27 changes: 0 additions & 27 deletions config/network-policy/allow-metrics-traffic.yaml

This file was deleted.

5 changes: 4 additions & 1 deletion config/network-policy/allow-network-traffic.yaml
Expand Up @@ -16,9 +16,12 @@ spec:
port: 6443 # Required: Kubernetes API server
ingress:
# Optional: expose metrics (8443 and 8080 based on user configuration)
- from:
- namespaceSelector:
matchLabels:
name: openshift-monitoring
- ports:
- protocol: TCP
port: 8443
- ports:
- protocol: TCP
port: 8080
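Review bot: the three ingress rules here do not intersect, so the policy is broader than the "expose metrics" comment describes: the first rule (`- from:` with no `ports`) admits anything in the openshift-monitoring namespace on every port of the selected pods, and the two `- ports:` rules with no `from` admit 8443 and 8080 from any source the CNI can route. Put the peer and the ports in one rule (`- from:` / `- namespaceSelector:` / ... / `ports:` under the same list item, with whichever of 8443 and 8080 the user configuration actually needs), and select the namespace with `kubernetes.io/metadata.name: openshift-monitoring`, which every namespace carries automatically, rather than an ad-hoc `name` label that only matches if someone has applied it to the namespace.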
Comment on lines +19 to 27
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Ingress rules split incorrectly: results in overly permissive access; also 8080 still open and namespace label likely wrong

  • A rule with only from allows all ports from openshift-monitoring.
  • A rule with only ports allows 8443/8080 from anywhere.
  • Combined, this is broader than intended. Also, 8080 is still exposed despite the PR description/summary. Finally, namespaces don’t have a default name label; use kubernetes.io/metadata.name.

Fix by combining from and ports into a single rule, dropping 8080, and using the stable namespace label:

   ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              name: openshift-monitoring
-    - ports:
-        - protocol: TCP
-          port: 8443
-        - protocol: TCP
-          port: 8080
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-monitoring
+      ports:
+        - protocol: TCP
+          port: 8443
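Review bot: the `-` side of this suggestion shows a single `ports` rule carrying both 8443 and 8080, whereas the file as rendered above has two separate `- ports:` rules; the suggestion may therefore not apply cleanly, and the second rule (8080) would survive it unchanged. The `+` side is the right shape: one rule with both `from` and `ports` intersects the peer and the port, and `kubernetes.io/metadata.name` is present on every namespace.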

Please confirm:

  • 8080 should indeed be removed.
  • The target namespace is openshift-monitoring (or adjust the selector accordingly).

🏁 Script executed:

#!/bin/bash
sed -n '15,40p' config/network-policy/allow-network-traffic.yaml

Length of output: 374


Combine ingress rules into one, correct namespaceSelector label, and remove port 8080

  • Separate from and ports entries result in all ports allowed from the monitoring namespace and 8443/8080 open globally.
  • Merge into a single ingress block with:

        matchLabels:
          kubernetes.io/metadata.name: openshift-monitoring
        ports:
          - protocol: TCP
            port: 8443

Confirm whether port 8080 should remain exposed.

🤖 Prompt for AI Agents
In config/network-policy/allow-network-traffic.yaml around lines 19 to 27, the
NetworkPolicy currently has separate from and ports entries causing ports to be
applied globally and uses the wrong namespace label; merge into a single ingress
rule that uses namespaceSelector.matchLabels: kubernetes.io/metadata.name:
openshift-monitoring and include only the ports list with protocol: TCP and
port: 8443 (remove port 8080), and if 8080 is required re-add it only after
confirmation scoped under the same ingress/namespaceSelector.
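As an added example (not code from this PR or its project), the rule-shape mistake discussed above can be caught mechanically: the script below lints NetworkPolicy ingress rules for a `from` with no `ports`, a `ports` with no `from`, an empty rule, and a namespaceSelector that relies on an ad-hoc `name` label. It reads the JSON form that `kubectl get networkpolicy -A -o json` emits, so it needs nothing beyond the standard library. The two policy inputs are constructed to mirror the split rules in this PR's allow-network-traffic.yaml and the merged fix; the namespace `ns` and the `default` fallback are assumptions.

```python
"""Lint NetworkPolicy ingress rules for the split from/ports mistake (added example).

Semantics follow the Kubernetes NetworkPolicy API: inside ONE ingress rule an omitted
'from' matches every source and an omitted 'ports' matches every port; peers only
constrain ports when both sit in the same rule.
"""
from __future__ import annotations

import json

# Label set on every namespace by the NamespaceDefaultLabelName feature (GA in 1.22).
STABLE_NS_LABEL = "kubernetes.io/metadata.name"


def lint_ingress(policy: dict) -> list[tuple[int, str, str]]:
    """Return (rule_index, code, message) for each risky ingress rule in one policy."""
    findings: list[tuple[int, str, str]] = []
    spec = policy.get("spec") or {}
    # Ingress is always governed unless policyTypes is set and excludes it.
    if "Ingress" not in (spec.get("policyTypes") or ["Ingress"]):
        return findings
    # 'ingress' absent or [] means no ingress is allowed at all: nothing to flag.
    for i, rule in enumerate(spec.get("ingress") or []):
        peers = rule.get("from")
        ports = rule.get("ports")
        if not peers and not ports:
            findings.append((i, "ALLOW_ALL", "empty rule admits every source on every port"))
            continue
        if peers and not ports:
            findings.append((i, "FROM_WITHOUT_PORTS", "selected peers may reach every port on the pod"))
        if ports and not peers:
            listed = ", ".join(f"{p.get('protocol', 'TCP')}/{p.get('port')}" for p in ports)
            findings.append((i, "PORTS_WITHOUT_FROM", f"{listed} reachable from any source"))
        for peer in peers or []:
            labels = (peer.get("namespaceSelector") or {}).get("matchLabels") or {}
            if "name" in labels and STABLE_NS_LABEL not in labels:
                findings.append((i, "NS_LABEL", f"selector relies on ad-hoc 'name' label; use {STABLE_NS_LABEL}"))
    return findings


def lint_json(text: str) -> dict[str, list[tuple[int, str, str]]]:
    """Lint one NetworkPolicy document or a `kubectl get networkpolicy -o json` List."""
    doc = json.loads(text)
    items = doc.get("items") or [] if doc.get("kind") == "List" else [doc]
    return {
        f"{p['metadata'].get('namespace', 'default')}/{p['metadata']['name']}": lint_ingress(p)
        for p in items
        if p.get("kind") == "NetworkPolicy"
    }


# Constructed input mirroring the rule shape in this PR's allow-network-traffic.yaml
# (JSON form of the YAML; namespace "ns" is an assumption).
SPLIT_POLICY = json.loads("""{
  "kind": "NetworkPolicy", "metadata": {"name": "allow-network-traffic", "namespace": "ns"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
    "ingress": [
      {"from": [{"namespaceSelector": {"matchLabels": {"name": "openshift-monitoring"}}}]},
      {"ports": [{"protocol": "TCP", "port": 8443}]},
      {"ports": [{"protocol": "TCP", "port": 8080}]}
    ]}}""")

# Constructed corrected shape: peers and ports in the same rule, stable namespace label.
MERGED_POLICY = json.loads("""{
  "kind": "NetworkPolicy", "metadata": {"name": "allow-network-traffic", "namespace": "ns"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
    "ingress": [
      {"from": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "openshift-monitoring"}}}],
       "ports": [{"protocol": "TCP", "port": 8443}, {"protocol": "TCP", "port": 8080}]}
    ]}}""")

if __name__ == "__main__":
    for label, policy in (("split", SPLIT_POLICY), ("merged", MERGED_POLICY)):
        print(label, lint_ingress(policy) or "no findings")
```

Run it as a CI step over `kubectl get networkpolicy -A -o json` via `lint_json` and fail the pipeline on any `ALLOW_ALL`, `FROM_WITHOUT_PORTS` or `PORTS_WITHOUT_FROM` finding; the `NS_LABEL` code is advisory, since an ad-hoc `name` label does work if the namespace really carries it.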

1 change: 0 additions & 1 deletion config/network-policy/kustomization.yaml
@@ -1,4 +1,3 @@
resources:
- allow-metrics-traffic.yaml
- allow-network-traffic.yaml
- deny-all.yaml
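Review bot: dropping allow-metrics-traffic.yaml from the resources list is consistent with the file deletion above, but with deny-all.yaml still applied, allow-network-traffic.yaml becomes the only policy that opens the metrics ports, so its ingress rules need to be scoped correctly (peer and ports in the same rule) before this is merged; otherwise the kustomization now ships a broader opening than the one it removes.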