OCPBUGS-66180: create networkpolicy settings for user workload monitoring

assets/alertmanager-user-workload/network-policy-downstream.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: alertmanager-user-workload
+  namespace: openshift-user-workload-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: tenancy
+      protocol: TCP
+    - port: metrics
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: alertmanager
+  policyTypes:
+  - Ingress
+  - Egress

assets/cluster-monitoring-operator/network-policy-default-deny-user-workload.yaml

@@ -0,0 +1,13 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: default-deny-user-workload
+  namespace: openshift-user-workload-monitoring
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress

assets/prometheus-operator-user-workload/network-policy-downstream.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: prometheus-operator-user-workload
+  namespace: openshift-user-workload-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus-operator
+  policyTypes:
+  - Ingress
+  - Egress

assets/prometheus-user-workload/network-policy-downstream.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: prometheus-user-workload
+  namespace: openshift-user-workload-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: metrics
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
+  policyTypes:
+  - Ingress
+  - Egress

assets/thanos-ruler/network-policy-downstream.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: thanos-ruler
+  namespace: openshift-user-workload-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: metrics
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: thanos-ruler
+  policyTypes:
+  - Ingress
+  - Egress

jsonnet/components/alertmanager-user-workload.libsonnet

@@ -417,4 +417,43 @@ function(params)
         ],
       },
     },
+    networkPolicyDownstream: {
+      apiVersion: 'networking.k8s.io/v1',
+      kind: 'NetworkPolicy',
+      metadata: {
+        name: 'alertmanager-user-workload',
+        namespace: cfg.namespace,
+      },
+      spec: {
+        podSelector: {
+          matchLabels: {
+            'app.kubernetes.io/name': 'alertmanager',
+          },
+        },
+        policyTypes: [
+          'Ingress',
+          'Egress',
+        ],
+        ingress: [
+          {
+            ports: [
+              // allow access to the Alertmanager endpoints restricted to a given project,
+              // port number 9092(port name: tenancy)
+              {
+                port: 'tenancy',
+                protocol: 'TCP',
+              },
+              // allow prometheus to scrape user workload alertmanager 9097(port name: metrics) port
+              {
+                port: 'metrics',
+                protocol: 'TCP',
+              },
+            ],
+          },
+        ],
+        egress: [
+          {},
+        ],
+      },
+    },
   }

jsonnet/components/cluster-monitoring-operator.libsonnet

@@ -572,7 +572,7 @@ function(params) {
     }],
   },
 
-  // Default deny all pods traffic
+  // Default deny all pods traffic for in-cluster monitoring
   networkPolicyDefaultDeny: {
     apiVersion: 'networking.k8s.io/v1',
     kind: 'NetworkPolicy',
@@ -589,4 +589,21 @@ function(params) {
       ],
     },
   },
+  // Default deny all pods traffic for user workload monitoring
+  networkPolicyDefaultDenyUserWorkload: {
+    apiVersion: 'networking.k8s.io/v1',
+    kind: 'NetworkPolicy',
+    metadata: {
+      name: 'default-deny-user-workload',
+      namespace: 'openshift-user-workload-monitoring',
+    },
+    spec: {
+      podSelector: {
+      },
+      policyTypes: [
+        'Ingress',
+        'Egress',
+      ],
+    },
+  },
 }

jsonnet/components/prometheus-operator-user-workload.libsonnet

@@ -196,4 +196,39 @@ function(params)
         ],
       },
     },
+
+    networkPolicyDownstream: {
+      apiVersion: 'networking.k8s.io/v1',
+      kind: 'NetworkPolicy',
+      metadata: {
+        name: 'prometheus-operator-user-workload',
+        namespace: 'openshift-user-workload-monitoring',
+      },
+      spec: {
+        podSelector: {
+          matchLabels: {
+            'app.kubernetes.io/name': 'prometheus-operator',
+          },
+        },
+        policyTypes: [
+          'Ingress',
+          'Egress',
+        ],
+        ingress: [
+          {
+            ports: [
+              // allow prometheus-operator to to watch resources and allow prometheus
+              // to scrape prometheus-operator endpoint, 8443(port name: https) port
+              {
+                port: 'https',
+                protocol: 'TCP',
+              },
+            ],
+          },
+        ],
+        egress: [
+          {},
+        ],
+      },
+    },
   }

jsonnet/components/prometheus-user-workload.libsonnet

@@ -600,4 +600,37 @@ function(params)
       automountServiceAccountToken: false,
     },
 
+    networkPolicyDownstream: {
+      apiVersion: 'networking.k8s.io/v1',
+      kind: 'NetworkPolicy',
+      metadata: {
+        name: 'prometheus-user-workload',
+        namespace: cfg.namespace,
+      },
+      spec: {
+        podSelector: {
+          matchLabels: {
+            'app.kubernetes.io/name': 'prometheus',
+          },
+        },
+        policyTypes: [
+          'Ingress',
+          'Egress',
+        ],
+        ingress: [
+          {
+            ports: [
+              // allow prometheus to scrape user workload prometheus endpoint, 9091(port name: metrics) port
+              {
+                port: 'metrics',
+                protocol: 'TCP',
+              },
+            ],
+          },
+        ],
+        egress: [
+          {},
+        ],
+      },
+    },
   }

jsonnet/components/prometheus.libsonnet

@@ -601,8 +601,6 @@ function(params)
         ],
       },
     },
-    // Allow access to prometheus 9091(port name: web)/9092(port name: metrics) ports
-    // and 10901(port name: grpc)/10903(port name: thanos-proxy) ports
     networkPolicyDownstream: {
       apiVersion: 'networking.k8s.io/v1',
       kind: 'NetworkPolicy',

jsonnet/components/thanos-ruler.libsonnet

@@ -569,4 +569,37 @@ function(params)
 
     statefulSet:: {},
 
+    networkPolicyDownstream: {
+      apiVersion: 'networking.k8s.io/v1',
+      kind: 'NetworkPolicy',
+      metadata: {
+        name: 'thanos-ruler',
+        namespace: cfg.namespace,
+      },
+      spec: {
+        podSelector: {
+          matchLabels: {
+            'app.kubernetes.io/name': 'thanos-ruler',
+          },
+        },
+        policyTypes: [
+          'Ingress',
+          'Egress',
+        ],
+        ingress: [
+          {
+            ports: [
+              // allow prometheus to scrape thanos-ruler endpoint, 9092(port name: metrics) port
+              {
+                port: 'metrics',
+                protocol: 'TCP',
+              },
+            ],
+          },
+        ],
+        egress: [
+          {},
+        ],
+      },
+    },
   }

pkg/manifests/manifests.go

@@ -110,6 +110,7 @@ var (
 	AlertmanagerUserWorkloadTrustedCABundle        = "alertmanager-user-workload/trusted-ca-bundle.yaml"
 	AlertmanagerUserWorkloadPodDisruptionBudget    = "alertmanager-user-workload/pod-disruption-budget.yaml"
 	AlertmanagerUserWorkloadServiceMonitor         = "alertmanager-user-workload/service-monitor.yaml"
+	AlertmanagerUserWorkloadNetworkPolicy          = "alertmanager-user-workload/network-policy-downstream.yaml"
 
 	KubeStateMetricsClusterRoleBinding    = "kube-state-metrics/cluster-role-binding.yaml"
 	KubeStateMetricsClusterRole           = "kube-state-metrics/cluster-role.yaml"
@@ -193,6 +194,7 @@ var (
 	PrometheusUserWorkloadPodDisruptionBudget                 = "prometheus-user-workload/pod-disruption-budget.yaml"
 	PrometheusUserWorkloadConfigMap                           = "prometheus-user-workload/config-map.yaml"
 	PrometheusUserWorkloadFederateRoute                       = "prometheus-user-workload/federate-route.yaml"
+	PrometheusUserWorkloadNetworkPolicy                       = "prometheus-user-workload/network-policy-downstream.yaml"
 
 	MetricsServerAPIService                      = "metrics-server/api-service.yaml"
 	MetricsServerServiceAccount                  = "metrics-server/service-account.yaml"
@@ -232,6 +234,7 @@ var (
 	PrometheusOperatorUserWorkloadDeployment          = "prometheus-operator-user-workload/deployment.yaml"
 	PrometheusOperatorUserWorkloadServiceMonitor      = "prometheus-operator-user-workload/service-monitor.yaml"
 	PrometheusOperatorUserWorkloadKubeRbacProxySecret = "prometheus-operator-user-workload/kube-rbac-proxy-secret.yaml"
+	PrometheusOperatorUserWorkloadNetworkPolicy       = "prometheus-operator-user-workload/network-policy-downstream.yaml"
 
 	ClusterMonitoringOperatorServiceMonitor                = "cluster-monitoring-operator/service-monitor.yaml"
 	ClusterMonitoringClusterRoleView                       = "cluster-monitoring-operator/cluster-role-view.yaml"
@@ -301,6 +304,7 @@ var (
 	ThanosRulerPrometheusRule                                = "thanos-ruler/thanos-ruler-prometheus-rule.yaml"
 	ThanosRulerAlertmanagerRoleBinding                       = "thanos-ruler/alertmanager-role-binding.yaml"
 	ThanosRulerPodDisruptionBudget                           = "thanos-ruler/pod-disruption-budget.yaml"
+	ThanosRulerNetworkPolicy                                 = "thanos-ruler/network-policy-downstream.yaml"
 
 	TelemeterTrustedCABundle = "telemeter-client/trusted-ca-bundle.yaml"
 
@@ -315,6 +319,8 @@ var (
 	MonitoringPluginService             = "monitoring-plugin/service.yaml"
 	MonitoringPluginPodDisruptionBudget = "monitoring-plugin/pod-disruption-budget.yaml"
 	MonitoringPluginNetworkPolicy       = "monitoring-plugin/network-policy-downstream.yaml"
+
+	UserWorkloadMonitoringDenyAllTraffic = "cluster-monitoring-operator/network-policy-default-deny-user-workload.yaml"
 )
 
 var (
@@ -438,6 +444,10 @@ func (f *Factory) AlertmanagerUserWorkloadServiceMonitor() (*monv1.ServiceMonito
 	return f.NewServiceMonitor(f.assets.MustNewAssetSlice(AlertmanagerUserWorkloadServiceMonitor))
 }
 
+func (f *Factory) AlertmanagerUserWorkloadNetworkPolicy() (*networkingv1.NetworkPolicy, error) {
+	return f.NewNetworkPolicy(f.assets.MustNewAssetSlice(AlertmanagerUserWorkloadNetworkPolicy))
+}
+
 func (f *Factory) AlertmanagerTrustedCABundle() (*v1.ConfigMap, error) {
 	return f.NewConfigMap(f.assets.MustNewAssetSlice(AlertmanagerTrustedCABundle))
 }
@@ -1130,6 +1140,10 @@ func (f *Factory) PrometheusUserWorkloadFederateRoute() (*routev1.Route, error)
 	return f.NewRoute(f.assets.MustNewAssetSlice(PrometheusUserWorkloadFederateRoute))
 }
 
+func (f *Factory) PrometheusUserWorkloadNetworkPolicy() (*networkingv1.NetworkPolicy, error) {
+	return f.NewNetworkPolicy(f.assets.MustNewAssetSlice(PrometheusUserWorkloadNetworkPolicy))
+}
+
 func (f *Factory) PrometheusK8sPrometheusRule() (*monv1.PrometheusRule, error) {
 	return f.NewPrometheusRule(f.assets.MustNewAssetSlice(PrometheusK8sPrometheusRule))
 }
@@ -2152,6 +2166,10 @@ func (f *Factory) PrometheusOperatorUserWorkloadCRBACProxySecret() (*v1.Secret,
 	return f.NewSecret(f.assets.MustNewAssetSlice(PrometheusOperatorUserWorkloadKubeRbacProxySecret))
 }
 
+func (f *Factory) PrometheusOperatorUserWorkloadNetworkPolicy() (*networkingv1.NetworkPolicy, error) {
+	return f.NewNetworkPolicy(f.assets.MustNewAssetSlice(PrometheusOperatorUserWorkloadNetworkPolicy))
+}
+
 func (f *Factory) PrometheusOperatorClusterRole() (*rbacv1.ClusterRole, error) {
 	return f.NewClusterRole(f.assets.MustNewAssetSlice(PrometheusOperatorClusterRole))
 }
@@ -2451,6 +2469,10 @@ func (f *Factory) ThanosRulerPodDisruptionBudget() (*policyv1.PodDisruptionBudge
 	return f.NewPodDisruptionBudget(f.assets.MustNewAssetSlice(ThanosRulerPodDisruptionBudget))
 }
 
+func (f *Factory) ThanosRulerNetworkPolicy() (*networkingv1.NetworkPolicy, error) {
+	return f.NewNetworkPolicy(f.assets.MustNewAssetSlice(ThanosRulerNetworkPolicy))
+}
+
 func (f *Factory) PrometheusUserWorkloadService() (*v1.Service, error) {
 	return f.NewService(f.assets.MustNewAssetSlice(PrometheusUserWorkloadService))
 }
@@ -2523,6 +2545,10 @@ func (f *Factory) ClusterMonitoringDenyAllTraffic() (*networkingv1.NetworkPolicy
 	return f.NewNetworkPolicy(f.assets.MustNewAssetSlice(ClusterMonitoringDenyAllTraffic))
 }
 
+func (f *Factory) UserWorkloadMonitoringDenyAllTraffic() (*networkingv1.NetworkPolicy, error) {
+	return f.NewNetworkPolicy(f.assets.MustNewAssetSlice(UserWorkloadMonitoringDenyAllTraffic))
+}
+
 func (f *Factory) ControlPlanePrometheusRule() (*monv1.PrometheusRule, error) {
 	r, err := f.NewPrometheusRule(f.assets.MustNewAssetSlice(ControlPlanePrometheusRule))
 	if err != nil {