From 95a6a2e875a613ff2b06d407f6da5ecb607e125f Mon Sep 17 00:00:00 2001
From: Mike Pham
Date: Wed, 31 Oct 2018 11:00:48 -0400
Subject: [PATCH] Enable Egress policy enforcement

This PS is enable the Egress policies and enforces them in Openstack-helm.

Depends-On: Icbe2a18c98dba795d15398dcdcac64228f6a7b4c
Change-Id: I6ef3cd157749fd562acb2f89ad44e63be4f7e975
---
 cinder/values.yaml | 15 +++++++++
 glance/values.yaml | 18 ++++++++++
 heat/values.yaml | 29 ++++++++++++++++
 horizon/values.yaml | 13 ++++++++
 keystone/values.yaml | 22 +++++++++++++
 neutron/values.yaml | 15 +++++++++
 nova/values.yaml | 33 +++++++++++++++++++
 .../deployment/developer/ceph/150-libvirt.sh | 10 +-----
 .../developer/common/140-openvswitch.sh | 11 +------
 tools/deployment/developer/nfs/150-libvirt.sh | 10 +-----
 10 files changed, 148 insertions(+), 28 deletions(-)

diff --git a/cinder/values.yaml b/cinder/values.yaml
index cd3eb1a261..63689c5881 100644
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@@ -1243,11 +1243,26 @@ endpoints:
 default: 24224
 metrics:
 default: 24220
+ #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+ # They are using to enable the Egress K8s network policy.
+ k8s:
+ port:
+ api:
+ default: 6443
+ internal: 5000
+ default:
+ namespace: default
+ kube_system:
+ namespace: kube-system
+ kube_public:
+ namespace: kube-public
 network_policy:
 cinder:
 ingress:
 - {}
+ egress:
+ - {}
 manifests:
 configmap_bin: true
diff --git a/glance/values.yaml b/glance/values.yaml
index 5ae9863601..ac64f09fae 100644
--- a/glance/values.yaml
+++ b/glance/values.yaml
@@ -112,6 +112,8 @@ network_policy:
 port: 9191
 - protocol: TCP
 port: 9292
+ egress:
+ - {}
 conf:
 rally_tests:
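Review bot: `egress:` / `- {}` under `network_policy.cinder` is an empty rule, which in a NetworkPolicy allows all egress, so enabling the Egress policyType here enforces nothing for cinder; the same allow-all egress rule is added for glance in the next hunk and for neutron, nova and placement later in the patch. If the intent is to land the wiring first and tighten per service later, carry the existing ingress TODO over so the rule is not mistaken for a restrictive policy, e.g. `# TODO: egress is allow-all until service-specific rules are defined`. The `#NOTE(tp6510)` comment in the same hunk should read `# NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.` / `# They are used to enable the Egress K8s network policy.` (space after `#`, "used" rather than "using"); the identical comment is repeated in every chart touched by this patch.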
@@ -758,6 +760,21 @@ endpoints:
 default: 24224
 metrics:
 default: 24220
+ #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+ # They are using to enable the Egress K8s network policy.
+ k8s:
+ port:
+ api:
+ default: 6443
+ internal: 5000
+ http:
+ default: 80
+ default:
+ namespace: default
+ kube_system:
+ namespace: kube-system
+ kube_public:
+ namespace: kube-public
 pod:
 user:
@@ -926,3 +943,4 @@ manifests:
 service_ingress_registry: false
 service_api: true
 service_registry: false
+
diff --git a/heat/values.yaml b/heat/values.yaml
index 5d37081bc6..a3c257235f 100644
--- a/heat/values.yaml
+++ b/heat/values.yaml
@@ -935,6 +935,21 @@ endpoints:
 default: 24224
 metrics:
 default: 24220
+ #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+ # They are using to enable the Egress K8s network policy.
+ k8s:
+ port:
+ api:
+ default: 6443
+ internal: 5000
+ http:
+ default: 80
+ default:
+ namespace: default
+ kube_system:
+ namespace: kube-system
+ kube_public:
+ namespace: kube-public
 pod:
 user:
@@ -1138,6 +1153,20 @@ network_policy:
 port: 8003
 - protocol: TCP
 port: 8004
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ application: neutron
+ - podSelector:
+ matchLabels:
+ application: nova
+ - podSelector:
+ matchLabels:
+ application: glance
+ - podSelector:
+ matchLabels:
+ application: cinder
 manifests:
 configmap_bin: true
diff --git a/horizon/values.yaml b/horizon/values.yaml
index f6806cc725..4c0d5d4bfd 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -2060,6 +2060,19 @@ endpoints:
 port:
 mysql:
 default: 3306
+ #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+ # They are using to enable the Egress K8s network policy.
+ k8s:
+ port:
+ api:
+ default: 6443
+ internal: 5000
+ default:
+ namespace: default
+ kube_system:
+ namespace: kube-system
+ kube_public:
+ namespace: kube-public
 network_policy:
 horizon:
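Review bot: `k8s.port.http` (`default: 80`) appears only in the glance and heat `k8s` endpoint blocks; cinder, horizon, keystone, neutron and nova omit it, and nothing in the patch says what consumes it, so it is either unused in glance and heat or missing from the other charts. A line in the NOTE naming the consumer, e.g. `# http: used for <consumer placeholder>`, would settle that. Separately, if the dependent helm-toolkit template turns the `default`, `kube_system` and `kube_public` entries into namespaceSelector rules, the result allows egress to every pod in those namespaces rather than just DNS and the apiserver the comment describes; where the template supports ports, restricting the kube-system rule to 53/UDP and 53/TCP would narrow it. The third glance hunk adds only a trailing blank line at end of file and can be dropped.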
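Review bot: the heat egress rule only allows traffic to pods labelled `application` neutron, nova, glance or cinder, yet heat must at least reach keystone for token validation and presumably its database and message-queue backends, none of which appear in the rule. Unless the helm-toolkit change this patch depends on derives those rules from the endpoints section, heat loses them the moment egress is enforced; if the toolkit does generate them, the NOTE should say so, e.g. `# DNS/apiserver/backend egress rules are generated from endpoints; only inter-service rules are listed here`. Note also that a `to` entry carrying only a `podSelector` matches pods in the policy's own namespace, which works while every service shares one namespace but silently drops any target deployed elsewhere.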
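Review bot: horizon receives the `k8s` endpoint block but, unlike every other chart in this patch, no `egress:` key under `network_policy.horizon`; the hunk ends at the `network_policy:` / `horizon:` context lines and the diffstat shows only these 13 additions. If the toolkit template emits the Egress policyType whenever the k8s endpoints exist, horizon would end up with an egress policy that allows nothing; if it keys on the `egress` value instead, the endpoints are dead weight here. A one-line comment stating which is intended, e.g. `# egress policy intentionally not enabled for horizon`, would remove the ambiguity.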
diff --git a/keystone/values.yaml b/keystone/values.yaml
index 6a824ea0fa..440c16c1f3 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -404,6 +404,15 @@ network_policy:
 port: 5000
 - protocol: TCP
 port: 35357
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: ceph
+ - to:
+ - podSelector:
+ matchLabels:
+ application: ceph
 conf:
 keystone:
@@ -1114,6 +1123,19 @@ endpoints:
 default: 24224
 metrics:
 default: 24220
+ #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+ # They are using to enable the Egress K8s network policy.
+ k8s:
+ port:
+ api:
+ default: 6443
+ internal: 5000
+ default:
+ namespace: default
+ kube_system:
+ namespace: kube-system
+ kube_public:
+ namespace: kube-public
 manifests:
 configmap_bin: true
diff --git a/neutron/values.yaml b/neutron/values.yaml
index 6534590e15..5c16c51629 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -1857,12 +1857,27 @@ endpoints:
 default: 24224
 metrics:
 default: 24220
+ #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+ # They are using to enable the Egress K8s network policy.
+ k8s:
+ port:
+ api:
+ default: 6443
+ internal: 5000
+ default:
+ namespace: default
+ kube_system:
+ namespace: kube-system
+ kube_public:
+ namespace: kube-public
 network_policy:
 neutron:
 # TODO(lamt): Need to tighten this ingress for security.
 ingress:
 - {}
+ egress:
+ - {}
 manifests:
 configmap_bin: true
diff --git a/nova/values.yaml b/nova/values.yaml
index 6b25205f30..8abe711f47 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -1982,6 +1982,19 @@ endpoints:
 default: 24224
 metrics:
 default: 24220
+ #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+ # They are using to enable the Egress K8s network policy.
+ k8s:
+ port:
+ api:
+ default: 6443
+ internal: 5000
+ default:
+ namespace: default
+ kube_system:
+ namespace: kube-system
+ kube_public:
+ namespace: kube-public
 pod:
 user:
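Review bot: the two keystone egress `to` entries do not compose as the author likely intended: the `namespaceSelector` entry with `name: ceph` allows egress to every pod in any namespace carrying that label, while the separate `podSelector` entry with `application: ceph` only matches pods in keystone's own namespace, so it is a no-op if ceph is deployed in its own namespace. If the goal is "ceph pods in the ceph namespace", put both selectors in one `to` element, where they are ANDed: `- to:` / `- namespaceSelector: {matchLabels: {name: ceph}}` / `podSelector: {matchLabels: {application: ceph}}`. Why keystone needs egress to ceph at all is not obvious from this chart and deserves a comment, and the `name: ceph` label must actually be applied to that namespace for the first entry to match anything.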
@@ -2238,10 +2251,30 @@ network_policy:
 # TODO(lamt): Need to tighten this ingress for security.
 ingress:
 - {}
+ egress:
+ - {}
+ - to:
+ - podSelector:
+ matchLabels:
+ application: ceph
+ - podSelector:
+ matchLabels:
+ application: ingress
+ - podSelector:
+ matchLabels:
+ application: openvswitch
+ - podSelector:
+ matchLabels:
+ application: libvirt
+ - podSelector:
+ matchLabels:
+ application: cinder
 placement:
 # TODO(lamt): Need to tighten this ingress for security.
 ingress:
 - {}
+ egress:
+ - {}
 manifests:
 configmap_bin: true
diff --git a/tools/deployment/developer/ceph/150-libvirt.sh b/tools/deployment/developer/ceph/150-libvirt.sh
index bc4a097802..3484fc5b27 100755
--- a/tools/deployment/developer/ceph/150-libvirt.sh
+++ b/tools/deployment/developer/ceph/150-libvirt.sh
@@ -19,19 +19,11 @@ set -xe
 : ${OSH_INFRA_PATH:="../openstack-helm-infra"}
 make -C ${OSH_INFRA_PATH} libvirt
-tee /tmp/libvirt.yaml <
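Review bot: in `network_policy.nova.egress` the first rule `- {}` allows all egress by itself, and NetworkPolicy rules are ORed, so the following `to` rule listing the ceph, ingress, openvswitch, libvirt and cinder pod selectors never restricts anything — either drop `- {}` so the selectors take effect, or drop the selectors and carry the ingress block's TODO over to egress so the allow-all is visibly deliberate. If `- {}` is removed, the selector list would need at least keystone, glance, neutron and placement (and presumably the database and messaging backends) added before nova can function, and the libvirt and openvswitch entries match only pods in nova's own namespace. The `placement` egress added in the same hunk is the same allow-all `- {}`.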