From 29f32a07acde592dbd5194392338376a55d7e4ef Mon Sep 17 00:00:00 2001 From: Tin Lam Date: Tue, 25 Sep 2018 09:16:33 -0500 Subject: [PATCH] Enable network policy enforcement This patch set updates the gate to use network policies by default for all components and to enforce them in Openstack-helm. Change-Id: I70c90b5808075797f02670f21481a4f968205325 Depends-On: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8 Co-Authored-By: Mike Pham 
Signed-off-by: Tin Lam --- barbican/templates/network_policy.yaml | 18 ++++ barbican/values.yaml | 20 +++++ ceilometer/templates/network_policy.yaml | 18 ++++ ceilometer/values.yaml | 6 ++ cinder/templates/network_policy.yaml | 18 ++++ cinder/values.yaml | 6 ++ congress/templates/network_policy.yaml | 18 ++++ congress/values.yaml | 6 ++ glance/templates/network_policy.yaml | 18 ++++ glance/values.yaml | 31 +++++++ heat/templates/network_policy.yaml | 18 ++++ heat/values.yaml | 24 ++++++ horizon/templates/network_policy.yaml | 18 ++++ horizon/values.yaml | 15 ++++ ironic/templates/network_policy.yaml | 18 ++++ ironic/values.yaml | 6 ++ keystone/templates/network_policy.yaml | 18 ++++ keystone/values.yaml | 66 +++++++++++++++ magnum/templates/network_policy.yaml | 18 ++++ magnum/values.yaml | 24 ++++++ mistral/templates/network_policy.yaml | 18 ++++ mistral/values.yaml | 23 ++++++ neutron/templates/network_policy.yaml | 18 ++++ neutron/values.yaml | 7 ++ nova/templates/network_policy.yaml | 22 +++++ nova/values.yaml | 11 +++ senlin/templates/network_policy.yaml | 18 ++++ senlin/values.yaml | 6 ++ tools/deployment/baremetal/110-compute-kit.sh | 1 + tools/deployment/common/memcached.sh | 55 +++++++++++++ tools/deployment/common/test-networkpolicy.sh | 50 +++++++++++ tools/deployment/developer/ceph/120-glance.sh | 1 + tools/deployment/developer/ceph/130-cinder.sh | 1 + .../deployment/developer/ceph/150-libvirt.sh | 10 +++ .../developer/ceph/160-compute-kit.sh | 3 + .../developer/common/030-ingress.sh | 82 ++++++++++++++++--- .../developer/common/049-lockdown.sh | 33 ++++++++ .../developer/common/050-mariadb.sh | 62 ++++++++++++++ .../developer/common/060-rabbitmq.sh | 62 ++++++++++++++ .../developer/common/080-keystone.sh | 1 + tools/deployment/developer/common/090-heat.sh | 1 + .../developer/common/100-horizon.sh | 1 + .../developer/common/140-openvswitch.sh | 10 +++ .../deployment/developer/ldap/080-keystone.sh | 24 ++++++ tools/deployment/developer/nfs/120-glance.sh 
| 1 + tools/deployment/developer/nfs/150-libvirt.sh | 10 +++ .../developer/nfs/160-compute-kit.sh | 3 + tools/gate/playbooks/dev-deploy-nfs.yaml | 22 +++++ 48 files changed, 930 insertions(+), 10 deletions(-) create mode 100644 barbican/templates/network_policy.yaml create mode 100644 ceilometer/templates/network_policy.yaml create mode 100644 cinder/templates/network_policy.yaml create mode 100644 congress/templates/network_policy.yaml create mode 100644 glance/templates/network_policy.yaml create mode 100644 heat/templates/network_policy.yaml create mode 100644 horizon/templates/network_policy.yaml create mode 100644 ironic/templates/network_policy.yaml create mode 100644 keystone/templates/network_policy.yaml create mode 100644 magnum/templates/network_policy.yaml create mode 100644 mistral/templates/network_policy.yaml create mode 100644 neutron/templates/network_policy.yaml create mode 100644 nova/templates/network_policy.yaml create mode 100644 senlin/templates/network_policy.yaml create mode 100755 tools/deployment/common/test-networkpolicy.sh create mode 100755 tools/deployment/developer/common/049-lockdown.sh diff --git a/barbican/templates/network_policy.yaml b/barbican/templates/network_policy.yaml new file mode 100644 index 0000000000..985eb56a30 --- /dev/null +++ b/barbican/templates/network_policy.yaml 
@@ -0,0 +1,18 @@ +# Copyright 2017-2018 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "barbican" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/barbican/values.yaml b/barbican/values.yaml index 7ff18a39c9..ab1daf3228 100644 --- a/barbican/values.yaml +++ b/barbican/values.yaml @@ -177,6 +177,25 @@ network: enabled: false port: 39486 +network_policy: + barbican: + ingress: + - from: + - podSelector: + matchLabels: + application: barbican + - podSelector: + matchLabels: + application: ingress + - podSelector: + matchLabels: + application: horizon + ports: + - protocol: TCP + port: 80 + - protocol: TCP + port: 9311 + bootstrap: enabled: false ks_user: barbican @@ -651,6 +670,7 @@ manifests: pdb_api: true pod_test: true secret_db: true + network_policy: false secret_ingress_tls: true secret_keystone: true secret_rabbitmq: true diff --git a/ceilometer/templates/network_policy.yaml b/ceilometer/templates/network_policy.yaml new file mode 100644 index 0000000000..c301f06cf8 --- /dev/null +++ b/ceilometer/templates/network_policy.yaml 
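Review bot: The new `network_policy: false` key in the `manifests:` map is placed after `secret_db` here and after `pod_rally_test` or `pod_test` in the other values.yaml hunks, while the surrounding keys are kept alphabetical; `network_policy` belongs between the `job_*` entries and `pdb_api`. The same placement applies to the manifests hunks of the ceilometer, cinder, congress, glance, heat, horizon, ironic, keystone, magnum, mistral, neutron, nova and senlin values.yaml. Keeping the map sorted lets a reader see at a glance which manifests a chart renders, which matters for a flag that gates a security control.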
@@ -0,0 +1,18 @@ +# Copyright 2017-2018 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ceilometer" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/ceilometer/values.yaml b/ceilometer/values.yaml index 4e0a87b1b6..502196793f 100644 --- a/ceilometer/values.yaml +++ b/ceilometer/values.yaml @@ -2061,6 +2061,11 @@ pod: memory: "1024Mi" cpu: "2000m" +network_policy: + ceilometer: + ingress: + - {} + manifests: configmap_bin: true configmap_etc: true @@ -2082,6 +2087,7 @@ manifests: job_rabbit_init: true pdb_api: true pod_rally_test: true + network_policy: false secret_db: true secret_keystone: true secret_mongodb: true diff --git a/cinder/templates/network_policy.yaml b/cinder/templates/network_policy.yaml new file mode 100644 index 0000000000..31b0f6ecec --- /dev/null +++ b/cinder/templates/network_policy.yaml 
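Review bot: `ingress: - {}` is an empty rule, which admits traffic from every source on every port, so the ceilometer policy selects the pods but restricts nothing; unlike the neutron and nova values, this hunk does not mark that as a known gap. The cinder, congress, ironic and senlin values.yaml hunks carry the same allow-all rule without a note. Add the marker the neutron chart uses, `# TODO(lamt): Need to tighten this ingress for security.`, or list the expected callers and ports as the barbican and glance policies do, so the permissive default is not mistaken for an enforced one.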
@@ -0,0 +1,18 @@ +# Copyright 2017-2018 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "cinder" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/cinder/values.yaml b/cinder/values.yaml index 19289ef589..cd3eb1a261 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml @@ -1244,6 +1244,11 @@ endpoints: metrics: default: 24220 +network_policy: + cinder: + ingress: + - {} + manifests: configmap_bin: true configmap_etc: true @@ -1268,6 +1273,7 @@ manifests: pdb_api: true pod_rally_test: true pvc_backup: true + network_policy: false secret_db: true secret_ingress_tls: true secret_keystone: true diff --git a/congress/templates/network_policy.yaml b/congress/templates/network_policy.yaml new file mode 100644 index 0000000000..d3b7f4f79b --- /dev/null +++ b/congress/templates/network_policy.yaml 
@@ -0,0 +1,18 @@ +# Copyright 2017-2018 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "congress" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/congress/values.yaml b/congress/values.yaml index b0afb48cfb..c90d3a1bf9 100644 --- a/congress/values.yaml +++ b/congress/values.yaml @@ -343,6 +343,11 @@ policy: - nova poll_time: 120 +network_policy: + congress: + ingress: + - {} + conf: congress: DEFAULT: @@ -609,6 +614,7 @@ manifests: job_ks_endpoints: true job_ks_service: true job_ks_user: true + network_policy: false secret_db: true secret_keystone: true service_api: true diff --git a/glance/templates/network_policy.yaml b/glance/templates/network_policy.yaml new file mode 100644 index 0000000000..3ad0ba8840 --- /dev/null +++ b/glance/templates/network_policy.yaml 
@@ -0,0 +1,18 @@ +# Copyright 2017-2018 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "glance" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/glance/values.yaml b/glance/values.yaml index 5897a2099d..5ae9863601 100644 --- a/glance/values.yaml +++ b/glance/values.yaml @@ -83,6 +83,36 @@ ceph_client: configmap: ceph-etc user_secret_name: pvc-ceph-client-key +network_policy: + glance: + ingress: + - from: + - podSelector: + matchLabels: + application: glance + - podSelector: + matchLabels: + application: nova + - podSelector: + matchLabels: + application: horizon + - podSelector: + matchLabels: + application: ingress + - podSelector: + matchLabels: + application: heat + - podSelector: + matchLabels: + application: ironic + ports: + - protocol: TCP + port: 80 + - protocol: TCP + port: 9191 + - protocol: TCP + port: 9292 + conf: rally_tests: run_tempest: false @@ -887,6 +917,7 @@ manifests: pdb_registry: false pod_rally_test: true pvc_images: true + network_policy: false secret_db: true secret_ingress_tls: true secret_keystone: true diff --git a/heat/templates/network_policy.yaml b/heat/templates/network_policy.yaml new file mode 100644 index 0000000000..6d5b76923f --- /dev/null +++ b/heat/templates/network_policy.yaml 
@@ -0,0 +1,18 @@ +# Copyright 2017-2018 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "heat" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/heat/values.yaml b/heat/values.yaml index 6c19656d38..5d37081bc6 100644 --- a/heat/values.yaml +++ b/heat/values.yaml @@ -1116,6 +1116,29 @@ pod: memory: "1024Mi" cpu: "2000m" +network_policy: + heat: + ingress: + - from: + - podSelector: + matchLabels: + application: heat + - podSelector: + matchLabels: + application: ingress + - podSelector: + matchLabels: + application: horizon + ports: + - protocol: TCP + port: 80 + - protocol: TCP + port: 8000 + - protocol: TCP + port: 8003 + - protocol: TCP + port: 8004 + manifests: configmap_bin: true configmap_etc: true @@ -1142,6 +1165,7 @@ manifests: pdb_cfn: true pdb_cloudwatch: false pod_rally_test: true + network_policy: false secret_db: true secret_ingress_tls: true secret_keystone: true diff --git a/horizon/templates/network_policy.yaml b/horizon/templates/network_policy.yaml new file mode 100644 index 0000000000..cb6110e82b --- /dev/null +++ b/horizon/templates/network_policy.yaml 
@@ -0,0 +1,18 @@ +# Copyright 2017-2018 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "horizon" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/horizon/values.yaml b/horizon/values.yaml index 65d93b4d59..f6806cc725 100644 --- a/horizon/values.yaml +++ b/horizon/values.yaml @@ -2061,6 +2061,20 @@ endpoints: mysql: default: 3306 +network_policy: + horizon: + ingress: + - from: + - podSelector: + matchLabels: + application: horizon + - podSelector: + matchLabels: + application: ingress + - namespaceSelector: + matchLabels: + name: kube-system + manifests: configmap_bin: true configmap_etc: true @@ -2071,6 +2085,7 @@ manifests: job_db_drop: false job_image_repo_sync: true pdb: true + network_policy: false secret_db: true secret_ingress_tls: true service_ingress: true diff --git a/ironic/templates/network_policy.yaml b/ironic/templates/network_policy.yaml new file mode 100644 index 0000000000..256b1fc660 --- /dev/null +++ b/ironic/templates/network_policy.yaml 
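Review bot: The `namespaceSelector` with `matchLabels: name: kube-system` only matches if the kube-system namespace actually carries a `name: kube-system` label, which Kubernetes does not set by itself; unless the deployment scripts label the namespace (not visible in this hunk), that entry matches nothing. The rule also has no `ports:` list, so the selected peers may reach every port on horizon pods, whereas the barbican and heat policies enumerate their listeners. Suggest a comment above the selector, `# kube-system must be labelled name=kube-system for this entry to match`, and a `ports:` list naming the horizon listeners.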
@@ -0,0 +1,18 @@ +# Copyright 2017-2018 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ironic" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/ironic/values.yaml b/ironic/values.yaml index aeb2348f58..40129b02a2 100644 --- a/ironic/values.yaml +++ b/ironic/values.yaml @@ -652,6 +652,11 @@ pod: memory: "1024Mi" cpu: "2000m" +network_policy: + ironic: + ingress: + - {} + manifests: configmap_bin: true configmap_etc: true @@ -668,6 +673,7 @@ manifests: job_manage_cleaning_network: true job_rabbit_init: true pdb_api: true + network_policy: false secret_db: true secret_keystone: true secret_rabbitmq: true diff --git a/keystone/templates/network_policy.yaml b/keystone/templates/network_policy.yaml new file mode 100644 index 0000000000..14e05ce7aa --- /dev/null +++ b/keystone/templates/network_policy.yaml 
@@ -0,0 +1,18 @@ +# Copyright 2017-2018 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "keystone" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/keystone/values.yaml b/keystone/values.yaml index 7ac8c928e4..6a824ea0fa 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml 
@@ -340,6 +340,71 @@ jobs: success: 3 failed: 1 +network_policy: + keystone: + ingress: + - from: + - podSelector: + matchLabels: + application: ceph + - podSelector: + matchLabels: + application: ingress + - podSelector: + matchLabels: + application: keystone + - podSelector: + matchLabels: + application: heat + - podSelector: + matchLabels: + application: glance + - podSelector: + matchLabels: + application: cinder + - podSelector: + matchLabels: + application: congress + - podSelector: + matchLabels: + application: barbican + - podSelector: + matchLabels: + application: ceilometer + - podSelector: + matchLabels: + application: horizon + - podSelector: + matchLabels: + application: ironic + - podSelector: + matchLabels: + application: magnum + - podSelector: + matchLabels: + application: mistral + - podSelector: + matchLabels: + application: nova + - podSelector: + matchLabels: + application: neutron + - podSelector: + matchLabels: + application: senlin + - podSelector: + matchLabels: + application: placement + ports: + - protocol: TCP + port: 80 + - protocol: TCP + port: 443 + - protocol: TCP + port: 5000 + - protocol: TCP + port: 35357 + conf: keystone: DEFAULT: @@ -1068,6 +1133,7 @@ manifests: job_rabbit_init: true pdb_api: true pod_rally_test: true + network_policy: false secret_credential_keys: true secret_db: true secret_fernet_keys: true diff --git a/magnum/templates/network_policy.yaml b/magnum/templates/network_policy.yaml new file mode 100644 index 0000000000..cb39d20c27 --- /dev/null +++ b/magnum/templates/network_policy.yaml 
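Review bot: A `podSelector` without a `namespaceSelector` only matches pods in the policy's own namespace, so the `application: ceph` entry admits ceph pods only if they run in the same namespace as keystone; if ceph is deployed elsewhere the entry is dead, and if it targets a specific ceph component that should be stated. Port 443 is also allowed although no keystone listener on 443 appears in this change, so that entry may be unused. A short comment on the `ceph` entry, `# admits ceph pods in the keystone namespace (confirm which component needs keystone)`, and dropping or justifying the 443 entry would make the allowlist easier to audit.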
@@ -0,0 +1,18 @@ +# Copyright 2017-2018 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "magnum" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/magnum/values.yaml b/magnum/values.yaml index f6dc3376b4..aaf0712a2e 100644 --- a/magnum/values.yaml +++ b/magnum/values.yaml @@ -601,6 +601,29 @@ pod: memory: "1024Mi" cpu: "2000m" + +network_policy: + magnum: + ingress: + - from: + - podSelector: + matchLabels: + application: magnum + - podSelector: + matchLabels: + application: horizon + - podSelector: + matchLabels: + application: ingress + - podSelector: + matchLabels: + application: heat + ports: + - protocol: TCP + port: 80 + - protocol: TCP + port: 9511 + manifests: configmap_bin: true configmap_etc: true @@ -617,6 +640,7 @@ manifests: job_ks_user: true job_rabbit_init: true pdb_api: true + network_policy: false secret_db: true secret_keystone: true secret_rabbitmq: true diff --git a/mistral/templates/network_policy.yaml b/mistral/templates/network_policy.yaml new file mode 100644 index 0000000000..5ce9106cff --- /dev/null +++ b/mistral/templates/network_policy.yaml 
@@ -0,0 +1,18 @@ +# Copyright 2017-2018 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "mistral" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/mistral/values.yaml b/mistral/values.yaml index 4a84f73fb4..9e28adb612 100644 --- a/mistral/values.yaml +++ b/mistral/values.yaml @@ -675,6 +675,28 @@ pod: memory: "1024Mi" cpu: "2000m" +network_policy: + mistral: + ingress: + - from: + - podSelector: + matchLabels: + application: mistral + - podSelector: + matchLabels: + application: horizon + - podSelector: + matchLabels: + application: ingress + - podSelector: + matchLabels: + application: heat + ports: + - protocol: TCP + port: 80 + - protocol: TCP + port: 8989 + manifests: configmap_bin: true configmap_etc: true @@ -692,6 +714,7 @@ manifests: job_rabbit_init: true pdb_api: true pod_rally_test: true + network_policy: false secret_db: true secret_keystone: true secret_rabbitmq: true diff --git a/neutron/templates/network_policy.yaml b/neutron/templates/network_policy.yaml new file mode 100644 index 0000000000..34fec0f9ef --- /dev/null +++ b/neutron/templates/network_policy.yaml 
@@ -0,0 +1,18 @@ +# Copyright 2017-2018 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "neutron" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/neutron/values.yaml b/neutron/values.yaml index 75690a64f4..6534590e15 100644 --- a/neutron/values.yaml +++ b/neutron/values.yaml @@ -1858,6 +1858,12 @@ endpoints: metrics: default: 24220 +network_policy: + neutron: + # TODO(lamt): Need to tighten this ingress for security. + ingress: + - {} + manifests: configmap_bin: true configmap_etc: true @@ -1880,6 +1886,7 @@ manifests: job_rabbit_init: true pdb_server: true pod_rally_test: true + network_policy: false secret_db: true secret_ingress_tls: true secret_keystone: true diff --git a/nova/templates/network_policy.yaml b/nova/templates/network_policy.yaml new file mode 100644 index 0000000000..6b44ace0b8 --- /dev/null +++ b/nova/templates/network_policy.yaml 
@@ -0,0 +1,22 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "nova" }} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "placement" }} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/nova/values.yaml b/nova/values.yaml index 2dd76cca5b..4edf5c6083 100644 --- a/nova/values.yaml +++ b/nova/values.yaml @@ -2234,6 +2234,16 @@ pod: memory: "1024Mi" cpu: "2000m" +network_policy: + nova: + # TODO(lamt): Need to tighten this ingress for security. + ingress: + - {} + placement: + # TODO(lamt): Need to tighten this ingress for security. + ingress: + - {} + manifests: configmap_bin: true configmap_etc: true @@ -2270,6 +2280,7 @@ manifests: pdb_placement: true pdb_osapi: true pod_rally_test: true + network_policy: false secret_db_api: true secret_db: true secret_ingress_tls: true diff --git a/senlin/templates/network_policy.yaml b/senlin/templates/network_policy.yaml new file mode 100644 index 0000000000..a4f368b64a --- /dev/null +++ b/senlin/templates/network_policy.yaml 
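Review bot: The nova template differs in style from the thirteen sibling network_policy.yaml templates added in this change: it wraps the license in a `{{/* … */}}` block instead of `#` comments, and its `dict` lines end with `}}` rather than `-}}`. The second `$netpol_opts :=` also redeclares the variable instead of assigning to it; a distinct name such as `$placement_opts` would avoid relying on shadowing. Aligning with the other templates keeps the chart set uniform.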
@@ -0,0 +1,18 @@ +# Copyright 2017-2018 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "senlin" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/senlin/values.yaml b/senlin/values.yaml index e6a3a0b891..faa5378ac9 100644 --- a/senlin/values.yaml +++ b/senlin/values.yaml @@ -633,6 +633,11 @@ pod: memory: "1024Mi" cpu: "2000m" +network_policy: + senlin: + ingress: + - {} + manifests: configmap_bin: true configmap_etc: true @@ -651,6 +656,7 @@ manifests: job_rabbit_init: true pdb_api: true pod_test: true + network_policy: false secret_db: true secret_keystone: true secret_rabbitmq: true diff --git a/tools/deployment/baremetal/110-compute-kit.sh b/tools/deployment/baremetal/110-compute-kit.sh index d2dc86957d..25ff2883dc 100755 --- a/tools/deployment/baremetal/110-compute-kit.sh +++ b/tools/deployment/baremetal/110-compute-kit.sh @@ -69,6 +69,7 @@ EOF helm upgrade --install neutron ./neutron \ --namespace=openstack \ --values=/tmp/neutron.yaml \ + --set manifests.network_policy=true \ ${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS_NEUTRON} diff --git a/tools/deployment/common/memcached.sh b/tools/deployment/common/memcached.sh index 5891a6a298..0aeeb59fcd 100755 --- a/tools/deployment/common/memcached.sh +++ b/tools/deployment/common/memcached.sh 
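Review bot: Only the neutron `helm upgrade` in this script gains `--set manifests.network_policy=true` (the diffstat shows a single insertion for the file), whereas the developer compute-kit scripts receive three lines; if this script also installs nova (outside the hunk), that release keeps the chart default of `network_policy: false`, so the nova and placement policies would not be rendered in the baremetal gate. If that is intended, a comment on the nova `helm upgrade` saying so would help; otherwise add the same `--set manifests.network_policy=true \` line there.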
@@ -20,10 +20,65 @@ set -xe : ${OSH_INFRA_PATH:="../openstack-helm-infra"} make -C ${OSH_INFRA_PATH} memcached +tee /tmp/memcached.yaml <