From 61b47ecce323c4dbaf9c747c8a48c34f6ac5008b Mon Sep 17 00:00:00 2001 From: Anik Bhattacharjee Date: Wed, 14 May 2025 15:35:15 -0400 Subject: [PATCH 1/6] Introduce NetworkPolicy for core component workloads. [RFC](https://docs.google.com/document/d/10MZ4t2XgRydGa-NRs4uXFNVoTHH9SPKd7mV9IwT_i7M/edit?usp=sharing) Signed-off-by: Per G. da Silva --- .../0000_50_olm_01-networkpolicies.yaml | 102 ++++++++++++++++++ ...0_olm_02-olm-operator.serviceaccount.yaml} | 0 ...fig.yaml => 0000_50_olm_03-olmconfig.yaml} | 0 ...ices.yaml => 0000_50_olm_03-services.yaml} | 0 4 files changed, 102 insertions(+) create mode 100644 deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml rename deploy/chart/templates/{0000_50_olm_01-olm-operator.serviceaccount.yaml => 0000_50_olm_02-olm-operator.serviceaccount.yaml} (100%) rename deploy/chart/templates/{0000_50_olm_02-olmconfig.yaml => 0000_50_olm_03-olmconfig.yaml} (100%) rename deploy/chart/templates/{0000_50_olm_02-services.yaml => 0000_50_olm_03-services.yaml} (100%) diff --git a/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml b/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml new file mode 100644 index 0000000000..bba2133152 --- /dev/null +++ b/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml 
@@ -0,0 +1,102 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-all-traffic
+ namespace: {{ .Values.namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: olm-operator
+ namespace: {{ .Values.namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ app: olm-operator
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 8080
+ egress:
+ - ports:
+ - protocol: TCP
+ port: 6443 # kube-api service
+ - protocol: TCP
+ port: 53 # DNS
+ - protocol: UDP
+ port: 53 # DNS
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: catalog-operator
+ namespace: {{ .Values.namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ app: catalog-operator
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: metrics
+ egress:
+ - ports:
+ - protocol: TCP
+ port: 6443 # kube-api server
+ - protocol: TCP
+ port: 50051 # catalog service
+ - protocol: TCP
+ port: 53 # DNS
+ - protocol: UDP
+ port: 53 # DNS
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: packageserver
+ namespace: {{ .Values.namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ app: packageserver
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: {{ .Values.package.service.internalPort }}
+ egress:
+ - ports:
+ - protocol: TCP
+ port: 50051 # catalog service
+ - protocol: TCP
+ port: 53 # DNS
+ - protocol: UDP
+ port: 53 # DNS
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: {{ .Values.operator_namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - {}
+ egress:
+ - {}
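Review bot: The per-component egress rules carry only `ports` and no `to`, so `port: 6443`, `port: 50051` and `port: 53` are reachable on any pod, node or external address, which is far wider than the kube-apiserver, registry and DNS destinations the inline comments describe. Adding `to` peers (a namespaceSelector/podSelector for DNS and for the registry pods, and an `ipBlock` or the API endpoint address for the apiserver, which is usually not selectable as a pod) keeps the intent of the default-deny policy above. NetworkPolicy ports are matched after service DNAT, so 6443 has to be the apiserver endpoint port rather than the `kubernetes` service port; that holds on most distributions but is worth confirming on the target platforms. The `default-allow-all` policy in `.Values.operator_namespace` would benefit from a comment stating why that namespace is deliberately exempt, e.g. `# Intentionally allow-all: <reason this namespace is exempt from the default-deny above>`.
```yaml
  egress:
    - ports:
        - protocol: TCP
          port: 53  # DNS
        - protocol: UDP
          port: 53  # DNS
      to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns  # adjust for distributions whose DNS runs elsewhere
    # … unchanged: kube-apiserver and registry rules (give them `to` peers as well) …
```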
diff --git a/deploy/chart/templates/0000_50_olm_01-olm-operator.serviceaccount.yaml b/deploy/chart/templates/0000_50_olm_02-olm-operator.serviceaccount.yaml similarity index 100% rename from deploy/chart/templates/0000_50_olm_01-olm-operator.serviceaccount.yaml rename to deploy/chart/templates/0000_50_olm_02-olm-operator.serviceaccount.yaml diff --git a/deploy/chart/templates/0000_50_olm_02-olmconfig.yaml b/deploy/chart/templates/0000_50_olm_03-olmconfig.yaml similarity index 100% rename from deploy/chart/templates/0000_50_olm_02-olmconfig.yaml rename to deploy/chart/templates/0000_50_olm_03-olmconfig.yaml diff --git a/deploy/chart/templates/0000_50_olm_02-services.yaml b/deploy/chart/templates/0000_50_olm_03-services.yaml similarity index 100% rename from deploy/chart/templates/0000_50_olm_02-services.yaml rename to deploy/chart/templates/0000_50_olm_03-services.yaml From 416021fe72b404a28fe4f20fd88f3579c4ca7410 Mon Sep 17 00:00:00 2001 From: Anik Bhattacharjee Date: Thu, 15 May 2025 15:04:49 -0400 Subject: [PATCH 2/6] specify namespace with selectors --- .../0000_50_olm_01-networkpolicies.yaml | 25 +++++++++++++------ 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml b/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml index bba2133152..de0d013d4a 100644 --- a/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml +++ b/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml @@ -52,7 +52,7 @@ spec: - protocol: TCP port: 6443 # kube-api server - protocol: TCP - port: 50051 # catalog service + port: 50051 # registry pods' service port - protocol: TCP port: 53 # DNS - protocol: UDP 
@@ -75,13 +75,22 @@ spec: - protocol: TCP port: {{ .Values.package.service.internalPort }} egress: - - ports: - - protocol: TCP - port: 50051 # catalog service - - protocol: TCP - port: 53 # DNS - - protocol: UDP - port: 53 # DNS + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ .Values.catalog_namespace }} # For registry resolution + ports: + - protocol: TCP + port: 50051 # registry pods' service port + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system # For DNS resolution (CoreDNS runs here) + ports: + - protocol: UDP + port: 53 # DNS + - protocol: TCP + port: 53 # DNS policyTypes: - Ingress - Egress From afa6f9bd27ba6a69ef1d2e9f3a8b37dcbd645efa Mon Sep 17 00:00:00 2001 From: "Per G. da Silva" Date: Fri, 16 May 2025 09:08:47 +0100 Subject: [PATCH 3/6] Fix formatting Signed-off-by: Per G. da Silva --- .../0000_50_olm_01-networkpolicies.yaml | 139 ++++++++---------- 1 file changed, 65 insertions(+), 74 deletions(-) diff --git a/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml b/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml index de0d013d4a..cf2b482f95 100644 --- a/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml +++ b/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml 
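Review bot: Pinning the port 50051 egress to `{{ .Values.catalog_namespace }}` assumes every registry pod packageserver contacts lives in that namespace; if CatalogSources (and the registry pods backing them) can be created in other namespaces, packageserver loses access to those under this rule, so please confirm that before merging. The templated label value is also unguarded: with `catalog_namespace` unset it renders an empty label value that selects no namespace and silently blocks the registry egress, whereas `kubernetes.io/metadata.name: {{ required "catalog_namespace must be set" .Values.catalog_namespace }}` fails at template time instead. The DNS peer is hard-coded to `kube-system`, which the inline comment itself ties to one placement of CoreDNS; exposing the namespace and pod labels as chart values would keep the policy usable on distributions that run DNS elsewhere.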
@@ -1,99 +1,90 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: default-deny-all-traffic - namespace: {{ .Values.namespace }} + name: default-deny-all-traffic + namespace: {{ .Values.namespace }} spec: - podSelector: {} - policyTypes: - - Ingress - - Egress + podSelector: { } + policyTypes: + - Ingress + - Egress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: olm-operator - namespace: {{ .Values.namespace }} + name: olm-operator + namespace: {{ .Values.namespace }} spec: - podSelector: - matchLabels: - app: olm-operator - ingress: - - ports: - - protocol: TCP - port: 8080 - egress: - - ports: - - protocol: TCP - port: 6443 # kube-api service - - protocol: TCP - port: 53 # DNS - - protocol: UDP - port: 53 # DNS - policyTypes: - - Ingress - - Egress + podSelector: + matchLabels: + app: olm-operator + ingress: + - ports: + - protocol: TCP + port: 8080 + egress: + - ports: + - protocol: TCP + port: 6443 # kube-api service + - protocol: TCP + port: 53 # DNS + - protocol: UDP + port: 53 # DNS + policyTypes: + - Ingress + - Egress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: catalog-operator - namespace: {{ .Values.namespace }} + name: catalog-operator + namespace: {{ .Values.namespace }} spec: - podSelector: - matchLabels: - app: catalog-operator - ingress: - - ports: - - protocol: TCP - port: metrics - egress: - - ports: - - protocol: TCP - port: 6443 # kube-api server - - protocol: TCP - port: 50051 # registry pods' service port - - protocol: TCP - port: 53 # DNS - - protocol: UDP - port: 53 # DNS - policyTypes: - - Ingress - - Egress + podSelector: + matchLabels: + app: catalog-operator + ingress: + - ports: + - protocol: TCP + port: metrics + egress: + - ports: + - protocol: TCP + port: 6443 # kube-api server + - protocol: TCP + port: 50051 # registry pods' service port + - protocol: TCP + port: 53 # DNS + - protocol: UDP + port: 53 # DNS + policyTypes: + - Ingress + - Egress --- 
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: packageserver - namespace: {{ .Values.namespace }} + name: packageserver + namespace: {{ .Values.namespace }} spec: - podSelector: - matchLabels: - app: packageserver - ingress: - - ports: - - protocol: TCP - port: {{ .Values.package.service.internalPort }} - egress: - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: {{ .Values.catalog_namespace }} # For registry resolution - ports: + podSelector: + matchLabels: + app: packageserver + ingress: + - ports: + - protocol: TCP + port: {{ .Values.package.service.internalPort }} + egress: + - ports: - protocol: TCP port: 50051 # registry pods' service port - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system # For DNS resolution (CoreDNS runs here) - ports: - protocol: UDP port: 53 # DNS - protocol: TCP port: 53 # DNS - policyTypes: - - Ingress - - Egress + policyTypes: + - Ingress + - Egress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy @@ -101,11 +92,11 @@ metadata: name: default-allow-all namespace: {{ .Values.operator_namespace }} spec: - podSelector: {} + podSelector: { } policyTypes: - Ingress - Egress ingress: - - {} + - { } egress: - - {} + - { } From 90300eb2f82645257c6fa23d9dffe26b11a0826d Mon Sep 17 00:00:00 2001 From: "Per G. da Silva" Date: Fri, 16 May 2025 10:00:56 +0100 Subject: [PATCH 4/6] template network policy Signed-off-by: Per G. da Silva --- .../0000_50_olm_01-networkpolicies.yaml | 36 ++++++------------- deploy/chart/values.yaml | 18 ++++++++++ 2 files changed, 28 insertions(+), 26 deletions(-) diff --git a/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml b/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml index cf2b482f95..3ec5196952 100644 --- a/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml +++ b/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml 
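Review bot: Under the subject "Fix formatting", this hunk also deletes the two `to:` namespaceSelector blocks from packageserver's egress (the `{{ .Values.catalog_namespace }}` and `kube-system` peers added by the previous commit), which widens port 50051 and 53 egress back to any destination; a functional loosening like that should be its own commit, or at least be named in the message, so it is reviewed on its own terms. The `{}` → `{ }` rewrites here and in the `@@ -101,11 +92,11 @@` hunk diverge from yamllint's default `braces` rule (no spaces inside) and from the file's original spelling; `podSelector: {}` and `- {}` are the conventional forms.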
@@ -19,17 +19,10 @@ spec: matchLabels: app: olm-operator ingress: - - ports: - - protocol: TCP - port: 8080 + - {{ .Values.networkPolicy.metrics | toYaml | nindent 6 | trimSuffix "\n" }} egress: - - ports: - - protocol: TCP - port: 6443 # kube-api service - - protocol: TCP - port: 53 # DNS - - protocol: UDP - port: 53 # DNS + - {{ .Values.networkPolicy.kubeAPIServer | toYaml | nindent 6 | trimSuffix "\n" }} + - {{ .Values.networkPolicy.dns | toYaml | nindent 6 | trimSuffix "\n" }} policyTypes: - Ingress - Egress @@ -44,19 +37,13 @@ spec: matchLabels: app: catalog-operator ingress: - - ports: - - protocol: TCP - port: metrics + - {{ .Values.networkPolicy.metrics | toYaml | nindent 6 | trimSuffix "\n" }} egress: - - ports: - - protocol: TCP - port: 6443 # kube-api server + - {{ .Values.networkPolicy.kubeAPIServer | toYaml | nindent 6 | trimSuffix "\n" }} + - {{ .Values.networkPolicy.dns | toYaml | nindent 6 | trimSuffix "\n" }} + - ports: # This is another distinct rule in the egress list - protocol: TCP - port: 50051 # registry pods' service port - - protocol: TCP - port: 53 # DNS - - protocol: UDP - port: 53 # DNS + port: {{ .Values.catalogGrpcServicePort }} policyTypes: - Ingress - Egress @@ -75,13 +62,10 @@ spec: - protocol: TCP port: {{ .Values.package.service.internalPort }} egress: + - {{ .Values.networkPolicy.dns | toYaml | nindent 6 | trimSuffix "\n" }} - ports: - protocol: TCP - port: 50051 # registry pods' service port - - protocol: UDP - port: 53 # DNS - - protocol: TCP - port: 53 # DNS + port: {{ .Values.catalogGrpcServicePort }} policyTypes: - Ingress - Egress diff --git a/deploy/chart/values.yaml b/deploy/chart/values.yaml index ffb5891842..e4dea97a46 100644 --- a/deploy/chart/values.yaml +++ b/deploy/chart/values.yaml @@ -19,6 +19,8 @@ writeStatusName: '""' imagestream: false debug: false installType: upstream +catalogGrpcServicePort: 50051 + olm: replicaCount: 1 image: 
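Review bot: The olm-operator ingress rule moves from the literal `port: 8080` to the shared `networkPolicy.metrics` value, whose port is the name `metrics`; a named port in a NetworkPolicy resolves against the container ports declared on the selected pod, and a name the pod does not declare matches nothing, which would silently block metrics scrapes. The olm-operator Deployment is outside this diff, so please confirm its container declares `name: metrics` (catalog-operator already used the named port in the previous revision, so it presumably does). Style: each `- {{ ... | toYaml | nindent 6 | trimSuffix "\n" }}` line renders as a bare `- ` with trailing whitespace followed by the rule mapping on the next lines; it parses, but a short comment above the first use, e.g. `# Each value below renders as one rule mapping on the following lines`, would spare the next reader from working that out.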
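Review bot: packageserver's egress receives the `dns` rule and the catalog gRPC port but, unlike olm-operator and catalog-operator in the hunks above, no `kubeAPIServer` rule. If packageserver reaches the kube-apiserver at all (an aggregated API server typically delegates TokenReview/SubjectAccessReview there and reads CatalogSources), the default-deny policy will cut that off; adding `- {{ .Values.networkPolicy.kubeAPIServer | toYaml | nindent 6 | trimSuffix "\n" }}` under `egress:` restores it. The enclosing `egress` list starts above the hunk. If the omission is deliberate, a one-line comment saying so would stop the next reader from "fixing" it.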
@@ -75,3 +77,19 @@ package: monitoring: enabled: false namespace: monitoring + +networkPolicy: + dns: + ports: + - protocol: TCP + port: 53 + - protocol: UDP + port: 53 + kubeAPIServer: + ports: + - protocol: TCP + port: 6443 + metrics: + ports: + - protocol: TCP + port: metrics From 717e8714feb83aa51f14ef2cc31b508a09d3e788 Mon Sep 17 00:00:00 2001 From: "Per G. da Silva" Date: Fri, 16 May 2025 13:46:04 +0100 Subject: [PATCH 5/6] restrict kube-apiserver and dns traffic Signed-off-by: Per G. da Silva --- deploy/chart/values.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/deploy/chart/values.yaml b/deploy/chart/values.yaml index e4dea97a46..b628bda616 100644 --- a/deploy/chart/values.yaml +++ b/deploy/chart/values.yaml @@ -85,10 +85,24 @@ networkPolicy: port: 53 - protocol: UDP port: 53 + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns kubeAPIServer: ports: - protocol: TCP port: 6443 + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + component: kube-apiserver metrics: ports: - protocol: TCP From 7e013e0e4d16ac00a1f6bbdbea29e72d9d858bd9 Mon Sep 17 00:00:00 2001 From: "Per G. da Silva" Date: Fri, 16 May 2025 14:02:00 +0100 Subject: [PATCH 6/6] Address reviewer comments Signed-off-by: Per G. da Silva --- .../0000_50_olm_01-networkpolicies.yaml | 4 ++-- deploy/chart/values.yaml | 16 +--------------- 2 files changed, 3 insertions(+), 17 deletions(-) diff --git a/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml b/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml index 3ec5196952..8a389d93a4 100644 --- a/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml +++ b/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml 
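Review bot: The new `networkPolicy` block in values.yaml carries no comments, although it is now the single place the rule shapes are defined: a reader of values.yaml cannot tell that each entry is one NetworkPolicy rule spliced into the component policies, that `port: metrics` is a container-port name every selected pod must declare, or that a rule without `to` matches any destination. A header comment such as `# Each entry is one NetworkPolicy ingress/egress rule spliced into the component policies; named ports must match a containerPort name on the selected pod.` plus one line per rule stating its intended peer would make later tightening much easier.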
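Review bot: The new `kubeAPIServer` peer selects pods labelled `component: kube-apiserver` in `kube-system`, which only matches where the API server runs as a regular pod there; on clusters where it is a hostNetwork static pod (plugin-dependent whether a podSelector matches) or a hosted control plane outside the cluster, egress to the API endpoint address matches nothing and the operators lose API access. Please confirm on the target platforms before relying on it; an `ipBlock` derived from the `kubernetes` Endpoints, or a chart value holding it, is the usual fallback for such clusters. The `k8s-app: kube-dns` / `kube-system` pair likewise encodes one distribution's DNS placement, so making the namespace and labels chart values keeps the hardening portable.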
@@ -43,7 +43,7 @@ spec: - {{ .Values.networkPolicy.dns | toYaml | nindent 6 | trimSuffix "\n" }} - ports: # This is another distinct rule in the egress list - protocol: TCP - port: {{ .Values.catalogGrpcServicePort }} + port: {{ .Values.catalogGrpcPodPort }} policyTypes: - Ingress - Egress @@ -65,7 +65,7 @@ spec: - {{ .Values.networkPolicy.dns | toYaml | nindent 6 | trimSuffix "\n" }} - ports: - protocol: TCP - port: {{ .Values.catalogGrpcServicePort }} + port: {{ .Values.catalogGrpcPodPort }} policyTypes: - Ingress - Egress diff --git a/deploy/chart/values.yaml b/deploy/chart/values.yaml index b628bda616..4e4ee726b8 100644 --- a/deploy/chart/values.yaml +++ b/deploy/chart/values.yaml @@ -19,7 +19,7 @@ writeStatusName: '""' imagestream: false debug: false installType: upstream -catalogGrpcServicePort: 50051 +catalogGrpcPodPort: 50051 olm: replicaCount: 1 @@ -85,24 +85,10 @@ networkPolicy: port: 53 - protocol: UDP port: 53 - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - podSelector: - matchLabels: - k8s-app: kube-dns kubeAPIServer: ports: - protocol: TCP port: 6443 - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - podSelector: - matchLabels: - component: kube-apiserver metrics: ports: - protocol: TCP