
Add default Kubernetes network policy support #2536

Merged: 4 commits merged into main from network-policies, Oct 27, 2021
Conversation

@smlx (Member) commented Feb 23, 2021

Checklist

  • Affected Issues have been mentioned in the Closing issues section
  • Documentation has been written/updated: see "Document new feature flags" #2541.
  • PR title is ready for changelog and subsystem label(s) applied

This PR adds a network policy which is applied to Lagoon environment namespaces. It is disabled by default and controlled via a feature flag as documented in #2541.

The default policy currently implements namespace isolation by filtering Ingress traffic. Egress traffic is not filtered.

Because Egress traffic is not filtered, internal cluster services can still be consumed by Lagoon project workloads with this network policy applied. This is required for logging to application-logs.lagoon.svc, and is also common in dedicated Lagoon clusters (e.g. shared Elasticsearch).

Network policies only affect internal cluster traffic. Traffic which routes between Lagoon projects via a public URL (e.g. via an ingress) is not affected. This is the case with e.g. decoupled projects where a frontend consumes a backend API via a public URL.

Similarly to #2481, this depends on uselagoon/lagoon-charts#235. Once that lands, we can remove 83be81f from this PR.

Closing issues

n/a

@smlx smlx added the 9-security Security subsystem label Feb 23, 2021
@Schnitzel (Contributor) commented:

I think we also need to allow traffic from all monitoring namespaces? (not exactly sure how we could select them, but at least lagoon-monitoring namespaces should probably allow traffic?)

@smlx (Member, Author) commented Feb 24, 2021

Yes, there are likely to be other exceptions. I'm going to do an audit to check for more.

As the namespace selection relies on labels, we'll have to add a similar name: <name> label to any namespaces that need to be targeted.

edit: we now simply disallow traffic between Lagoon environment namespaces. Other namespaces are not affected.
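The policy described in the PR description and in the edit above, modelled as an added example that is not Lagoon's own manifest or build code. It assumes that Lagoon environment namespaces carry a `lagoon.sh/environment` label (the label key is an assumption; substitute whatever label the Lagoon remote actually sets on environment namespaces), names the policy `isolation-policy` (also an assumption), and builds a constructed namespace-to-labels map mirroring the namespaces probed with nc in the review comment later in this thread. The policy is expressed as a plain dict so that `json.dumps` yields a manifest `kubectl apply -f` accepts, and the small evaluator implements the NetworkPolicy selector semantics the design relies on: a `podSelector: {}` on the policy makes the namespace isolated (implicit deny, since NetworkPolicy has only allow rules), the `from` peers are OR'd, a bare `podSelector` peer is scoped to the policy's own namespace, and a `namespaceSelector` with `DoesNotExist` on the environment label admits every namespace that is not a Lagoon environment. That is why the same-namespace probe and the lagoon, minio and registry probes succeed, why a probe into another Lagoon environment times out, and why traffic arriving through an ingress controller running in a non-Lagoon namespace is unaffected. Enforcement still requires a CNI that implements NetworkPolicy (the testing branch mentioned below enables Calico for that reason).

```python
import json

# Assumed label key marking Lagoon environment namespaces (stand-in, not confirmed by the PR).
ENV_LABEL = "lagoon.sh/environment"


def isolation_policy(namespace: str) -> dict:
    """Build the default namespace-isolation NetworkPolicy for one Lagoon environment.

    podSelector {} selects every pod, so the namespace becomes isolated: only sources
    matched by a `from` entry may send Ingress traffic (NetworkPolicy has no deny rules,
    only allow-lists). policyTypes [Ingress] leaves Egress unfiltered.
    """
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "isolation-policy", "namespace": namespace},  # name assumed
        "spec": {
            "podSelector": {},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": [
                # pods in the same namespace (a bare podSelector is scoped to this namespace)
                {"podSelector": {}},
                # pods in any namespace that is NOT a Lagoon environment: lagoon core,
                # minio, registry, monitoring, ingress controllers, ...
                {"namespaceSelector": {"matchExpressions": [
                    {"key": ENV_LABEL, "operator": "DoesNotExist"}]}},
            ]}],
        },
    }


def selector_matches(selector: dict, labels: dict) -> bool:
    """Evaluate a Kubernetes label selector (matchLabels AND every matchExpression)."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def ingress_allowed(policy: dict, src_ns: str, src_ns_labels: dict,
                    src_pod_labels: dict, dst_ns: str) -> bool:
    """Decide whether a source pod may send Ingress traffic to pods covered by `policy`.

    Peers inside `from` are OR'd; within one peer, namespaceSelector and podSelector
    are AND'd. A peer with only a podSelector means pods in the policy's own namespace.
    """
    spec = policy["spec"]
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return True  # policy does not restrict Ingress at all
    for rule in spec.get("ingress", []):
        peers = rule.get("from")
        if not peers:
            return True  # a rule without `from` allows every source
        for peer in peers:
            ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
            ns_ok = selector_matches(ns_sel, src_ns_labels) if ns_sel is not None else src_ns == dst_ns
            pod_ok = pod_sel is None or selector_matches(pod_sel, src_pod_labels)
            if ns_ok and pod_ok:
                return True
    return False  # pod is selected and no allow rule matched: implicit deny


# Constructed namespace -> labels map mirroring the namespaces probed with nc in the
# review comment later in this thread, plus an ingress-controller namespace (assumed
# name) to show the public-URL case.
CLUSTER = {
    "ci-active-standby-control-k8s-master-a": {ENV_LABEL: "master-a"},
    "ci-active-standby-control-k8s-master-b": {ENV_LABEL: "master-b"},
    "lagoon": {}, "minio": {}, "registry": {}, "ingress-nginx": {},
}


def probe(src_ns: str, dst_ns: str) -> bool:
    """Can a pod in src_ns reach a pod in dst_ns when every Lagoon env namespace has the policy?"""
    if ENV_LABEL not in CLUSTER[dst_ns]:
        return True  # no policy applied outside Lagoon environments: unrestricted
    return ingress_allowed(isolation_policy(dst_ns), src_ns, CLUSTER[src_ns], {}, dst_ns)


if __name__ == "__main__":
    print(json.dumps(isolation_policy("ci-active-standby-control-k8s-master-a"), indent=2))
    src = "ci-active-standby-control-k8s-master-a"
    for dst in CLUSTER:
        print(f"{src} -> {dst}: {'open' if probe(src, dst) else 'timed out'}")
```

Running the module prints the manifest and replays the probes; `probe("ingress-nginx", ...)` is the case the description calls out where a frontend reaches a backend through its public URL, since the connection then originates from the ingress controller's namespace rather than from another Lagoon environment.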

@smlx force-pushed the network-policies branch 3 times, most recently from 2c2b303 to c566e79, February 25, 2021 02:58
smlx added a commit that referenced this pull request Feb 25, 2021:
This documents the feature flags introduced in #2481 and #2536, and
depends on those PRs.
@smlx mentioned this pull request Feb 25, 2021 (3 tasks)
@smlx force-pushed the network-policies branch 2 times, most recently from 38804c3 to 66d43a8, March 3, 2021 13:07
@smlx force-pushed the network-policies branch from 66d43a8 to 09491bc, March 8, 2021 14:30
smlx added a commit to uselagoon/remote-controller that referenced this pull request Mar 8, 2021:
These feature flags integrate with these Lagoon PRs:

* uselagoon/lagoon#2523
* uselagoon/lagoon#2536
smlx added a commit to uselagoon/remote-controller that referenced this pull request Mar 10, 2021:
These feature flags integrate with these Lagoon PRs:

* uselagoon/lagoon#2523
* uselagoon/lagoon#2536
@smlx force-pushed the network-policies branch from 09491bc to 85a74e4, March 12, 2021 06:35
smlx added a commit that referenced this pull request Mar 12, 2021:
This documents the feature flags introduced in #2481 and #2536.
@smlx force-pushed the network-policies branch from 85a74e4 to a11179f, March 12, 2021 07:05
@smlx marked this pull request as ready for review March 12, 2021 07:13
smlx added a commit to uselagoon/remote-controller that referenced this pull request Mar 12, 2021:
These feature flags integrate with these Lagoon PRs:

* uselagoon/lagoon#2523
* uselagoon/lagoon#2536
@smlx force-pushed the network-policies branch from a11179f to d8f857f, April 1, 2021 06:21
Commit message:
This function extracts feature flag variables from either the build
environment, or the Lagoon project/environment env-vars.
@smlx force-pushed the network-policies branch 2 times, most recently from 508799d to 6ba9d45, October 20, 2021 13:55
@smlx force-pushed the network-policies branch from 6178720 to 5e7fd47, October 20, 2021 15:05

@tobybellwood (Member) commented:

Confirmed working in local branch.

[ci-active-standby-control-k8s]master-a@nginx:/app$ nc -zvw 5 nginx.ci-active-standby-control-k8s-master-a.svc 8080
nginx.ci-active-standby-control-k8s-master-a.svc (10.96.129.20:8080) open
[ci-active-standby-control-k8s]master-a@nginx:/app$ nc -zvw 5 nginx.ci-active-standby-control-k8s-master-b.svc 8080
nc: nginx.ci-active-standby-control-k8s-master-b.svc (10.96.246.9:8080): Operation timed out
[ci-active-standby-control-k8s]master-a@nginx:/app$ nc -zvw 5 lagoon-core-api.lagoon.svc 80
lagoon-core-api.lagoon.svc (10.96.116.69:80) open
[ci-active-standby-control-k8s]master-a@nginx:/app$ nc -zvw 5 minio.minio.svc 9000
minio.minio.svc (10.96.149.208:9000) open
[ci-active-standby-control-k8s]master-a@nginx:/app$ nc -zvw 5 registry-harbor-portal.registry.svc 80
registry-harbor-portal.registry.svc (10.96.226.103:80) open

Have also pushed a testing/network-policies branch with Calico CNI enabled for local/CI testing. Test to be developed.

@tobybellwood merged commit d16b93a into main Oct 27, 2021
@tobybellwood deleted the network-policies branch October 27, 2021 22:36
Labels: 9-security (Security subsystem)

3 participants