diff --git a/Makefile b/Makefile index 381b283bac..86d978a96c 100644 --- a/Makefile +++ b/Makefile @@ -266,6 +266,9 @@ K8S_SLEEP_DURATION_FOR_WAIT_COMMAND ?= 5 K8S_KUBECTL_VERSION ?= $(eval K8S_KUBECTL_VERSION := $(shell kubectl version --short))$(K8S_KUBECTL_VERSION) K8S_SERVER_VERSION ?= $(eval K8S_SERVER_VERSION := $(shell echo "$(K8S_KUBECTL_VERSION)" | sed -e "s/.*Server.*\(v[0-9]\.[0-9]*\)\..*/\1/g"))$(K8S_SERVER_VERSION) +# values file to use when deploying sample vald cluster with make k8s/vald/deploy +HELM_VALUES ?= charts/vald/values/dev.yaml + COMMA := , SHELL = bash diff --git a/Makefile.d/k8s.mk b/Makefile.d/k8s.mk index 14bd1ff390..a2a33afd24 100644 --- a/Makefile.d/k8s.mk +++ b/Makefile.d/k8s.mk @@ -17,17 +17,17 @@ ## clean k8s manifests k8s/manifest/clean: rm -rf \ - k8s/agent \ - k8s/discoverer \ - k8s/gateway \ - k8s/manager + k8s/agent \ + k8s/discoverer \ + k8s/gateway \ + k8s/manager .PHONY: k8s/manifest/update ## update k8s manifests using helm templates k8s/manifest/update: \ k8s/manifest/clean helm template \ - --values charts/vald/values/dev.yaml \ + --values $(HELM_VALUES) \ --output-dir $(TEMP_DIR) \ charts/vald mkdir -p k8s/gateway @@ -61,7 +61,7 @@ k8s/manifest/helm-operator/update: \ ## deploy vald sample cluster to k8s k8s/vald/deploy: helm template \ - --values charts/vald/values/dev.yaml \ + --values $(HELM_VALUES) \ --set defaults.image.tag=$(VERSION) \ --set agent.image.repository=$(CRORG)/$(AGENT_IMAGE) \ --set agent.sidecar.image.repository=$(CRORG)/$(AGENT_SIDECAR_IMAGE) \ @@ -71,6 +71,7 @@ k8s/vald/deploy: --set manager.index.image.repository=$(CRORG)/$(MANAGER_INDEX_IMAGE) \ --output-dir $(TEMP_DIR) \ charts/vald + @echo "Permitting error because there's nothing to apply when network policy is disabled" kubectl apply -f $(TEMP_DIR)/vald/templates/manager/index kubectl apply -f $(TEMP_DIR)/vald/templates/agent kubectl apply -f $(TEMP_DIR)/vald/templates/discoverer 
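Review bot: The added `@echo "Permitting error because there's nothing to apply when network policy is disabled"` announces a tolerated failure, yet none of the `kubectl apply` lines in this hunk carries the `-` prefix, so the message either refers to a line outside the hunk or describes nothing; the k8s/vald/deploy recipe continues past the hunk. If one apply is expected to fail on an empty manifest, put the `-` on that single kubectl line with the echo directly above it, so the reader can see exactly which failure is ignored. Ignoring apply errors more broadly would also hide a failed apply of the agent, discoverer or index manifests, which is how a cluster ends up running without the isolation this commit introduces.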
@@ -82,7 +83,7 @@ k8s/vald/deploy: ## delete vald sample cluster from k8s k8s/vald/delete: helm template \ - --values charts/vald/values/dev.yaml \ + --values $(HELM_VALUES) \ --set defaults.image.tag=$(VERSION) \ --set agent.image.repository=$(CRORG)/$(AGENT_IMAGE) \ --set agent.sidecar.image.repository=$(CRORG)/$(AGENT_SIDECAR_IMAGE) \ @@ -132,7 +133,7 @@ k8s/vr/deploy: \ k8s/metrics/metrics-server/deploy yq eval \ '{"apiVersion": "vald.vdaas.org/v1", "kind": "ValdRelease", "metadata":{"name":"vald-cluster"}, "spec": .}' \ - charts/vald/values/dev.yaml \ + $(HELM_VALUES) \ | kubectl apply -f - .PHONY: k8s/vr/delete diff --git a/charts/vald/templates/agent/networkpolicy.yaml b/charts/vald/templates/agent/networkpolicy.yaml new file mode 100644 index 0000000000..94820e4b26 --- /dev/null +++ b/charts/vald/templates/agent/networkpolicy.yaml 
@@ -0,0 +1,47 @@
+#
+# Copyright (C) 2019-2023 vdaas.org vald team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+{{- $agent := .Values.agent -}}
+{{- $lb := .Values.gateway.lb -}}
+{{- $index := .Values.manager.index -}}
+{{- if .Values.defaults.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: agent-allow
+spec:
+ podSelector:
+ matchLabels:
+ app: {{ $agent.name }}
+ policyTypes:
+ - Ingress
+ # Deny all egress traffic by default
+ - Egress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Release.Namespace }}
+ podSelector:
+ matchLabels:
+ app: {{ $lb.name }}
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Release.Namespace }}
+ podSelector:
+ matchLabels:
+ app: {{ $index.name }}
+{{- end }}
diff --git a/charts/vald/templates/discoverer/networkpolicy.yaml b/charts/vald/templates/discoverer/networkpolicy.yaml
new file mode 100644
index 0000000000..4622ecf182
--- /dev/null
+++ b/charts/vald/templates/discoverer/networkpolicy.yaml
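Review bot: The agent policy lists Egress in policyTypes but declares no egress rules, so every outbound connection from the agent pod is denied, including the kube-system (DNS) egress that the discoverer, lb and index policies in this commit all allow; if agent.sidecar, whose image the k8s.mk hunks set separately, presumably needs to reach external storage, it will be blocked silently. Either add the same kube-system egress entry the sibling policies use, or make the intent explicit on the `- Egress` line, e.g. `# Egress is intentionally empty: the agent initiates no outbound connections; revisit if agent.sidecar is enabled`. Separately, every selector here and in the discoverer, gateway/filter, gateway/lb and manager/index policies keys on `kubernetes.io/metadata.name`, which the API server sets on namespaces only from Kubernetes 1.21 onward; on older clusters these selectors match nothing and the allow rules are silently empty, which is worth stating in the values.yaml description.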
@@ -0,0 +1,54 @@
+#
+# Copyright (C) 2019-2023 vdaas.org vald team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+{{- $discoverer := .Values.discoverer -}}
+{{- $lb := .Values.gateway.lb -}}
+{{- $index := .Values.manager.index -}}
+{{- if .Values.defaults.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: discoverer-allow
+spec:
+ podSelector:
+ matchLabels:
+ app: {{ $discoverer.name }}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Release.Namespace }}
+ podSelector:
+ matchLabels:
+ app: {{ $lb.name }}
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Release.Namespace }}
+ podSelector:
+ matchLabels:
+ app: {{ $index.name }}
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+{{- end }}
diff --git a/charts/vald/templates/gateway/filter/networkpolicy.yaml b/charts/vald/templates/gateway/filter/networkpolicy.yaml
new file mode 100644
index 0000000000..1dc420b225
--- /dev/null
+++ b/charts/vald/templates/gateway/filter/networkpolicy.yaml
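Review bot: The egress rule admits only pods in kube-system, but the discoverer presumably has to reach the Kubernetes API server to watch pods and nodes, and on most managed clusters the API server endpoint is not a kube-system pod (hostNetwork control-plane pods are matched by a namespaceSelector only on some CNIs), so enabling this policy is likely to cut the discoverer off from the API. An explicit `ipBlock` for the API server address, or a values-driven extra egress entry, is needed before `defaults.networkPolicy.enabled` can default to true; until then a comment on the `egress:` list stating that API-server reachability is not covered would keep operators from being surprised. The ingress side admits every pod in kube-system rather than a named component; if that is for metrics scraping or probes, a comment saying so would make the breadth deliberate.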
@@ -0,0 +1,33 @@
+#
+# Copyright (C) 2019-2023 vdaas.org vald team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+{{- $lb := .Values.gateway.lb -}}
+{{- $filter := .Values.gateway.filter -}}
+{{- if .Values.defaults.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: filter-allow
+spec:
+ podSelector:
+ matchLabels:
+ app: {{ $filter.name }}
+ policyTypes:
+ - Egress
+ egress:
+ # allow all the egress to communicate with user-defined filters
+ - {}
+{{- end }}
diff --git a/charts/vald/templates/gateway/lb/networkpolicy.yaml b/charts/vald/templates/gateway/lb/networkpolicy.yaml
new file mode 100644
index 0000000000..6f9172564e
--- /dev/null
+++ b/charts/vald/templates/gateway/lb/networkpolicy.yaml
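Review bot: policyTypes lists only Egress, so this policy leaves ingress to the filter gateway entirely unrestricted, and the single `- {}` egress rule allows every destination; the net effect is a policy that constrains nothing, which the comment should say plainly so nobody reads the presence of a `filter-allow` object as isolation once `defaults.networkPolicy.enabled` is on. Suggest replacing the comment above `- {}` with `# Egress is deliberately unrestricted so user-defined filters can be reached; ingress is not restricted by this policy at all. Narrow both once the filter endpoints are known.`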
@@ -0,0 +1,61 @@
+#
+# Copyright (C) 2019-2023 vdaas.org vald team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+{{- $agent := .Values.agent -}}
+{{- $lb := .Values.gateway.lb -}}
+{{- $filter := .Values.gateway.filter -}}
+{{- $discoverer := .Values.discoverer -}}
+{{- if .Values.defaults.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: lb-allow
+spec:
+ podSelector:
+ matchLabels:
+ app: {{ $lb.name }}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Release.Namespace }}
+ podSelector:
+ matchLabels:
+ app: {{ $filter.name }}
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Release.Namespace }}
+ podSelector:
+ matchLabels:
+ app: {{ $agent.name }}
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Release.Namespace }}
+ podSelector:
+ matchLabels:
+ app: {{ $discoverer.name }}
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+{{- end }}
diff --git a/charts/vald/templates/manager/index/networkpolicy.yaml b/charts/vald/templates/manager/index/networkpolicy.yaml
new file mode 100644
index 0000000000..aa0fd6fa1a
--- /dev/null
+++ b/charts/vald/templates/manager/index/networkpolicy.yaml
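Review bot: The ingress rule admits only kube-system pods and the filter gateway, so once the policy is enabled every other caller of the lb gateway — an ingress controller living in its own namespace, or application pods in another namespace — is denied, and the lb is the component external clients are expected to reach. A values-driven list of extra ingress peers (namespaceSelector or ipBlock) is needed before the values.yaml TODO flips the default to true; until then a comment on `ingress:` such as `# Only the filter gateway and kube-system may call the lb; external clients need an additional allow rule` makes the limitation visible to whoever enables the flag.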
@@ -0,0 +1,54 @@
+#
+# Copyright (C) 2019-2023 vdaas.org vald team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+{{- $agent := .Values.agent -}}
+{{- $discoverer := .Values.discoverer -}}
+{{- $index := .Values.manager.index -}}
+{{- if .Values.defaults.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: index-allow
+spec:
+ podSelector:
+ matchLabels:
+ app: {{ $index.name }}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Release.Namespace }}
+ podSelector:
+ matchLabels:
+ app: {{ $agent.name }}
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Release.Namespace }}
+ podSelector:
+ matchLabels:
+ app: {{ $discoverer.name }}
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+{{- end }}
diff --git a/charts/vald/values.yaml b/charts/vald/values.yaml
index 00eb253be8..fcdd68b327 100644
--- a/charts/vald/values.yaml
+++ b/charts/vald/values.yaml
@@ -830,6 +830,13 @@ defaults:
 # @schema {"name": "defaults.observability.trace.enabled", "type": "boolean"}
 # defaults.observability.trace.enabled -- trace enabled
 enabled: false
+ # @schema {"name": "defaults.networkPolicy", "type": "object", "anchor": "networkPolicy"}
+ networkPolicy:
+ # @schema {"name": "defaults.networkPolicy.enabled", "type": "boolean"}
+ # defaults.networkPolicy.enabled -- if network policy enabled
+ # TODO: Change this to true after implementing user custom network policy parser
+ enabled: false
+
 # @schema {"name": "gateway", "type": "object"}
 gateway:
 # @schema {"name": "gateway.lb", "type": "object"}
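Review bot: The description `defaults.networkPolicy.enabled -- if network policy enabled` does not tell an operator what the flag does or what it requires: the templates in this commit render one NetworkPolicy per Vald component with deny-by-default semantics, and a NetworkPolicy is enforced only when the cluster's CNI implements it, so on a cluster without such a plugin the objects are accepted by the API server and silently do nothing. Suggest expanding the doc line to `defaults.networkPolicy.enabled -- create per-component NetworkPolicies restricting traffic between Vald components (deny-by-default). Requires a CNI that enforces NetworkPolicy; external clients of the lb gateway and the discoverer's API-server access need additional allow rules.` The TODO is fine as a reminder, but the enforcement caveat belongs in the rendered description rather than only in a TODO.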