
add exception to egress policy for port 8080 #924

Merged
merged 1 commit into from
Aug 20, 2024

Conversation

@nhudson (Collaborator) commented Aug 20, 2024

There needs to be an exception to the allow-system-egress policy to allow access to the new Internal load balancer for the tembo-ai gateway.

We should allow access to 10.0.0.0/8 on port 8080. This will allow the ai-proxy pods access to the load balancer for the inference-gateway on all clusters.

@sjmiller609 (Contributor) left a comment


This network policy is too permissive, as it grants wide IP-range access to all workloads in a customer namespace. We need to carefully sandbox the network for customer-controlled workloads. I think it would be OK to apply a policy like this on the other network policy that applies only to the ai-proxy.

@nhudson force-pushed the nhudson/add_internallb_netpol branch from 9407c16 to 9ec818b on August 20, 2024 16:18
@nhudson (Collaborator, Author) commented Aug 20, 2024

> This network policy is too permissive, as it grants wide IP-range access to all workloads in a customer namespace. We need to carefully sandbox the network for customer-controlled workloads. I think it would be OK to apply a policy like this on the other network policy that applies only to the ai-proxy.

Yes thanks. I missed that specific policy. I just updated it and it should be good now, hopefully.

Comment on lines 295 to 303 (the `to` peer of the egress rule, shown here with its closing braces so the fragment is valid JSON):

```json
{
  "namespaceSelector": {
    "matchLabels": {
      "kubernetes.io/metadata.name": "tembo-ai"
    }
  },
  "podSelector": {
    "matchLabels": {
      "app.kubernetes.io/name": "tembo-ai-gateway"
    }
  }
}
```
Contributor commented:

Does removing this block break the path to connect via cluster IP within the same cluster to the tembo-ai services?

Collaborator (Author) replied:

It does. I can add it back if needed to allow for both.

@sjmiller609 (Contributor) left a comment

I am not sure that all these statements work together in a single network policy; it might have to be separate network policies. I would try applying this kind of configuration manually in dev by disabling the reconcile on an instance, then applying this configuration, then seeing if it works. I think there is a pretty good chance this does not work, because I recall there might be issues with specifying both ports and/or IP ranges in the same policy as namespace-selector based policies.

@nhudson force-pushed the nhudson/add_internallb_netpol branch from c6beebe to 6fcf307 on August 20, 2024 17:31
@nhudson (Collaborator, Author) commented Aug 20, 2024

> I am not sure that all these statements work together in a single network policy; it might have to be separate network policies. I would try applying this kind of configuration manually in dev by disabling the reconcile on an instance, then applying this configuration, then seeing if it works. I think there is a pretty good chance this does not work, because I recall there might be issues with specifying both ports and/or IP ranges in the same policy as namespace-selector based policies.

Ah yeah, that is correct. I have created a new policy with what worked when testing.
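The shape of the change the thread converges on, as an added illustration rather than the PR's actual merged manifest: the broad rule the reviewer objected to (every pod in the customer namespace may reach 10.0.0.0/8 on 8080) next to a scoped rule that selects only the ai-proxy pods, kept as its own NetworkPolicy object separate from the namespaceSelector/podSelector peer for the in-cluster path. The policy names, the namespace and the `app.kubernetes.io/name: ai-proxy` label are assumptions.

```yaml
# Too permissive (what the review flagged): an empty podSelector applies this
# egress allowance to EVERY pod in the namespace, including customer workloads.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-8080-too-broad   # hypothetical name
  namespace: customer-ns-example      # placeholder namespace
spec:
  podSelector: {}                     # matches all pods in the namespace
  policyTypes: [Egress]
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/8
      ports:
        - protocol: TCP
          port: 8080
---
# Scoped version, as a separate policy: only pods carrying the ai-proxy label
# (label value assumed) may reach the internal load balancer range on TCP/8080.
# NetworkPolicies are additive, so the namespaceSelector/podSelector peer for the
# cluster-IP path can stay in its own object instead of sharing this rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ai-proxy-egress-internal-lb   # hypothetical name
  namespace: customer-ns-example      # placeholder namespace
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ai-proxy   # assumed label on the ai-proxy pods
  policyTypes: [Egress]
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/8
      ports:
        - protocol: TCP
          port: 8080
```

Because `policyTypes: [Egress]` makes the selected pods deny-by-default for egress, the ai-proxy pods still need whatever other egress (DNS, the cluster-IP path) their existing policies grant; this object only adds the 8080 exception.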

@nhudson nhudson merged commit ec42853 into main Aug 20, 2024
9 checks passed
@nhudson nhudson deleted the nhudson/add_internallb_netpol branch August 20, 2024 17:54