feat(distribution): add network policies #302

Merged
merged 48 commits into from
Nov 25, 2024
48 commits
9bd1d6a
Feat: add property spec.distribution.common.networkPoliciesEnabled
Oct 31, 2024
52f2066
feat(logging): add network policies
Oct 31, 2024
b1e2bfe
feat(monitoring): add network policies
Nov 5, 2024
b3af3f4
fix(monitoring): fix kustomization
Nov 5, 2024
44b1ca6
feat(tracing): add network policies
Nov 5, 2024
405039d
feat(monitoring,tracing): add network policy egress
Nov 7, 2024
346206c
feat(monitoring): add network policies for ingress
Nov 7, 2024
860bffb
fix(monitoring): fix network policy with sso
Nov 7, 2024
16a9206
feat(opa): add network policies
stefanoghinelli Nov 11, 2024
f89ddde
feat(ingress): add network policies
stefanoghinelli Nov 11, 2024
f3849eb
feat(auth): add network policies
stefanoghinelli Nov 11, 2024
f3d5b57
fix(network-policies): fix syntax
Nov 11, 2024
dd0b591
feat(pomerium): add minio network policies
stefanoghinelli Nov 11, 2024
748839f
feat(network-policies): add minio policies
Nov 11, 2024
e503131
feat(network-policies): add loki policy
Nov 11, 2024
8cf0846
feat(pomerium): add minio tracing network policy
stefanoghinelli Nov 11, 2024
775262e
feat(tracing): add minio network policies
stefanoghinelli Nov 11, 2024
dd9174e
fix(network-policies): ingress,tracing
Nov 11, 2024
43c1433
feat(network-policies): add auth network policies
stefanoghinelli Nov 12, 2024
beabc07
feat(network-policies): add logging network policies
stefanoghinelli Nov 12, 2024
7721022
feat(network-policies): add monitoring network policies
stefanoghinelli Nov 12, 2024
0f3ba97
fix(network-policies): remove condition from prometheus include
stefanoghinelli Nov 12, 2024
b6c8df3
feat(network-policies): update name,add labels on auth
stefanoghinelli Nov 14, 2024
59e983a
feat(network-policies): update name,add labels on ingress
stefanoghinelli Nov 14, 2024
d3ffc4a
feat(network-policies): update name,add labels on logging
stefanoghinelli Nov 14, 2024
f21d06a
feat(network-policies): update name,add labels on monitoring
stefanoghinelli Nov 14, 2024
bcc4f58
feat(network-policies): update name,add labels on opa
stefanoghinelli Nov 14, 2024
2c31111
feat(network-policies): update name,add labels on tracing
stefanoghinelli Nov 14, 2024
06b97bb
feat(network-policies): add common labels
Nov 14, 2024
a1e1162
feat(network-policies): add reducer
Nov 14, 2024
6b8fa4c
feat(network-policies): add missing labels
stefanoghinelli Nov 15, 2024
f171b0c
feat(network-policies): add policies deletion during type migration
stefanoghinelli Nov 15, 2024
bfe1557
chore(network-policies): remove from eks and kfd
Nov 15, 2024
7aa446e
feat(network-policies): improve description
Nov 15, 2024
232026e
fix(network-policies): move grafana network policy
stefanoghinelli Nov 15, 2024
d8cc889
fix(network-policies): update policy names
stefanoghinelli Nov 19, 2024
a75416d
docs(network-policies): add READMEs and diagrams
stefanoghinelli Nov 19, 2024
aedf02d
chore(makefile): add network policy target
stefanoghinelli Nov 19, 2024
cb326bf
fix(docs): remove trailing punctuation
stefanoghinelli Nov 19, 2024
fc66d60
fix(docs): update main readme
stefanoghinelli Nov 19, 2024
11771be
fix(docs): update opa readme
stefanoghinelli Nov 19, 2024
820144e
fix(network-policies): remove unused policy
Nov 20, 2024
85ca1ef
fix(docs): fix names in monitoring network policies
Nov 20, 2024
ef0983f
docs(network-policies): update READMEs and diagrams
stefanoghinelli Nov 21, 2024
b3798f1
feat(network-policies): add external-dns egress policy
stefanoghinelli Nov 21, 2024
4967b9c
chore(network-policies): add copyright notice to tracing policies
stefanoghinelli Nov 21, 2024
48e5ca6
fix(network-policies): logging,auth
stefanoghinelli Nov 21, 2024
70f8b84
Merge branch 'feat/release-v1.30.0' into feat/add-network-policies
sbruzzese902 Nov 21, 2024
14 changes: 14 additions & 0 deletions Makefile
Expand Up @@ -94,6 +94,20 @@ generate-docs:
@md-gen gen --input schemas/public/kfddistribution-kfd-v1alpha2.json --output docs/schemas/kfddistribution-kfd-v1alpha2.md --overwrite --banner banners/kfddistribution.md
@md-gen gen --input schemas/public/ekscluster-kfd-v1alpha2.json --output docs/schemas/ekscluster-kfd-v1alpha2.md --overwrite --banner banners/ekscluster.md

.PHONY: generate-np-diagrams
generate-np-diagrams:
docker run --rm -v $(PWD)/docs/network-policies:/workdir minlag/mermaid-cli:latest -i "/workdir/overview.md" -o "/workdir/overview.png" -w 2048 -H 1536 -b white
docker run --rm -v $(PWD)/docs/network-policies/modules/auth:/workdir minlag/mermaid-cli:latest -i "/workdir/sso.md" -o "/workdir/sso.png" -w 2048 -H 1536 -b white
docker run --rm -v $(PWD)/docs/network-policies/modules/ingress:/workdir minlag/mermaid-cli:latest -i "/workdir/single.md" -o "/workdir/single.png" -w 2048 -H 1536 -b white
docker run --rm -v $(PWD)/docs/network-policies/modules/ingress:/workdir minlag/mermaid-cli:latest -i "/workdir/dual.md" -o "/workdir/dual.png" -w 2048 -H 1536 -b white
docker run --rm -v $(PWD)/docs/network-policies/modules/logging:/workdir minlag/mermaid-cli:latest -i "/workdir/loki.md" -o "/workdir/loki.png" -w 2048 -H 1536 -b white
docker run --rm -v $(PWD)/docs/network-policies/modules/logging:/workdir minlag/mermaid-cli:latest -i "/workdir/opensearch.md" -o "/workdir/opensearch.png" -w 2048 -H 1536 -b white
docker run --rm -v $(PWD)/docs/network-policies/modules/monitoring:/workdir minlag/mermaid-cli:latest -i "/workdir/mimir.md" -o "/workdir/mimir.png" -w 2048 -H 1536 -b white
docker run --rm -v $(PWD)/docs/network-policies/modules/monitoring:/workdir minlag/mermaid-cli:latest -i "/workdir/prometheus.md" -o "/workdir/prometheus.png" -w 2048 -H 1536 -b white
docker run --rm -v $(PWD)/docs/network-policies/modules/opa:/workdir minlag/mermaid-cli:latest -i "/workdir/gatekeeper.md" -o "/workdir/gatekeeper.png" -w 2048 -H 1536 -b white
docker run --rm -v $(PWD)/docs/network-policies/modules/opa:/workdir minlag/mermaid-cli:latest -i "/workdir/kyverno.md" -o "/workdir/kyverno.png" -w 2048 -H 1536 -b white
docker run --rm -v $(PWD)/docs/network-policies/modules/tracing:/workdir minlag/mermaid-cli:latest -i "/workdir/tempo.md" -o "/workdir/tempo.png" -w 2048 -H 1536 -b white

.PHONY: dump-private-schema
dump-private-schema:
@cat schemas/public/ekscluster-kfd-v1alpha2.json | \
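Review bot: every `docker run` line in `generate-np-diagrams` pulls `minlag/mermaid-cli:latest`; pin the tag (or a digest) so the diagram build is reproducible and a retagged image cannot silently change what runs with the repo's docs directory mounted read-write at /workdir. The eleven near-identical invocations would also be easier to keep in sync as a single loop over the .md paths, and the other targets in this Makefile prefix their recipes with `@`, which these lines omit.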
1 change: 0 additions & 1 deletion defaults/ekscluster-kfd-v1alpha2.yaml
Expand Up @@ -15,7 +15,6 @@ data:
relativeVendorPath: "../../vendor"
provider:
type: eks

# the module section will be used to fine tune each module behaviour and configuration
modules:
# ingress module configuration
1 change: 0 additions & 1 deletion defaults/kfddistribution-kfd-v1alpha2.yaml
Expand Up @@ -15,7 +15,6 @@ data:
relativeVendorPath: "../../vendor"
provider:
type: none

# the module section will be used to fine tune each module behaviour and configuration
modules:
# ingress module configuration
2 changes: 1 addition & 1 deletion defaults/onpremises-kfd-v1alpha2.yaml
Expand Up @@ -15,7 +15,7 @@ data:
relativeVendorPath: "../../vendor"
provider:
type: none

networkPoliciesEnabled: false
# the module section will be used to fine tune each module behaviour and configuration
modules:
# ingress module configuration
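Review bot: `networkPoliciesEnabled: false` lands only in the onpremises defaults, while the ekscluster and kfddistribution hunks just drop a blank line (consistent with commit bfe1557 "remove from eks and kfd" and with the README stating the policies cover the OnPremises schema). Since the default is off, existing clusters keep flat pod networking until operators opt in; it would help if the schema description for spec.distribution.common.networkPoliciesEnabled said which namespaces receive deny-all when the flag is set to true, and if the PR confirmed that flipping it back to false triggers the policy removal added in f171b0c.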
24 changes: 24 additions & 0 deletions docs/network-policies/README.md
@@ -0,0 +1,24 @@
# Network Policies Documentation

This documentation describes all Network Policies of the KFD components for the OnPremises schema.

## Modules
- [Auth](modules/auth/README.md) - Pomerium SSO
- [Ingress](modules/ingress/README.md) - Nginx (single/dual) + Cert-manager
- [Logging](modules/logging/README.md) - OpenSearch/Loki
- [Monitoring](modules/monitoring/README.md) - Prometheus/Mimir
- [OPA](modules/opa/README.md) - Gatekeeper/Kyverno
- [Tracing](modules/tracing/README.md) - Tempo

## Common Patterns
All namespaces include:
- Default deny-all policy
- DNS access to kube-dns
- Prometheus metrics collection
- Kubernetes API server access where needed

## High Level Overview
- [Overview](overview.md)

## Instructions
Generate the new Network Policies diagrams with `make generate-np-diagrams`.
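Review bot: the document never says that these policies are rendered only when `networkPoliciesEnabled` is true (the onpremises defaults in this PR ship it as `false`); a sentence in the intro stating that, and that the Common Patterns apply per namespace once enabled, would stop readers from expecting deny-all on a cluster where the flag is off. "Kubernetes API server access where needed" is also vague next to the other three bullets; naming which modules carry an `*-egress-kube-apiserver` policy would make it checkable against the per-module lists.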
16 changes: 16 additions & 0 deletions docs/network-policies/modules/auth/README.md
@@ -0,0 +1,16 @@
# Auth Module Network Policies

## Components
- Pomerium

## Namespaces
- pomerium

## Network Policies List
- deny-all
- all-egress-kube-dns
- pomerium-ingress-nginx
- pomerium-egress-all

## Configurations
- [SSO with Pomerium](sso.md)
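Review bot: the list has no prometheus-metrics ingress policy for the pomerium namespace, yet sso.md draws `prom -->|"9090/TCP metrics"| pom` and the top-level README says every namespace allows Prometheus metrics collection; with deny-all in place that scrape is blocked unless pomerium-ingress-nginx also admits the monitoring namespace. Either add a `pomerium-ingress-prometheus-metrics` entry (matching the naming the other modules use) or drop the edge from the diagram.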
53 changes: 53 additions & 0 deletions docs/network-policies/modules/auth/sso.md
@@ -0,0 +1,53 @@
# SSO with Pomerium

```mermaid
graph TD
%% Namespaces
subgraph ingress-nginx
nginx[Nginx Controller]
end

subgraph pomerium
pom[Pomerium<br/>app: pomerium]
acme[ACME HTTP Solver<br/>app: cert-manager]
end

subgraph monitoring
graf[Grafana]
prom[Prometheus]
am[Alertmanager]
minio_monitoring[MinIO]
end

subgraph logging
osd[OpenSearch Dashboards]
minio_logging[MinIO]
end

subgraph tracing
minio_tracing[MinIO]
end

subgraph gatekeer-system
gpm[Gatekeeper Policy Manager]
end

%% External and K8s Core Components
dns[Kube DNS]
ext[External]

%% Edges
pom -->|"53/UDP"| dns
nginx -->|"8080/TCP"| pom
nginx -->|"8089/TCP"| acme
prom -->|"9090/TCP metrics"| pom
pom -->|"443/TCP"| ext
pom -->|"3000/TCP"| graf
pom -->|"9090/TCP"| prom
pom -->|"9093/TCP"| am
pom -->|"5601/TCP"| osd
pom -->|"9001/TCP"| minio_logging
pom -->|"9001/TCP"| minio_tracing
pom -->|"9001/TCP"| minio_monitoring
pom -->|"8080/TCP"| gpm
```
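Review bot: `nginx -->|"8089/TCP"| acme` targets pods labelled app: cert-manager inside the pomerium namespace, but the auth README lists pomerium-ingress-nginx as the only ingress policy there, so under deny-all the HTTP-01 challenge reaches the solver only if that policy's podSelector also matches the solver pods; worth confirming, or the diagram should name the policy that admits it. Also `subgraph gatekeer-system` is misspelled; the namespace is gatekeeper-system.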
35 changes: 35 additions & 0 deletions docs/network-policies/modules/ingress/README.md
@@ -0,0 +1,35 @@
# Ingress Module Network Policies

## Components
- Nginx Ingress Controller (single/dual mode)
- Cert-manager
- Forecastle

## Namespaces
- ingress-nginx
- cert-manager

## Network Policies List

### Cert-manager
- deny-all
- all-egress-kube-dns
- cert-manager-egress-kube-apiserver
- cert-manager-webhook-ingress-kube-apiserver
- cert-manager-egress-https
- cert-manager-ingress-prometheus-metrics
- acme-http-solver-ingress-lets-encrypt

### Ingress-nginx
- deny-all
- all-egress-kube-dns
- forecastle-ingress-nginx
- forecastle-egress-kube-apiserver
- nginx-egress-all
- all-ingress-nginx
- nginx-ingress-prometheus-metric
- external-dns

## Configurations
- [Single Nginx](single.md)
- [Dual Nginx](dual.md)
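Review bot: `nginx-ingress-prometheus-metric` breaks the `*-ingress-prometheus-metrics` naming used by cert-manager-ingress-prometheus-metrics and by the other modules, and `external-dns` is the only entry without a direction and peer in its name (commit b3798f1 describes it as an egress policy, so something like external-dns-egress-all would follow the convention). ExternalDNS is also drawn in single.md but missing from the Components list here.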
33 changes: 33 additions & 0 deletions docs/network-policies/modules/ingress/dual.md
@@ -0,0 +1,33 @@
# Dual Nginx Configuration

```mermaid
graph TD
%% Namespaces
subgraph ingress-nginx
nginx[Nginx Controller<br/>app: ingress]
fc[Forecastle<br/>app: forecastle]
end

subgraph cert-manager
cm[Cert Manager<br/>app: cert-manager]
cmw[Cert Manager Webhook]
end

%% External and K8s Core Components
dns[Kube DNS]
api[Kubernetes API]
prom[Prometheus]
ext[External ACME / Internet]

%% Edges
nginx & cm -->|"53/UDP"| dns
cm -->|"6443/TCP"| api
fc -->|"6443/TCP"| api
api -->|"10250/TCP"| cmw
prom -->|"10254/TCP"| nginx
prom -->|"9402/TCP"| cm
cm -->|"443,80/TCP"| ext
all[All Namespaces] -->|"8080,8443,9443/TCP"| nginx
nginx -->|"egress: all"| all
nginx -->|"3000/TCP"| fc
```
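Review bot: the controller node is labelled `app: ingress` here but `app: ingress-nginx` in single.md; since the policies select pods by label, one of the two diagrams documents the wrong selector. This diagram also shows a single controller and omits the ExternalDNS egress edge that single.md has, although the ingress README lists external-dns under Ingress-nginx without qualifying it by mode; if dual mode runs two controllers with distinct labels, both selectors should appear, because all-ingress-nginx and nginx-egress-all have to match each of them.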
35 changes: 35 additions & 0 deletions docs/network-policies/modules/ingress/single.md
@@ -0,0 +1,35 @@
# Single Nginx Configuration

```mermaid
graph TD
%% Namespaces
subgraph ingress-nginx
nginx[Nginx Controller<br/>app: ingress-nginx]
fc[Forecastle<br/>app: forecastle]
edns[ExternalDNS<br/>app: external-dns]
end

subgraph cert-manager
cm[Cert Manager<br/>app: cert-manager]
cmw[Cert Manager Webhook]
end

%% External and K8s Core Components
dns[Kube DNS]
api[Kubernetes API]
prom[Prometheus]
ext[External / ACME]

%% Edges
nginx & cm -->|"53/UDP"| dns
cm -->|"6443/TCP"| api
fc -->|"6443/TCP"| api
api -->|"10250/TCP"| cmw
prom -->|"10254/TCP"| nginx
prom -->|"9402/TCP"| cm
cm -->|"443,80/TCP"| ext
all[All Namespaces] -->|"8080,8443,9443/TCP"| nginx
nginx -->|"egress: all"| all
nginx -->|"3000/TCP"| fc
edns --> |"egress: all"| ext
```
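Review bot: `edns --> |"egress: all"| ext` documents unrestricted egress for ExternalDNS; what it needs is the DNS provider API over HTTPS and the kube-apiserver on 6443/TCP (already drawn for Forecastle), so the policy could be narrowed to those destinations instead of allowing everything. The space between `-->` and `|` on that line also differs from every other edge in the file; mermaid tolerates it, but it reads as a typo.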
53 changes: 53 additions & 0 deletions docs/network-policies/modules/logging/README.md
@@ -0,0 +1,53 @@
# Logging Module Network Policies

## Components
- OpenSearch Stack
- Loki Stack

## Namespaces
- logging

## Network Policies List

### Common Policies
- deny-all
- all-egress-kube-dns
- event-tailer-egress-kube-apiserver
- fluentd-egress-all
- fluentbit-egress-fluentd
- fluentbit-egress-kube-apiserver
- fluentbit-ingress-prometheus-metrics
- logging-operator-egress-kube-apiserver

### OpenSearch Stack
- fluentd-ingress-fluentbit
- fluentd-ingress-prometheus-metrics
- opensearch-discovery
- opensearch-ingress-dashboards
- opensearch-ingress-fluentd
- opensearch-ingress-prometheus-metrics
- opensearch-ingress-jobs
- opensearch-dashboards-egress-opensearch
- opensearch-dashboards-ingress-nginx
- opensearch-dashboards-ingress-jobs
- jobs-egress-opensearch

### Loki Stack
- loki-distributed-ingress-fluentd
- loki-distributed-ingress-grafana
- loki-distributed-ingress-prometheus-metrics
- loki-distributed-discovery
- loki-distributed-egress-all

### MinIO
- minio-ingress-namespace
- minio-buckets-setup-egress-kube-apiserver
- minio-buckets-setup-egress-minio
- minio-ingress-prometheus-metrics
- minio-ingress-nginx
- minio-egress-https

## Configurations
- [OpenSearch Stack](opensearch.md)
- [Loki Stack](loki.md)

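Review bot: `fluentd-egress-all` sits under Common Policies although Fluentd's only documented destination is the Loki gateway on 8080/TCP in loki.md (and OpenSearch, per opensearch-ingress-fluentd, in the other stack); a per-stack egress policy to those targets would be tighter than all-egress and consistent with the explicit `fluentbit-egress-fluentd` entry. Minor: the file ends with an extra blank line.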
52 changes: 52 additions & 0 deletions docs/network-policies/modules/logging/loki.md
@@ -0,0 +1,52 @@
# Loki Stack Configuration

```mermaid
graph TD
%% Namespaces
subgraph logging
fb[Fluentbit<br/>app.kubernetes.io/name: fluentbit]
fd[Fluentd<br/>app.kubernetes.io/name: fluentd]
loki_gateway[Loki Gateway<br/>app.kubernetes.io/component: gateway]
loki_compactor[Loki Compactor<br/>app.kubernetes.io/component: compactor]
loki_distributor[Loki Distributor<br/>app.kubernetes.io/component: distributor]
loki_ingester[Loki Ingester<br/>app.kubernetes.io/component: ingester]
loki_querier[Loki Querier<br/>app.kubernetes.io/component: querier]
loki_query_frontend[Loki Query Frontend<br/>app.kubernetes.io/component: query-frontend]
minio[MinIO<br/>app: minio]
bucket[MinIO Bucket Setup<br/>app: minio-logging-buckets-setup]
end

subgraph monitoring
prom[Prometheus]
graf[Grafana]
end

pom[Pomerium]

%% External and K8s Core Components
api[Kubernetes API]
ext[External]
dns[Kube DNS]

%% Edges
logging -->|"53/UDP"| dns
bucket -->|"6443/TCP"| api
fb -->|"24240/TCP"| fd
fd -->|"8080/TCP"| loki_gateway
prom -->|"3100/TCP"| loki_gateway
graf -->|"8080/TCP"| loki_gateway
prom -->|"2020/TCP"| fb
fb -->|"6443/TCP"| api
loki_query_frontend -->|"loki-discovery<br/>9095,7946,3100/TCP"| loki_distributor
loki_distributor -->|"loki-discovery<br/>9095,7946,3100/TCP"| loki_ingester
loki_querier -->|"loki-discovery<br/>9095,7946,3100/TCP"| loki_ingester
loki_querier -->|"loki-discovery<br/>9095,7946,3100/TCP"| loki_query_frontend
loki_compactor -->|"loki-discovery<br/>9095,7946,3100/TCP"| loki_ingester
loki_compactor -->|"egress: all"| minio
loki_ingester -->|"egress: all"| minio
loki_querier -->|"egress: all"| minio
bucket -->|"9000/TCP"| minio
minio -->|"443/TCP"| ext
pom -->|"9001/TCP"| minio
minio -->|"9000/TCP"| logging
```
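Review bot: `minio -->|"9000/TCP"| logging` reads as MinIO egress to the whole namespace, but the README names the policy minio-ingress-namespace, so the arrow is most likely reversed (namespace to MinIO on 9000/TCP). Relatedly, the three `egress: all` edges from compactor, ingester and querier only ever reach minio, so loki-distributed-egress-all could be narrowed to 9000/TCP towards the app: minio selector, as `bucket -->|"9000/TCP"| minio` already does.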