Update egress HTK method

This patch set places logic to generate kubernetes egress network policy rule based on the dependencies specified in values.yaml. This also sets up the necessary default network policy for the OSH gate. Change-Id: I1ac649cc9debb5d1f4ea0a32f506dcda4d8b8536 Signed-off-by: Tin Lam <tin@irrational.io>
2019-09-03 14:59:59 -05:00 · 2019-09-03 14:59:59 -05:00 · 3121fc24c5
parent 092709d875
commit 3121fc24c5
7 changed files with 216 additions and 33 deletions
--- a/ceph-rgw/templates/network_policy.yaml
+++ b/ceph-rgw/templates/network_policy.yaml
@ -13,6 +13,6 @@
 # limitations under the License.

 {{- if .Values.manifests.network_policy -}}
-{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ceph" -}}
+{{- $netpol_opts := dict "envAll" . "key" "rgw" "labels" (dict "application" "ceph" "component" "rgw") -}}
 {{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
 {{- end -}}
--- a/ceph-rgw/values.yaml
+++ b/ceph-rgw/values.yaml
@ -157,9 +157,11 @@ pod:
        cpu: "2000m"

 network_policy:
-  ceph:
+  rgw:
    ingress:
      - {}
+    egress:
+      - {}

 ceph_client:
  configmap: ceph-etc
@ -532,6 +534,22 @@ endpoints:
    port:
      mon:
        default: 6789
+  kube_dns:
+    namespace: kube-system
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns_tcp:
+        default: 53
+      dns:
+        default: 53
+        protocol: UDP

 manifests:
  configmap_ceph_templates: true
--- a/ceph-rgw/values_overrides/netpol.yaml
+++ b/ceph-rgw/values_overrides/netpol.yaml
@ -0,0 +1,20 @@
+manifests:
+  network_policy: true
+network_policy:
+  rgw:
+    egress:
+      - to:
+        - ipBlock:
+            cidr: 172.17.0.1/16
+      - to:
+        ports:
+          - protocol: TCP
+            port: 80
+          - protocol: TCP
+            port: 443
+      - to:
+        - ipBlock:
+            cidr: $API_ADDR/32
+        ports:
+          - protocol: TCP
+            port: $API_PORT
--- a/helm-toolkit/templates/manifests/_network_policy.tpl
+++ b/helm-toolkit/templates/manifests/_network_policy.tpl
@ -16,6 +16,23 @@ limitations under the License.
 abstract: |
  Creates a network policy manifest for services.
 values: |
+  endpoints:
+    kube_dns:
+      namespace: kube-system
+      name: kubernetes-dns
+      hosts:
+        default: kube-dns
+      host_fqdn_override:
+        default: null
+      path:
+        default: null
+      scheme: http
+      port:
+        dns_tcp:
+          default: 53
+        dns:
+          default: 53
+          protocol: UDP
  network_policy:
    myLabel:
      podSelector:
@ -30,19 +47,21 @@ values: |
        - protocol: TCP
          port: 80
      egress:
-      - ports:
-        - port: 53
-          protocol: UDP
-        to:
+      - to:
        - namespaceSelector:
            matchLabels:
-              name: kube-system
-          podSelector:
+              name: default
+        - namespaceSelector:
            matchLabels:
-              application: kubernetes
-              component: coredns
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
 usage: |
  {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+  {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
 return: |
  ---
  apiVersion: networking.k8s.io/v1
@ -67,21 +86,60 @@ return: |
      - protocol: TCP
        port: 80
    egress:
-    - ports:
-      - port: 53
-        protocol: UDP
-      to:
-      - namespaceSelector: {}
-        podSelector:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+  ---
+  apiVersion: networking.k8s.io/v1
+  kind: NetworkPolicy
+  metadata:
+    name: RELEASE-NAME
+    namespace: NAMESPACE
+  spec:
+    policyTypes:
+      - Ingress
+      - Egress
+    podSelector:
+      matchLabels:
+        application: myApp
+        component: myComp
+    ingress:
+    - from:
+      - podSelector:
          matchLabels:
-            application: kubernetes
-            component: coredns
+            application: keystone
+      ports:
+      - protocol: TCP
+        port: 80
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              name: default
+        - namespaceSelector:
+            matchLabels:
+              name: kube-public
+        ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
 */}}

 {{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
 {{- $envAll := index . "envAll" -}}
 {{- $name := index . "name" -}}
-{{- $label := index . "label" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@ -92,27 +150,33 @@ spec:
 {{- if hasKey (index $envAll.Values "network_policy") $label }}
  policyTypes:
 {{- $is_egress := false -}}
-{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" }}
-{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") }}
-{{ $is_egress = true }}
-{{- end }}
-{{- end }}
-{{ if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
    - Egress
-{{- end }}
+{{ end -}}
 {{- $is_ingress := false -}}
-{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" }}
-{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
 {{- $is_ingress = true -}}
-{{- end }}
-{{- end }}
-{{ if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
    - Ingress
-{{- end }}
+{{ end -}}
 {{- end }}
  podSelector:
    matchLabels:
+{{- if empty $labels }}
      {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+      {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
 {{- if hasKey (index $envAll.Values "network_policy") $label }}
 {{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
 {{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
@ -121,8 +185,47 @@ spec:
 {{ end }}
 {{ end }}
 {{- if hasKey (index $envAll.Values "network_policy") $label }}
-{{- if index $envAll.Values.network_policy $label "egress" }}
  egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+      ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
 {{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
 {{- end }}
 {{- end }}
--- a/mariadb/values_overrides/netpol.yaml
+++ b/mariadb/values_overrides/netpol.yaml
@ -1,2 +1,11 @@
 manifests:
  network_policy: true
+network_policy:
+  mariadb:
+    egress:
+      - to:
+        - ipBlock:
+            cidr: $API_ADDR/32
+        ports:
+          - protocol: TCP
+            port: $API_PORT
--- a/memcached/values_overrides/netpol.yaml
+++ b/memcached/values_overrides/netpol.yaml
@ -1,2 +1,11 @@
 manifests:
  network_policy: true
+network_policy:
+  memcached:
+    egress:
+      - to:
+        - ipBlock:
+            cidr: $API_ADDR/32
+        ports:
+          - protocol: TCP
+            port: $API_PORT
--- a/rabbitmq/values_overrides/netpol.yaml
+++ b/rabbitmq/values_overrides/netpol.yaml
@ -82,3 +82,27 @@ manifests:
    prometheus:
      network_policy_exporter: true
  network_policy: true
+network_policy:
+  rabbitmq:
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              application: rabbitmq
+        ports:
+          # Erlang port mapper daemon (epmd)
+          - protocol: TCP
+            port: 4369
+          # Rabbit clustering port AMQP + 20000
+          - protocol: TCP
+            port: 25672
+          # NOTE(lamt): Set by inet_dist_listen_{min/max}. Firewalls must
+          # permit traffic in this range to pass between clustered nodes.
+          # - protocol: TCP
+          #  port: 35197
+      - to:
+        - ipBlock:
+            cidr: $API_ADDR/32
+        ports:
+          - protocol: TCP
+            port: $API_PORT