diff --git a/assets/alertmanager-user-workload/network-policy-downstream.yaml b/assets/alertmanager-user-workload/network-policy-downstream.yaml new file mode 100644 index 0000000000..6150049a79 --- /dev/null +++ b/assets/alertmanager-user-workload/network-policy-downstream.yaml @@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/part-of: openshift-monitoring + name: alertmanager-user-workload + namespace: openshift-user-workload-monitoring +spec: + egress: + - {} + ingress: + - ports: + - port: tenancy + protocol: TCP + - port: metrics + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + policyTypes: + - Ingress + - Egress diff --git a/assets/cluster-monitoring-operator/network-policy-default-deny-user-workload.yaml b/assets/cluster-monitoring-operator/network-policy-default-deny-user-workload.yaml new file mode 100644 index 0000000000..93ce1f2d03 --- /dev/null +++ b/assets/cluster-monitoring-operator/network-policy-default-deny-user-workload.yaml @@ -0,0 +1,13 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/part-of: openshift-monitoring + name: default-deny-user-workload + namespace: openshift-user-workload-monitoring +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress diff --git a/assets/prometheus-operator-user-workload/network-policy-downstream.yaml b/assets/prometheus-operator-user-workload/network-policy-downstream.yaml new file mode 100644 index 0000000000..f9033efb53 --- /dev/null +++ b/assets/prometheus-operator-user-workload/network-policy-downstream.yaml @@ -0,0 +1,21 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/part-of: openshift-monitoring + name: prometheus-operator-user-workload + namespace: openshift-user-workload-monitoring +spec: + egress: + - {} + ingress: + - ports: + - port: https + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: prometheus-operator + policyTypes: + - Ingress + - Egress diff --git a/assets/prometheus-user-workload/network-policy-downstream.yaml b/assets/prometheus-user-workload/network-policy-downstream.yaml new file mode 100644 index 0000000000..2e3e94d7df --- /dev/null +++ b/assets/prometheus-user-workload/network-policy-downstream.yaml @@ -0,0 +1,21 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/part-of: openshift-monitoring + name: prometheus-user-workload + namespace: openshift-user-workload-monitoring +spec: + egress: + - {} + ingress: + - ports: + - port: metrics + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: prometheus + policyTypes: + - Ingress + - Egress diff --git a/assets/thanos-ruler/network-policy-downstream.yaml b/assets/thanos-ruler/network-policy-downstream.yaml new file mode 100644 index 0000000000..62be045e01 --- /dev/null +++ b/assets/thanos-ruler/network-policy-downstream.yaml @@ -0,0 +1,21 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/managed-by: cluster-monitoring-operator + app.kubernetes.io/part-of: openshift-monitoring + name: thanos-ruler + namespace: openshift-user-workload-monitoring +spec: + egress: + - {} + ingress: + - ports: + - port: metrics + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: thanos-ruler + policyTypes: + - Ingress + - Egress diff --git a/jsonnet/components/alertmanager-user-workload.libsonnet b/jsonnet/components/alertmanager-user-workload.libsonnet index c137c41a35..d572c7392d 100644 --- a/jsonnet/components/alertmanager-user-workload.libsonnet +++ b/jsonnet/components/alertmanager-user-workload.libsonnet @@ -417,4 +417,43 @@ function(params) ], }, }, + networkPolicyDownstream: { + apiVersion: 'networking.k8s.io/v1', + kind: 'NetworkPolicy', + metadata: { + name: 'alertmanager-user-workload', + namespace: cfg.namespace, + }, + spec: { + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'alertmanager', + }, + }, + policyTypes: [ + 'Ingress', + 'Egress', + ], + ingress: [ + { + ports: [ + // allow access to the Alertmanager endpoints restricted to a given project, + // port number 9092(port name: tenancy) + { + port: 'tenancy', + protocol: 'TCP', + }, + // allow prometheus to scrape user workload alertmanager 9097(port name: metrics) port + { + port: 'metrics', + protocol: 'TCP', + }, + ], + }, + ], + egress: [ + {}, + ], + }, + }, } diff --git a/jsonnet/components/cluster-monitoring-operator.libsonnet b/jsonnet/components/cluster-monitoring-operator.libsonnet index 1172fbb352..496c0bf232 100644 --- a/jsonnet/components/cluster-monitoring-operator.libsonnet +++ b/jsonnet/components/cluster-monitoring-operator.libsonnet @@ -572,7 +572,7 @@ function(params) { }], }, - // Default deny all pods traffic + // Default deny all pods traffic for in-cluster monitoring networkPolicyDefaultDeny: { apiVersion: 'networking.k8s.io/v1', kind: 'NetworkPolicy', @@ -589,4 +589,21 @@ function(params) { ], }, }, + // Default deny all pods traffic for user workload monitoring + networkPolicyDefaultDenyUserWorkload: { + apiVersion: 'networking.k8s.io/v1', + kind: 'NetworkPolicy', + metadata: { + name: 'default-deny-user-workload', + namespace: 'openshift-user-workload-monitoring', + }, + spec: { + podSelector: { + }, + policyTypes: [ + 'Ingress', + 'Egress', + ], + }, + }, } diff --git a/jsonnet/components/prometheus-operator-user-workload.libsonnet b/jsonnet/components/prometheus-operator-user-workload.libsonnet index 049b057c2e..49db2b31f8 100644 --- a/jsonnet/components/prometheus-operator-user-workload.libsonnet +++ b/jsonnet/components/prometheus-operator-user-workload.libsonnet @@ -196,4 +196,39 @@ function(params) ], }, }, + + networkPolicyDownstream: { + apiVersion: 'networking.k8s.io/v1', + kind: 'NetworkPolicy', + metadata: { + name: 'prometheus-operator-user-workload', + namespace: 'openshift-user-workload-monitoring', + }, + spec: { + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'prometheus-operator', + }, + }, + policyTypes: [ + 'Ingress', + 'Egress', + ], + ingress: [ + { + ports: [ + // allow prometheus-operator to to watch resources and allow prometheus + // to scrape prometheus-operator endpoint, 8443(port name: https) port + { + port: 'https', + protocol: 'TCP', + }, + ], + }, + ], + egress: [ + {}, + ], + }, + }, } diff --git a/jsonnet/components/prometheus-user-workload.libsonnet b/jsonnet/components/prometheus-user-workload.libsonnet index 66600278eb..65ba45e476 100644 --- a/jsonnet/components/prometheus-user-workload.libsonnet +++ b/jsonnet/components/prometheus-user-workload.libsonnet @@ -600,4 +600,37 @@ function(params) automountServiceAccountToken: false, }, + networkPolicyDownstream: { + apiVersion: 'networking.k8s.io/v1', + kind: 'NetworkPolicy', + metadata: { + name: 'prometheus-user-workload', + namespace: cfg.namespace, + }, + spec: { + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'prometheus', + }, + }, + policyTypes: [ + 'Ingress', + 'Egress', + ], + ingress: [ + { + ports: [ + // allow prometheus to scrape user workload prometheus endpoint, 9091(port name: metrics) port + { + port: 'metrics', + protocol: 'TCP', + }, + ], + }, + ], + egress: [ + {}, + ], + }, + }, } diff --git a/jsonnet/components/prometheus.libsonnet b/jsonnet/components/prometheus.libsonnet index 75412c31b0..5feba48522 100644 --- a/jsonnet/components/prometheus.libsonnet +++ b/jsonnet/components/prometheus.libsonnet @@ -601,8 +601,6 @@ function(params) ], }, }, - // Allow access to prometheus 9091(port name: web)/9092(port name: metrics) ports - // and 10901(port name: grpc)/10903(port name: thanos-proxy) ports networkPolicyDownstream: { apiVersion: 'networking.k8s.io/v1', kind: 'NetworkPolicy', diff --git a/jsonnet/components/thanos-ruler.libsonnet b/jsonnet/components/thanos-ruler.libsonnet index 25457df563..36c1accc86 100644 --- a/jsonnet/components/thanos-ruler.libsonnet +++ b/jsonnet/components/thanos-ruler.libsonnet @@ -569,4 +569,37 @@ function(params) statefulSet:: {}, + networkPolicyDownstream: { + apiVersion: 'networking.k8s.io/v1', + kind: 'NetworkPolicy', + metadata: { + name: 'thanos-ruler', + namespace: cfg.namespace, + }, + spec: { + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'thanos-ruler', + }, + }, + policyTypes: [ + 'Ingress', + 'Egress', + ], + ingress: [ + { + ports: [ + // allow prometheus to scrape thanos-ruler endpoint, 9092(port name: metrics) port + { + port: 'metrics', + protocol: 'TCP', + }, + ], + }, + ], + egress: [ + {}, + ], + }, + }, } diff --git a/pkg/manifests/manifests.go b/pkg/manifests/manifests.go index 73be27901c..13a2ffbea6 100644 --- a/pkg/manifests/manifests.go +++ b/pkg/manifests/manifests.go @@ -110,6 +110,7 @@ var ( AlertmanagerUserWorkloadTrustedCABundle = "alertmanager-user-workload/trusted-ca-bundle.yaml" AlertmanagerUserWorkloadPodDisruptionBudget = "alertmanager-user-workload/pod-disruption-budget.yaml" AlertmanagerUserWorkloadServiceMonitor = "alertmanager-user-workload/service-monitor.yaml" + AlertmanagerUserWorkloadNetworkPolicy = "alertmanager-user-workload/network-policy-downstream.yaml" KubeStateMetricsClusterRoleBinding = "kube-state-metrics/cluster-role-binding.yaml" KubeStateMetricsClusterRole = "kube-state-metrics/cluster-role.yaml" @@ -193,6 +194,7 @@ var ( PrometheusUserWorkloadPodDisruptionBudget = "prometheus-user-workload/pod-disruption-budget.yaml" PrometheusUserWorkloadConfigMap = "prometheus-user-workload/config-map.yaml" PrometheusUserWorkloadFederateRoute = "prometheus-user-workload/federate-route.yaml" + PrometheusUserWorkloadNetworkPolicy = "prometheus-user-workload/network-policy-downstream.yaml" MetricsServerAPIService = "metrics-server/api-service.yaml" MetricsServerServiceAccount = "metrics-server/service-account.yaml" @@ -232,6 +234,7 @@ var ( PrometheusOperatorUserWorkloadDeployment = "prometheus-operator-user-workload/deployment.yaml" PrometheusOperatorUserWorkloadServiceMonitor = "prometheus-operator-user-workload/service-monitor.yaml" PrometheusOperatorUserWorkloadKubeRbacProxySecret = "prometheus-operator-user-workload/kube-rbac-proxy-secret.yaml" + PrometheusOperatorUserWorkloadNetworkPolicy = "prometheus-operator-user-workload/network-policy-downstream.yaml" ClusterMonitoringOperatorServiceMonitor = "cluster-monitoring-operator/service-monitor.yaml" ClusterMonitoringClusterRoleView = "cluster-monitoring-operator/cluster-role-view.yaml" @@ -301,6 +304,7 @@ var ( ThanosRulerPrometheusRule = "thanos-ruler/thanos-ruler-prometheus-rule.yaml" ThanosRulerAlertmanagerRoleBinding = "thanos-ruler/alertmanager-role-binding.yaml" ThanosRulerPodDisruptionBudget = "thanos-ruler/pod-disruption-budget.yaml" + ThanosRulerNetworkPolicy = "thanos-ruler/network-policy-downstream.yaml" TelemeterTrustedCABundle = "telemeter-client/trusted-ca-bundle.yaml" @@ -315,6 +319,8 @@ var ( MonitoringPluginService = "monitoring-plugin/service.yaml" MonitoringPluginPodDisruptionBudget = "monitoring-plugin/pod-disruption-budget.yaml" MonitoringPluginNetworkPolicy = "monitoring-plugin/network-policy-downstream.yaml" + + UserWorkloadMonitoringDenyAllTraffic = "cluster-monitoring-operator/network-policy-default-deny-user-workload.yaml" ) var ( @@ -438,6 +444,10 @@ func (f *Factory) AlertmanagerUserWorkloadServiceMonitor() (*monv1.ServiceMonito return f.NewServiceMonitor(f.assets.MustNewAssetSlice(AlertmanagerUserWorkloadServiceMonitor)) } +func (f *Factory) AlertmanagerUserWorkloadNetworkPolicy() (*networkingv1.NetworkPolicy, error) { + return f.NewNetworkPolicy(f.assets.MustNewAssetSlice(AlertmanagerUserWorkloadNetworkPolicy)) +} + func (f *Factory) AlertmanagerTrustedCABundle() (*v1.ConfigMap, error) { return f.NewConfigMap(f.assets.MustNewAssetSlice(AlertmanagerTrustedCABundle)) } @@ -1130,6 +1140,10 @@ func (f *Factory) PrometheusUserWorkloadFederateRoute() (*routev1.Route, error) return f.NewRoute(f.assets.MustNewAssetSlice(PrometheusUserWorkloadFederateRoute)) } +func (f *Factory) PrometheusUserWorkloadNetworkPolicy() (*networkingv1.NetworkPolicy, error) { + return f.NewNetworkPolicy(f.assets.MustNewAssetSlice(PrometheusUserWorkloadNetworkPolicy)) +} + func (f *Factory) PrometheusK8sPrometheusRule() (*monv1.PrometheusRule, error) { return f.NewPrometheusRule(f.assets.MustNewAssetSlice(PrometheusK8sPrometheusRule)) } @@ -2152,6 +2166,10 @@ func (f *Factory) PrometheusOperatorUserWorkloadCRBACProxySecret() (*v1.Secret, return f.NewSecret(f.assets.MustNewAssetSlice(PrometheusOperatorUserWorkloadKubeRbacProxySecret)) } +func (f *Factory) PrometheusOperatorUserWorkloadNetworkPolicy() (*networkingv1.NetworkPolicy, error) { + return f.NewNetworkPolicy(f.assets.MustNewAssetSlice(PrometheusOperatorUserWorkloadNetworkPolicy)) +} + func (f *Factory) PrometheusOperatorClusterRole() (*rbacv1.ClusterRole, error) { return f.NewClusterRole(f.assets.MustNewAssetSlice(PrometheusOperatorClusterRole)) } @@ -2451,6 +2469,10 @@ func (f *Factory) ThanosRulerPodDisruptionBudget() (*policyv1.PodDisruptionBudge return f.NewPodDisruptionBudget(f.assets.MustNewAssetSlice(ThanosRulerPodDisruptionBudget)) } +func (f *Factory) ThanosRulerNetworkPolicy() (*networkingv1.NetworkPolicy, error) { + return f.NewNetworkPolicy(f.assets.MustNewAssetSlice(ThanosRulerNetworkPolicy)) +} + func (f *Factory) PrometheusUserWorkloadService() (*v1.Service, error) { return f.NewService(f.assets.MustNewAssetSlice(PrometheusUserWorkloadService)) } @@ -2523,6 +2545,10 @@ func (f *Factory) ClusterMonitoringDenyAllTraffic() (*networkingv1.NetworkPolicy return f.NewNetworkPolicy(f.assets.MustNewAssetSlice(ClusterMonitoringDenyAllTraffic)) } +func (f *Factory) UserWorkloadMonitoringDenyAllTraffic() (*networkingv1.NetworkPolicy, error) { + return f.NewNetworkPolicy(f.assets.MustNewAssetSlice(UserWorkloadMonitoringDenyAllTraffic)) +} + func (f *Factory) ControlPlanePrometheusRule() (*monv1.PrometheusRule, error) { r, err := f.NewPrometheusRule(f.assets.MustNewAssetSlice(ControlPlanePrometheusRule)) if err != nil { diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go index 8531c645df..f74a41d782 100644 --- a/pkg/operator/operator.go +++ b/pkg/operator/operator.go @@ -826,6 +826,7 @@ func (o *Operator) sync(ctx context.Context, key string) error { []*tasks.TaskSpec{ newTaskSpec("ConfigurationSharing", tasks.NewConfigSharingTask(o.client, factory, config)), newTaskSpec("DefaultDenyNetworkPolicy", tasks.NewDefaultDenyNetworkPolicyTask(o.client, factory, config)), + newUWMTaskSpec("DefaultDenyUserWorkloadNetworkPolicy", tasks.NewDefaultDenyUserWorkloadNetworkPolicyTask(o.client, factory, config)), }, ), ) diff --git a/pkg/tasks/alertmanager_user_workload.go b/pkg/tasks/alertmanager_user_workload.go index c5cb88a86b..dc718ec648 100644 --- a/pkg/tasks/alertmanager_user_workload.go +++ b/pkg/tasks/alertmanager_user_workload.go @@ -53,6 +53,18 @@ func (t *AlertmanagerUserWorkloadTask) Run(ctx context.Context) error { } func (t *AlertmanagerUserWorkloadTask) create(ctx context.Context) error { + netpol, err := t.factory.AlertmanagerUserWorkloadNetworkPolicy() + if err != nil { + return fmt.Errorf("initializing Alertmanager User Workload NetworkPolicy failed: %w", err) + } + + if netpol != nil { + err = t.client.CreateOrUpdateNetworkPolicy(ctx, netpol) + if err != nil { + return fmt.Errorf("reconciling Alertmanager User Workload NetworkPolicy failed: %w", err) + } + } + s, err := t.factory.AlertmanagerUserWorkloadSecret() if err != nil { return fmt.Errorf("initializing Alertmanager User Workload configuration Secret failed: %w", err) @@ -197,6 +209,16 @@ func (t *AlertmanagerUserWorkloadTask) create(ctx context.Context) error { } func (t *AlertmanagerUserWorkloadTask) destroy(ctx context.Context) error { + netpol, err := t.factory.AlertmanagerUserWorkloadNetworkPolicy() + if err != nil { + return fmt.Errorf("initializing Alertmanager User Workload NetworkPolicy object failed: %w", err) + } + + err = t.client.DeleteNetworkPolicy(ctx, netpol) + if err != nil { + return fmt.Errorf("deleting Alertmanager User Workload NetworkPolicy object failed: %w", err) + } + s, err := t.factory.AlertmanagerUserWorkloadSecret() if err != nil { return fmt.Errorf("initializing Alertmanager User Workload configuration Secret failed: %w", err) diff --git a/pkg/tasks/defaultdeny_netpol.go b/pkg/tasks/defaultdeny_netpol.go index a7d1939e29..6c22bc4f1f 100644 --- a/pkg/tasks/defaultdeny_netpol.go +++ b/pkg/tasks/defaultdeny_netpol.go @@ -49,3 +49,43 @@ func (t *DefaultDenyNetworkPolicyTask) Run(ctx context.Context) error { return nil } + +type DefaultDenyUserWorkloadNetworkPolicyTask struct { + client *client.Client + factory *manifests.Factory + config *manifests.Config +} + +func NewDefaultDenyUserWorkloadNetworkPolicyTask(client *client.Client, factory *manifests.Factory, config *manifests.Config) *DefaultDenyUserWorkloadNetworkPolicyTask { + return &DefaultDenyUserWorkloadNetworkPolicyTask{ + client: client, + factory: factory, + config: config, + } +} + +func (t *DefaultDenyUserWorkloadNetworkPolicyTask) Run(ctx context.Context) error { + if *t.config.ClusterMonitoringConfiguration.UserWorkloadEnabled { + denyNetpol, err := t.factory.UserWorkloadMonitoringDenyAllTraffic() + if err != nil { + return fmt.Errorf("initializing deny all pods traffic NetworkPolicy for User Workload failed: %w", err) + } + + err = t.client.CreateOrUpdateNetworkPolicy(ctx, denyNetpol) + if err != nil { + return fmt.Errorf("reconciling deny all pods traffic NetworkPolicy for User Workload failed: %w", err) + } + } + + denyNetpol, err := t.factory.UserWorkloadMonitoringDenyAllTraffic() + if err != nil { + return fmt.Errorf("initializing deny all pods traffic NetworkPolicy for User Workload failed: %w", err) + } + + err = t.client.DeleteNetworkPolicy(ctx, denyNetpol) + if err != nil { + return fmt.Errorf("deleting deny all pods traffic NetworkPolicy for User Workload failed: %w", err) + } + + return nil +} diff --git a/pkg/tasks/prometheus_user_workload.go b/pkg/tasks/prometheus_user_workload.go index ddda8061d8..5e6cd79391 100644 --- a/pkg/tasks/prometheus_user_workload.go +++ b/pkg/tasks/prometheus_user_workload.go @@ -49,6 +49,16 @@ func (t *PrometheusUserWorkloadTask) Run(ctx context.Context) error { } func (t *PrometheusUserWorkloadTask) create(ctx context.Context) error { + netpol, err := t.factory.PrometheusUserWorkloadNetworkPolicy() + if err != nil { + return fmt.Errorf("initializing Prometheus User Workload NetworkPolicy failed: %w", err) + } + + err = t.client.CreateOrUpdateNetworkPolicy(ctx, netpol) + if err != nil { + return fmt.Errorf("reconciling Prometheus User Workload NetworkPolicy failed: %w", err) + } + cacm, err := t.factory.PrometheusUserWorkloadServingCertsCABundle() if err != nil { return fmt.Errorf("initializing UserWorkload serving certs CA Bundle ConfigMap failed: %w", err) @@ -317,6 +327,16 @@ func (t *PrometheusUserWorkloadTask) create(ctx context.Context) error { } func (t *PrometheusUserWorkloadTask) destroy(ctx context.Context) error { + netpol, err := t.factory.PrometheusUserWorkloadNetworkPolicy() + if err != nil { + return fmt.Errorf("initializing Prometheus User Workload NetworkPolicy failed: %w", err) + } + + err = t.client.DeleteNetworkPolicy(ctx, netpol) + if err != nil { + return fmt.Errorf("deleting Prometheus User Workload NetworkPolicy failed: %w", err) + } + smt, err := t.factory.PrometheusUserWorkloadThanosSidecarServiceMonitor() if err != nil { return fmt.Errorf("initializing UserWorkload Thanos sidecar ServiceMonitor failed: %w", err) diff --git a/pkg/tasks/prometheusoperator_user_workload.go b/pkg/tasks/prometheusoperator_user_workload.go index 6bfc970ac7..262a816ee8 100644 --- a/pkg/tasks/prometheusoperator_user_workload.go +++ b/pkg/tasks/prometheusoperator_user_workload.go @@ -48,6 +48,16 @@ func (t *PrometheusOperatorUserWorkloadTask) Run(ctx context.Context) error { } func (t *PrometheusOperatorUserWorkloadTask) create(ctx context.Context) error { + netpol, err := t.factory.PrometheusOperatorUserWorkloadNetworkPolicy() + if err != nil { + return fmt.Errorf("initializing UserWorkload Prometheus Operator NetworkPolicy failed: %w", err) + } + + err = t.client.CreateOrUpdateNetworkPolicy(ctx, netpol) + if err != nil { + return fmt.Errorf("reconciling UserWorkload Prometheus Operator NetworkPolicy failed: %w", err) + } + sa, err := t.factory.PrometheusOperatorUserWorkloadServiceAccount() if err != nil { return fmt.Errorf("initializing UserWorkload Prometheus Operator ServiceAccount failed: %w", err) @@ -153,6 +163,16 @@ func (t *PrometheusOperatorUserWorkloadTask) create(ctx context.Context) error { } func (t *PrometheusOperatorUserWorkloadTask) destroy(ctx context.Context) error { + netpol, err := t.factory.PrometheusOperatorUserWorkloadNetworkPolicy() + if err != nil { + return fmt.Errorf("initializing UserWorkload Prometheus Operator NetworkPolicy failed: %w", err) + } + + err = t.client.DeleteNetworkPolicy(ctx, netpol) + if err != nil { + return fmt.Errorf("deleting UserWorkload Prometheus Operator NetworkPolicy failed: %w", err) + } + dep, err := t.factory.PrometheusOperatorUserWorkloadDeployment() if err != nil { return fmt.Errorf("initializing UserWorkload Prometheus Operator Deployment failed: %w", err) diff --git a/pkg/tasks/thanos_ruler_user_workload.go b/pkg/tasks/thanos_ruler_user_workload.go index 8956509b06..7c79986f86 100644 --- a/pkg/tasks/thanos_ruler_user_workload.go +++ b/pkg/tasks/thanos_ruler_user_workload.go @@ -48,6 +48,16 @@ func (t *ThanosRulerUserWorkloadTask) Run(ctx context.Context) error { } func (t *ThanosRulerUserWorkloadTask) create(ctx context.Context) error { + netpol, err := t.factory.ThanosRulerNetworkPolicy() + if err != nil { + return fmt.Errorf("initializing Thanos Ruler NetworkPolicy failed: %w", err) + } + + err = t.client.CreateOrUpdateNetworkPolicy(ctx, netpol) + if err != nil { + return fmt.Errorf("reconciling Thanos Ruler NetworkPolicy failed: %w", err) + } + svc, err := t.factory.ThanosRulerService() if err != nil { return fmt.Errorf("initializing Thanos Ruler Service failed: %w", err) @@ -282,6 +292,16 @@ func (t *ThanosRulerUserWorkloadTask) create(ctx context.Context) error { } func (t *ThanosRulerUserWorkloadTask) destroy(ctx context.Context) error { + netpol, err := t.factory.ThanosRulerNetworkPolicy() + if err != nil { + return fmt.Errorf("initializing Thanos Ruler NetworkPolicy failed: %w", err) + } + + err = t.client.DeleteNetworkPolicy(ctx, netpol) + if err != nil { + return fmt.Errorf("deleting Thanos Ruler NetworkPolicy failed: %w", err) + } + prmrl, err := t.factory.ThanosRulerPrometheusRule() if err != nil { return fmt.Errorf("initializing Thanos Ruler PrometheusRule failed: %w", err) diff --git a/test/e2e/alertmanager_user_workload_test.go b/test/e2e/alertmanager_user_workload_test.go index 59c54a8bfa..2efcf5d0bb 100644 --- a/test/e2e/alertmanager_user_workload_test.go +++ b/test/e2e/alertmanager_user_workload_test.go @@ -37,6 +37,7 @@ func TestUserWorkloadAlertmanager(t *testing.T) { f.AssertStatefulSetExistsAndRollout("alertmanager-user-workload", f.UserWorkloadMonitoringNs)(t) f.AssertServiceExists("alertmanager-user-workload", f.UserWorkloadMonitoringNs)(t) + f.AssertNetworkPolicyExists("alertmanager-user-workload", f.UserWorkloadMonitoringNs)(t) for _, scenario := range []struct { name string diff --git a/test/e2e/user_workload_monitoring_test.go b/test/e2e/user_workload_monitoring_test.go index a5be0cd610..49d71e3fd8 100644 --- a/test/e2e/user_workload_monitoring_test.go +++ b/test/e2e/user_workload_monitoring_test.go @@ -1559,6 +1559,37 @@ func assertServiceMonitorOptOut(t *testing.T) { }) } +// assertUserWorkloadNetworkPolicyExists ensures that the NetworkPolicies +// are deployed under openshift-user-workload-monitoring namespace +func assertUserWorkloadNetworkPolicyExists(t *testing.T) { + ctx := context.Background() + networkPolicyNames := []string{ + "default-deny-user-workload", + "prometheus-operator-user-workload", + "prometheus-user-workload", + "thanos-ruler", + } + + t.Run("check user workload monitoring NetworkPolicies", func(t *testing.T) { + for _, name := range networkPolicyNames { + t.Run(fmt.Sprintf("assert %s networkpolicy exists", name), func(t *testing.T) { + f.AssertNetworkPolicyExists(name, f.UserWorkloadMonitoringNs) + }) + } + }) + + // check the total count of deployed NetworkPolicies is equal to len(networkPolicyNames) + t.Run("assert total deployed NetworkPolicies count matches", func(t *testing.T) { + npList, err := f.KubeClient.NetworkingV1().NetworkPolicies(f.UserWorkloadMonitoringNs).List(ctx, metav1.ListOptions{}) + if err != nil { + t.Fatalf("failed to list NetworkPolicies: %v", err) + } + if len(npList.Items) != len(networkPolicyNames) { + t.Errorf("NetworkPolicies count = %d, want %d", len(npList.Items), len(networkPolicyNames)) + } + }) +} + // TestPrometheusUserWorkloadEndpointSliceDiscovery verifies that // prometheus-user-workload can discover and scrape targets using endpoint slices. func TestPrometheusUserWorkloadEndpointSliceDiscovery(t *testing.T) {