHrytsuk YuryHrytsuk

Labels

SECURITY

Projects

None yet

Milestone

Voyager

Development

Successfully merging this pull request may close these issues.

4 participants

@YuryHrytsuk @GitHK @mrnicegyu11 @matusdrobuliak66