diff --git a/Makefile b/Makefile
index 209b4f6b8..2ed6b4009 100644
--- a/Makefile
+++ b/Makefile
@@ -94,6 +94,20 @@ generate-docs:
@md-gen gen --input schemas/public/kfddistribution-kfd-v1alpha2.json --output docs/schemas/kfddistribution-kfd-v1alpha2.md --overwrite --banner banners/kfddistribution.md
@md-gen gen --input schemas/public/ekscluster-kfd-v1alpha2.json --output docs/schemas/ekscluster-kfd-v1alpha2.md --overwrite --banner banners/ekscluster.md
+.PHONY: generate-np-diagrams
+generate-np-diagrams:
+ docker run --rm -v $(PWD)/docs/network-policies:/workdir minlag/mermaid-cli:latest -i "/workdir/overview.md" -o "/workdir/overview.png" -w 2048 -H 1536 -b white
+ docker run --rm -v $(PWD)/docs/network-policies/modules/auth:/workdir minlag/mermaid-cli:latest -i "/workdir/sso.md" -o "/workdir/sso.png" -w 2048 -H 1536 -b white
+ docker run --rm -v $(PWD)/docs/network-policies/modules/ingress:/workdir minlag/mermaid-cli:latest -i "/workdir/single.md" -o "/workdir/single.png" -w 2048 -H 1536 -b white
+ docker run --rm -v $(PWD)/docs/network-policies/modules/ingress:/workdir minlag/mermaid-cli:latest -i "/workdir/dual.md" -o "/workdir/dual.png" -w 2048 -H 1536 -b white
+ docker run --rm -v $(PWD)/docs/network-policies/modules/logging:/workdir minlag/mermaid-cli:latest -i "/workdir/loki.md" -o "/workdir/loki.png" -w 2048 -H 1536 -b white
+ docker run --rm -v $(PWD)/docs/network-policies/modules/logging:/workdir minlag/mermaid-cli:latest -i "/workdir/opensearch.md" -o "/workdir/opensearch.png" -w 2048 -H 1536 -b white
+ docker run --rm -v $(PWD)/docs/network-policies/modules/monitoring:/workdir minlag/mermaid-cli:latest -i "/workdir/mimir.md" -o "/workdir/mimir.png" -w 2048 -H 1536 -b white
+ docker run --rm -v $(PWD)/docs/network-policies/modules/monitoring:/workdir minlag/mermaid-cli:latest -i "/workdir/prometheus.md" -o "/workdir/prometheus.png" -w 2048 -H 1536 -b white
+ docker run --rm -v $(PWD)/docs/network-policies/modules/opa:/workdir minlag/mermaid-cli:latest -i "/workdir/gatekeeper.md" -o "/workdir/gatekeeper.png" -w 2048 -H 1536 -b white
+ docker run --rm -v $(PWD)/docs/network-policies/modules/opa:/workdir minlag/mermaid-cli:latest -i "/workdir/kyverno.md" -o "/workdir/kyverno.png" -w 2048 -H 1536 -b white
+ docker run --rm -v $(PWD)/docs/network-policies/modules/tracing:/workdir minlag/mermaid-cli:latest -i "/workdir/tempo.md" -o "/workdir/tempo.png" -w 2048 -H 1536 -b white
+
.PHONY: dump-private-schema
dump-private-schema:
@cat schemas/public/ekscluster-kfd-v1alpha2.json | \
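Review bot: Every new recipe line pulls `minlag/mermaid-cli:latest`, so each run may fetch a different tool build that then writes straight into the checked-in `docs/network-policies` tree; put the image in a variable pinned to a tag or digest (`MERMAID_CLI_IMAGE ?= minlag/mermaid-cli:<PINNED_TAG_OR_DIGEST>`) so regenerated diagrams are reproducible and a bump shows up in review. `$(PWD)` is inherited from the calling shell and is not updated by `make -C`; `$(CURDIR)` is the value Make itself sets, and the mount path should be quoted since it comes from the checkout location. The ten near-identical `docker run` lines can be one static pattern rule over a list of sources, which also turns the `.png` files into real targets that rebuild only when their `.md` changes.
```make
MERMAID_CLI_IMAGE ?= minlag/mermaid-cli:<PINNED_TAG_OR_DIGEST>
NP_DIAGRAM_SRCS := docs/network-policies/overview.md \
	docs/network-policies/modules/auth/sso.md \
	docs/network-policies/modules/ingress/single.md \
	docs/network-policies/modules/ingress/dual.md \
	docs/network-policies/modules/logging/loki.md \
	docs/network-policies/modules/logging/opensearch.md \
	docs/network-policies/modules/monitoring/mimir.md \
	docs/network-policies/modules/monitoring/prometheus.md \
	docs/network-policies/modules/opa/gatekeeper.md \
	docs/network-policies/modules/opa/kyverno.md \
	docs/network-policies/modules/tracing/tempo.md
NP_DIAGRAM_PNGS := $(NP_DIAGRAM_SRCS:.md=.png)

.PHONY: generate-np-diagrams
generate-np-diagrams: $(NP_DIAGRAM_PNGS) ## Render the network-policy mermaid diagrams to PNG

# One rule for all diagrams: mount only the source's directory and name the output after the target.
$(NP_DIAGRAM_PNGS): %.png: %.md
	docker run --rm -v "$(CURDIR)/$(<D):/workdir" $(MERMAID_CLI_IMAGE) \
		-i "/workdir/$(<F)" -o "/workdir/$(@F)" -w 2048 -H 1536 -b white
```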
diff --git a/defaults/ekscluster-kfd-v1alpha2.yaml b/defaults/ekscluster-kfd-v1alpha2.yaml
index 12bf6492d..41e37df57 100644
--- a/defaults/ekscluster-kfd-v1alpha2.yaml
+++ b/defaults/ekscluster-kfd-v1alpha2.yaml
@@ -15,7 +15,6 @@ data:
relativeVendorPath: "../../vendor"
provider:
type: eks
-
# the module section will be used to fine tune each module behaviour and configuration
modules:
# ingress module configuration
diff --git a/defaults/kfddistribution-kfd-v1alpha2.yaml b/defaults/kfddistribution-kfd-v1alpha2.yaml
index 39ab2fbb5..08a10f651 100644
--- a/defaults/kfddistribution-kfd-v1alpha2.yaml
+++ b/defaults/kfddistribution-kfd-v1alpha2.yaml
@@ -15,7 +15,6 @@ data:
relativeVendorPath: "../../vendor"
provider:
type: none
-
# the module section will be used to fine tune each module behaviour and configuration
modules:
# ingress module configuration
diff --git a/defaults/onpremises-kfd-v1alpha2.yaml b/defaults/onpremises-kfd-v1alpha2.yaml
index 755885e26..d2717c3ba 100644
--- a/defaults/onpremises-kfd-v1alpha2.yaml
+++ b/defaults/onpremises-kfd-v1alpha2.yaml
@@ -15,7 +15,7 @@ data:
relativeVendorPath: "../../vendor"
provider:
type: none
-
+ networkPoliciesEnabled: false
# the module section will be used to fine tune each module behaviour and configuration
modules:
# ingress module configuration
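Review bot: The new `networkPoliciesEnabled: false` default carries no comment, while the neighbouring sections in this file are annotated (`# the module section will be used to fine tune ...`), so a reader of the defaults has to go to the schema to learn what the flag does and that it is experimental. Suggest a one-line comment above it: `# EXPERIMENTAL: when true the core modules render their NetworkPolicies (a default deny-all plus explicit allows); when false none are rendered`. The two sibling defaults files in this commit only drop a blank line and do not gain the key, which is consistent with the schema change being limited to the onpremises kind.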
diff --git a/docs/network-policies/README.md b/docs/network-policies/README.md
new file mode 100644
index 000000000..5511fbb1e
--- /dev/null
+++ b/docs/network-policies/README.md
@@ -0,0 +1,24 @@
+# Network Policies Documentation
+
+This documentation describes all Network Policies of the KFD components for the OnPremises schema.
+
+## Modules
+- [Auth](modules/auth/README.md) - Pomerium SSO
+- [Ingress](modules/ingress/README.md) - Nginx (single/dual) + Cert-manager
+- [Logging](modules/logging/README.md) - OpenSearch/Loki
+- [Monitoring](modules/monitoring/README.md) - Prometheus/Mimir
+- [OPA](modules/opa/README.md) - Gatekeeper/Kyverno
+- [Tracing](modules/tracing/README.md) - Tempo
+
+## Common Patterns
+All namespaces include:
+- Default deny-all policy
+- DNS access to kube-dns
+- Prometheus metrics collection
+- Kubernetes API server access where needed
+
+## High Level Overview
+- [Overview](overview.md)
+
+## Instructions
+Generate the new Network Policies diagrams with `make generate-np-diagrams`.
\ No newline at end of file
diff --git a/docs/network-policies/modules/auth/README.md b/docs/network-policies/modules/auth/README.md
new file mode 100644
index 000000000..488d84b6b
--- /dev/null
+++ b/docs/network-policies/modules/auth/README.md
@@ -0,0 +1,16 @@
+# Auth Module Network Policies
+
+## Components
+- Pomerium
+
+## Namespaces
+- pomerium
+
+## Network Policies List
+- deny-all
+- all-egress-kube-dns
+- pomerium-ingress-nginx
+- pomerium-egress-all
+
+## Configurations
+- [SSO with Pomerium](sso.md)
diff --git a/docs/network-policies/modules/auth/sso.md b/docs/network-policies/modules/auth/sso.md
new file mode 100644
index 000000000..5d6b816f1
--- /dev/null
+++ b/docs/network-policies/modules/auth/sso.md
@@ -0,0 +1,53 @@
+# SSO with Pomerium
+
+```mermaid
+graph TD
+ %% Namespaces
+ subgraph ingress-nginx
+ nginx[Nginx Controller]
+ end
+
+ subgraph pomerium
+ pom[Pomerium
app: pomerium]
+ acme[ACME HTTP Solver
app: cert-manager]
+ end
+
+ subgraph monitoring
+ graf[Grafana]
+ prom[Prometheus]
+ am[Alertmanager]
+ minio_monitoring[MinIO]
+ end
+
+ subgraph logging
+ osd[OpenSearch Dashboards]
+ minio_logging[MinIO]
+ end
+
+ subgraph tracing
+ minio_tracing[MinIO]
+ end
+
+ subgraph gatekeer-system
+ gpm[Gatekeeper Policy Manager]
+ end
+
+ %% External and K8s Core Components
+ dns[Kube DNS]
+ ext[External]
+
+ %% Edges
+ pom -->|"53/UDP"| dns
+ nginx -->|"8080/TCP"| pom
+ nginx -->|"8089/TCP"| acme
+ prom -->|"9090/TCP metrics"| pom
+ pom -->|"443/TCP"| ext
+ pom -->|"3000/TCP"| graf
+ pom -->|"9090/TCP"| prom
+ pom -->|"9093/TCP"| am
+ pom -->|"5601/TCP"| osd
+ pom -->|"9001/TCP"| minio_logging
+ pom -->|"9001/TCP"| minio_tracing
+ pom -->|"9001/TCP"| minio_monitoring
+ pom -->|"8080/TCP"| gpm
+```
\ No newline at end of file
diff --git a/docs/network-policies/modules/ingress/README.md b/docs/network-policies/modules/ingress/README.md
new file mode 100644
index 000000000..23eb467df
--- /dev/null
+++ b/docs/network-policies/modules/ingress/README.md
@@ -0,0 +1,35 @@
+# Ingress Module Network Policies
+
+## Components
+- Nginx Ingress Controller (single/dual mode)
+- Cert-manager
+- Forecastle
+
+## Namespaces
+- ingress-nginx
+- cert-manager
+
+## Network Policies List
+
+### Cert-manager
+- deny-all
+- all-egress-kube-dns
+- cert-manager-egress-kube-apiserver
+- cert-manager-webhook-ingress-kube-apiserver
+- cert-manager-egress-https
+- cert-manager-ingress-prometheus-metrics
+- acme-http-solver-ingress-lets-encrypt
+
+### Ingress-nginx
+- deny-all
+- all-egress-kube-dns
+- forecastle-ingress-nginx
+- forecastle-egress-kube-apiserver
+- nginx-egress-all
+- all-ingress-nginx
+- nginx-ingress-prometheus-metric
+- external-dns
+
+## Configurations
+- [Single Nginx](single.md)
+- [Dual Nginx](dual.md)
diff --git a/docs/network-policies/modules/ingress/dual.md b/docs/network-policies/modules/ingress/dual.md
new file mode 100644
index 000000000..6b988d41d
--- /dev/null
+++ b/docs/network-policies/modules/ingress/dual.md
@@ -0,0 +1,33 @@
+# Dual Nginx Configuration
+
+```mermaid
+graph TD
+ %% Namespaces
+ subgraph ingress-nginx
+ nginx[Nginx Controller
app: ingress]
+ fc[Forecastle
app: forecastle]
+ end
+
+ subgraph cert-manager
+ cm[Cert Manager
app: cert-manager]
+ cmw[Cert Manager Webhook]
+ end
+
+ %% External and K8s Core Components
+ dns[Kube DNS]
+ api[Kubernetes API]
+ prom[Prometheus]
+ ext[External ACME / Internet]
+
+ %% Edges
+ nginx & cm -->|"53/UDP"| dns
+ cm -->|"6443/TCP"| api
+ fc -->|"6443/TCP"| api
+ api -->|"10250/TCP"| cmw
+ prom -->|"10254/TCP"| nginx
+ prom -->|"9402/TCP"| cm
+ cm -->|"443,80/TCP"| ext
+ all[All Namespaces] -->|"8080,8443,9443/TCP"| nginx
+ nginx -->|"egress: all"| all
+ nginx -->|"3000/TCP"| fc
+```
\ No newline at end of file
diff --git a/docs/network-policies/modules/ingress/single.md b/docs/network-policies/modules/ingress/single.md
new file mode 100644
index 000000000..b0f7b2054
--- /dev/null
+++ b/docs/network-policies/modules/ingress/single.md
@@ -0,0 +1,35 @@
+# Single Nginx Configuration
+
+```mermaid
+graph TD
+ %% Namespaces
+ subgraph ingress-nginx
+ nginx[Nginx Controller
app: ingress-nginx]
+ fc[Forecastle
app: forecastle]
+ edns[ExternalDNS
app: external-dns]
+ end
+
+ subgraph cert-manager
+ cm[Cert Manager
app: cert-manager]
+ cmw[Cert Manager Webhook]
+ end
+
+ %% External and K8s Core Components
+ dns[Kube DNS]
+ api[Kubernetes API]
+ prom[Prometheus]
+ ext[External / ACME]
+
+ %% Edges
+ nginx & cm -->|"53/UDP"| dns
+ cm -->|"6443/TCP"| api
+ fc -->|"6443/TCP"| api
+ api -->|"10250/TCP"| cmw
+ prom -->|"10254/TCP"| nginx
+ prom -->|"9402/TCP"| cm
+ cm -->|"443,80/TCP"| ext
+ all[All Namespaces] -->|"8080,8443,9443/TCP"| nginx
+ nginx -->|"egress: all"| all
+ nginx -->|"3000/TCP"| fc
+ edns --> |"egress: all"| ext
+```
\ No newline at end of file
diff --git a/docs/network-policies/modules/logging/README.md b/docs/network-policies/modules/logging/README.md
new file mode 100644
index 000000000..41fb930d9
--- /dev/null
+++ b/docs/network-policies/modules/logging/README.md
@@ -0,0 +1,53 @@
+# Logging Module Network Policies
+
+## Components
+- OpenSearch Stack
+- Loki Stack
+
+## Namespaces
+- logging
+
+## Network Policies List
+
+### Common Policies
+- deny-all
+- all-egress-kube-dns
+- event-tailer-egress-kube-apiserver
+- fluentd-egress-all
+- fluentbit-egress-fluentd
+- fluentbit-egress-kube-apiserver
+- fluentbit-ingress-prometheus-metrics
+- logging-operator-egress-kube-apiserver
+
+### OpenSearch Stack
+- fluentd-ingress-fluentbit
+- fluentd-ingress-prometheus-metrics
+- opensearch-discovery
+- opensearch-ingress-dashboards
+- opensearch-ingress-fluentd
+- opensearch-ingress-prometheus-metrics
+- opensearch-ingress-jobs
+- opensearch-dashboards-egress-opensearch
+- opensearch-dashboards-ingress-nginx
+- opensearch-dashboards-ingress-jobs
+- jobs-egress-opensearch
+
+### Loki Stack
+- loki-distributed-ingress-fluentd
+- loki-distributed-ingress-grafana
+- loki-distributed-ingress-prometheus-metrics
+- loki-distributed-discovery
+- loki-distributed-egress-all
+
+### MinIO
+- minio-ingress-namespace
+- minio-buckets-setup-egress-kube-apiserver
+- minio-buckets-setup-egress-minio
+- minio-ingress-prometheus-metrics
+- minio-ingress-nginx
+- minio-egress-https
+
+## Configurations
+- [OpenSearch Stack](opensearch.md)
+- [Loki Stack](loki.md)
+
diff --git a/docs/network-policies/modules/logging/loki.md b/docs/network-policies/modules/logging/loki.md
new file mode 100644
index 000000000..1b87f37ce
--- /dev/null
+++ b/docs/network-policies/modules/logging/loki.md
@@ -0,0 +1,52 @@
+# Loki Stack Configuration
+
+```mermaid
+graph TD
+ %% Namespaces
+ subgraph logging
+ fb[Fluentbit
app.kubernetes.io/name: fluentbit]
+ fd[Fluentd
app.kubernetes.io/name: fluentd]
+ loki_gateway[Loki Gateway
app.kubernetes.io/component: gateway]
+ loki_compactor[Loki Compactor
app.kubernetes.io/component: compactor]
+ loki_distributor[Loki Distributor
app.kubernetes.io/component: distributor]
+ loki_ingester[Loki Ingester
app.kubernetes.io/component: ingester]
+ loki_querier[Loki Querier
app.kubernetes.io/component: querier]
+ loki_query_frontend[Loki Query Frontend
app.kubernetes.io/component: query-frontend]
+ minio[MinIO
app: minio]
+ bucket[MinIO Bucket Setup
app: minio-logging-buckets-setup]
+ end
+
+ subgraph monitoring
+ prom[Prometheus]
+ graf[Grafana]
+ end
+
+ pom[Pomerium]
+
+ %% External and K8s Core Components
+ api[Kubernetes API]
+ ext[External]
+ dns[Kube DNS]
+
+ %% Edges
+ logging -->|"53/UDP"| dns
+ bucket -->|"6443/TCP"| api
+ fb -->|"24240/TCP"| fd
+ fd -->|"8080/TCP"| loki_gateway
+ prom -->|"3100/TCP"| loki_gateway
+ graf -->|"8080/TCP"| loki_gateway
+ prom -->|"2020/TCP"| fb
+ fb -->|"6443/TCP"| api
+ loki_query_frontend -->|"loki-discovery
9095,7946,3100/TCP"| loki_distributor
+ loki_distributor -->|"loki-discovery
9095,7946,3100/TCP"| loki_ingester
+ loki_querier -->|"loki-discovery
9095,7946,3100/TCP"| loki_ingester
+ loki_querier -->|"loki-discovery
9095,7946,3100/TCP"| loki_query_frontend
+ loki_compactor -->|"loki-discovery
9095,7946,3100/TCP"| loki_ingester
+ loki_compactor -->|"egress: all"| minio
+ loki_ingester -->|"egress: all"| minio
+ loki_querier -->|"egress: all"| minio
+ bucket -->|"9000/TCP"| minio
+ minio -->|"443/TCP"| ext
+ pom -->|"9001/TCP"| minio
+ minio -->|"9000/TCP"| logging
+```
\ No newline at end of file
diff --git a/docs/network-policies/modules/logging/opensearch.md b/docs/network-policies/modules/logging/opensearch.md
new file mode 100644
index 000000000..5cf5727eb
--- /dev/null
+++ b/docs/network-policies/modules/logging/opensearch.md
@@ -0,0 +1,48 @@
+# Opensearch Stack Configuration
+
+```mermaid
+graph TD
+ %% Namespace
+ subgraph logging
+ fb[Fluentbit
app.kubernetes.io/name: fluentbit]
+ fd[Fluentd
app.kubernetes.io/name: fluentd]
+ os[OpenSearch
app.kubernetes.io/name: opensearch]
+ osd[OpenSearch Dashboards
app: opensearch-dashboards]
+ minio[MinIO
app: minio]
+ bucket[MinIO Bucket Setup
app: minio-logging-buckets-setup]
+ op[Logging Operator
app.kubernetes.io/name: logging-operator]
+ et[Event Tailer
app.kubernetes.io/name: event-tailer]
+ job[OpenSearch Jobs]
+ end
+
+ %% External and K8s Core Components
+ api[Kubernetes API]
+ ext[External]
+ prom[Prometheus]
+ pom[Pomerium]
+ nginx[Nginx]
+ dns[Kube DNS]
+
+ %% Edges
+ logging --->|"53/UDP,TCP"| dns
+ fb -->|"6443/TCP"| api
+ et -->|"6443/TCP"| api
+ op -->|"6443/TCP"| api
+ bucket -->|"6443/TCP"| api
+ fb -->|"24240/TCP"| fd
+ fd -->|"egress: all"| os
+ osd -->|"9200/TCP"| os
+ pom -->|"5601/TCP"| osd
+ job -->|"5601/TCP"| osd
+ job -->|"9200/TCP"| os
+ prom -->|"2020/TCP"| fb
+ prom -->|"24231/TCP"| fd
+ prom -->|"9108/TCP"| os
+ prom -->|"9000/TCP"| minio
+ bucket -->|"9000/TCP"| minio
+ minio -->|"443/TCP"| ext
+ pom -->|"9001/TCP"| minio
+ logging -->|"9000/TCP"| minio
+ nginx -->|"9001/TCP"| minio
+ nginx -->|"5601/TCP"| osd
+```
\ No newline at end of file
diff --git a/docs/network-policies/modules/monitoring/README.md b/docs/network-policies/modules/monitoring/README.md
new file mode 100644
index 000000000..acf6e419e
--- /dev/null
+++ b/docs/network-policies/modules/monitoring/README.md
@@ -0,0 +1,55 @@
+# Monitoring Module Network Policies
+
+## Components
+- Prometheus Stack
+- Mimir Stack
+
+## Namespaces
+- monitoring
+
+## Network Policies List
+
+### Common Policies
+- deny-all
+- all-egress-kube-dns
+- alertmanager-main
+- alertmanager-ingress-nginx
+- blackbox-exporter
+- grafana
+- grafana-egress-tempo-gateway
+- grafana-ingress-nginx
+- kube-state-metrics
+- node-exporter
+- prometheus-ingress-nginx
+- prometheus-adapter
+- prometheus-ingress-prometheus-adapter
+- prometheus-operator
+- x509-exporter-egress-kube-apiserver
+- x509-exporter-ingress-prometheus-metrics
+- kube-state-metrics
+
+### MinIO
+- minio-ingress-namespace
+- minio-buckets-setup-egress-kube-apiserver
+- minio-buckets-setup-egress-minio
+- minio-ingress-prometheus-metrics
+- minio-monitoring-egress-all
+
+### Prometheus specific
+- prometheus-k8s
+- prometheus-egress-minio
+- prometheus-egress-kube-apiserver
+
+### Mimir specific
+- mimir-distributed-discovery
+- mimir-distributed-ingress-prometheus-metrics
+- mimir-gateway-ingress-grafana
+- mimir-querier-egress-https
+- mimir-ingester-egress-https
+- mimir-distributed-egress-minio (when using MinIO)
+- mimir-distributed-egress-all (when not using MinIO)
+
+## Configurations
+- [Prometheus Stack](prometheus.md)
+- [Mimir Stack](mimir.md)
+
diff --git a/docs/network-policies/modules/monitoring/mimir.md b/docs/network-policies/modules/monitoring/mimir.md
new file mode 100644
index 000000000..5619dbfe4
--- /dev/null
+++ b/docs/network-policies/modules/monitoring/mimir.md
@@ -0,0 +1,53 @@
+# Mimir Stack Configuration
+
+```mermaid
+graph TD
+ %% Namespace
+ subgraph monitoring
+ gateway[Mimir Gateway
app.kubernetes.io/component: gateway]
+ distributor[Mimir Distributor
app.kubernetes.io/component: distributor]
+ ingester[Mimir Ingester
app.kubernetes.io/component: ingester]
+ querier[Mimir Querier
app.kubernetes.io/component: querier]
+ qfront[Mimir Query Frontend
app.kubernetes.io/component: query-frontend]
+ qsched[Mimir Query Scheduler
app.kubernetes.io/component: query-scheduler]
+ store[Mimir Store Gateway
app.kubernetes.io/component: store-gateway]
+ compactor[Mimir Compactor
app.kubernetes.io/component: compactor]
+ grafana[Grafana
app.kubernetes.io/name: grafana]
+ prom[Prometheus
app.kubernetes.io/name: prometheus]
+ am[Alertmanager
app.kubernetes.io/component: alert-router]
+ bb[Blackbox Exporter
app.kubernetes.io/name: blackbox-exporter]
+ ksm[Kube State Metrics
app.kubernetes.io/name: kube-state-metrics]
+ ne[Node Exporter
app.kubernetes.io/name: node-exporter]
+ x509[x509 Exporter
app: x509-certificate-exporter]
+ minio[MinIO
app: minio]
+ bucket[MinIO Bucket Setup
app: minio-monitoring-buckets-setup]
+ end
+
+ %% External and K8s Core Components
+ api[Kubernetes API]
+ dns[Kube DNS]
+
+ %% Edges
+ monitoring -->|"53/UDP,TCP"| dns
+ bucket -->|"9000/TCP"| minio
+ qfront -->|"mimir-discovery
9095,7946,8080/TCP"| qsched
+ qfront -->|"mimir-discovery
9095,7946,8080/TCP"| querier
+ gateway -->|"mimir-discovery
9095,7946,8080/TCP"| distributor
+ distributor -->|"mimir-discovery
9095,7946,8080/TCP"| ingester
+ qsched -->|"mimir-discovery
9095,7946,8080/TCP"| querier
+ querier -->|"mimir-discovery
9095,7946,8080/TCP"| store
+ querier -->|"mimir-discovery
9095,7946,8080/TCP"| ingester
+ store -->|"mimir-discovery
9095,7946,8080/TCP"| compactor
+ compactor -->|"mimir-discovery
9095,7946,8080/TCP"| store
+ ingester & store & compactor -->|"9000/TCP"| minio
+ grafana -->|"8080/TCP"| gateway
+ prom -->|"8080/TCP"| distributor
+ prom -->|"9115,19115/TCP"| bb
+ prom -->|"8443,9443/TCP"| ksm
+ prom -->|"9100/TCP"| ne
+ prom -->|"9793/TCP"| x509
+ prom -->|"9093,8080/TCP"| am
+ pom[Pomerium] -->|"3000/TCP"| grafana
+ pom -->|"9093/TCP"| am
+ x509 -->|"6443/TCP"| api
+```
\ No newline at end of file
diff --git a/docs/network-policies/modules/monitoring/prometheus.md b/docs/network-policies/modules/monitoring/prometheus.md
new file mode 100644
index 000000000..f05457035
--- /dev/null
+++ b/docs/network-policies/modules/monitoring/prometheus.md
@@ -0,0 +1,43 @@
+# Prometheus Stack Configuration
+
+```mermaid
+graph TD
+ %% Namespace
+ subgraph monitoring
+ prom[Prometheus
app.kubernetes.io/name: prometheus]
+ grafana[Grafana
app.kubernetes.io/name: grafana]
+ am[Alertmanager
app.kubernetes.io/name: alertmanager]
+ bb[Blackbox Exporter
app.kubernetes.io/name: blackbox-exporter
app.kubernetes.io/component: exporter]
+ ksm[Kube State Metrics
app.kubernetes.io/name: kube-state-metrics
app.kubernetes.io/component: exporter]
+ ne[Node Exporter
app.kubernetes.io/name: node-exporter
app.kubernetes.io/component: exporter]
+ pa[Prometheus Adapter
app.kubernetes.io/name: prometheus-adapter
app.kubernetes.io/component: metrics-adapter]
+ po[Prometheus Operator
app.kubernetes.io/name: prometheus-operator
app.kubernetes.io/component: controller]
+ minio[MinIO
app: minio]
+ bucket[MinIO Bucket Setup
app: minio-monitoring-buckets-setup]
+ x509[x509 Exporter
app: x509-certificate-exporter]
+ end
+
+ %% External and K8s Core Components
+ api[Kubernetes API]
+ dns[Kube DNS]
+ pom["Pomerium"]
+
+ %% Edges
+ monitoring -->|"53/UDP,TCP"| dns
+ bucket -->|"9000/TCP"| minio
+ prom -->|"6443,8405/TCP"| api
+ prom -->|"9000/TCP"| minio
+ prom -->|"9115,19115/TCP"| bb
+ prom -->|"8443,9443/TCP"| ksm
+ prom -->|"9100/TCP"| ne
+ prom -->|"8443/TCP"| po
+ prom -->|"9793/TCP"| x509
+ prom & am & bb & grafana & ksm & ne & pa & po -->|"egress: all"| all[All Namespaces]
+ pa -->|"9090/TCP"| prom
+ grafana -->|"9090/TCP"| prom
+ prom -->|"9093,8080/TCP"| am
+ pom -->|"9093/TCP"| am
+ prom -->|"3000/TCP"| grafana
+ pom -->|"3000/TCP"| grafana
+ x509 -->|"6443/TCP"| api
+```
diff --git a/docs/network-policies/modules/opa/README.md b/docs/network-policies/modules/opa/README.md
new file mode 100644
index 000000000..a43db5d2a
--- /dev/null
+++ b/docs/network-policies/modules/opa/README.md
@@ -0,0 +1,36 @@
+# OPA Module Network Policies
+
+## Components
+- Gatekeeper + Gatekeeper Policy Manager
+- Kyverno
+
+## Namespaces
+- gatekeeper-system (when using Gatekeeper)
+- kyverno (when using Kyverno)
+
+## Network Policies List
+
+### Gatekeeper
+- deny-all
+- all-egress-dns
+- audit-controller-egress-kube-apiserver
+- controller-manager-egress-kube-apiserver
+- controller-manager-ingress-kube-apiserver
+- gpm-egress-kube-apiserver
+- gpm-ingress-pomerium
+- gatekeeper-ingress-prometheus-metrics
+
+### Kyverno
+- deny-all
+- all-egress-dns
+- kyverno-admission-egress-kube-apiserver
+- kyverno-admission-ingress-nodes
+- kyverno-background-egress-kube-apiserver
+- kyverno-reports-egress-kube-apiserver
+- kyverno-cleanup-egress-kube-apiserver
+- kyverno-cleanup-reports-egress-kube-apiserver
+
+## Configurations
+- [Gatekeeper](gatekeeper.md)
+- [Kyverno](kyverno.md)
+
diff --git a/docs/network-policies/modules/opa/gatekeeper.md b/docs/network-policies/modules/opa/gatekeeper.md
new file mode 100644
index 000000000..d3d049f7d
--- /dev/null
+++ b/docs/network-policies/modules/opa/gatekeeper.md
@@ -0,0 +1,26 @@
+# Gatekeeper Configuration
+
+```mermaid
+graph TD
+ %% Namespace
+ subgraph gatekeeper-system
+ audit[Audit Controller
control-plane: audit-controller]
+ cm[Controller Manager
control-plane: controller-manager]
+ gpm[Policy Manager
app: gatekeeper-policy-manager]
+ end
+
+ %% External and K8s Core Components
+ api[Kubernetes API]
+ dns[Kube DNS]
+ prom[Prometheus]
+ pom[Pomerium]
+
+ %% Edges
+ audit & cm -->|"53/UDP"| dns
+ audit -->|"6443/TCP"| api
+ cm -->|"6443/TCP"| api
+ gpm -->|"6443/TCP"| api
+ pom -->|"8080/TCP"| gpm
+ prom -->|"8888/TCP"| audit & cm
+ api -->|"8443,443/TCP"| cm
+```
diff --git a/docs/network-policies/modules/opa/kyverno.md b/docs/network-policies/modules/opa/kyverno.md
new file mode 100644
index 000000000..602c40dc8
--- /dev/null
+++ b/docs/network-policies/modules/opa/kyverno.md
@@ -0,0 +1,27 @@
+# Kyverno Configuration
+
+```mermaid
+graph TD
+ %% Namespace
+ subgraph kyverno
+ admission[Admission Controller
component: admission-controller]
+ background[Background Controller
component: background-controller]
+ reports[Reports Controller
component: reports-controller]
+ cleanup[Cleanup Controller
component: cleanup-controller]
+ end
+
+ %% External and K8s Core Components
+ dns[Kube DNS]
+ api[Kubernetes API]
+
+ %% Edges
+ admission -->|"53/UDP"| dns
+ background -->|"53/UDP"| dns
+ reports -->|"53/UDP"| dns
+ cleanup -->|"53/UDP"| dns
+ admission -->|"6443/TCP"| api
+ background -->|"6443/TCP"| api
+ reports -->|"6443/TCP"| api
+ cleanup -->|"6443/TCP"| api
+ all[All Namespaces] -->|"9443/TCP"| admission
+```
diff --git a/docs/network-policies/modules/tracing/README.md b/docs/network-policies/modules/tracing/README.md
new file mode 100644
index 000000000..4db75de3b
--- /dev/null
+++ b/docs/network-policies/modules/tracing/README.md
@@ -0,0 +1,32 @@
+# Tracing Module Network Policies
+
+## Components
+- Tempo
+
+## Namespaces
+- tracing
+
+## Network Policies List
+- deny-all
+- all-egress-kube-dns
+- tempo-distributed-discovery
+- tempo-distributed-ingress-prometheus-metrics
+- tempo-gateway-ingress-grafana
+- all-egress-tempo-distributor
+- tempo-distributor-ingress-traces
+- tempo-components-egress-memcached
+- memcached-ingress-querier
+- tempo-components-egress-https
+- tempo-distributed-egress-minio (when using MinIO)
+- tempo-distributed-egress-all (when not using MinIO)
+
+### MinIO
+- minio-ingress-namespace
+- minio-buckets-setup-egress-kube-apiserver
+- minio-buckets-setup-egress-minio
+- minio-ingress-prometheus-metrics
+- minio-ingress-pomerium
+- minio-egress-https
+
+## Configurations
+- [Tempo](tempo.md)
diff --git a/docs/network-policies/modules/tracing/tempo.md b/docs/network-policies/modules/tracing/tempo.md
new file mode 100644
index 000000000..0ca46d1ba
--- /dev/null
+++ b/docs/network-policies/modules/tracing/tempo.md
@@ -0,0 +1,42 @@
+# Tempo Configuration
+
+```mermaid
+graph TD
+ %% Namespaces
+ subgraph tracing
+ gateway[Tempo Gateway
component: gateway]
+ dist[Tempo Distributor
component: distributor]
+ query[Tempo Querier
component: querier]
+ mem[Memcached
component: memcached]
+ minio[MinIO
app: minio]
+ bucket[MinIO Bucket Setup
app: minio-tracing-buckets-setup]
+ end
+
+ subgraph monitoring
+ graf[Grafana]
+ prom[Prometheus]
+ end
+
+ subgraph pomerium
+ pom[Pomerium]
+ end
+
+ allns[All Namespaces]
+
+ %% External and K8s Core Components
+ dns[Kube DNS]
+ ext[External]
+
+ %% Edges
+ gateway & dist & query -->|"53/UDP"| dns
+ gateway -->|"9095,7946,3100/TCP"| dist & query
+ dist -->|"9095,7946,3100/TCP"| query
+ query -->|"11211/TCP"| mem
+ allns -->|"4317/TCP"| dist
+ graf -->|"8080/TCP"| gateway
+ prom -->|"3100/TCP"| gateway & dist & query
+ pom -->|"9001/TCP"| minio
+ query -->|"9000/TCP"| minio
+ minio -->|"443/TCP"| ext
+ bucket -->|"9000/TCP"| minio
+```
\ No newline at end of file
diff --git a/docs/network-policies/overview.md b/docs/network-policies/overview.md
new file mode 100644
index 000000000..93fbc5033
--- /dev/null
+++ b/docs/network-policies/overview.md
@@ -0,0 +1,36 @@
+# KFD Network Policies Overview
+
+```mermaid
+graph TD
+ subgraph kfd[KFD Core Modules]
+ ingress[Ingress
Nginx + Cert-manager]
+ auth[Auth
Pomerium]
+ mon[Monitoring
Prometheus/Mimir]
+ log[Logging
Opensearch/Loki]
+ tracing[Tracing
Tempo]
+ opa[OPA
Gatekeeper/Kyverno]
+ end
+
+ %% K8s Core Components
+ dns[KubeDNS]
+ api[Kubernetes API]
+ ext[External]
+
+ %% Edges
+ kfd --->|"53/UDP"| dns
+ kfd -->|"6443/TCP"| api
+ ingress -->|"8080/TCP"| auth
+ auth -->|"auth proxy"| mon & log & tracing & opa
+ auth -->|"443/TCP"| ext
+ mon -->|"metrics"| all
+ mon -->|"metrics"| auth
+ mon -->|"metrics"| ingress
+ mon -->|"metrics"| log
+ mon -->|"metrics"| tracing
+ mon -->|"metrics"| opa
+ all[All Namespaces] -->|"logs"| log
+ all -->|"traces"| tracing
+
+
+
+```
\ No newline at end of file
diff --git a/docs/schemas/onpremises-kfd-v1alpha2.md b/docs/schemas/onpremises-kfd-v1alpha2.md
index a6c612abe..67cfd9844 100644
--- a/docs/schemas/onpremises-kfd-v1alpha2.md
+++ b/docs/schemas/onpremises-kfd-v1alpha2.md
@@ -80,18 +80,25 @@ The name of the cluster. It will also be used as a prefix for all the other reso
### Properties
-| Property | Type | Required |
-|:----------------------------------------------------------------|:---------|:---------|
-| [nodeSelector](#specdistributioncommonnodeselector) | `object` | Optional |
-| [provider](#specdistributioncommonprovider) | `object` | Optional |
-| [registry](#specdistributioncommonregistry) | `string` | Optional |
-| [relativeVendorPath](#specdistributioncommonrelativevendorpath) | `string` | Optional |
-| [tolerations](#specdistributioncommontolerations) | `array` | Optional |
+| Property | Type | Required |
+|:------------------------------------------------------------------------|:----------|:---------|
+| [networkPoliciesEnabled](#specdistributioncommonnetworkpoliciesenabled) | `boolean` | Optional |
+| [nodeSelector](#specdistributioncommonnodeselector) | `object` | Optional |
+| [provider](#specdistributioncommonprovider) | `object` | Optional |
+| [registry](#specdistributioncommonregistry) | `string` | Optional |
+| [relativeVendorPath](#specdistributioncommonrelativevendorpath) | `string` | Optional |
+| [tolerations](#specdistributioncommontolerations) | `array` | Optional |
### Description
Common configuration for all the distribution modules.
+## .spec.distribution.common.networkPoliciesEnabled
+
+### Description
+
+EXPERIMENTAL FEATURE. This field defines whether Network Policies are provided for core modules.
+
## .spec.distribution.common.nodeSelector
### Description
diff --git a/pkg/apis/onpremises/v1alpha2/public/schema.go b/pkg/apis/onpremises/v1alpha2/public/schema.go
index 588056293..1f77e2d7e 100644
--- a/pkg/apis/onpremises/v1alpha2/public/schema.go
+++ b/pkg/apis/onpremises/v1alpha2/public/schema.go
@@ -86,6 +86,9 @@ type SpecDistributionCommon struct {
// value: infra
// ```
Tolerations []TypesKubeToleration `json:"tolerations,omitempty" yaml:"tolerations,omitempty" mapstructure:"tolerations,omitempty"`
+
+ // NetworkPoliciesEnabled corresponds to the JSON schema field "networkPoliciesEnabled".
+ NetworkPoliciesEnabled *bool `json:"networkPoliciesEnabled,omitempty" yaml:"networkPoliciesEnabled,omitempty" mapstructure:"networkPoliciesEnabled,omitempty"`
}
type SpecDistributionCommonProvider struct {
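Review bot: The doc comment on `NetworkPoliciesEnabled` only restates the field name; the description added to the JSON schema in the same commit (`EXPERIMENTAL FEATURE. This field defines whether Network Policies are provided for core modules.`) is what a Go caller needs, so carry it into the comment, e.g. `// NetworkPoliciesEnabled is an EXPERIMENTAL flag: when true the core modules ship NetworkPolicies; nil or false means none are rendered.` The `// ... corresponds to the JSON schema field ...` wording looks like generator output, and the field is appended after `Tolerations` rather than in the alphabetical position the other fields appear to follow — if this file is generated from `schemas/public/onpremises-kfd-v1alpha2.json`, regenerate it instead of hand-editing so the next run does not reorder or drop the addition. The `SpecDistributionCommon` struct starts before this hunk.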
diff --git a/rules/onpremises-kfd-v1alpha2.yaml b/rules/onpremises-kfd-v1alpha2.yaml
index 7afc29d61..dedf65668 100644
--- a/rules/onpremises-kfd-v1alpha2.yaml
+++ b/rules/onpremises-kfd-v1alpha2.yaml
@@ -13,6 +13,14 @@ kubernetes:
- path: .spec.kubernetes.svcCidr
immutable: true
distribution:
+ - path: .spec.distribution.common.networkPoliciesEnabled
+ immutable: false
+ description: "changes to the network policies have been detected. This will cause the reconfiguration or deletion of the current network policies."
+ safe:
+ - to: none
+ reducers:
+ - key: distributionCommonNetworkPoliciesEnabled
+ lifecycle: pre-apply
- path: .spec.distribution.modules.networking.type
immutable: true
- path: .spec.distribution.modules.logging.type
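Review bot: `safe: - to: none` on `.spec.distribution.common.networkPoliciesEnabled` names a value the field cannot take — the schema hunk in this commit declares it `boolean` — so the entry either never matches or was copied from a string-typed rule such as the `type` paths around it. If the intent is that switching the feature off is the safe direction, write `- to: false`; if no transition should be treated as safe, drop the `safe` block so the `pre-apply` reducer runs for every change. The `description` already warns about deletion, which is the right emphasis since a `true → false` change removes the rendered policies.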
diff --git a/schemas/public/onpremises-kfd-v1alpha2.json b/schemas/public/onpremises-kfd-v1alpha2.json
index 334d73be8..44af1db96 100644
--- a/schemas/public/onpremises-kfd-v1alpha2.json
+++ b/schemas/public/onpremises-kfd-v1alpha2.json
@@ -727,6 +727,10 @@
"registry": {
"type": "string",
"description": "URL of the registry where to pull images from for the Distribution phase. (Default is `registry.sighup.io/fury`)."
+ },
+ "networkPoliciesEnabled": {
+ "type": "boolean",
+ "description": "EXPERIMENTAL FEATURE. This field defines whether Network Policies are provided for core modules."
}
}
},
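Review bot: The new `networkPoliciesEnabled` property has no `"default"`, although `defaults/onpremises-kfd-v1alpha2.yaml` sets it to `false` in the same commit; adding `"default": false` keeps schema and defaults in agreement and lets the generated schema docs and validators show the effective value. The description could also spell out what each value does, e.g. `"EXPERIMENTAL FEATURE. When true, the core modules render their NetworkPolicies (a default deny-all plus explicit allows); when false or unset, no NetworkPolicies are rendered."`, which matches how the auth kustomization gates the `policies` directory.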
diff --git a/templates/distribution/manifests/auth/kustomization.yaml.tpl b/templates/distribution/manifests/auth/kustomization.yaml.tpl
index 5ab2396a8..a1e43808c 100644
--- a/templates/distribution/manifests/auth/kustomization.yaml.tpl
+++ b/templates/distribution/manifests/auth/kustomization.yaml.tpl
@@ -17,6 +17,10 @@ resources:
- resources/ingress-infra.yml
{{- end }}
+{{ if eq .spec.distribution.common.networkPoliciesEnabled true }}
+ - policies
+{{- end }}
+
patchesStrategicMerge:
- patches/infra-nodes.yml
- patches/pomerium-ingress.yml
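Review bot: The new block opens with `{{ if eq ... true }}` but closes with `{{- end }}`, unlike the block above it that trims on both sides, so the rendered kustomization.yaml gets a blank line where the `if` stood plus another from the added empty line; `{{- if eq .spec.distribution.common.networkPoliciesEnabled true }}` keeps the output consistent with the rest of the file. `- policies` points at a directory, which kustomize only accepts if it holds its own `kustomization.yaml` listing the rendered policy files — that file is not visible in this diff, so confirm it is part of the change.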
diff --git a/templates/distribution/manifests/auth/policies/acme-http-solver.yaml.tpl b/templates/distribution/manifests/auth/policies/acme-http-solver.yaml.tpl
new file mode 100644
index 000000000..0f7a8a246
--- /dev/null
+++ b/templates/distribution/manifests/auth/policies/acme-http-solver.yaml.tpl
@@ -0,0 +1,35 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: acme-httpsolver-ingress-nginx
+ namespace: pomerium
+ labels:
+ cluster.kfd.sighup.io/module: auth
+ cluster.kfd.sighup.io/auth-provider-type: sso
+spec:
+ podSelector:
+ matchLabels:
+ app: cert-manager
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ podSelector:
+ matchLabels:
+{{- if eq .spec.distribution.modules.ingress.nginx.type "dual" }}
+ app: ingress
+{{- else if eq .spec.distribution.modules.ingress.nginx.type "single" }}
+ app: ingress-nginx
+{{- end }}
+ ports:
+ - port: 8089
+ protocol: TCP
+---
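Review bot: The nested `podSelector` for the ingress-nginx source renders an empty `matchLabels:` when `.spec.distribution.modules.ingress.nginx.type` is neither `dual` nor `single`, and an empty selector matches every pod in the `ingress-nginx` namespace rather than none. That combination may be unreachable because this file is only included when the auth provider is `sso`, but a comment stating the assumption (`# nginx.type is assumed to be "single" or "dual" whenever SSO is enabled`) would make the widening explicit. Note also that templates/distribution/manifests/ingress/policies/cert-manager/cert-manager.yaml.tpl adds `acme-http-solver-ingress-lets-encrypt` in the same namespace with a `ports`-only rule admitting 8089 from any source; policies being additive, that makes the source restriction here ineffective whenever cert-manager is the TLS provider, so one of the two should be the single owner of this rule.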
diff --git a/templates/distribution/manifests/auth/policies/common.yaml.tpl b/templates/distribution/manifests/auth/policies/common.yaml.tpl
new file mode 100644
index 000000000..dfe83bd10
--- /dev/null
+++ b/templates/distribution/manifests/auth/policies/common.yaml.tpl
@@ -0,0 +1,43 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all
+ namespace: pomerium
+ labels:
+ cluster.kfd.sighup.io/module: auth
+ cluster.kfd.sighup.io/auth-provider-type: sso
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: all-egress-kube-dns
+ namespace: pomerium
+ labels:
+ cluster.kfd.sighup.io/auth-provider-type: sso
+spec:
+ podSelector:
+ matchLabels: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - protocol: UDP
+ port: 53
+---
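Review bot: `all-egress-kube-dns` is missing the `cluster.kfd.sighup.io/module: auth` label that `deny-all` in the same file and every other policy in this commit carry; if the module label is what the reducer uses to find and remove policies, this one would be left behind. Add `cluster.kfd.sighup.io/module: auth` under its `labels`. Separately, the rule only opens `UDP` 53, so DNS answers that exceed the UDP payload size and fall back to TCP are dropped by `deny-all`; the cert-manager common policy in this commit opens both `UDP` and `TCP` 53, and the same UDP-only rule is repeated in templates/distribution/manifests/ingress/policies/ingress-nginx/common.yaml.tpl and templates/distribution/manifests/logging/policies/common.yaml.tpl.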
diff --git a/templates/distribution/manifests/auth/policies/kustomization.yaml.tpl b/templates/distribution/manifests/auth/policies/kustomization.yaml.tpl
new file mode 100644
index 000000000..49e948a8d
--- /dev/null
+++ b/templates/distribution/manifests/auth/policies/kustomization.yaml.tpl
@@ -0,0 +1,15 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+{{- if eq .spec.distribution.modules.auth.provider.type "sso" }}
+resources:
+ - common.yaml
+ - acme-http-solver.yaml
+ - pomerium.yaml
+ - prometheus-metrics.yaml
+{{- end }}
diff --git a/templates/distribution/manifests/auth/policies/pomerium.yaml.tpl b/templates/distribution/manifests/auth/policies/pomerium.yaml.tpl
new file mode 100644
index 000000000..c82c7fc4f
--- /dev/null
+++ b/templates/distribution/manifests/auth/policies/pomerium.yaml.tpl
@@ -0,0 +1,48 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: pomerium-ingress-nginx
+ namespace: pomerium
+ labels:
+ cluster.kfd.sighup.io/module: auth
+ cluster.kfd.sighup.io/auth-provider-type: sso
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: pomerium
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ podSelector:
+ matchLabels:
+ app: ingress-nginx
+ ports:
+ - port: 8080
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: pomerium-egress-all
+ namespace: pomerium
+ labels:
+ cluster.kfd.sighup.io/module: auth
+ cluster.kfd.sighup.io/auth-provider-type: sso
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app: pomerium
+ egress:
+ - {}
+---
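Review bot: `pomerium-ingress-nginx` hard-codes the source `podSelector` to `app: ingress-nginx`, while the sibling acme-http-solver.yaml.tpl and the ingress-nginx policies in this commit select `app: ingress` when `.spec.distribution.modules.ingress.nginx.type` is `dual`; with a dual setup the controllers would therefore be stopped by `deny-all` on their way to pomerium:8080. Branch the selector on the ingress type exactly as acme-http-solver.yaml.tpl does (below). `pomerium-egress-all` permitting `- {}` is presumably needed to reach the upstream identity provider and the protected backends; a one-line comment saying so would save the next reader from trying to tighten it.
```yaml
      podSelector:
        matchLabels:
{{- if eq .spec.distribution.modules.ingress.nginx.type "dual" }}
          app: ingress
{{- else if eq .spec.distribution.modules.ingress.nginx.type "single" }}
          app: ingress-nginx
{{- end }}
# … unchanged: ports (8080/TCP), pomerium-egress-all policy …
```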
diff --git a/templates/distribution/manifests/auth/policies/prometheus-metrics.yaml.tpl b/templates/distribution/manifests/auth/policies/prometheus-metrics.yaml.tpl
new file mode 100644
index 000000000..355ca48dd
--- /dev/null
+++ b/templates/distribution/manifests/auth/policies/prometheus-metrics.yaml.tpl
@@ -0,0 +1,31 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: pomerium-ingress-prometheus-metrics
+ namespace: pomerium
+ labels:
+ cluster.kfd.sighup.io/module: auth
+ cluster.kfd.sighup.io/auth-provider-type: sso
+spec:
+ podSelector:
+ matchLabels:
+ app: pomerium
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - protocol: TCP
+ port: 9090
+---
diff --git a/templates/distribution/manifests/ingress/kustomization.yaml.tpl b/templates/distribution/manifests/ingress/kustomization.yaml.tpl
index 374c70bba..8225fdadc 100644
--- a/templates/distribution/manifests/ingress/kustomization.yaml.tpl
+++ b/templates/distribution/manifests/ingress/kustomization.yaml.tpl
@@ -24,6 +24,10 @@ resources:
{{- end }}
+{{ if eq .spec.distribution.common.networkPoliciesEnabled true }}
+ - policies
+{{- end }}
+
{{- if ne .spec.distribution.modules.ingress.nginx.type "none" }}
- {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/ingress/katalog/forecastle" }}
{{- end }}
diff --git a/templates/distribution/manifests/ingress/policies/cert-manager/cert-manager.yaml.tpl b/templates/distribution/manifests/ingress/policies/cert-manager/cert-manager.yaml.tpl
new file mode 100644
index 000000000..bbc937c2b
--- /dev/null
+++ b/templates/distribution/manifests/ingress/policies/cert-manager/cert-manager.yaml.tpl
@@ -0,0 +1,88 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# https://cert-manager.io/docs/installation/best-practice/#network-requirements
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: cert-manager-egress-kube-apiserver
+ namespace: cert-manager
+ labels:
+ cluster.kfd.sighup.io/module: ingress
+ cluster.kfd.sighup.io/ingress-type: nginx
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: cert-manager
+ policyTypes:
+ - Egress
+ egress:
+ - ports:
+ - port: 6443
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: cert-manager-webhook-ingress-kube-apiserver
+ namespace: cert-manager
+ labels:
+ cluster.kfd.sighup.io/module: ingress
+ cluster.kfd.sighup.io/ingress-type: nginx
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: cert-manager
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - port: 10250
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: cert-manager-egress-https
+ namespace: cert-manager
+ labels:
+ cluster.kfd.sighup.io/module: ingress
+ cluster.kfd.sighup.io/ingress-type: nginx
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: cert-manager
+ policyTypes:
+ - Egress
+ egress:
+ - ports:
+ - port: 443
+ protocol: TCP
+ - port: 80
+ protocol: TCP
+---
+{{- if eq .spec.distribution.modules.auth.provider.type "sso" }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: acme-http-solver-ingress-lets-encrypt
+ namespace: pomerium
+ labels:
+ cluster.kfd.sighup.io/module: ingress
+ cluster.kfd.sighup.io/ingress-type: nginx
+spec:
+ podSelector:
+ matchLabels:
+ app: cert-manager
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - port: 8089
+ protocol: TCP
+---
+{{- end }}
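Review bot: `acme-http-solver-ingress-lets-encrypt` has a `ports`-only ingress rule, so it admits TCP 8089 from every pod in the cluster and from outside it; for HTTP-01 the validation request reaches the solver through the ingress controller, so the source can be narrowed to the `ingress-nginx` namespace the way auth/policies/acme-http-solver.yaml.tpl already does, unless there is a deployment where the solver is exposed directly, in which case a comment should say so. The policy also lives in namespace `pomerium` but is labelled `cluster.kfd.sighup.io/module: ingress` and gated on the auth provider, so a comment on the `{{- if ... "sso" }}` explaining why an ingress-module file places a policy in the auth namespace would help whoever later has to decide which reducer owns it. `cert-manager-egress-https` opening 80/443 to any destination is expected for ACME directory access and HTTP-01 self-checks; a `# ACME endpoints and HTTP-01 self-check, any destination` comment would document that.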
diff --git a/templates/distribution/manifests/ingress/policies/cert-manager/common.yaml.tpl b/templates/distribution/manifests/ingress/policies/cert-manager/common.yaml.tpl
new file mode 100644
index 000000000..963b7db18
--- /dev/null
+++ b/templates/distribution/manifests/ingress/policies/cert-manager/common.yaml.tpl
@@ -0,0 +1,38 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all
+ namespace: cert-manager
+ labels:
+ cluster.kfd.sighup.io/module: ingress
+ cluster.kfd.sighup.io/ingress-type: nginx
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: all-egress-kube-dns
+ namespace: cert-manager
+ labels:
+ cluster.kfd.sighup.io/module: ingress
+ cluster.kfd.sighup.io/ingress-type: nginx
+spec:
+ podSelector:
+ matchLabels: {}
+ policyTypes:
+ - Egress
+ egress:
+ - ports:
+ - protocol: UDP
+ port: 53
+ - protocol: TCP
+ port: 53
+ # https://cert-manager.io/docs/installation/best-practice/#network-requirements
\ No newline at end of file
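Review bot: The `all-egress-kube-dns` rule here has no `to:` selector, so it permits port 53 to any address, whereas the same-named policies in the auth, ingress-nginx and logging modules restrict DNS egress to `k8s-app: kube-dns` in `kube-system`. If that is intentional because cert-manager's DNS-01 self-check queries public and authoritative resolvers directly, the `# https://cert-manager.io/...` comment should sit beside the egress rule and say so (`# no 'to' selector on purpose: DNS-01 self-checks query external resolvers, see ...`) rather than dangling at the end of the file without a trailing newline; otherwise add the `to:` block the sibling policies use. The file also omits the leading `---` that every other policy file in this commit starts with.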
diff --git a/templates/distribution/manifests/ingress/policies/cert-manager/kustomization.yaml.tpl b/templates/distribution/manifests/ingress/policies/cert-manager/kustomization.yaml.tpl
new file mode 100644
index 000000000..b71d8d27f
--- /dev/null
+++ b/templates/distribution/manifests/ingress/policies/cert-manager/kustomization.yaml.tpl
@@ -0,0 +1,12 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - common.yaml
+ - cert-manager.yaml
+ - prometheus-metrics.yaml
diff --git a/templates/distribution/manifests/ingress/policies/cert-manager/prometheus-metrics.yaml.tpl b/templates/distribution/manifests/ingress/policies/cert-manager/prometheus-metrics.yaml.tpl
new file mode 100644
index 000000000..c329f39e5
--- /dev/null
+++ b/templates/distribution/manifests/ingress/policies/cert-manager/prometheus-metrics.yaml.tpl
@@ -0,0 +1,30 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: cert-manager-ingress-prometheus-metrics
+ namespace: cert-manager
+ labels:
+ cluster.kfd.sighup.io/module: ingress
+ cluster.kfd.sighup.io/ingress-type: nginx
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 9402
+ protocol: TCP
diff --git a/templates/distribution/manifests/ingress/policies/ingress-nginx/common.yaml.tpl b/templates/distribution/manifests/ingress/policies/ingress-nginx/common.yaml.tpl
new file mode 100644
index 000000000..d1a1f295a
--- /dev/null
+++ b/templates/distribution/manifests/ingress/policies/ingress-nginx/common.yaml.tpl
@@ -0,0 +1,44 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all
+ namespace: ingress-nginx
+ labels:
+ cluster.kfd.sighup.io/module: ingress
+ cluster.kfd.sighup.io/ingress-type: nginx
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: all-egress-kube-dns
+ namespace: ingress-nginx
+ labels:
+ cluster.kfd.sighup.io/module: ingress
+ cluster.kfd.sighup.io/ingress-type: nginx
+spec:
+ podSelector:
+ matchLabels: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - protocol: UDP
+ port: 53
+---
diff --git a/templates/distribution/manifests/ingress/policies/ingress-nginx/external-dns.yaml.tpl b/templates/distribution/manifests/ingress/policies/ingress-nginx/external-dns.yaml.tpl
new file mode 100644
index 000000000..3bd02356e
--- /dev/null
+++ b/templates/distribution/manifests/ingress/policies/ingress-nginx/external-dns.yaml.tpl
@@ -0,0 +1,22 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: external-dns-egress-all
+ namespace: ingress-nginx
+ labels:
+ cluster.kfd.sighup.io/module: ingress
+ cluster.kfd.sighup.io/ingress-type: nginx
+spec:
+ podSelector:
+ matchLabels:
+ app: external-dns
+ policyTypes:
+ - Egress
+ egress:
+ - {}
+---
diff --git a/templates/distribution/manifests/ingress/policies/ingress-nginx/forecastle.yaml.tpl b/templates/distribution/manifests/ingress/policies/ingress-nginx/forecastle.yaml.tpl
new file mode 100644
index 000000000..c223b5b3d
--- /dev/null
+++ b/templates/distribution/manifests/ingress/policies/ingress-nginx/forecastle.yaml.tpl
@@ -0,0 +1,59 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: forecastle-ingress-nginx
+ namespace: ingress-nginx
+ labels:
+ cluster.kfd.sighup.io/module: ingress
+ cluster.kfd.sighup.io/ingress-type: nginx
+spec:
+ podSelector:
+ matchLabels:
+ app: forecastle
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+{{- if (eq .spec.distribution.modules.auth.provider.type "sso") }}
+ matchLabels:
+ kubernetes.io/metadata.name: pomerium
+{{ else }}
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if (eq .spec.distribution.modules.auth.provider.type "sso") }}
+ app: pomerium
+{{- else if eq .spec.distribution.modules.ingress.nginx.type "dual" }}
+ app: ingress
+{{- else if eq .spec.distribution.modules.ingress.nginx.type "single" }}
+ app: ingress-nginx
+{{- end }}
+ ports:
+ - port: 3000
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: forecastle-egress-kube-apiserver
+ namespace: ingress-nginx
+ labels:
+ cluster.kfd.sighup.io/module: ingress
+ cluster.kfd.sighup.io/ingress-type: nginx
+spec:
+ podSelector:
+ matchLabels:
+ app: forecastle
+ policyTypes:
+ - Egress
+ egress:
+ - ports:
+ - port: 6443
+ protocol: TCP
\ No newline at end of file
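Review bot: The `{{ else }}` inside `forecastle-ingress-nginx` lacks the left-trim marker that the surrounding `{{- if ... }}` and `{{- end }}` carry, so the non-SSO branch renders an extra blank line inside the `namespaceSelector` block; `{{- else }}` keeps the template uniform. The two `if (eq ...)` conditions are also the only parenthesised ones in this commit. `forecastle-egress-kube-apiserver` uses the `ports`-only egress to 6443 idiom found elsewhere; a `# kube-apiserver` comment on the port, as fluentbit.yaml.tpl does with `# fluentd`, would make the intent readable. The file ends without a trailing newline.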
diff --git a/templates/distribution/manifests/ingress/policies/ingress-nginx/kustomization.yaml.tpl b/templates/distribution/manifests/ingress/policies/ingress-nginx/kustomization.yaml.tpl
new file mode 100644
index 000000000..46494b30e
--- /dev/null
+++ b/templates/distribution/manifests/ingress/policies/ingress-nginx/kustomization.yaml.tpl
@@ -0,0 +1,14 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - common.yaml
+ - forecastle.yaml
+ - nginx-ingress-controller.yaml
+ - prometheus-metrics.yaml
+ - external-dns.yaml
diff --git a/templates/distribution/manifests/ingress/policies/ingress-nginx/nginx-ingress-controller.yaml.tpl b/templates/distribution/manifests/ingress/policies/ingress-nginx/nginx-ingress-controller.yaml.tpl
new file mode 100644
index 000000000..164cb229c
--- /dev/null
+++ b/templates/distribution/manifests/ingress/policies/ingress-nginx/nginx-ingress-controller.yaml.tpl
@@ -0,0 +1,51 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: nginx-egress-all
+ namespace: ingress-nginx
+ labels:
+ cluster.kfd.sighup.io/module: ingress
+ cluster.kfd.sighup.io/ingress-type: nginx
+spec:
+ podSelector:
+ matchLabels:
+{{- if eq .spec.distribution.modules.ingress.nginx.type "dual" }}
+ app: ingress
+{{- else if eq .spec.distribution.modules.ingress.nginx.type "single" }}
+ app: ingress-nginx
+{{- end }}
+ policyTypes:
+ - Egress
+ egress:
+ - {}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: all-ingress-nginx
+ namespace: ingress-nginx
+ labels:
+ cluster.kfd.sighup.io/module: ingress
+ cluster.kfd.sighup.io/ingress-type: nginx
+spec:
+ podSelector:
+ matchLabels:
+{{- if eq .spec.distribution.modules.ingress.nginx.type "dual" }}
+ app: ingress
+{{- else if eq .spec.distribution.modules.ingress.nginx.type "single" }}
+ app: ingress-nginx
+{{- end }}
+ ingress:
+ - ports:
+ - port: 8080
+ protocol: TCP
+ - port: 8443
+ protocol: TCP
+ - port: 9443
+ protocol: TCP
+ policyTypes:
+ - Ingress
diff --git a/templates/distribution/manifests/ingress/policies/ingress-nginx/prometheus-metrics.yaml.tpl b/templates/distribution/manifests/ingress/policies/ingress-nginx/prometheus-metrics.yaml.tpl
new file mode 100644
index 000000000..f070b9d54
--- /dev/null
+++ b/templates/distribution/manifests/ingress/policies/ingress-nginx/prometheus-metrics.yaml.tpl
@@ -0,0 +1,33 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: nginx-ingress-prometheus-metrics
+ namespace: ingress-nginx
+ labels:
+ cluster.kfd.sighup.io/module: ingress
+ cluster.kfd.sighup.io/ingress-type: nginx
+spec:
+ podSelector:
+ matchLabels:
+{{- if eq .spec.distribution.modules.ingress.nginx.type "dual" }}
+ app: ingress
+{{- else if eq .spec.distribution.modules.ingress.nginx.type "single" }}
+ app: ingress-nginx
+{{- end }}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - protocol: TCP
+ port: 10254
diff --git a/templates/distribution/manifests/ingress/policies/kustomization.yaml.tpl b/templates/distribution/manifests/ingress/policies/kustomization.yaml.tpl
new file mode 100644
index 000000000..22b97ea52
--- /dev/null
+++ b/templates/distribution/manifests/ingress/policies/kustomization.yaml.tpl
@@ -0,0 +1,15 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+{{- if eq .spec.distribution.modules.ingress.nginx.tls.provider "certManager" }}
+ - cert-manager
+{{ end }}
+{{- if ne .spec.distribution.modules.ingress.nginx.type "none" }}
+ - ingress-nginx
+{{ end }}
\ No newline at end of file
diff --git a/templates/distribution/manifests/logging/kustomization.yaml.tpl b/templates/distribution/manifests/logging/kustomization.yaml.tpl
index c8f361bfd..9b1b42738 100644
--- a/templates/distribution/manifests/logging/kustomization.yaml.tpl
+++ b/templates/distribution/manifests/logging/kustomization.yaml.tpl
@@ -47,6 +47,9 @@ resources:
- {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/logging/katalog/loki-distributed" }}
{{- end }}
+{{ if eq .spec.distribution.common.networkPoliciesEnabled true }}
+ - policies
+{{- end }}
# The kustomize version we are using does not support specifing more than 1 strategicMerge patch
# in a single YAML file under the `patches` directive like the old versions did for `patchesStrategicMerge`.
diff --git a/templates/distribution/manifests/logging/policies/common.yaml.tpl b/templates/distribution/manifests/logging/policies/common.yaml.tpl
new file mode 100644
index 000000000..6fd8ddaad
--- /dev/null
+++ b/templates/distribution/manifests/logging/policies/common.yaml.tpl
@@ -0,0 +1,41 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: all-egress-kube-dns
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+spec:
+ podSelector:
+ matchLabels: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - protocol: UDP
+ port: 53
diff --git a/templates/distribution/manifests/logging/policies/configs.yaml.tpl b/templates/distribution/manifests/logging/policies/configs.yaml.tpl
new file mode 100644
index 000000000..05ff5e2d5
--- /dev/null
+++ b/templates/distribution/manifests/logging/policies/configs.yaml.tpl
@@ -0,0 +1,23 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: event-tailer-egress-kube-apiserver
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: event-tailer
+ egress:
+ - ports:
+ - port: 6443
+ protocol: TCP
+---
diff --git a/templates/distribution/manifests/logging/policies/fluentbit.yaml.tpl b/templates/distribution/manifests/logging/policies/fluentbit.yaml.tpl
new file mode 100644
index 000000000..48f6095a0
--- /dev/null
+++ b/templates/distribution/manifests/logging/policies/fluentbit.yaml.tpl
@@ -0,0 +1,66 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: fluentbit-egress-fluentd
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: fluentbit
+ egress:
+ - ports:
+ # fluentd
+ - port: 24240
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: fluentbit-egress-kube-apiserver
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: fluentbit
+ egress:
+ - ports:
+ - port: 6443
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: fluentbit-ingress-prometheus-metrics
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: fluentbit
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ ports:
+ - port: 2020
+ protocol: TCP
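Review bot: `fluentbit-egress-fluentd` has a `ports`-only egress rule, so fluentbit may open TCP 24240 to any destination, while the matching `fluentd-ingress-fluentbit` in fluentd.yaml.tpl already pins the peer to fluentbit pods in `logging`; the `# fluentd` comment says the intent is the in-cluster fluentd, so the rule should carry a `to:` selector for `app.kubernetes.io/name: fluentd` in namespace `logging` (below). If fluentbit must also forward to an external collector on that port, a comment should state it instead of leaving the destination open.
```yaml
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: logging
          podSelector:
            matchLabels:
              app.kubernetes.io/name: fluentd
      ports:
        # fluentd
        - port: 24240
          protocol: TCP
# … unchanged: fluentbit-egress-kube-apiserver, fluentbit-ingress-prometheus-metrics …
```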
diff --git a/templates/distribution/manifests/logging/policies/fluentd.yaml.tpl b/templates/distribution/manifests/logging/policies/fluentd.yaml.tpl
new file mode 100644
index 000000000..95adfac59
--- /dev/null
+++ b/templates/distribution/manifests/logging/policies/fluentd.yaml.tpl
@@ -0,0 +1,73 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: fluentd-egress-all
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-backend: minio
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: fluentd
+ egress:
+ - {}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: fluentd-ingress-fluentbit
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: fluentd
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: fluentbit
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: logging
+ ports:
+ - port: 24240
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: fluentd-ingress-prometheus-metrics
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: fluentd
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ ports:
+ - port: 24231
+ protocol: TCP
+---
+
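Review bot: `fluentd-egress-all` carries the label `cluster.kfd.sighup.io/logging-backend: minio` but is rendered unconditionally and opens egress to everything, so the label describes a condition the template does not enforce; the other two policies in the file have no backend label at all. Either gate the policy (or the label) on the configured logging type, or replace the label with a comment explaining that fluentd needs unrestricted egress for whichever backend is configured. The trailing empty `+` line after the last `---` is stray whitespace.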
diff --git a/templates/distribution/manifests/logging/policies/kustomization.yaml.tpl b/templates/distribution/manifests/logging/policies/kustomization.yaml.tpl
new file mode 100644
index 000000000..17f67c2ef
--- /dev/null
+++ b/templates/distribution/manifests/logging/policies/kustomization.yaml.tpl
@@ -0,0 +1,26 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+{{ $loggingType := .spec.distribution.modules.logging.type }}
+
+resources:
+ - common.yaml
+ - configs.yaml
+ - fluentbit.yaml
+ - fluentd.yaml
+ - logging-operator.yaml
+ - minio.yaml
+
+{{- if eq $loggingType "loki" }}
+ - loki.yaml
+{{- end }}
+
+{{- if eq $loggingType "opensearch" }}
+ - opensearch-dashboards.yaml
+ - opensearch.yaml
+{{- end }}
diff --git a/templates/distribution/manifests/logging/policies/logging-operator.yaml.tpl b/templates/distribution/manifests/logging/policies/logging-operator.yaml.tpl
new file mode 100644
index 000000000..bc0a2cccd
--- /dev/null
+++ b/templates/distribution/manifests/logging/policies/logging-operator.yaml.tpl
@@ -0,0 +1,22 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: logging-operator-egress-kube-apiserver
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: logging-operator
+ egress:
+ - ports:
+ - port: 6443
+ protocol: TCP
diff --git a/templates/distribution/manifests/logging/policies/loki.yaml.tpl b/templates/distribution/manifests/logging/policies/loki.yaml.tpl
new file mode 100644
index 000000000..7bae584c3
--- /dev/null
+++ b/templates/distribution/manifests/logging/policies/loki.yaml.tpl
@@ -0,0 +1,150 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: loki-distributed-ingress-fluentd
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-type: loki
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: loki-distributed
+ app.kubernetes.io/component: gateway
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: logging
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: fluentd
+ ports:
+ - port: 8080
+ protocol: TCP
+ - port: 3100
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: loki-distributed-ingress-grafana
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-type: loki
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: loki-distributed
+ app.kubernetes.io/component: gateway
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: grafana
+ ports:
+ - port: 8080
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: loki-distributed-ingress-prometheus-metrics
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-type: loki
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: loki-distributed
+ ingress:
+ - ports:
+ - port: 3100
+ protocol: TCP
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: loki-distributed-discovery
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-type: loki
+spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: loki-distributed
+ ingress:
+ - ports:
+ - port: 9095
+ protocol: TCP
+ - port: 3100
+ protocol: TCP
+ - port: 7946
+ protocol: TCP
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: logging
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: loki-distributed
+ egress:
+ - ports:
+ - port: 9095
+ protocol: TCP
+ - port: 3100
+ protocol: TCP
+ - port: 7946
+ protocol: TCP
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: logging
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: loki-distributed
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: loki-distributed-egress-all
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-type: loki
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: loki-distributed
+ egress:
+ - {}
+---
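Review bot: The `egress` half of `loki-distributed-discovery` is redundant: `loki-distributed-egress-all` below selects the same pods (`app.kubernetes.io/name: loki-distributed`) and allows `- {}`, and NetworkPolicies are additive, so the 9095/3100/7946 egress restriction is never the effective rule. Either drop `Egress` from the discovery policy's `policyTypes` and keep the allow-all, or remove `loki-distributed-egress-all` and add the remaining required egress (object storage on 9000, the apiserver) explicitly so the scoped rule means something. Gossip on 7946 is only opened for TCP here; confirm the memberlist transport is TCP-only, otherwise ring discovery will fail quietly under `deny-all`.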
diff --git a/templates/distribution/manifests/logging/policies/minio.yaml.tpl b/templates/distribution/manifests/logging/policies/minio.yaml.tpl
new file mode 100644
index 000000000..09c6ffa34
--- /dev/null
+++ b/templates/distribution/manifests/logging/policies/minio.yaml.tpl
@@ -0,0 +1,178 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: minio-ingress-namespace
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-backend: minio
+spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ app: minio
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: logging
+ ports:
+ - port: 9000
+ protocol: TCP
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: logging
+ podSelector:
+ matchLabels:
+ app: minio
+ ports:
+ - port: 9000
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: minio-buckets-setup-egress-kube-apiserver
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-backend: minio
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app: minio-logging-buckets-setup
+ egress:
+ - ports:
+ - port: 6443
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: minio-buckets-setup-egress-minio
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-backend: minio
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app: minio-logging-buckets-setup
+ egress:
+ - ports:
+ - port: 9000
+ protocol: TCP
+ to:
+ - podSelector:
+ matchLabels:
+ app: minio
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: logging
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: minio-ingress-prometheus-metrics
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-backend: minio
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: minio
+ ingress:
+ - ports:
+ - port: 9000
+ protocol: TCP
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: minio-egress-https
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-backend: minio
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app: minio
+ egress:
+ - ports:
+ - port: 443
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: minio-ingress-nginx
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-backend: minio
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: minio
+ ingress:
+# single nginx, no sso
+{{ if and (eq .spec.distribution.modules.ingress.nginx.type "single") (ne .spec.distribution.modules.auth.provider.type "sso") }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ podSelector:
+ matchLabels:
+ app: ingress-nginx
+# dual nginx, no sso
+{{ else if and (eq .spec.distribution.modules.ingress.nginx.type "dual") (ne .spec.distribution.modules.auth.provider.type "sso") }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ podSelector:
+ matchLabels:
+ app: ingress
+# sso
+{{ else if (eq .spec.distribution.modules.auth.provider.type "sso") }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: pomerium
+ podSelector:
+ matchLabels:
+ app: pomerium
+{{ end }}
+ ports:
+ - port: 9001
+ protocol: TCP
+---
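Review bot: `minio-ingress-nginx` renders no `- from:` list item when `ingress.nginx.type` is `none` and the auth provider is not `sso` — none of the three branches matches, so the trailing `ports:` lands directly under `ingress:` as a mapping rather than a list entry and the API server will reject the policy; `none` is a legal value, since the monitoring policies kustomization in this same commit guards its `ingress.yaml` with `ne .spec.distribution.modules.ingress.nginx.type "none"`. The same unguarded three-way block is in `grafana-ingress-nginx` in monitoring/policies/grafana.yaml.tpl. Either wrap the whole policy in `{{ if ne .spec.distribution.modules.ingress.nginx.type "none" }} … {{ end }}` or exclude the file from the logging policies kustomization (not visible in this chunk) under that condition. Separately, `minio-buckets-setup-egress-kube-apiserver` pins the control plane to TCP 6443 with no destination selector; on EKS, which this distribution supports (see the `provider.type "eks"` check in the monitoring kustomization hunk), the API endpoint is served on 443, so depending on how the CNI evaluates the post-DNAT port the setup job may be blocked there — a comment stating the assumption, or a provider-conditional port, is worth adding. The monitoring copy of this file carries the same 6443 rule.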
diff --git a/templates/distribution/manifests/logging/policies/opensearch-dashboards.yaml.tpl b/templates/distribution/manifests/logging/policies/opensearch-dashboards.yaml.tpl
new file mode 100644
index 000000000..0b10c7bce
--- /dev/null
+++ b/templates/distribution/manifests/logging/policies/opensearch-dashboards.yaml.tpl
@@ -0,0 +1,94 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: opensearch-dashboards-egress-opensearch
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-type: opensearch
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app: opensearch-dashboards
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: logging
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: opensearch
+ ports:
+ - port: 9200
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: opensearch-dashboards-ingress-jobs
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-type: opensearch
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: opensearch-dashboards
+ release: opensearch-dashboards
+ ingress:
+ - from:
+ - podSelector:
+ matchExpressions:
+ - key: batch.kubernetes.io/job-name
+ operator: Exists
+ ports:
+ - port: 5601
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: opensearch-dashboards-ingress-nginx
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-type: opensearch
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: opensearch-dashboards
+ ingress:
+ - from:
+ - namespaceSelector:
+{{- if (eq .spec.distribution.modules.auth.provider.type "sso") }}
+ matchLabels:
+ kubernetes.io/metadata.name: pomerium
+{{ else }}
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if (eq .spec.distribution.modules.auth.provider.type "sso") }}
+ app: pomerium
+{{- else if eq .spec.distribution.modules.ingress.nginx.type "dual" }}
+ app: ingress
+{{- else if eq .spec.distribution.modules.ingress.nginx.type "single" }}
+ app: ingress-nginx
+{{- end }}
+ ports:
+ - port: 5601
+ protocol: TCP
+---
+
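Review bot: `opensearch-dashboards-ingress-jobs` admits sources solely by `batch.kubernetes.io/job-name Exists`, so every Job pod in the `logging` namespace — not only the dashboards setup job — can reach 5601; a dedicated label on the setup job (its `app` label, for instance) would scope this to the intended client, and the same selector is reused by `opensearch-ingress-jobs` and `jobs-egress-opensearch` in opensearch.yaml.tpl. Note also that the Job controller only sets `batch.kubernetes.io/job-name` on Kubernetes 1.27 and newer; older clusters carry just `job-name`, on which these policies match nothing. In `opensearch-dashboards-ingress-nginx` the `podSelector` branches cover `sso`, `dual` and `single` only, so for `nginx.type: none` without SSO the rendered `matchLabels:` is empty — an empty selector, which matches every pod in the `ingress-nginx` namespace, i.e. a fail-open default. Guarding the whole policy with `{{ if ne .spec.distribution.modules.ingress.nginx.type "none" }}` closes that case.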
diff --git a/templates/distribution/manifests/logging/policies/opensearch.yaml.tpl b/templates/distribution/manifests/logging/policies/opensearch.yaml.tpl
new file mode 100644
index 000000000..2ddcd18b2
--- /dev/null
+++ b/templates/distribution/manifests/logging/policies/opensearch.yaml.tpl
@@ -0,0 +1,177 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: opensearch-ingress-dashboards
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-type: opensearch
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: opensearch
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: logging
+ podSelector:
+ matchLabels:
+ app: opensearch-dashboards
+ ports:
+ - port: 9200
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: opensearch-ingress-fluentd
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-type: opensearch
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: opensearch
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: logging
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: fluentd
+ ports:
+ - port: 9200
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: opensearch-discovery
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-type: opensearch
+spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: opensearch
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: logging
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: opensearch
+ ports:
+ - port: 9300
+ protocol: TCP
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: logging
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: opensearch
+ ports:
+ - port: 9300
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: opensearch-ingress-prometheus-metrics
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-type: opensearch
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: opensearch
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 9108
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: opensearch-ingress-jobs
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-type: opensearch
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: opensearch
+ ingress:
+ - from:
+ - podSelector:
+ matchExpressions:
+ - key: batch.kubernetes.io/job-name
+ operator: Exists
+ ports:
+ - port: 9200
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: jobs-egress-opensearch
+ namespace: logging
+ labels:
+ cluster.kfd.sighup.io/module: logging
+ cluster.kfd.sighup.io/logging-type: opensearch
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchExpressions:
+ - key: batch.kubernetes.io/job-name
+ operator: Exists
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app: opensearch-dashboards
+ release: opensearch-dashboards
+ ports:
+ - port: 5601
+ protocol: TCP
+ - to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: opensearch
+ ports:
+ - port: 9200
+ protocol: TCP
+---
\ No newline at end of file
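Review bot: `jobs-egress-opensearch` declares `policyTypes: [Egress]` on a podSelector that matches every pod carrying a `batch.kubernetes.io/job-name` label, so any Job in the `logging` namespace that this commit did not have in mind (a Helm hook, a one-off maintenance job) becomes egress-isolated to OpenSearch, Dashboards and whatever the logging common policies (outside this chunk) allow — a silent side effect of selecting by a generic label. Narrowing the selector to the specific setup job's labels, as suggested for the dashboards file, removes both the over-broad grant and this collateral isolation. The file also ends without a trailing newline, unlike the other templates in the commit.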
diff --git a/templates/distribution/manifests/monitoring/kustomization.yaml.tpl b/templates/distribution/manifests/monitoring/kustomization.yaml.tpl
index 9297778b3..955daf763 100644
--- a/templates/distribution/manifests/monitoring/kustomization.yaml.tpl
+++ b/templates/distribution/manifests/monitoring/kustomization.yaml.tpl
@@ -54,6 +54,10 @@ resources:
- secrets/alertmanager.yml
{{- end }}
+{{ if eq .spec.distribution.common.networkPoliciesEnabled true }}
+ - policies
+{{- end }}
+
patchesStrategicMerge:
- patches/infra-nodes.yml
{{- if eq .spec.distribution.common.provider.type "eks" }}{{/* in EKS there are no files to monitor on nodes */}}
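Review bot: The new `{{ if eq .spec.distribution.common.networkPoliciesEnabled true }}` is the only opening action in this `resources:` list without the `{{-` trim, so the rendered file gains a blank line between `secrets/alertmanager.yml` and `policies`; `{{- if eq .spec.distribution.common.networkPoliciesEnabled true }}` matches the surrounding style. Kustomize tolerates the blank line, so this is cosmetic.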
diff --git a/templates/distribution/manifests/monitoring/policies/alertmanager.yaml.tpl b/templates/distribution/manifests/monitoring/policies/alertmanager.yaml.tpl
new file mode 100644
index 000000000..2ed8a7215
--- /dev/null
+++ b/templates/distribution/manifests/monitoring/policies/alertmanager.yaml.tpl
@@ -0,0 +1,44 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# source: https://github.com/prometheus-operator/kube-prometheus/blob/main/manifests/alertmanager-networkPolicy.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: alertmanager-main
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 9093
+ protocol: TCP
+ - port: 8080
+ protocol: TCP
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: alertmanager
+ ports:
+ - port: 9094
+ protocol: TCP
+ - port: 9094
+ protocol: UDP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: alert-router
+ app.kubernetes.io/instance: main
+ app.kubernetes.io/name: alertmanager
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
+
\ No newline at end of file
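Review bot: `egress: - {}` leaves Alertmanager with unrestricted egress and the file does not say why; since the manifest is copied from kube-prometheus this is presumably deliberate (receivers are arbitrary webhook, SMTP or paging endpoints), but a reader of a network-policy directory should not have to infer it, so add `# egress is unrestricted on purpose: Alertmanager must reach whatever receivers are configured (webhooks, SMTP, ...)` above the rule. The same open egress is carried over into blackbox-exporter, kube-state-metrics, node-exporter, prometheus-operator, prometheus-adapter, grafana and prometheus-k8s; for blackbox-exporter and Prometheus it is inherent (they probe and scrape arbitrary targets), but kube-state-metrics and prometheus-operator talk, as far as I know, only to the kube-apiserver, and the commit's own `minio-buckets-setup-egress-kube-apiserver` pattern (egress to the API port only) would fit them too. Whichever is kept, one why-comment per `- {}` makes the intentional holes auditable.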
diff --git a/templates/distribution/manifests/monitoring/policies/blackbox-exporter.yaml.tpl b/templates/distribution/manifests/monitoring/policies/blackbox-exporter.yaml.tpl
new file mode 100644
index 000000000..c8b4745c7
--- /dev/null
+++ b/templates/distribution/manifests/monitoring/policies/blackbox-exporter.yaml.tpl
@@ -0,0 +1,35 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# source: https://github.com/prometheus-operator/kube-prometheus/blob/main/manifests/blackboxExporter-networkPolicy.yaml
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: blackbox-exporter
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 9115
+ protocol: TCP
+ - port: 19115
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: blackbox-exporter
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
+
\ No newline at end of file
diff --git a/templates/distribution/manifests/monitoring/policies/common.yaml.tpl b/templates/distribution/manifests/monitoring/policies/common.yaml.tpl
new file mode 100644
index 000000000..9ca8ec757
--- /dev/null
+++ b/templates/distribution/manifests/monitoring/policies/common.yaml.tpl
@@ -0,0 +1,44 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: all-egress-kube-dns
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+spec:
+ podSelector:
+ matchLabels: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - protocol: UDP
+ port: 53
+ - protocol: TCP
+ port: 53
+
\ No newline at end of file
diff --git a/templates/distribution/manifests/monitoring/policies/grafana.yaml.tpl b/templates/distribution/manifests/monitoring/policies/grafana.yaml.tpl
new file mode 100644
index 000000000..95b548e7b
--- /dev/null
+++ b/templates/distribution/manifests/monitoring/policies/grafana.yaml.tpl
@@ -0,0 +1,82 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+{{- $monitoringType := .spec.distribution.modules.monitoring.type }}
+
+# source: https://github.com/prometheus-operator/kube-prometheus/blob/main/manifests/grafana-networkPolicy.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: grafana
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 3000
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: grafana
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: grafana-ingress-nginx
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: grafana
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Ingress
+ ingress:
+# single nginx, no sso
+{{if and (eq .spec.distribution.modules.ingress.nginx.type "single") (ne .spec.distribution.modules.auth.provider.type "sso") }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ podSelector:
+ matchLabels:
+ app: ingress-nginx
+# dual nginx, no sso
+{{ else if and (eq .spec.distribution.modules.ingress.nginx.type "dual") (ne .spec.distribution.modules.auth.provider.type "sso") }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ podSelector:
+ matchLabels:
+ app: ingress
+# sso
+{{ else if (eq .spec.distribution.modules.auth.provider.type "sso") }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: pomerium
+ podSelector:
+ matchLabels:
+ app: pomerium
+{{ end }}
+ ports:
+ - port: 3000
+ protocol: TCP
+---
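Review bot: `$monitoringType` is assigned on the first template line of grafana.yaml.tpl but never referenced anywhere in the file, so it is dead code — drop the line or use it; the same unused-looking assignment opens prometheus.yaml.tpl, whose body runs past this chunk. `{{if and (eq ...` on the single-nginx branch is missing the space after `{{` that every other action in this commit uses, and the same spacing appears twice in ingress.yaml.tpl; harmless to the parser but inconsistent. As in the logging minio file, `grafana-ingress-nginx` has no branch for `nginx.type: none` without SSO and would then render `ports:` as a mapping under `ingress:`, so the policy (or the file's inclusion) should be conditioned on the nginx type.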
diff --git a/templates/distribution/manifests/monitoring/policies/ingress.yaml.tpl b/templates/distribution/manifests/monitoring/policies/ingress.yaml.tpl
new file mode 100644
index 000000000..759609694
--- /dev/null
+++ b/templates/distribution/manifests/monitoring/policies/ingress.yaml.tpl
@@ -0,0 +1,103 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: prometheus-ingress-nginx
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: prometheus
+ app.kubernetes.io/instance: k8s
+ app.kubernetes.io/name: prometheus
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Ingress
+ ingress:
+# single nginx, no sso
+{{if and (eq .spec.distribution.modules.ingress.nginx.type "single") (ne .spec.distribution.modules.auth.provider.type "sso") }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ podSelector:
+ matchLabels:
+ app: ingress-nginx
+# dual nginx, no sso
+{{ else if and (eq .spec.distribution.modules.ingress.nginx.type "dual") (ne .spec.distribution.modules.auth.provider.type "sso") }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ podSelector:
+ matchLabels:
+ app: ingress
+# sso
+{{ else if (eq .spec.distribution.modules.auth.provider.type "sso") }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: pomerium
+ podSelector:
+ matchLabels:
+ app: pomerium
+{{ end }}
+ ports:
+ - port: 9090
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: alertmanager-ingress-nginx
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: alert-router
+ app.kubernetes.io/instance: main
+ app.kubernetes.io/name: alertmanager
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Ingress
+ ingress:
+# single nginx, no sso
+{{if and (eq .spec.distribution.modules.ingress.nginx.type "single") (ne .spec.distribution.modules.auth.provider.type "sso") }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ podSelector:
+ matchLabels:
+ app: ingress-nginx
+# dual nginx, no sso
+{{ else if and (eq .spec.distribution.modules.ingress.nginx.type "dual") (ne .spec.distribution.modules.auth.provider.type "sso") }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ podSelector:
+ matchLabels:
+ app: ingress
+# sso
+{{ else if (eq .spec.distribution.modules.auth.provider.type "sso") }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: pomerium
+ podSelector:
+ matchLabels:
+ app: pomerium
+{{ end }}
+ ports:
+ - port: 9093
+ protocol: TCP
+---
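Review bot: The three-branch `from:` block (single / dual / sso) is pasted verbatim twice in this file and again in grafana.yaml.tpl and logging/policies/minio.yaml.tpl, with a differently-shaped copy in opensearch-dashboards.yaml.tpl, so a change to the ingress-controller labels has to be made in five places and the copies are already diverging (`{{-` trimming and branch order differ in the dashboards variant). If the renderer supports Go template `define`/`template` across these files, one `{{ define "ingressSource" }}` partial holding the `- from:` list item would remove the drift; otherwise a comment naming the canonical copy is the minimum. Also, the non-SSO branches admit the ingress controller to the Prometheus (9090) and Alertmanager (9093) UIs, which ship without authentication by default, so in that configuration whatever the corresponding Ingress objects apply (not visible here) is the only access control — a one-line comment at the top of the file stating that would help operators reviewing the policy set.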
diff --git a/templates/distribution/manifests/monitoring/policies/kube-state-metrics.yaml.tpl b/templates/distribution/manifests/monitoring/policies/kube-state-metrics.yaml.tpl
new file mode 100644
index 000000000..0851cf907
--- /dev/null
+++ b/templates/distribution/manifests/monitoring/policies/kube-state-metrics.yaml.tpl
@@ -0,0 +1,34 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# source: https://github.com/prometheus-operator/kube-prometheus/blob/main/manifests/kubeStateMetrics-networkPolicy.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: kube-state-metrics
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 8443
+ protocol: TCP
+ - port: 9443
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
+
\ No newline at end of file
diff --git a/templates/distribution/manifests/monitoring/policies/kustomization.yaml.tpl b/templates/distribution/manifests/monitoring/policies/kustomization.yaml.tpl
new file mode 100644
index 000000000..0fa4c4391
--- /dev/null
+++ b/templates/distribution/manifests/monitoring/policies/kustomization.yaml.tpl
@@ -0,0 +1,33 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+{{- $monitoringType := .spec.distribution.modules.monitoring.type }}
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - common.yaml
+ - prometheus-operator.yaml
+ - kube-state-metrics.yaml
+ - node-exporter.yaml
+ - x509-exporter.yaml
+ - blackbox-exporter.yaml
+
+{{- if or (eq $monitoringType "prometheus") (eq $monitoringType "mimir") }}
+ - alertmanager.yaml
+ - prometheus-adapter.yaml
+ - grafana.yaml
+ - prometheus.yaml
+{{- end }}
+{{- if eq $monitoringType "mimir" }}
+ - mimir.yaml
+{{- if eq .spec.distribution.modules.monitoring.mimir.backend "minio" }}
+ - minio.yaml
+{{- end }}
+{{- end }}
+
+{{- if and (ne .spec.distribution.modules.ingress.nginx.type "none") }}{{/* we don't need ingresses for Prometheus in Agent mode */}}
+ - ingress.yaml
+{{- end }}
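Review bot: The guard on `ingress.yaml` is `{{- if and (ne ... "none") }}` — `and` with a single operand is a no-op, so `{{- if ne .spec.distribution.modules.ingress.nginx.type "none" }}` says the same thing; more importantly the trailing comment says the ingress policies are skipped "in Agent mode", but the condition only inspects the nginx type and never `$monitoringType`, so either the comment is stale or a second operand was dropped from the `and`. As written, ingress.yaml is also rendered when the monitoring type is neither `prometheus` nor `mimir`, where its selectors match no pods — harmless, but it suggests the intended condition mirrored the one already gating `prometheus.yaml` above, e.g. `and (ne .spec.distribution.modules.ingress.nginx.type "none") (or (eq $monitoringType "prometheus") (eq $monitoringType "mimir"))`.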
diff --git a/templates/distribution/manifests/monitoring/policies/mimir.yaml.tpl b/templates/distribution/manifests/monitoring/policies/mimir.yaml.tpl
new file mode 100644
index 000000000..77dd0149d
--- /dev/null
+++ b/templates/distribution/manifests/monitoring/policies/mimir.yaml.tpl
@@ -0,0 +1,191 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: mimir-distributed-ingress-prometheus-metrics
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+ cluster.kfd.sighup.io/monitoring-type: mimir
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: mimir
+ ingress:
+ - ports:
+ - port: 8080
+ protocol: TCP
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: mimir-distributed-discovery
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+ cluster.kfd.sighup.io/monitoring-type: mimir
+spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: mimir
+ ingress:
+ - ports:
+ - port: 9095
+ protocol: TCP
+ - port: 7946
+ protocol: TCP
+ - port: 8080
+ protocol: TCP
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: mimir
+ egress:
+ - ports:
+ - port: 9095
+ protocol: TCP
+ - port: 7946
+ protocol: TCP
+ - port: 8080
+ protocol: TCP
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: mimir
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: mimir-gateway-ingress-grafana
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+ cluster.kfd.sighup.io/monitoring-type: mimir
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: gateway
+ app.kubernetes.io/instance: mimir-distributed
+ app.kubernetes.io/name: mimir
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/component: grafana
+ ports:
+ - port: 8080
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: mimir-querier-egress-https
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+ cluster.kfd.sighup.io/monitoring-type: mimir
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: mimir-distributed
+ app.kubernetes.io/name: mimir
+ app.kubernetes.io/component: querier
+ egress:
+ - ports:
+ - port: 443
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: mimir-ingester-egress-https
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+ cluster.kfd.sighup.io/monitoring-type: mimir
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: mimir-distributed
+ app.kubernetes.io/name: mimir
+ app.kubernetes.io/component: ingester
+ egress:
+ - ports:
+ - port: 443
+ protocol: TCP
+{{- if eq .spec.distribution.modules.monitoring.mimir.backend "minio" }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: mimir-distributed-egress-minio
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+ cluster.kfd.sighup.io/monitoring-type: mimir
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: mimir
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app: minio
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ ports:
+ - port: 9000
+ protocol: TCP
+{{- else }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: mimir-distributed-egress-all
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+ cluster.kfd.sighup.io/monitoring-type: mimir
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: mimir
+ egress:
+ - {}
+{{- end }}
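Review bot: `mimir-querier-egress-https` and `mimir-ingester-egress-https` are unconditional, but in the `{{- else }}` branch `mimir-distributed-egress-all` already grants every Mimir pod unrestricted egress, so the two 443 rules only take effect with the `minio` backend — where they widen querier and ingester egress from MinIO:9000 to any destination on 443. If that is needed (some external endpoint those two components reach over TLS) a comment should say which; if not, both policies are leftovers and can be removed, since the non-minio case is covered by egress-all anyway. If they were meant for a remote S3 backend, note that compactor, store-gateway and ruler read object storage as well, so the pair would be incomplete in that reading too.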
diff --git a/templates/distribution/manifests/monitoring/policies/minio.yaml.tpl b/templates/distribution/manifests/monitoring/policies/minio.yaml.tpl
new file mode 100644
index 000000000..7fcce1a79
--- /dev/null
+++ b/templates/distribution/manifests/monitoring/policies/minio.yaml.tpl
@@ -0,0 +1,124 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: minio-ingress-namespace
+ namespace: monitoring
+ labels:
+ app: minio
+spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ app: minio
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ ports:
+ - port: 9000
+ protocol: TCP
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app: minio
+ ports:
+ - port: 9000
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: minio-buckets-setup-egress-kube-apiserver
+ namespace: monitoring
+ labels:
+ app: minio-monitoring-buckets-setup
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app: minio-monitoring-buckets-setup
+ egress:
+ - ports:
+ - port: 6443
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: minio-buckets-setup-egress-minio
+ namespace: monitoring
+ labels:
+ app: minio-monitoring-buckets-setup
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app: minio-monitoring-buckets-setup
+ egress:
+ - ports:
+ - port: 9000
+ protocol: TCP
+ to:
+ - podSelector:
+ matchLabels:
+ app: minio
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: minio-ingress-prometheus-metrics
+ namespace: monitoring
+ labels:
+ app: minio
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: minio
+ ingress:
+ - ports:
+ - port: 9000
+ protocol: TCP
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: minio-monitoring-egress-all
+ namespace: monitoring
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app: minio
+ egress:
+ - ports:
+ - port: 443
+ protocol: TCP
+---
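Review bot: The five policies in monitoring/policies/minio.yaml.tpl are the only ones in the monitoring directory not labelled `cluster.kfd.sighup.io/module: monitoring` (they carry `app: minio` / `app: minio-monitoring-buckets-setup` instead, and `minio-monitoring-egress-all` has no labels at all), whereas the logging copy of the same file labels every policy with `cluster.kfd.sighup.io/module: logging` plus a backend label; anything that lists or prunes policies by the module label will miss these. `minio-monitoring-egress-all` also permits only TCP 443, so its name promises more than it grants — `minio-egress-https`, the name the logging copy uses for the identical rule, is accurate. Suggested labels block for all five: `cluster.kfd.sighup.io/module: monitoring` and `cluster.kfd.sighup.io/monitoring-type: mimir`, matching mimir.yaml.tpl.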
diff --git a/templates/distribution/manifests/monitoring/policies/node-exporter.yaml.tpl b/templates/distribution/manifests/monitoring/policies/node-exporter.yaml.tpl
new file mode 100644
index 000000000..4b06c7ece
--- /dev/null
+++ b/templates/distribution/manifests/monitoring/policies/node-exporter.yaml.tpl
@@ -0,0 +1,32 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# source: https://github.com/prometheus-operator/kube-prometheus/blob/main/manifests/nodeExporter-networkPolicy.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: node-exporter
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 9100
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: node-exporter
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
+
\ No newline at end of file
diff --git a/templates/distribution/manifests/monitoring/policies/prometheus-adapter.yaml.tpl b/templates/distribution/manifests/monitoring/policies/prometheus-adapter.yaml.tpl
new file mode 100644
index 000000000..7f26d2dd5
--- /dev/null
+++ b/templates/distribution/manifests/monitoring/policies/prometheus-adapter.yaml.tpl
@@ -0,0 +1,50 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# source: https://github.com/prometheus-operator/kube-prometheus/blob/main/manifests/prometheusAdapter-networkPolicy.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: prometheus-adapter
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - {}
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: metrics-adapter
+ app.kubernetes.io/name: prometheus-adapter
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: prometheus-ingress-prometheus-adapter
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: metrics-adapter
+ app.kubernetes.io/name: prometheus-adapter
+ app.kubernetes.io/part-of: kube-prometheus
+ ports:
+ - port: 9090
+ protocol: TCP
+---
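Review bot: `prometheus-adapter` admits ingress from any source on any port (`ingress: - {}`), which is wider than anything else in this directory and carries no explanation; the upstream reason is that the kube-apiserver — not a pod, so not selectable — calls the adapter through the API aggregation layer, and that belongs in the file as `# ingress is open on purpose: the kube-apiserver reaches the adapter via the aggregation layer and cannot be matched by a podSelector`. The rule can still be narrowed by port: restricting it to the adapter's secure serving port (6443 in kube-prometheus — verify against the deployed `--secure-port`) keeps the apiserver path working while closing everything else. `egress: - {}` here is likewise broader than the adapter's needs (kube-apiserver plus Prometheus on 9090, the latter being the only thing `prometheus-ingress-prometheus-adapter` admits on the receiving side).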
diff --git a/templates/distribution/manifests/monitoring/policies/prometheus-operator.yaml.tpl b/templates/distribution/manifests/monitoring/policies/prometheus-operator.yaml.tpl
new file mode 100644
index 000000000..d33974f30
--- /dev/null
+++ b/templates/distribution/manifests/monitoring/policies/prometheus-operator.yaml.tpl
@@ -0,0 +1,32 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# source: https://github.com/prometheus-operator/kube-prometheus/blob/main/manifests/prometheusOperator-networkPolicy.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: prometheus-operator
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 8443
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/name: prometheus-operator
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
+
\ No newline at end of file
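Review bot: `egress: - {}` on the `prometheus-operator` policy leaves the operator with unrestricted egress, while every other apiserver client in this change (gatekeeper audit and controller-manager, the kyverno controllers, x509-exporter) is limited to a port-only rule on TCP 6443 plus DNS. Unless the operator needs other destinations, replacing the open rule with `- ports: [{port: 6443, protocol: TCP}]` would bring it in line with the rest of the series. If leaving it open is intentional, say why in a comment above `egress:` (e.g. `# egress left open on purpose: <reason>`) so the next reviewer does not tighten it blindly.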
diff --git a/templates/distribution/manifests/monitoring/policies/prometheus.yaml.tpl b/templates/distribution/manifests/monitoring/policies/prometheus.yaml.tpl
new file mode 100644
index 000000000..9d5fee209
--- /dev/null
+++ b/templates/distribution/manifests/monitoring/policies/prometheus.yaml.tpl
@@ -0,0 +1,166 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+{{- $monitoringType := .spec.distribution.modules.monitoring.type }}
+
+# source: https://github.com/prometheus-operator/kube-prometheus/blob/main/manifests/prometheus-networkPolicy.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: prometheus-k8s
+ namespace: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 9090
+ protocol: TCP
+ - port: 8080
+ protocol: TCP
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus-adapter
+ ports:
+ - port: 9090
+ protocol: TCP
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: grafana
+ ports:
+ - port: 9090
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: prometheus
+ app.kubernetes.io/instance: k8s
+ app.kubernetes.io/name: prometheus
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: prometheus-egress-minio
+ namespace: monitoring
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app: minio
+ ports:
+ - port: 9000
+ protocol: TCP
+---
+{{- if eq $monitoringType "mimir" }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: prometheus-egress-mimir
+ namespace: monitoring
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ app.kubernetes.io/instance: k8s
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: gateway
+ app.kubernetes.io/name: mimir
+ app.kubernetes.io/instance: mimir-distributed
+ ports:
+ - port: 8080
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: prometheus-egress-kube-apiserver
+ namespace: monitoring
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ egress:
+ - ports:
+ - port: 6443
+ protocol: TCP
+ - port: 8405
+ protocol: TCP
+---
+{{- if eq .spec.distribution.modules.monitoring.mimir.backend "minio" }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: prometheus-egress-miniologging
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: logging
+ podSelector:
+ matchLabels:
+ app: minio
+ ports:
+ - port: 9000
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: prometheus-egress-minio-monitoring
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ app.kubernetes.io/instance: k8s
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app: minio
+ ports:
+ - port: 9000
+ protocol: TCP
+---
+{{- end }}
+{{- end }}
+
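Review bot: The `prometheus-k8s`, `prometheus-egress-minio`, `prometheus-egress-mimir` and `prometheus-egress-kube-apiserver` policies carry no `cluster.kfd.sighup.io/module: monitoring` label, unlike `prometheus-egress-miniologging` and `prometheus-egress-minio-monitoring` further down the same file and every other policy in this change. The pre-apply script removes KFD policies with `-l cluster.kfd.sighup.io/module` when `networkPoliciesEnabled` is switched off, so these four would survive and Prometheus would stay under its ingress allow-list after policies are supposedly disabled. Add `labels:` / `cluster.kfd.sighup.io/module: monitoring` under each `metadata:`. Separately, `prometheus-egress-kube-apiserver` sits inside the `{{- if eq $monitoringType "mimir" }}` block and is therefore only rendered for the mimir type; this is masked today because `prometheus-k8s` already has `egress: - {}`, but the nesting looks unintended and should move above the `if` before the open egress is ever tightened.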
diff --git a/templates/distribution/manifests/monitoring/policies/x509-exporter.yaml.tpl b/templates/distribution/manifests/monitoring/policies/x509-exporter.yaml.tpl
new file mode 100644
index 000000000..a89c3f207
--- /dev/null
+++ b/templates/distribution/manifests/monitoring/policies/x509-exporter.yaml.tpl
@@ -0,0 +1,45 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: x509-exporter-egress-kube-apiserver
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app: x509-certificate-exporter
+ egress:
+ - ports:
+ - port: 6443
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: x509-exporter-ingress-prometheus-metrics
+ namespace: monitoring
+ labels:
+ cluster.kfd.sighup.io/module: monitoring
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: x509-certificate-exporter
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 9793
+ protocol: TCP
+
\ No newline at end of file
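Review bot: The `x509-exporter-egress-kube-apiserver` rule has `ports` but no `to`, so it permits TCP 6443 to any destination, not only the API server; every apiserver rule in this change has the same shape. That is the usual workaround because the apiserver is not a pod and cannot be label-selected, but the intent should be written down, and the port is cluster-specific (managed control planes commonly expose the API on 443 rather than 6443, so verify for every cluster kind this distribution targets). Suggest a comment above `egress:` such as `# apiserver is not selectable by pod/namespace labels: port-only rule, destination unrestricted`, and deriving the port from cluster configuration instead of hard-coding 6443 if the templating allows it.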
diff --git a/templates/distribution/manifests/opa/kustomization.yaml.tpl b/templates/distribution/manifests/opa/kustomization.yaml.tpl
index 6b6672a33..b31532d5b 100644
--- a/templates/distribution/manifests/opa/kustomization.yaml.tpl
+++ b/templates/distribution/manifests/opa/kustomization.yaml.tpl
@@ -27,6 +27,10 @@ resources:
{{- end }}
{{- end }}
+{{ if eq .spec.distribution.common.networkPoliciesEnabled true }}
+ - policies
+{{- end }}
+
patchesStrategicMerge:
- patches/infra-nodes.yml
{{- if .spec.distribution.modules.policy.kyverno.additionalExcludedNamespaces }}
diff --git a/templates/distribution/manifests/opa/policies/gatekeeper/audit.yaml.tpl b/templates/distribution/manifests/opa/policies/gatekeeper/audit.yaml.tpl
new file mode 100644
index 000000000..10f8a1e52
--- /dev/null
+++ b/templates/distribution/manifests/opa/policies/gatekeeper/audit.yaml.tpl
@@ -0,0 +1,22 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: audit-controller-egress-kube-apiserver
+ namespace: gatekeeper-system
+ labels:
+ cluster.kfd.sighup.io/module: opa
+ cluster.kfd.sighup.io/policy-type: gatekeeper
+spec:
+ podSelector:
+ matchLabels:
+ control-plane: audit-controller
+ policyTypes:
+ - Egress
+ egress:
+ - ports:
+ - port: 6443
+ protocol: TCP
diff --git a/templates/distribution/manifests/opa/policies/gatekeeper/common.yaml.tpl b/templates/distribution/manifests/opa/policies/gatekeeper/common.yaml.tpl
new file mode 100644
index 000000000..ad51c243a
--- /dev/null
+++ b/templates/distribution/manifests/opa/policies/gatekeeper/common.yaml.tpl
@@ -0,0 +1,43 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all
+ namespace: gatekeeper-system
+ labels:
+ cluster.kfd.sighup.io/module: opa
+ cluster.kfd.sighup.io/policy-type: gatekeeper
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: all-egress-dns
+ namespace: gatekeeper-system
+ labels:
+ cluster.kfd.sighup.io/module: opa
+ cluster.kfd.sighup.io/policy-type: gatekeeper
+spec:
+ podSelector:
+ matchLabels: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - protocol: UDP
+ port: 53
\ No newline at end of file
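Review bot: `all-egress-dns` allows only UDP 53 to kube-dns; a reply that does not fit in UDP (truncated responses, larger SRV/TXT records) makes the resolver retry over TCP, and that retry is silently dropped by `deny-all`, which shows up as intermittent resolution failures that are painful to trace back to a NetworkPolicy. Add a second entry under `ports:`, `- protocol: TCP` / `port: 53`, next to the UDP one. The identical policies for the kyverno and tracing namespaces in this change need the same fix.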
diff --git a/templates/distribution/manifests/opa/policies/gatekeeper/controller-manager.yaml.tpl b/templates/distribution/manifests/opa/policies/gatekeeper/controller-manager.yaml.tpl
new file mode 100644
index 000000000..75fed7196
--- /dev/null
+++ b/templates/distribution/manifests/opa/policies/gatekeeper/controller-manager.yaml.tpl
@@ -0,0 +1,43 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: controller-manager-egress-kube-apiserver
+ namespace: gatekeeper-system
+ labels:
+ cluster.kfd.sighup.io/module: opa
+ cluster.kfd.sighup.io/policy-type: gatekeeper
+spec:
+ podSelector:
+ matchLabels:
+ control-plane: controller-manager
+ policyTypes:
+ - Egress
+ egress:
+ - ports:
+ - port: 6443
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: controller-manager-ingress-kube-apiserver
+ namespace: gatekeeper-system
+ labels:
+ cluster.kfd.sighup.io/module: opa
+ cluster.kfd.sighup.io/policy-type: gatekeeper
+spec:
+ podSelector:
+ matchLabels:
+ control-plane: controller-manager
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 8443
+ - protocol: TCP
+ port: 443
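Review bot: In `controller-manager-ingress-kube-apiserver` the `port: 443` entry most likely matches nothing: NetworkPolicy ports refer to the container port, not the Service port, and the gatekeeper webhook container is normally reached on 8443 with the Service mapping 443 to it (confirm against the vendored deployment). If the container does not also listen on 443, drop the entry; if it does, say so in a comment. The rule also has no `from`, so any pod cluster-wide can reach the webhook port; that is acceptable because the apiserver cannot be label-selected, but a one-line comment such as `# no 'from': the apiserver is not a pod, so the webhook port is open to all sources` keeps someone from "fixing" it later.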
diff --git a/templates/distribution/manifests/opa/policies/gatekeeper/gatekeeper-policy-manager.yaml.tpl b/templates/distribution/manifests/opa/policies/gatekeeper/gatekeeper-policy-manager.yaml.tpl
new file mode 100644
index 000000000..84557ba3e
--- /dev/null
+++ b/templates/distribution/manifests/opa/policies/gatekeeper/gatekeeper-policy-manager.yaml.tpl
@@ -0,0 +1,48 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: gpm-egress-kube-apiserver
+ namespace: gatekeeper-system
+ labels:
+ cluster.kfd.sighup.io/module: opa
+ cluster.kfd.sighup.io/policy-type: gatekeeper
+spec:
+ podSelector:
+ matchLabels:
+ app: gatekeeper-policy-manager
+ policyTypes:
+ - Egress
+ egress:
+ - ports:
+ - port: 6443
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: gpm-ingress-pomerium
+ namespace: gatekeeper-system
+ labels:
+ cluster.kfd.sighup.io/module: opa
+ cluster.kfd.sighup.io/policy-type: gatekeeper
+spec:
+ podSelector:
+ matchLabels:
+ app: gatekeeper-policy-manager
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: pomerium
+ podSelector:
+ matchLabels:
+ app: pomerium
+ ports:
+ - protocol: TCP
+ port: 8080
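Review bot: `gpm-ingress-pomerium` only admits traffic from the `pomerium` namespace, so if the Gatekeeper Policy Manager UI is also exposed through ingress-nginx when `auth.provider.type` is not `sso`, it becomes unreachable once `deny-all` lands. The `minio-ingress-pomerium` policy in `tracing/policies/minio.yaml.tpl` handles exactly this with a `single`/`dual`/`sso` conditional on the `from` block, and the same conditional would keep GPM consistent. I cannot see from this diff how GPM is exposed in the non-SSO case, so confirm before adopting it; if GPM is SSO-only by design, a comment above `ingress:` stating that is enough.
```yaml
# … unchanged: metadata, podSelector, policyTypes …
  ingress:
{{ if and (eq .spec.distribution.modules.ingress.nginx.type "single") (ne .spec.distribution.modules.auth.provider.type "sso") }}
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
          podSelector:
            matchLabels:
              app: ingress-nginx
{{ else if and (eq .spec.distribution.modules.ingress.nginx.type "dual") (ne .spec.distribution.modules.auth.provider.type "sso") }}
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
          podSelector:
            matchLabels:
              app: ingress
{{ else if (eq .spec.distribution.modules.auth.provider.type "sso") }}
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: pomerium
          podSelector:
            matchLabels:
              app: pomerium
{{ end }}
      ports:
        - protocol: TCP
          port: 8080
```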
diff --git a/templates/distribution/manifests/opa/policies/gatekeeper/kustomization.yaml.tpl b/templates/distribution/manifests/opa/policies/gatekeeper/kustomization.yaml.tpl
new file mode 100644
index 000000000..79f5cfce0
--- /dev/null
+++ b/templates/distribution/manifests/opa/policies/gatekeeper/kustomization.yaml.tpl
@@ -0,0 +1,15 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - common.yaml
+ - audit.yaml
+ - controller-manager.yaml
+ - gatekeeper-policy-manager.yaml
+ - prometheus-metrics.yaml
+
diff --git a/templates/distribution/manifests/opa/policies/gatekeeper/prometheus-metrics.yaml.tpl b/templates/distribution/manifests/opa/policies/gatekeeper/prometheus-metrics.yaml.tpl
new file mode 100644
index 000000000..44cd7a68b
--- /dev/null
+++ b/templates/distribution/manifests/opa/policies/gatekeeper/prometheus-metrics.yaml.tpl
@@ -0,0 +1,29 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: gatekeeper-ingress-prometheus-metrics
+ namespace: gatekeeper-system
+ labels:
+ cluster.kfd.sighup.io/module: opa
+ cluster.kfd.sighup.io/policy-type: gatekeeper
+spec:
+ podSelector:
+ matchLabels:
+ gatekeeper.sh/system: "yes"
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - protocol: TCP
+ port: 8888
diff --git a/templates/distribution/manifests/opa/policies/kustomization.yaml.tpl b/templates/distribution/manifests/opa/policies/kustomization.yaml.tpl
new file mode 100644
index 000000000..aed10dc32
--- /dev/null
+++ b/templates/distribution/manifests/opa/policies/kustomization.yaml.tpl
@@ -0,0 +1,16 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+{{- if eq .spec.distribution.modules.policy.type "gatekeeper" }}
+ - gatekeeper
+{{- end }}
+{{- if eq .spec.distribution.modules.policy.type "kyverno" }}
+ - kyverno
+{{- end }}
+
diff --git a/templates/distribution/manifests/opa/policies/kyverno/common.yaml.tpl b/templates/distribution/manifests/opa/policies/kyverno/common.yaml.tpl
new file mode 100644
index 000000000..ccb1424a9
--- /dev/null
+++ b/templates/distribution/manifests/opa/policies/kyverno/common.yaml.tpl
@@ -0,0 +1,42 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all
+ namespace: kyverno
+ labels:
+ cluster.kfd.sighup.io/module: opa
+ cluster.kfd.sighup.io/policy-type: kyverno
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: all-egress-dns
+ namespace: kyverno
+ labels:
+ cluster.kfd.sighup.io/module: opa
+ cluster.kfd.sighup.io/policy-type: kyverno
+spec:
+ podSelector:
+ matchLabels: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - protocol: UDP
+ port: 53
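Review bot: `all-egress-dns` in the kyverno namespace permits UDP 53 only, so any lookup that falls back to TCP (truncated UDP reply, large record sets) is dropped by `deny-all`; for an admission webhook that resolves the apiserver and its own services, that surfaces as sporadic webhook timeouts. Add `- protocol: TCP` / `port: 53` as a second entry under `ports:`.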
diff --git a/templates/distribution/manifests/opa/policies/kyverno/kustomization.yaml.tpl b/templates/distribution/manifests/opa/policies/kyverno/kustomization.yaml.tpl
new file mode 100644
index 000000000..77a88b0bb
--- /dev/null
+++ b/templates/distribution/manifests/opa/policies/kyverno/kustomization.yaml.tpl
@@ -0,0 +1,11 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - common.yaml
+ - kyverno.yaml
diff --git a/templates/distribution/manifests/opa/policies/kyverno/kyverno.yaml.tpl b/templates/distribution/manifests/opa/policies/kyverno/kyverno.yaml.tpl
new file mode 100644
index 000000000..ff8c06b24
--- /dev/null
+++ b/templates/distribution/manifests/opa/policies/kyverno/kyverno.yaml.tpl
@@ -0,0 +1,117 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: kyverno-admission-egress-kube-apiserver
+ namespace: kyverno
+ labels:
+ cluster.kfd.sighup.io/module: opa
+ cluster.kfd.sighup.io/policy-type: kyverno
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: admission-controller
+ policyTypes:
+ - Egress
+ egress:
+ - ports:
+ - protocol: TCP
+ port: 6443
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: kyverno-admission-ingress-nodes
+ namespace: kyverno
+ labels:
+ cluster.kfd.sighup.io/module: opa
+ cluster.kfd.sighup.io/policy-type: kyverno
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: admission-controller
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 9443
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: kyverno-background-egress-kube-apiserver
+ namespace: kyverno
+ labels:
+ cluster.kfd.sighup.io/module: opa
+ cluster.kfd.sighup.io/policy-type: kyverno
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: background-controller
+ policyTypes:
+ - Egress
+ egress:
+ - ports:
+ - protocol: TCP
+ port: 6443
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: kyverno-reports-egress-kube-apiserver
+ namespace: kyverno
+ labels:
+ cluster.kfd.sighup.io/module: opa
+ cluster.kfd.sighup.io/policy-type: kyverno
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: reports-controller
+ policyTypes:
+ - Egress
+ egress:
+ - ports:
+ - protocol: TCP
+ port: 6443
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: kyverno-cleanup-egress-kube-apiserver
+ namespace: kyverno
+ labels:
+ cluster.kfd.sighup.io/module: opa
+ cluster.kfd.sighup.io/policy-type: kyverno
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: cleanup-controller
+ policyTypes:
+ - Egress
+ egress:
+ - ports:
+ - protocol: TCP
+ port: 6443
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: kyverno-cleanup-reports-egress-kube-apiserver
+ namespace: kyverno
+ labels:
+ cluster.kfd.sighup.io/module: opa
+ cluster.kfd.sighup.io/policy-type: kyverno
+spec:
+ podSelector:
+ matchExpressions:
+ - { key: "batch.kubernetes.io/job-name", operator: "Exists" }
+ policyTypes:
+ - Egress
+ egress:
+ - ports:
+ - protocol: TCP
+ port: 6443
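Review bot: `kyverno-cleanup-reports-egress-kube-apiserver` selects every pod carrying a `batch.kubernetes.io/job-name` label, i.e. all Job pods in the `kyverno` namespace, which is broader than its name suggests: any other Job scheduled there silently inherits apiserver egress. Narrow it with a label the cleanup CronJob pods actually carry (the vendored manifests are not visible here, so confirm the label), and note that `batch.kubernetes.io/job-name` is only set by the Job controller on newer Kubernetes releases, so on older clusters this selector matches nothing and the cleanup jobs fail. Also, unlike gatekeeper (`prometheus-metrics.yaml.tpl`), nothing here admits Prometheus to Kyverno's metrics port; if Kyverno monitoring is enabled in this distribution, those scrapes will be dropped by `deny-all`.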
diff --git a/templates/distribution/manifests/tracing/kustomization.yaml.tpl b/templates/distribution/manifests/tracing/kustomization.yaml.tpl
index bf54f6130..aab87047e 100644
--- a/templates/distribution/manifests/tracing/kustomization.yaml.tpl
+++ b/templates/distribution/manifests/tracing/kustomization.yaml.tpl
@@ -17,6 +17,10 @@ resources:
{{- end }}
{{- end }}
+{{ if eq .spec.distribution.common.networkPoliciesEnabled true }}
+ - policies
+{{- end }}
+
patchesStrategicMerge:
- patches/infra-nodes.yml
{{- if eq .spec.distribution.modules.tracing.tempo.backend "minio" }}
diff --git a/templates/distribution/manifests/tracing/policies/common.yaml.tpl b/templates/distribution/manifests/tracing/policies/common.yaml.tpl
new file mode 100644
index 000000000..6727129eb
--- /dev/null
+++ b/templates/distribution/manifests/tracing/policies/common.yaml.tpl
@@ -0,0 +1,42 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: all-egress-kube-dns
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+spec:
+ podSelector:
+ matchLabels: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - protocol: UDP
+ port: 53
+
\ No newline at end of file
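Review bot: `all-egress-kube-dns` allows UDP 53 only; Tempo components and MinIO resolve S3 and peer endpoints, and a reply that overflows UDP is retried over TCP, which `deny-all` then drops. Add a second entry under `ports:`, `- protocol: TCP` / `port: 53`, next to the UDP one, as for the other namespaces in this change.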
diff --git a/templates/distribution/manifests/tracing/policies/kustomization.yaml.tpl b/templates/distribution/manifests/tracing/policies/kustomization.yaml.tpl
new file mode 100644
index 000000000..96e0dff5c
--- /dev/null
+++ b/templates/distribution/manifests/tracing/policies/kustomization.yaml.tpl
@@ -0,0 +1,14 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - common.yaml
+ - tempo.yaml
+{{- if eq .spec.distribution.modules.tracing.tempo.backend "minio" }}
+ - minio.yaml
+{{- end }}
diff --git a/templates/distribution/manifests/tracing/policies/minio.yaml.tpl b/templates/distribution/manifests/tracing/policies/minio.yaml.tpl
new file mode 100644
index 000000000..9e4244d78
--- /dev/null
+++ b/templates/distribution/manifests/tracing/policies/minio.yaml.tpl
@@ -0,0 +1,177 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: minio-ingress-namespace
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+ cluster.kfd.sighup.io/tracing-backend: minio
+spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ app: minio
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: tracing
+ ports:
+ - port: 9000
+ protocol: TCP
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: tracing
+ podSelector:
+ matchLabels:
+ app: minio
+ ports:
+ - port: 9000
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: minio-buckets-setup-egress-kube-apiserver
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+ cluster.kfd.sighup.io/tracing-backend: minio
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app: minio-tracing-buckets-setup
+ egress:
+ - ports:
+ - port: 6443
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: minio-buckets-setup-egress-minio
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+ cluster.kfd.sighup.io/tracing-backend: minio
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app: minio-tracing-buckets-setup
+ egress:
+ - ports:
+ - port: 9000
+ protocol: TCP
+ to:
+ - podSelector:
+ matchLabels:
+ app: minio
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: tracing
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: minio-ingress-prometheus-metrics
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+ cluster.kfd.sighup.io/tracing-backend: minio
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: minio
+ ingress:
+ - ports:
+ - port: 9000
+ protocol: TCP
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: minio-ingress-pomerium
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+ cluster.kfd.sighup.io/tracing-backend: minio
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: minio
+ ingress:
+# single nginx, no sso
+{{if and (eq .spec.distribution.modules.ingress.nginx.type "single") (ne .spec.distribution.modules.auth.provider.type "sso") }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ podSelector:
+ matchLabels:
+ app: ingress-nginx
+# dual nginx, no sso
+{{ else if and (eq .spec.distribution.modules.ingress.nginx.type "dual") (ne .spec.distribution.modules.auth.provider.type "sso") }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+ podSelector:
+ matchLabels:
+ app: ingress
+# sso
+{{ else if (eq .spec.distribution.modules.auth.provider.type "sso") }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: pomerium
+ podSelector:
+ matchLabels:
+ app: pomerium
+{{ end }}
+ ports:
+ - port: 9001
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: minio-egress-https
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+ cluster.kfd.sighup.io/tracing-backend: minio
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app: minio
+ egress:
+ - ports:
+ - port: 443
+ protocol: TCP
+---
\ No newline at end of file
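Review bot: In `minio-ingress-pomerium` the three-way template on the `from` block has no fallback: if `ingress.nginx.type` is neither `single` nor `dual` while `auth.provider.type` is not `sso`, nothing is emitted between `ingress:` and the more-indented `ports:` key, so `ingress` renders as a mapping instead of a list and the manifest is rejected at apply time. Whether that combination is reachable depends on the schema (a `none` ingress type, for instance), which I cannot see here; if it is, wrap the whole policy in a guard such as `{{- if or (ne .spec.distribution.modules.ingress.nginx.type "none") (eq .spec.distribution.modules.auth.provider.type "sso") }}` so it is omitted entirely rather than half-rendered. The name also says `pomerium` while two of the three branches admit ingress-nginx; `minio-console-ingress` would describe all three.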
diff --git a/templates/distribution/manifests/tracing/policies/tempo.yaml.tpl b/templates/distribution/manifests/tracing/policies/tempo.yaml.tpl
new file mode 100644
index 000000000..09528ec3d
--- /dev/null
+++ b/templates/distribution/manifests/tracing/policies/tempo.yaml.tpl
@@ -0,0 +1,255 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: tempo-distributed-discovery
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: tempo
+ ingress:
+ - ports:
+ - port: 9095
+ protocol: TCP
+ - port: 7946
+ protocol: TCP
+ - port: 3100
+ protocol: TCP
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: tracing
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: tempo
+ egress:
+ - ports:
+ - port: 9095
+ protocol: TCP
+ - port: 7946
+ protocol: TCP
+ - port: 3100
+ protocol: TCP
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: tracing
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: tempo
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: tempo-gateway-ingress-grafana
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: gateway
+ app.kubernetes.io/name: tempo
+ app.kubernetes.io/instance: tempo-distributed
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: grafana
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/part-of: kube-prometheus
+ ports:
+ - port: 8080
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: all-egress-tempo-distributor
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+spec:
+ policyTypes:
+ - Egress
+ podSelector: {}
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: tempo
+ app.kubernetes.io/component: distributor
+ ports:
+ - port: 4317
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: tempo-distributor-ingress-traces
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: tempo
+ app.kubernetes.io/component: distributor
+ ingress:
+ - ports:
+ - port: 4317
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: tempo-components-egress-memcached
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: tempo-distributed
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: tempo
+ app.kubernetes.io/component: memcached
+ ports:
+ - port: 11211
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: memcached-ingress-querier
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: tempo
+ app.kubernetes.io/component: memcached
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: tempo
+ app.kubernetes.io/component: querier
+ ports:
+ - port: 11211
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: tempo-distributed-ingress-prometheus-metrics
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: tempo
+ ingress:
+ - ports:
+ - port: 3100
+ protocol: TCP
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: tempo-components-egress-https
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: tempo
+ app.kubernetes.io/instance: tempo-distributed
+ egress:
+ - ports:
+ - port: 443
+ protocol: TCP
+{{- if eq .spec.distribution.modules.tracing.tempo.backend "minio" }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: tempo-distributed-egress-minio
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+ cluster.kfd.sighup.io/tracing-backend: minio
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: tempo
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app: minio
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: tracing
+ ports:
+ - port: 9000
+ protocol: TCP
+{{- else }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: tempo-distributed-egress-all
+ namespace: tracing
+ labels:
+ cluster.kfd.sighup.io/module: tracing
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: tempo
+ egress:
+ - {}
+{{- end }}
+---
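Review bot: `tempo-distributed-egress-all`, the non-minio branch at the end, gives every Tempo pod unrestricted egress while the minio branch limits it to minio:9000 and `tempo-components-egress-https` just above already grants TCP 443 to any destination; if the external object store is reached over HTTPS the open policy is redundant and makes `deny-all` meaningless for Tempo, and if a non-443 endpoint is the reason, a `ports:` entry for that port would be tighter. `memcached-ingress-querier` admits only the querier, yet `tempo-components-egress-memcached` lets every `tempo-distributed` component out to memcached, so one of the two sides is wrong; confirm which components actually use the cache. `tempo-distributor-ingress-traces` has no `from`, so any pod cluster-wide may push on 4317; that is presumably intended for application namespaces and deserves a comment such as `# open on purpose: traces are pushed from any namespace`.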
diff --git a/templates/distribution/scripts/pre-apply.sh.tpl b/templates/distribution/scripts/pre-apply.sh.tpl
index 3971a88f5..6b41a562a 100644
--- a/templates/distribution/scripts/pre-apply.sh.tpl
+++ b/templates/distribution/scripts/pre-apply.sh.tpl
@@ -17,6 +17,21 @@ vendorPath="{{ .paths.vendorPath }}"
# Text generated with: https://www.patorjk.com/software/taag/#p=display&f=ANSI%20Regular&t=TRACING%20TYPE
+# ███ ██ ███████ ████████ ██ ██ ██████ ██████ ██ ██ ██████ ██████ ██ ██ ██████ ██ ███████ ███████
+# ████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
+# ██ ██ ██ █████ ██ ██ █ ██ ██ ██ ██████ █████ ██████ ██ ██ ██ ██ ██ ██ █████ ███████
+# ██ ██ ██ ██ ██ ██ ███ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
+# ██ ████ ███████ ██ ███ ███ ██████ ██ ██ ██ ██ ██ ██████ ███████ ██ ██████ ██ ███████ ███████
+
+{{- if index .reducers "distributionCommonNetworkPoliciesEnabled" }}
+
+{{- if eq .reducers.distributionCommonNetworkPoliciesEnabled.to false }}
+ $kubectlbin delete --ignore-not-found --wait --timeout=180s networkpolicies -A -l cluster.kfd.sighup.io/module
+ echo "KFD Network Policies deleted"
+{{- end }}
+
+{{- end }}
+
# ██ ██████ ██████ ██████ ██ ███ ██ ██████ ████████ ██ ██ ██████ ███████
# ██ ██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ██
# ██ ██ ██ ██ ███ ██ ███ ██ ██ ██ ██ ██ ███ ██ ████ ██████ █████
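Review bot: The disable path `$kubectlbin delete ... networkpolicies -A -l cluster.kfd.sighup.io/module` only removes policies that carry the module label, so the cleanup is exactly as complete as the labelling discipline; in this same change `prometheus-k8s`, `prometheus-egress-minio`, `prometheus-egress-mimir` and `prometheus-egress-kube-apiserver` in `monitoring/policies/prometheus.yaml.tpl` omit the label and would survive, leaving Prometheus restricted by its ingress allow-list after policies are supposedly off. Either label them or stop depending on per-file discipline for the selector. A comment above the delete such as `# every KFD-managed NetworkPolicy must carry cluster.kfd.sighup.io/module, otherwise it is orphaned here` makes the contract explicit for future policy files.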
@@ -42,6 +57,7 @@ deleteOpensearch() {
$kubectlbin delete --ignore-not-found --wait --timeout=180s -f delete-opensearch.yaml
$kubectlbin delete --ignore-not-found -l app.kubernetes.io/name=opensearch pvc -n logging --wait --timeout=180s
$kubectlbin delete --ignore-not-found --wait --timeout=180s -f delete-opensearch-dashboards.yaml
+ $kubectlbin delete --ignore-not-found --wait --timeout=180s networkpolicies -A -l cluster.kfd.sighup.io/logging-type=opensearch
echo "OpenSearch resources deleted"
}
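Review bot: The new `networkpolicies -A -l cluster.kfd.sighup.io/logging-type=opensearch` line carries no comment explaining why a per-backend cleanup is needed when the block near the top of the file already removes all labelled policies; presumably that block only fires when the feature is disabled while this handles a backend switch with the feature still on, so a comment such as `# Drop the policies rendered for the OpenSearch backend; the global cleanup only runs when KFD network policies are turned off` would help. The same applies to the deleteLoki hunk and the Minio logging hunk that follow. The `-A` scope also relies on the label alone and is wider than the `-n logging` scope of the pvc delete two lines above; if these policies only live in the logging namespace, narrowing it would limit the blast radius of a mislabelled object. deleteOpensearch starts outside the hunk.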
@@ -58,6 +74,7 @@ deleteLoki() {
$kubectlbin delete --ignore-not-found --wait --timeout=180s -f delete-loki.yaml
$kubectlbin delete --ignore-not-found -l app.kubernetes.io/name=loki-distributed pvc -n logging --wait --timeout=180s
+ $kubectlbin delete --ignore-not-found --wait --timeout=180s networkpolicies -A -l cluster.kfd.sighup.io/logging-type=loki
echo "Loki resources deleted"
}
@@ -82,6 +99,7 @@ $kustomizebin build $vendorPath/modules/logging/katalog/minio-ha > delete-loggin
fi
{{- end }}
$kubectlbin delete --ignore-not-found --wait --timeout=180s -f delete-logging-minio-ha.yaml
+ $kubectlbin delete --ignore-not-found --wait --timeout=180s networkpolicies -A -l cluster.kfd.sighup.io/logging-backend=minio
echo "Minio Logging deleted"
}
@@ -166,7 +184,7 @@ deleteGatekeeper() {
$kustomizebin build $vendorPath/modules/opa/katalog/gatekeeper/monitoring | $kubectlbin delete --ignore-not-found --wait --timeout=180s -f -
{{- end }}
$kustomizebin build $vendorPath/modules/opa/katalog/gatekeeper/core | $kubectlbin delete --ignore-not-found --wait --timeout=180s -f -
-
+ $kubectlbin delete --ignore-not-found --wait --timeout=180s -A networkpolicy -l cluster.kfd.sighup.io/policy-type=gatekeeper
echo "Gatekeeper resources deleted"
}
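Review bot: The added line uses `-A networkpolicy -l cluster.kfd.sighup.io/policy-type=gatekeeper` (singular resource, `-A` before it) while the logging hunks earlier in this file use `networkpolicies -A -l ...`; both forms work, but one spelling keeps the cleanup lines greppable and easier to audit. The deleteKyverno and deleteTracingMinioHA hunks use the same variant as this one, so aligning them in one pass is cheap. deleteGatekeeper starts outside the hunk.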
@@ -174,6 +192,7 @@ deleteKyverno() {
$kustomizebin build $vendorPath/modules/opa/katalog/kyverno | $kubectlbin delete --ignore-not-found --wait --timeout=180s -f -
$kubectlbin delete --ignore-not-found --wait --timeout=180s validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
$kubectlbin delete --ignore-not-found --wait --timeout=180s mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
+ $kubectlbin delete --ignore-not-found --wait --timeout=180s -A networkpolicy -l cluster.kfd.sighup.io/policy-type=kyverno
echo "Kyverno resources deleted"
}
@@ -296,6 +315,7 @@ deleteTracingMinioHA() {
fi
{{- end }}
$kubectlbin delete --ignore-not-found --wait --timeout=180s -f delete-tracing-minio-ha.yaml
+ $kubectlbin delete --ignore-not-found --wait --timeout=180s -A networkpolicy -l cluster.kfd.sighup.io/tracing-backend=minio
echo "Minio HA on tracing namespace deleted"
}