diff --git a/templates/NetworkPolicy.yaml b/templates/NetworkPolicy.yaml index 49fa7f5..135f677 100644 --- a/templates/NetworkPolicy.yaml +++ b/templates/NetworkPolicy.yaml @@ -1,5 +1,5 @@ -{{ range .Values.nfc_monitoring.network_policy.policies }} +{{- if .Values.nfc_monitoring.network_policy.enabled -}} --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy 
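Review bot: Swapping the `range` for `{{- if ... -}}` on the new side of line 1 removes the only binding for the `.name` the rest of this template still reads (`name: {{ .name | replace "_" "-" }}`, `namespace: {{ (get $.Values.nfc_monitoring .name ).namespace }}` and the `labels` lookups in the next hunk), so inside the `if` the dot is the root context and `.name` resolves to nothing; the rendered objects get empty names and namespaces, or the `.namespace` access on what `get` returns for a nil key errors out. Each document now has a fixed identity, so those lines should name it directly, e.g. `name: prometheus` and `namespace: {{ $.Values.nfc_monitoring.prometheus.namespace }}`, with the matching `grafana` and `grafana-agent` values in the other two documents. The `{{ end }}` at the end of the file now closes this `if`; the `-}}` trim swallowing the newline before the first `---` is harmless since that is the first output line.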
@@ -13,10 +13,301 @@ metadata: name: {{ .name | replace "_" "-" }} namespace: {{ (get $.Values.nfc_monitoring .name ).namespace }} spec: - {{ toYaml .policy | nindent 2 }} + - name: prometheus + policy: + egress: # ToDo: add further restrictions to egress. is variable lookup possible to obtain values???? + # - {} + - to: # Alert Manager + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: alerting + podSelector: + matchLabels: + app.kubernetes.io/instance: {{ $.Release.Name }} + app.kubernetes.io/component: alert-router + app.kubernetes.io/name: alertmanager + ports: + - port: 9093 + protocol: TCP + + - to: # Ceph + - ipBlock: + cidr: 172.16.10.0/24 + ports: + - port: 9283 + protocol: TCP + + - to: # Grafana + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: grafana + podSelector: + matchLabels: + app.kubernetes.io/component: graphing + app.kubernetes.io/instance: {{ $.Release.Name }} + app.kubernetes.io/name: grafana + ports: + - port: 3000 + protocol: TCP + + - to: # Grafana Agent + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + podSelector: + matchLabels: + app.kubernetes.io/instance: {{ $.Release.Name }} + app.kubernetes.io/component: exporter + app.kubernetes.io/name: grafana-agent + ports: + - port: 12345 + protocol: TCP + + - to: # Kube DNS + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + + - to: + - podSelector: + matchLabels: + app.kubernetes.io/name: prometheus + # namespaceSelector: + # matchLabels: + # kubernetes.io/metadata.name: monitoiring + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: metrics + ports: [] + + - {} # ToDo: Temp rule: Allow All. 
this rule MUST be removed when egress has been refactored + + ingress: + + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: prometheus + # namespaceSelector: + # matchLabels: + # kubernetes.io/metadata.name: monitoiring + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: metrics + ports: [] + # - port: 8080 + # protocol: TCP + # - port: 9090 + # protocol: TCP + # - port: 10901 + # protocol: TCP + + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: grafana + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: grafana + - podSelector: + matchLabels: + app.kubernetes.io/name: prometheus-adapter + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + ports: + - port: 9090 + protocol: TCP + + - from: [] + ports: [] + + policyTypes: + - Egress + - Ingress podSelector: matchLabels: - {{ toYaml (get $.Values.nfc_monitoring .name ).labels | nindent 6 }} + {{ toYaml $.Values.nfc_monitoring.prometheus.labels | nindent 6 }} + app.kubernetes.io/instance: {{ $.Release.Name }} + app.kubernetes.io/part-of: {{ $.Chart.Name }} + app.kubernetes.io/managed-by: {{ $.Release.Service }} + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + {{ toYaml (get $.Values.nfc_monitoring .name ).labels | nindent 4 }} + app.kubernetes.io/instance: {{ $.Release.Name }} + app.kubernetes.io/managed-by: {{ $.Release.Service }} + app.kubernetes.io/part-of: {{ $.Chart.Name }} + app.kubernetes.io/version: {{ $.Chart.Version }} + name: {{ .name | replace "_" "-" }} + namespace: {{ (get $.Values.nfc_monitoring .name ).namespace }} +spec: + - name: grafana + policy: + egress: + + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: alerting + podSelector: + matchLabels: + app.kubernetes.io/instance: {{ $.Release.Name }} + app.kubernetes.io/component: alert-router + app.kubernetes.io/name: alertmanager + ports: + - port: 9093 + protocol: TCP + + - to: + - 
namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: logging + podSelector: + matchLabels: + app.kubernetes.io/component: gateway + app.kubernetes.io/instance: loki + app.kubernetes.io/name: loki + ports: + - port: 80 # Service Port + protocol: TCP + - port: 8080 # Pod Port + protocol: TCP + + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + podSelector: + matchLabels: + app.kubernetes.io/component: prometheus + app.kubernetes.io/instance: {{ $.Release.Name }} + app.kubernetes.io/name: prometheus + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: metrics + podSelector: + matchLabels: + app.kubernetes.io/component: query-layer + app.kubernetes.io/instance: thanos-query + app.kubernetes.io/name: thanos-query + ports: + - port: 9090 + protocol: TCP + + - to: [] # Requires internet access for plugins and dashboard downloading + ports: + - port: 443 + protocol: TCP + + - to: # Kube DNS + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + + ingress: + + - from: [] + ports: + - port: 3000 + protocol: TCP + policyTypes: + - Egress + - Ingress + + podSelector: + matchLabels: + {{ toYaml $.Values.nfc_monitoring.grafana.labels | nindent 8 }} + app.kubernetes.io/instance: {{ $.Release.Name }} + app.kubernetes.io/managed-by: {{ $.Release.Service }} + app.kubernetes.io/part-of: {{ $.Chart.Name }} + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + {{ toYaml (get $.Values.nfc_monitoring .name ).labels | nindent 4 }} + app.kubernetes.io/instance: {{ $.Release.Name }} + app.kubernetes.io/managed-by: {{ $.Release.Service }} + app.kubernetes.io/part-of: {{ $.Chart.Name }} + app.kubernetes.io/version: {{ $.Chart.Version }} + name: {{ .name | replace "_" "-" }} + namespace: {{ (get $.Values.nfc_monitoring .name ).namespace }} +spec: + - 
name: grafana_agent + policy: + egress: + + - to: # Logging + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: logging + podSelector: + matchLabels: + app.kubernetes.io/component: gateway + app.kubernetes.io/instance: loki + app.kubernetes.io/name: loki + ports: + - port: 80 + protocol: TCP + + - to: # Kube DNS + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + + ingress: + + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + podSelector: + matchLabels: + app.kubernetes.io/component: prometheus + app.kubernetes.io/name: prometheus + ports: + - port: 12345 + protocol: TCP + + policyTypes: + - Egress + - Ingress + + podSelector: + matchLabels: + {{ toYaml $.Values.nfc_monitoring.grafana_agent.labels | nindent 8 }} + app.kubernetes.io/instance: {{ $.Release.Name }} + app.kubernetes.io/managed-by: {{ $.Release.Service }} + app.kubernetes.io/part-of: {{ $.Chart.Name }} {{ end }} diff --git a/values.yaml b/values.yaml index ed1c1db..30d31c1 100644 --- a/values.yaml +++ b/values.yaml 
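Review bot: The `spec:` of each of the three documents is immediately followed by the `- name: prometheus` / `policy:` (and `grafana`, `grafana_agent`) list entry carried over from the old values list, so the rendered `spec` is a sequence rather than the NetworkPolicy mapping (`podSelector`, `policyTypes`, `ingress`, `egress`) and the API server will reject it; the surviving `podSelector` context lines then sit beside that list, though the lost indentation in this hunk makes the exact nesting hard to confirm. The prometheus document also keeps the `- {}` egress entry marked "Temp rule: Allow All" and an ingress entry of `- from: []` with `ports: []`; an empty `from`/`to` list or an empty `ports` list matches everything, so these two entries make every other rule in that policy moot and leave the Prometheus pods open in both directions, which belongs behind an explicit value rather than silently in the template. The namespaces `alerting`, `grafana`, `monitoring`, `logging`, `metrics` and the Ceph `cidr: 172.16.10.0/24` are now hard-coded in the template while `metadata.namespace` is still read from values; sourcing them from `$.Values.nfc_monitoring.<item>.namespace` (and a `ceph_cidr`-style value) keeps the policy aligned with where the chart actually deploys those components. The `if` enclosing this body opens in the previous hunk and closes at the `{{ end }}` here.

```yaml
spec:
  podSelector:
    matchLabels:
      {{ toYaml $.Values.nfc_monitoring.prometheus.labels | nindent 6 }}
      app.kubernetes.io/instance: {{ $.Release.Name }}
  policyTypes:
    - Egress
    - Ingress
  egress:
    # … unchanged: per-destination rules (alertmanager, ceph, grafana, grafana-agent, kube-dns, metrics) …
    # the trailing `- {}` allow-all entry is dropped
  ingress:
    # … unchanged: per-source rules (prometheus/metrics, grafana, prometheus-adapter) …
    # the trailing `- from: []` / `ports: []` entry is dropped
```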
@@ -439,276 +439,6 @@ nfc_monitoring: enabled: false - # Network Policies to apply. These policies are automagically build using the values below. - # What you would find under path root.spec belongs here. - # - # Do: - # - Define 'Ingress' - # - Define 'Egress' - # - Ensure that the name matches the item name from values.yaml. i.e. nfc_monitoring.{item_name} - # for prometheus the item name is 'prometheus'. This value is used to select items pertaining to - # that item from values.yaml. for example the labels and namespace. - # Dont: - # - Define 'podSelector' as this is alreaady included using the selector labels - policies: - -### SoF Network Policy: Prometheus ### - - - name: prometheus - policy: - egress: # ToDo: add further restrictions to egress. is variable lookup possible to obtain values???? - # - {} - - to: # Alert Manager - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: alerting - podSelector: - matchLabels: - app.kubernetes.io/instance: main - app.kubernetes.io/component: alert-router - app.kubernetes.io/name: alertmanager - ports: - - port: 9093 - protocol: TCP - - - to: # Ceph - - ipBlock: - cidr: 172.16.10.0/24 - ports: - - port: 9283 - protocol: TCP - - - to: # Grafana - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: grafana - podSelector: - matchLabels: - app.kubernetes.io/component: graphing - app.kubernetes.io/instance: k8s - app.kubernetes.io/name: grafana - ports: - - port: 3000 - protocol: TCP - - - to: # Grafana Agent - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: monitoring - podSelector: - matchLabels: - app.kubernetes.io/instance: k8s - app.kubernetes.io/component: exporter - app.kubernetes.io/name: grafana-agent - ports: - - port: 12345 - protocol: TCP - - - to: # Kube DNS - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - podSelector: - matchLabels: - k8s-app: kube-dns - ports: - - port: 53 - protocol: TCP - - port: 53 - protocol: UDP - - - to: 
- - podSelector: - matchLabels: - app.kubernetes.io/name: prometheus - # namespaceSelector: - # matchLabels: - # kubernetes.io/metadata.name: monitoiring - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: metrics - ports: [] - - - {} # ToDo: Temp rule: Allow All. this rule MUST be removed when egress has been refactored - - ingress: - - - from: - - podSelector: - matchLabels: - app.kubernetes.io/name: prometheus - # namespaceSelector: - # matchLabels: - # kubernetes.io/metadata.name: monitoiring - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: metrics - ports: [] - # - port: 8080 - # protocol: TCP - # - port: 9090 - # protocol: TCP - # - port: 10901 - # protocol: TCP - - - from: - - podSelector: - matchLabels: - app.kubernetes.io/name: grafana - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: grafana - - podSelector: - matchLabels: - app.kubernetes.io/name: prometheus-adapter - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: monitoring - ports: - - port: 9090 - protocol: TCP - - - from: [] - ports: [] - - policyTypes: - - Egress - - Ingress - -### SoF Network Policy: Grafana ### - - - name: grafana - policy: - egress: - - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: alerting - podSelector: - matchLabels: - app.kubernetes.io/instance: main - app.kubernetes.io/component: alert-router - app.kubernetes.io/name: alertmanager - ports: - - port: 9093 - protocol: TCP - - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: logging - podSelector: - matchLabels: - app.kubernetes.io/component: gateway - app.kubernetes.io/instance: loki - app.kubernetes.io/name: loki - ports: - - port: 80 # Service Port - protocol: TCP - - port: 8080 # Pod Port - protocol: TCP - - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: monitoring - podSelector: - matchLabels: - app.kubernetes.io/component: prometheus - app.kubernetes.io/instance: k8s - 
app.kubernetes.io/name: prometheus - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: metrics - podSelector: - matchLabels: - app.kubernetes.io/component: query-layer - app.kubernetes.io/instance: thanos-query - app.kubernetes.io/name: thanos-query - ports: - - port: 9090 - protocol: TCP - - - to: [] # Requires internet access for plugins and dashboard downloading - ports: - - port: 443 - protocol: TCP - - - to: # Kube DNS - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - podSelector: - matchLabels: - k8s-app: kube-dns - ports: - - port: 53 - protocol: TCP - - port: 53 - protocol: UDP - - ingress: - - - from: [] - ports: - - port: 3000 - protocol: TCP - policyTypes: - - Egress - - Ingress - -### SoF Network Policy: Grafana Agent ### - - - name: grafana_agent - policy: - egress: - - - to: # Logging - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: logging - podSelector: - matchLabels: - app.kubernetes.io/component: gateway - app.kubernetes.io/instance: loki - app.kubernetes.io/name: loki - ports: - - port: 80 - protocol: TCP - - - to: # Kube DNS - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - podSelector: - matchLabels: - k8s-app: kube-dns - ports: - - port: 53 - protocol: TCP - - port: 53 - protocol: UDP - - ingress: - - - from: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: monitoring - podSelector: - matchLabels: - app.kubernetes.io/component: prometheus - app.kubernetes.io/name: prometheus - ports: - - port: 12345 - protocol: TCP - - policyTypes: - - Egress - - Ingress - - loki_instance: image: