infrastructure/kubernetes_monitoring
2
0
Fork 0
Code Issues 6 Pull Requests Actions Projects Releases 3 Wiki Activity

refactor(network_policy): move network policy to template

Browse Source 
!8
This commit is contained in:
Jon Lockwood
2024-02-05 11:31:39 +09:30
parent 36ee3a10ff
commit 49bf414caa
2 changed files with 294 additions and 273 deletions
Download Patch File Download Diff File Expand all files Collapse all files

297
templates/NetworkPolicy.yaml
View File

@ -1,5 +1,5 @@
{{ range .Values.nfc_monitoring.network_policy.policies }}
{{- if .Values.nfc_monitoring.network_policy.enabled -}}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
@ -13,10 +13,301 @@ metadata:
name: {{ .name | replace "_" "-" }}
namespace: {{ (get $.Values.nfc_monitoring .name ).namespace }}
spec:
{{ toYaml .policy | nindent 2 }}
- name: prometheus
policy:
egress: # ToDo: add further restrictions to egress. is variable lookup possible to obtain values????
# - {}
- to: # Alert Manager
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: alerting
podSelector:
matchLabels:
app.kubernetes.io/instance: {{ $.Release.Name }}
app.kubernetes.io/component: alert-router
app.kubernetes.io/name: alertmanager
ports:
- port: 9093
protocol: TCP
- to: # Ceph
- ipBlock:
cidr: 172.16.10.0/24
ports:
- port: 9283
protocol: TCP
- to: # Grafana
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: grafana
podSelector:
matchLabels:
app.kubernetes.io/component: graphing
app.kubernetes.io/instance: {{ $.Release.Name }}
app.kubernetes.io/name: grafana
ports:
- port: 3000
protocol: TCP
- to: # Grafana Agent
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: monitoring
podSelector:
matchLabels:
app.kubernetes.io/instance: {{ $.Release.Name }}
app.kubernetes.io/component: exporter
app.kubernetes.io/name: grafana-agent
ports:
- port: 12345
protocol: TCP
- to: # Kube DNS
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- port: 53
protocol: TCP
- port: 53
protocol: UDP
- to:
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
# namespaceSelector:
# matchLabels:
# kubernetes.io/metadata.name: monitoiring
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: metrics
ports: []
- {} # ToDo: Temp rule: Allow All. this rule MUST be removed when egress has been refactored
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
# namespaceSelector:
# matchLabels:
# kubernetes.io/metadata.name: monitoiring
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: metrics
ports: []
# - port: 8080
# protocol: TCP
# - port: 9090
# protocol: TCP
# - port: 10901
# protocol: TCP
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: grafana
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: grafana
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus-adapter
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: monitoring
ports:
- port: 9090
protocol: TCP
- from: []
ports: []
policyTypes:
- Egress
- Ingress
podSelector:
matchLabels:
{{ toYaml (get $.Values.nfc_monitoring .name ).labels | nindent 6 }}
{{ toYaml $.Values.nfc_monitoring.prometheus.labels | nindent 6 }}
app.kubernetes.io/instance: {{ $.Release.Name }}
app.kubernetes.io/part-of: {{ $.Chart.Name }}
app.kubernetes.io/managed-by: {{ $.Release.Service }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
{{ toYaml (get $.Values.nfc_monitoring .name ).labels | nindent 4 }}
app.kubernetes.io/instance: {{ $.Release.Name }}
app.kubernetes.io/managed-by: {{ $.Release.Service }}
app.kubernetes.io/part-of: {{ $.Chart.Name }}
app.kubernetes.io/version: {{ $.Chart.Version }}
name: {{ .name | replace "_" "-" }}
namespace: {{ (get $.Values.nfc_monitoring .name ).namespace }}
spec:
- name: grafana
policy:
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: alerting
podSelector:
matchLabels:
app.kubernetes.io/instance: {{ $.Release.Name }}
app.kubernetes.io/component: alert-router
app.kubernetes.io/name: alertmanager
ports:
- port: 9093
protocol: TCP
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: logging
podSelector:
matchLabels:
app.kubernetes.io/component: gateway
app.kubernetes.io/instance: loki
app.kubernetes.io/name: loki
ports:
- port: 80 # Service Port
protocol: TCP
- port: 8080 # Pod Port
protocol: TCP
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: monitoring
podSelector:
matchLabels:
app.kubernetes.io/component: prometheus
app.kubernetes.io/instance: {{ $.Release.Name }}
app.kubernetes.io/name: prometheus
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: metrics
podSelector:
matchLabels:
app.kubernetes.io/component: query-layer
app.kubernetes.io/instance: thanos-query
app.kubernetes.io/name: thanos-query
ports:
- port: 9090
protocol: TCP
- to: [] # Requires internet access for plugins and dashboard downloading
ports:
- port: 443
protocol: TCP
- to: # Kube DNS
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- port: 53
protocol: TCP
- port: 53
protocol: UDP
ingress:
- from: []
ports:
- port: 3000
protocol: TCP
policyTypes:
- Egress
- Ingress
podSelector:
matchLabels:
{{ toYaml $.Values.nfc_monitoring.grafana.labels | nindent 8 }}
app.kubernetes.io/instance: {{ $.Release.Name }}
app.kubernetes.io/managed-by: {{ $.Release.Service }}
app.kubernetes.io/part-of: {{ $.Chart.Name }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
{{ toYaml (get $.Values.nfc_monitoring .name ).labels | nindent 4 }}
app.kubernetes.io/instance: {{ $.Release.Name }}
app.kubernetes.io/managed-by: {{ $.Release.Service }}
app.kubernetes.io/part-of: {{ $.Chart.Name }}
app.kubernetes.io/version: {{ $.Chart.Version }}
name: {{ .name | replace "_" "-" }}
namespace: {{ (get $.Values.nfc_monitoring .name ).namespace }}
spec:
- name: grafana_agent
policy:
egress:
- to: # Logging
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: logging
podSelector:
matchLabels:
app.kubernetes.io/component: gateway
app.kubernetes.io/instance: loki
app.kubernetes.io/name: loki
ports:
- port: 80
protocol: TCP
- to: # Kube DNS
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- port: 53
protocol: TCP
- port: 53
protocol: UDP
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: monitoring
podSelector:
matchLabels:
app.kubernetes.io/component: prometheus
app.kubernetes.io/name: prometheus
ports:
- port: 12345
protocol: TCP
policyTypes:
- Egress
- Ingress
podSelector:
matchLabels:
{{ toYaml $.Values.nfc_monitoring.grafana_agent.labels | nindent 8 }}
app.kubernetes.io/instance: {{ $.Release.Name }}
app.kubernetes.io/managed-by: {{ $.Release.Service }}
app.kubernetes.io/part-of: {{ $.Chart.Name }}
{{ end }}

270
values.yaml
View File

@ -439,276 +439,6 @@ nfc_monitoring:
enabled: false
# Network Policies to apply. These policies are automagically build using the values below.
# What you would find under path root.spec belongs here.
#
# Do:
# - Define 'Ingress'
# - Define 'Egress'
# - Ensure that the name matches the item name from values.yaml. i.e. nfc_monitoring.{item_name}
# for prometheus the item name is 'prometheus'. This value is used to select items pertaining to
# that item from values.yaml. for example the labels and namespace.
# Dont:
# - Define 'podSelector' as this is alreaady included using the selector labels
policies:
### SoF Network Policy: Prometheus ###
- name: prometheus
policy:
egress: # ToDo: add further restrictions to egress. is variable lookup possible to obtain values????
# - {}
- to: # Alert Manager
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: alerting
podSelector:
matchLabels:
app.kubernetes.io/instance: main
app.kubernetes.io/component: alert-router
app.kubernetes.io/name: alertmanager
ports:
- port: 9093
protocol: TCP
- to: # Ceph
- ipBlock:
cidr: 172.16.10.0/24
ports:
- port: 9283
protocol: TCP
- to: # Grafana
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: grafana
podSelector:
matchLabels:
app.kubernetes.io/component: graphing
app.kubernetes.io/instance: k8s
app.kubernetes.io/name: grafana
ports:
- port: 3000
protocol: TCP
- to: # Grafana Agent
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: monitoring
podSelector:
matchLabels:
app.kubernetes.io/instance: k8s
app.kubernetes.io/component: exporter
app.kubernetes.io/name: grafana-agent
ports:
- port: 12345
protocol: TCP
- to: # Kube DNS
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- port: 53
protocol: TCP
- port: 53
protocol: UDP
- to:
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
# namespaceSelector:
# matchLabels:
# kubernetes.io/metadata.name: monitoiring
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: metrics
ports: []
- {} # ToDo: Temp rule: Allow All. this rule MUST be removed when egress has been refactored
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
# namespaceSelector:
# matchLabels:
# kubernetes.io/metadata.name: monitoiring
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: metrics
ports: []
# - port: 8080
# protocol: TCP
# - port: 9090
# protocol: TCP
# - port: 10901
# protocol: TCP
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: grafana
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: grafana
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus-adapter
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: monitoring
ports:
- port: 9090
protocol: TCP
- from: []
ports: []
policyTypes:
- Egress
- Ingress
### SoF Network Policy: Grafana ###
- name: grafana
policy:
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: alerting
podSelector:
matchLabels:
app.kubernetes.io/instance: main
app.kubernetes.io/component: alert-router
app.kubernetes.io/name: alertmanager
ports:
- port: 9093
protocol: TCP
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: logging
podSelector:
matchLabels:
app.kubernetes.io/component: gateway
app.kubernetes.io/instance: loki
app.kubernetes.io/name: loki
ports:
- port: 80 # Service Port
protocol: TCP
- port: 8080 # Pod Port
protocol: TCP
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: monitoring
podSelector:
matchLabels:
app.kubernetes.io/component: prometheus
app.kubernetes.io/instance: k8s
app.kubernetes.io/name: prometheus
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: metrics
podSelector:
matchLabels:
app.kubernetes.io/component: query-layer
app.kubernetes.io/instance: thanos-query
app.kubernetes.io/name: thanos-query
ports:
- port: 9090
protocol: TCP
- to: [] # Requires internet access for plugins and dashboard downloading
ports:
- port: 443
protocol: TCP
- to: # Kube DNS
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- port: 53
protocol: TCP
- port: 53
protocol: UDP
ingress:
- from: []
ports:
- port: 3000
protocol: TCP
policyTypes:
- Egress
- Ingress
### SoF Network Policy: Grafana Agent ###
- name: grafana_agent
policy:
egress:
- to: # Logging
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: logging
podSelector:
matchLabels:
app.kubernetes.io/component: gateway
app.kubernetes.io/instance: loki
app.kubernetes.io/name: loki
ports:
- port: 80
protocol: TCP
- to: # Kube DNS
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- port: 53
protocol: TCP
- port: 53
protocol: UDP
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: monitoring
podSelector:
matchLabels:
app.kubernetes.io/component: prometheus
app.kubernetes.io/name: prometheus
ports:
- port: 12345
protocol: TCP
policyTypes:
- Egress
- Ingress
loki_instance:
image: