feat: add default networkpolicies for all namespaces except istio-system and teamcity (#168)

Author: mglotov

README.md

@@ -100,6 +100,7 @@ module "test_namespace" {
     {
       name         = "allow-this-namespace"
       policy_types = ["Ingress"]
+      pod_selector = {}
       ingress = {
         from = [
           {
@@ -115,6 +116,7 @@ module "test_namespace" {
     {
       name         = "allow-from-ingress-namespace"
       policy_types = ["Ingress"]
+      pod_selector = {}
       ingress = {
         from = [
           {
@@ -130,6 +132,7 @@ module "test_namespace" {
     {
       name        = "allow-egress-to-dev"
       policy_type = ["Egress"]
+      pod_selector = {}
       egress = {
         ports = [
           {

docs/FAQ.md

@@ -13,23 +13,77 @@ locals {
   })
 }
 
+#tfsec:ignore:kubernetes-network-no-public-egress tfsec:ignore:kubernetes-network-no-public-ingress
 module "aws_load_balancer_controller_namespace" {
-  source = "../modules/kubernetes-namespace"
-  name   = "aws-load-balancer-controller"
-}
-
-resource "helm_release" "aws_loadbalancer_controller" {
   count = var.aws_loadbalancer_controller_enable ? 1 : 0
 
-  name        = "aws-load-balancer-controller"
-  chart       = local.aws-load-balancer-controller.chart
-  repository  = local.aws-load-balancer-controller.repository
-  version     = local.aws-load-balancer-controller.chart_version
-  namespace   = module.aws_load_balancer_controller_namespace.name
-  max_history = var.helm_release_history_size
-
-  values = [
-    local.alb_ingress_controller
+  source = "../modules/kubernetes-namespace"
+  name   = "aws-load-balancer-controller"
+  network_policies = [
+    {
+      name         = "default-deny"
+      policy_types = ["Ingress", "Egress"]
+      pod_selector = {}
+    },
+    {
+      name         = "allow-this-namespace"
+      policy_types = ["Ingress"]
+      pod_selector = {}
+      ingress = {
+        from = [
+          {
+            namespace_selector = {
+              match_labels = {
+                name = "aws-load-balancer-controller"
+              }
+            }
+          }
+        ]
+      }
+    },
+    {
+      name         = "allow-control-plane"
+      policy_types = ["Ingress"]
+      pod_selector = {
+        match_expressions = {
+          key      = "app.kubernetes.io/name"
+          operator = "In"
+          values   = ["aws-load-balancer-controller"]
+        }
+      }
+      ingress = {
+        ports = [
+          {
+            port     = "9443"
+            protocol = "TCP"
+          }
+        ]
+        from = [
+          {
+            ip_block = {
+              cidr = "0.0.0.0/0"
+            }
+          }
+        ]
+      }
+    },
+    {
+      name         = "allow-egress"
+      policy_types = ["Egress"]
+      pod_selector = {}
+      egress = {
+        to = [
+          {
+            ip_block = {
+              cidr = "0.0.0.0/0"
+              except = [
+                "169.254.169.254/32"
+              ]
+            }
+          }
+        ]
+      }
+    }
   ]
 }
 
@@ -249,3 +303,18 @@ module "aws_iam_aws_loadbalancer_controller" {
     ]
   })
 }
+
+resource "helm_release" "aws_loadbalancer_controller" {
+  count = var.aws_loadbalancer_controller_enable ? 1 : 0
+
+  name        = "aws-load-balancer-controller"
+  chart       = local.aws-load-balancer-controller.chart
+  repository  = local.aws-load-balancer-controller.repository
+  version     = local.aws-load-balancer-controller.chart_version
+  namespace   = module.aws_load_balancer_controller_namespace[count.index].name
+  max_history = var.helm_release_history_size
+
+  values = [
+    local.alb_ingress_controller
+  ]
+}

terraform/layer2-k8s/eks-aws-loadbalancer-controller.tf

@@ -6,9 +6,50 @@ locals {
   }
 }
 
+#tfsec:ignore:kubernetes-network-no-public-egress tfsec:ignore:kubernetes-network-no-public-ingress
 module "aws_node_termination_handler_namespace" {
   source = "../modules/kubernetes-namespace"
   name   = "aws-node-termination-handler"
+  network_policies = [
+    {
+      name         = "default-deny"
+      policy_types = ["Ingress", "Egress"]
+      pod_selector = {}
+    },
+    {
+      name         = "allow-this-namespace"
+      policy_types = ["Ingress"]
+      pod_selector = {}
+      ingress = {
+        from = [
+          {
+            namespace_selector = {
+              match_labels = {
+                name = "aws-node-termination-handler"
+              }
+            }
+          }
+        ]
+      }
+    },
+    {
+      name         = "allow-egress"
+      policy_types = ["Egress"]
+      pod_selector = {}
+      egress = {
+        to = [
+          {
+            ip_block = {
+              cidr = "0.0.0.0/0"
+              except = [
+                "169.254.169.254/32"
+              ]
+            }
+          }
+        ]
+      }
+    }
+  ]
 }
 
 resource "helm_release" "aws_node_termination_handler" {

terraform/layer2-k8s/eks-aws-node-termination-handler.tf

@@ -14,23 +14,76 @@ data "template_file" "cert_manager" {
   }
 }
 
-resource "helm_release" "cert_manager" {
-  name        = "cert-manager"
-  chart       = local.cert-manager.chart
-  repository  = local.cert-manager.repository
-  version     = local.cert-manager.chart_version
-  namespace   = module.certmanager_namespace.name
-  wait        = true
-  max_history = var.helm_release_history_size
-
-  values = [
-    data.template_file.cert_manager.rendered,
-  ]
-}
-
+#tfsec:ignore:kubernetes-network-no-public-egress tfsec:ignore:kubernetes-network-no-public-ingress
 module "certmanager_namespace" {
   source = "../modules/kubernetes-namespace"
   name   = "certmanager"
+  network_policies = [
+    {
+      name         = "default-deny"
+      policy_types = ["Ingress", "Egress"]
+      pod_selector = {}
+    },
+    {
+      name         = "allow-this-namespace"
+      policy_types = ["Ingress"]
+      pod_selector = {}
+      ingress = {
+        from = [
+          {
+            namespace_selector = {
+              match_labels = {
+                name = "certmanager"
+              }
+            }
+          }
+        ]
+      }
+    },
+    {
+      name         = "allow-control-plane"
+      policy_types = ["Ingress"]
+      pod_selector = {
+        match_expressions = {
+          key      = "app.kubernetes.io/name"
+          operator = "In"
+          values   = ["webhook"]
+        }
+      }
+      ingress = {
+        ports = [
+          {
+            port     = "10250"
+            protocol = "TCP"
+          }
+        ]
+        from = [
+          {
+            ip_block = {
+              cidr = "0.0.0.0/0"
+            }
+          }
+        ]
+      }
+    },
+    {
+      name         = "allow-egress"
+      policy_types = ["Egress"]
+      pod_selector = {}
+      egress = {
+        to = [
+          {
+            ip_block = {
+              cidr = "0.0.0.0/0"
+              except = [
+                "169.254.169.254/32"
+              ]
+            }
+          }
+        ]
+      }
+    }
+  ]
 }
 
 #tfsec:ignore:aws-iam-no-policy-wildcards
@@ -73,3 +126,17 @@ module "aws_iam_cert_manager" {
     ]
   })
 }
+
+resource "helm_release" "cert_manager" {
+  name        = "cert-manager"
+  chart       = local.cert-manager.chart
+  repository  = local.cert-manager.repository
+  version     = local.cert-manager.chart_version
+  namespace   = module.certmanager_namespace.name
+  wait        = true
+  max_history = var.helm_release_history_size
+
+  values = [
+    data.template_file.cert_manager.rendered,
+  ]
+}