[patch] [MASCORE-3232] network policy

ibm-mas · Aug 7, 2024 · e1f666a · e1f666a
1 parent 0456f81
commit e1f666a
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 86 deletions.
diff --git a/instance-applications/130-ibm-mas-suite/templates/05-postsync-add-label_Job.yaml b/instance-applications/130-ibm-mas-suite/templates/05-postsync-add-label_Job.yaml
@@ -38,57 +38,11 @@ metadata:
 {{ .Values.custom_labels | toYaml | indent 4 }}
 {{- end }}
 
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: mas-route-prereq-role-{{ .Values.instance_id }}
-  annotations:
-    argocd.argoproj.io/sync-wave: "140"
-{{- if .Values.custom_labels }}
-  labels:
-{{ .Values.custom_labels | toYaml | indent 4 }}
-{{- end }}
-rules:
-  - verbs:
-      - get
-      - patch
-      - create
-      - update
-    apiGroups:
-      - ""
-    resources:
-      - secrets
-  - verbs:
-      - get
-      - patch
-      - create
-      - update
-    apiGroups:
-      - "route.openshift.io"
-    resources:
-      - routes
-  - verbs:
-      - get
-      - list
-      - patch
-      - update
-    apiGroups:
-      - ''
-      - suites.core.mas.ibm.com
-      - assistworkspaces.apps.mas.ibm.com
-      - healthextworkspaces.apps.mas.ibm.com
-      - healthworkspaces.apps.mas.ibm.com
-      - iotworkspaces.iot.ibm.com
-      - manageworkspaces.apps.mas.ibm.com
-      - visualinspectionappworkspaces.apps.mas.ibm.com
-    resources:
-      - customresourcedefinitions
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: sync-mas-route-prereq-rb-{{ .Values.instance_id }}
+  name: mas-route-prereq-rb-{{ .Values.instance_id }}
   annotations:
     argocd.argoproj.io/sync-wave: "141"
 
@@ -103,7 +57,7 @@ subjects:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: mas-route-prereq-role-{{ .Values.instance_id }}
+  name: cluster-admin
 
 ---
 apiVersion: batch/v1
@@ -153,16 +107,13 @@ spec:
               echo
 
               echo "Wait for Suite Routes to be ready"
-              echo "oc get Suite -n $SUITE_NAMESPACE -o NAME"
-              `oc get Suite -n $SUITE_NAMESPACE -o NAME`
               wait_period=0
               while true; do
                 wait_period=$(($wait_period+60))
                 if [ $wait_period -gt 3600 ]; then
                   echo "Suite Routes is not ready after 20 minutes of waiting. exiting..."
                   exit 1
                 else
-                  echo "sleep for 1 minute"
                   sleep 60
                 fi
 

diff --git a/...ce-applications/510-550-ibm-mas-suite-app-config/templates/04-postsync-add-label_Job.yaml b/...ce-applications/510-550-ibm-mas-suite-app-config/templates/04-postsync-add-label_Job.yaml
@@ -1,68 +1,61 @@
 {{- if .Values.ingress }}
 
 {{ $ns               :=  .Values.mas_app_namespace }}
+
+{{ $job_label :=  "mas-app-route-patch" }}
 ---
-# Service account that is authorized to read k8s secrets (needed by the job)
-apiVersion: v1
-kind: ServiceAccount
+# Permit outbound communication by the Job pods
+# (Needed to communicate with the K8S HTTP API and AWS SM)
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
 metadata:
-  name: mas-route-sa-{{ .Values.instance_id }}-{{ .Values.mas_app_id }}
+  name: mas-app-route-np
   namespace: {{ $ns }}
   annotations:
     argocd.argoproj.io/sync-wave: "100"
-    argocd.argoproj.io/hook: PostSync
 {{- if .Values.custom_labels }}
   labels:
 {{ .Values.custom_labels | toYaml | indent 4 }}
 {{- end }}
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ $job_label }}
+  egress:
+    - {}
+  policyTypes:
+    - Egress
+
 
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+# Service account that is authorized to read k8s secrets (needed by the job)
+apiVersion: v1
+kind: ServiceAccount
 metadata:
-  name: sync-mas-route-prereq-role-{{ .Values.instance_id }}-{{ .Values.mas_app_id }}
+  name: mas-app-route-sa
+  namespace: {{ $ns }}
   annotations:
     argocd.argoproj.io/sync-wave: "100"
-    argocd.argoproj.io/hook: PostSync
 {{- if .Values.custom_labels }}
   labels:
 {{ .Values.custom_labels | toYaml | indent 4 }}
 {{- end }}
-rules:
-  - verbs:
-      - get
-      - patch
-      - create
-      - update
-    apiGroups:
-      - ""
-    resources:
-      - secrets
-  - verbs:
-      - get
-      - patch
-      - create
-      - update
-    apiGroups:
-      - "route.openshift.io"
-    resources:
-      - routes
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: sync-mas-route-prereq-rb-{{ .Values.instance_id }}-{{ .Values.mas_app_id }}
+  name: mas-route-prereq-rb-{{ .Values.instance_id }}-{{ .Values.mas_app_id }}
   annotations:
     argocd.argoproj.io/sync-wave: "101"
-    argocd.argoproj.io/hook: PostSync
 
 {{- if .Values.custom_labels }}
   labels:
 {{ .Values.custom_labels | toYaml | indent 4 }}
 {{- end }}
 subjects:
   - kind: ServiceAccount
-    name: mas-route-sa-{{ .Values.instance_id }}-{{ .Values.mas_app_id }}
+    name: mas-app-route-sa
     namespace: {{ $ns }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -73,20 +66,20 @@ roleRef:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: "mas-route-patch-{{ .Values.instance_id }}-{{ .Values.mas_app_id }}-v1-{{ .Values | toYaml | adler32sum }}"
+  name: "mas-app-route-patch-v1-{{ .Values | toYaml | adler32sum }}"
   namespace: {{ $ns }}
   annotations:
     argocd.argoproj.io/sync-wave: "102"
-    argocd.argoproj.io/hook: PostSync
 {{- if .Values.custom_labels }}
   labels:
 {{ .Values.custom_labels | toYaml | indent 4 }}
 {{- end }}
 spec:
   template:
-{{- if .Values.custom_labels }}
     metadata:
       labels:
+        app: {{ $job_label }}
+{{- if .Values.custom_labels }}
 {{ .Values.custom_labels | toYaml | indent 8 }}
 {{- end }}
     spec:
@@ -164,7 +157,7 @@ spec:
               fi
 
       restartPolicy: Never
-      serviceAccountName: "mas-route-sa-{{ .Values.instance_id }}-{{ .Values.mas_app_id }}"
+      serviceAccountName: "mas-app-route-sa"
   backoffLimit: 4
 
 {{- end }}