From fceebdb91af7062856143e66f089cf4c56b23ed2 Mon Sep 17 00:00:00 2001 
From: Camila Macedo Date: Mon, 6 May 2024 16:48:52 +0100 Subject: [PATCH] Add networkpolices to protect metrics endpoint and allow communication with webhooks --- .github/workflows/test-sample-go.yml | 2 +- .../project/config/default/kustomization.yaml | 5 + .../network-policy/allow-metrics-traffic.yaml | 26 +++++ .../network-policy/allow-webhook-traffic.yaml | 26 +++++ .../config/network-policy/kustomization.yaml | 3 + .../project/config/default/kustomization.yaml | 5 + .../network-policy/allow-metrics-traffic.yaml | 26 +++++ .../config/network-policy/kustomization.yaml | 2 + docs/book/src/reference/metrics.md | 14 ++- .../common/kustomize/v2/scaffolds/init.go | 3 + .../config/kdefault/kustomization.go | 5 + .../network-policy/allow-metrics-traffic.go | 71 +++++++++++ .../network-policy/allow-webhook-traffic.go | 71 +++++++++++ .../config/network-policy/kustomization.go | 45 +++++++ .../common/kustomize/v2/scaffolds/webhook.go | 15 ++- test/e2e/kind-config.yaml | 2 + test/e2e/setup.sh | 4 + test/e2e/v4/generate_test.go | 59 ++++++++++ test/e2e/v4/plugin_cluster_test.go | 110 +++++++++++++++--- .../config/default/kustomization.yaml | 5 + .../network-policy/allow-metrics-traffic.yaml | 26 +++++ .../network-policy/allow-webhook-traffic.yaml | 26 +++++ .../config/network-policy/kustomization.yaml | 3 + .../config/default/kustomization.yaml | 5 + .../network-policy/allow-metrics-traffic.yaml | 26 +++++ .../network-policy/allow-webhook-traffic.yaml | 26 +++++ .../config/network-policy/kustomization.yaml | 3 + .../config/default/kustomization.yaml | 5 + .../network-policy/allow-metrics-traffic.yaml | 26 +++++ .../network-policy/allow-webhook-traffic.yaml | 26 +++++ .../config/network-policy/kustomization.yaml | 3 + .../config/default/kustomization.yaml | 5 + .../network-policy/allow-metrics-traffic.yaml | 26 +++++ .../config/network-policy/kustomization.yaml | 2 + .../config/default/kustomization.yaml | 5 + .../network-policy/allow-metrics-traffic.yaml | 26 +++++ 
.../network-policy/allow-webhook-traffic.yaml | 26 +++++ .../config/network-policy/kustomization.yaml | 3 + 38 files changed, 747 insertions(+), 20 deletions(-) create mode 100644 docs/book/src/cronjob-tutorial/testdata/project/config/network-policy/allow-metrics-traffic.yaml create mode 100644 docs/book/src/cronjob-tutorial/testdata/project/config/network-policy/allow-webhook-traffic.yaml create mode 100644 docs/book/src/cronjob-tutorial/testdata/project/config/network-policy/kustomization.yaml create mode 100644 docs/book/src/getting-started/testdata/project/config/network-policy/allow-metrics-traffic.yaml create mode 100644 docs/book/src/getting-started/testdata/project/config/network-policy/kustomization.yaml create mode 100644 pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/network-policy/allow-metrics-traffic.go create mode 100644 pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/network-policy/allow-webhook-traffic.go create mode 100644 pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/network-policy/kustomization.go create mode 100644 testdata/project-v4-multigroup-with-deploy-image/config/network-policy/allow-metrics-traffic.yaml create mode 100644 testdata/project-v4-multigroup-with-deploy-image/config/network-policy/allow-webhook-traffic.yaml create mode 100644 testdata/project-v4-multigroup-with-deploy-image/config/network-policy/kustomization.yaml create mode 100644 testdata/project-v4-multigroup/config/network-policy/allow-metrics-traffic.yaml create mode 100644 testdata/project-v4-multigroup/config/network-policy/allow-webhook-traffic.yaml create mode 100644 testdata/project-v4-multigroup/config/network-policy/kustomization.yaml create mode 100644 testdata/project-v4-with-deploy-image/config/network-policy/allow-metrics-traffic.yaml create mode 100644 testdata/project-v4-with-deploy-image/config/network-policy/allow-webhook-traffic.yaml create mode 100644 
testdata/project-v4-with-deploy-image/config/network-policy/kustomization.yaml create mode 100644 testdata/project-v4-with-grafana/config/network-policy/allow-metrics-traffic.yaml create mode 100644 testdata/project-v4-with-grafana/config/network-policy/kustomization.yaml create mode 100644 testdata/project-v4/config/network-policy/allow-metrics-traffic.yaml create mode 100644 testdata/project-v4/config/network-policy/allow-webhook-traffic.yaml create mode 100644 testdata/project-v4/config/network-policy/kustomization.yaml diff --git a/.github/workflows/test-sample-go.yml b/.github/workflows/test-sample-go.yml index 829f2e5642f..76016c2e018 100644 --- a/.github/workflows/test-sample-go.yml +++ b/.github/workflows/test-sample-go.yml @@ -24,7 +24,7 @@ jobs: run: | KUSTOMIZATION_FILE_PATH="testdata/project-v4/config/default/kustomization.yaml" sed -i '25s/^#//' $KUSTOMIZATION_FILE_PATH - sed -i '46s/^#//' $KUSTOMIZATION_FILE_PATH + sed -i '51s/^#//' $KUSTOMIZATION_FILE_PATH - name: Test run: | diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml index 8dc238281b8..93cb05d3124 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/default/kustomization.yaml 
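Review bot: The uncomment step in test-sample-go.yml still addresses its target by absolute line number (`sed -i '51s/^#//' $KUSTOMIZATION_FILE_PATH`), which is exactly what broke here: inserting five comment lines into the template forced the bump from 46 to 51, and the next edit to the template will silently uncomment a different line with no failure at all. Anchor the edit on the line's text instead, e.g. `sed -i 's|^#\(- \.\./<target>\)|\1|' $KUSTOMIZATION_FILE_PATH`, where `<target>` is whatever resource line 51 now holds (the hunk does not show it). The unchanged `25s/^#//` edit two lines above has the same fragility and should be converted the same way.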
@@ -27,6 +27,11 @@ resources: - ../prometheus # [METRICS] Expose the controller manager metrics service. - metrics_service.yaml +# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. +# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. +# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will +# be able to communicate with the Webhook Server. +#- ../network-policy # Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager patches: diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/network-policy/allow-metrics-traffic.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/network-policy/allow-metrics-traffic.yaml new file mode 100644 index 00000000000..de6ec5f8097 --- /dev/null +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/network-policy/allow-metrics-traffic.yaml @@ -0,0 +1,26 @@ +# This NetworkPolicy allows ingress traffic +# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those +# namespaces are able to gathering data from the metrics endpoint. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: project + app.kubernetes.io/managed-by: kustomize + name: allow-metrics-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label metrics: enabled + - from: + - namespaceSelector: + matchLabels: + metrics: enabled # Only from namespaces with this label + ports: + - port: 8443 + protocol: TCP 
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/network-policy/allow-webhook-traffic.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/network-policy/allow-webhook-traffic.yaml new file mode 100644 index 00000000000..4de86e58119 --- /dev/null +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/network-policy/allow-webhook-traffic.yaml @@ -0,0 +1,26 @@ +# This NetworkPolicy allows ingress traffic to your webhook server running +# as part of the controller-manager from specific namespaces and pods. CR(s) which uses webhooks +# will only work when applied in namespaces labeled with 'webhook: enabled' +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: project + app.kubernetes.io/managed-by: kustomize + name: allow-webhook-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label webhook: enabled + - from: + - namespaceSelector: + matchLabels: + webhook: enabled # Only from namespaces with this label + ports: + - port: 443 + protocol: TCP diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/network-policy/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/network-policy/kustomization.yaml new file mode 100644 index 00000000000..0872bee124c --- /dev/null +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/network-policy/kustomization.yaml @@ -0,0 +1,3 @@ +resources: +- allow-webhook-traffic.yaml +- allow-metrics-traffic.yaml diff --git a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml index 0fe6fa9c410..866baf4ad6c 100644 --- a/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml 
+++ b/docs/book/src/getting-started/testdata/project/config/default/kustomization.yaml @@ -27,6 +27,11 @@ resources: #- ../prometheus # [METRICS] Expose the controller manager metrics service. - metrics_service.yaml +# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. +# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. +# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will +# be able to communicate with the Webhook Server. +#- ../network-policy # Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager patches: diff --git a/docs/book/src/getting-started/testdata/project/config/network-policy/allow-metrics-traffic.yaml b/docs/book/src/getting-started/testdata/project/config/network-policy/allow-metrics-traffic.yaml new file mode 100644 index 00000000000..de6ec5f8097 --- /dev/null +++ b/docs/book/src/getting-started/testdata/project/config/network-policy/allow-metrics-traffic.yaml @@ -0,0 +1,26 @@ +# This NetworkPolicy allows ingress traffic +# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those +# namespaces are able to gathering data from the metrics endpoint. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: project + app.kubernetes.io/managed-by: kustomize + name: allow-metrics-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label metrics: enabled + - from: + - namespaceSelector: + matchLabels: + metrics: enabled # Only from namespaces with this label + ports: + - port: 8443 + protocol: TCP 
diff --git a/docs/book/src/getting-started/testdata/project/config/network-policy/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/network-policy/kustomization.yaml new file mode 100644 index 00000000000..ec0fb5e57df --- /dev/null +++ b/docs/book/src/getting-started/testdata/project/config/network-policy/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- allow-metrics-traffic.yaml diff --git a/docs/book/src/reference/metrics.md b/docs/book/src/reference/metrics.md index 7906d1d9b3d..535c8bb7959 100644 --- a/docs/book/src/reference/metrics.md +++ b/docs/book/src/reference/metrics.md @@ -188,11 +188,19 @@ enhance the controller-runtime and address these considerations. -### By using Network Policy +### By using Network Policy (You can optionally enable) NetworkPolicy acts as a basic firewall for pods within a Kubernetes cluster, controlling traffic -flow at the IP address or port level. However, it doesn't handle authentication (authn), authorization (authz), -or encryption directly like [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) solution. +flow at the IP address or port level. However, it doesn't handle `authn/authz`. + +Uncomment the following line in the `config/default/kustomization.yaml`: + +``` +# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. +# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. +# Only CR(s) which uses webhooks and applied on namespaces labeled 'webhooks: enabled' will be able to work properly. +#- ../network-policy +``` ### By exposing the metrics endpoint using HTTPS and CertManager diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/init.go b/pkg/plugins/common/kustomize/v2/scaffolds/init.go index 0d94427872e..ccddd7a09de 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/init.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/init.go 
@@ -24,6 +24,7 @@ import ( "sigs.k8s.io/kubebuilder/v4/pkg/plugins" "sigs.k8s.io/kubebuilder/v4/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault" "sigs.k8s.io/kubebuilder/v4/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/manager" + network_policy "sigs.k8s.io/kubebuilder/v4/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/network-policy" "sigs.k8s.io/kubebuilder/v4/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/prometheus" "sigs.k8s.io/kubebuilder/v4/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac" ) @@ -79,6 +80,8 @@ func (s *initScaffolder) Scaffold() error { &kdefault.ManagerMetricsPatch{}, &manager.Config{Image: imageName}, &kdefault.Kustomization{}, + &network_policy.Kustomization{}, + &network_policy.NetworkPolicyAllowMetrics{}, &prometheus.Kustomization{}, &prometheus.Monitor{}, } diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go index 7c9f9ec8496..8f61d345505 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/kustomization.go @@ -72,6 +72,11 @@ resources: #- ../prometheus # [METRICS] Expose the controller manager metrics service. - metrics_service.yaml +# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. +# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. +# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will +# be able to communicate with the Webhook Server. +#- ../network-policy # Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager patches: 
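Review bot: The new package is declared as `package network_policy` and imported under the alias `network_policy`; Go package names are lowercase without underscores, and the alias is only needed because the package name does not match the `network-policy` directory. Declaring `package networkpolicy` in the three new files (allow-metrics-traffic.go, allow-webhook-traffic.go, kustomization.go) lets init.go and webhook.go import it as `networkpolicy "sigs.k8s.io/kubebuilder/v4/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/network-policy"` and the Scaffold entries become `&networkpolicy.Kustomization{}` and `&networkpolicy.NetworkPolicyAllowMetrics{}`. The import block and the `Scaffold` method both extend outside this hunk.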
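Review bot: The comment added to the kdefault kustomization template tells users that namespaces must be labeled `'webhooks: enabled'`, but the scaffolded allow-webhook-traffic policy selects `webhook: enabled` (singular) and the e2e test labels the namespace `webhook=enabled`; a user who follows the comment will have webhook traffic denied as soon as `../network-policy` is enabled, with nothing pointing at the label mismatch. Change the line to `# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhook: enabled' will` and regenerate the copies in the cronjob-tutorial and getting-started testdata and the testdata projects; docs/book/src/reference/metrics.md repeats the plural form in its fenced example and needs the same fix. The template string continues outside this hunk.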
diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/network-policy/allow-metrics-traffic.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/network-policy/allow-metrics-traffic.go new file mode 100644 index 00000000000..e9aa320f21c --- /dev/null +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/network-policy/allow-metrics-traffic.go 
@@ -0,0 +1,71 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package network_policy + +import ( + "path/filepath" + + "sigs.k8s.io/kubebuilder/v4/pkg/machinery" +) + +var _ machinery.Template = &NetworkPolicyAllowMetrics{} + +// NetworkPolicyAllowMetrics scaffolds a file that defines the NetworkPolicy +// to allow access to the metrics endpoint +type NetworkPolicyAllowMetrics struct { + machinery.TemplateMixin + machinery.ProjectNameMixin +} + +// SetTemplateDefaults implements file.Template +func (f *NetworkPolicyAllowMetrics) SetTemplateDefaults() error { + if f.Path == "" { + f.Path = filepath.Join("config", "network-policy", "allow-metrics-traffic.yaml") + } + + f.TemplateBody = metricsNetworkPolicyTemplate + + return nil +} + +const metricsNetworkPolicyTemplate = `# This NetworkPolicy allows ingress traffic +# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those +# namespaces are able to gathering data from the metrics endpoint. 
+apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: {{ .ProjectName }} + app.kubernetes.io/managed-by: kustomize + name: allow-metrics-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label metrics: enabled + - from: + - namespaceSelector: + matchLabels: + metrics: enabled # Only from namespaces with this label + ports: + - port: 8443 + protocol: TCP +` diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/network-policy/allow-webhook-traffic.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/network-policy/allow-webhook-traffic.go new file mode 100644 index 00000000000..7203ef09247 --- /dev/null +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/network-policy/allow-webhook-traffic.go 
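Review bot: The header comment of `metricsNetworkPolicyTemplate` is cut mid-sentence (`# This NetworkPolicy allows ingress traffic` / `# with Pods running ...`) and has a grammar slip (`able to gathering`), and since it is copied verbatim into every generated project it should read cleanly: `# This NetworkPolicy allows ingress traffic to the metrics endpoint only from Pods running in namespaces labeled 'metrics: enabled'.` It should also state the side effect that the YAML does not make obvious: once an Ingress policy selects the controller-manager Pod, every ingress not listed here is denied, so the webhook port needs its own rule (allow-webhook-traffic.yaml), and the `8443` must stay in sync with the manager's metrics bind port and `metrics_service.yaml` — a one-line comment on the `port: 8443` line would do. The `from` entry carries only a `namespaceSelector`, so any Pod in a labeled namespace may scrape; if the intent is just the Prometheus scraper, a `podSelector` in the same `from` element narrows it, and the comment should say that this is the knob. The type and `SetTemplateDefaults` are earlier in the same hunk.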
@@ -0,0 +1,71 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package network_policy + +import ( + "path/filepath" + + "sigs.k8s.io/kubebuilder/v4/pkg/machinery" +) + +var _ machinery.Template = &NetworkPolicyAllowWebhooks{} + +// NetworkPolicyAllowWebhooks in scaffolds a file that defines the NetworkPolicy +// to allow the webhook server can communicate +type NetworkPolicyAllowWebhooks struct { + machinery.TemplateMixin + machinery.ProjectNameMixin +} + +// SetTemplateDefaults implements file.Template +func (f *NetworkPolicyAllowWebhooks) SetTemplateDefaults() error { + if f.Path == "" { + f.Path = filepath.Join("config", "network-policy", "allow-webhook-traffic.yaml") + } + + f.TemplateBody = webhooksNetworkPolicyTemplate + + return nil +} + +const webhooksNetworkPolicyTemplate = `# This NetworkPolicy allows ingress traffic to your webhook server running +# as part of the controller-manager from specific namespaces and pods. 
CR(s) which uses webhooks +# will only work when applied in namespaces labeled with 'webhook: enabled' +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: {{ .ProjectName }} + app.kubernetes.io/managed-by: kustomize + name: allow-webhook-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label webhook: enabled + - from: + - namespaceSelector: + matchLabels: + webhook: enabled # Only from namespaces with this label + ports: + - port: 443 + protocol: TCP +` diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/network-policy/kustomization.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/network-policy/kustomization.go new file mode 100644 index 00000000000..f90268b855a --- /dev/null +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/network-policy/kustomization.go 
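Review bot: The rule in `webhooksNetworkPolicyTemplate` admits TCP `port: 443`, but NetworkPolicy ports are matched against the destination Pod's container port, not the Service port; the controller-runtime webhook server listens on 9443 by default and the scaffolded webhook Service maps 443 to that targetPort, so as written the rule presumably admits nothing — confirm against `config/webhook/service.yaml` and use the container port (or its named port) here. Separately, admission webhook calls originate from the kube-apiserver, not from Pods in the namespace where the CR is applied, so a `namespaceSelector` on `webhook: enabled` does not describe the real traffic source; whether a host-networked or off-cluster apiserver is ever matched depends on the CNI, and the comment's promise that labeling the CR's namespace is what enables webhooks should be reworded to name the source that is actually allowed. The type comment `NetworkPolicyAllowWebhooks in scaffolds a file ... to allow the webhook server can communicate` should read `// NetworkPolicyAllowWebhooks scaffolds the NetworkPolicy that admits ingress to the webhook server.` The struct and `SetTemplateDefaults` are earlier in the same hunk.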
@@ -0,0 +1,45 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package network_policy + +import ( + "path/filepath" + + "sigs.k8s.io/kubebuilder/v4/pkg/machinery" +) + +var _ machinery.Template = &Kustomization{} + +// Kustomization scaffolds a file that defines the kustomization scheme for the prometheus folder +type Kustomization struct { + machinery.TemplateMixin +} + +// SetTemplateDefaults implements file.Template +func (f *Kustomization) SetTemplateDefaults() error { + if f.Path == "" { + f.Path = filepath.Join("config", "network-policy", "kustomization.yaml") + } + + f.TemplateBody = kustomizationTemplate + + return nil +} + +const kustomizationTemplate = `resources: +- allow-metrics-traffic.yaml +` diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/webhook.go b/pkg/plugins/common/kustomize/v2/scaffolds/webhook.go index bdb2b00b8e8..827dd724814 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/webhook.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/webhook.go 
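Review bot: The doc comment on `Kustomization` says it defines the kustomization scheme `for the prometheus folder`, a copy-paste from the prometheus template; it should read `// Kustomization scaffolds the kustomization.yaml for the config/network-policy folder.` A why-comment on `kustomizationTemplate` is also worth adding, since listing only `allow-metrics-traffic.yaml` looks accidental next to the two policy templates: `// allow-webhook-traffic.yaml is appended by the webhook scaffolder via InsertCodeIfNotExist, not listed here.`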
@@ -30,6 +30,7 @@ import ( "sigs.k8s.io/kubebuilder/v4/pkg/plugins" "sigs.k8s.io/kubebuilder/v4/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/certmanager" "sigs.k8s.io/kubebuilder/v4/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault" + network_policy "sigs.k8s.io/kubebuilder/v4/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/network-policy" "sigs.k8s.io/kubebuilder/v4/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/webhook" ) @@ -83,13 +84,22 @@ func (s *webhookScaffolder) Scaffold() error { &certmanager.KustomizeConfig{}, &patches.EnableWebhookPatch{}, &patches.EnableCAInjectionPatch{}, + &network_policy.NetworkPolicyAllowWebhooks{}, &crd.Kustomization{}, ); err != nil { return fmt.Errorf("error scaffolding kustomize webhook manifests: %v", err) } + policyKustomizeFilePath := "config/network-policy/kustomization.yaml" + err := pluginutil.InsertCodeIfNotExist(policyKustomizeFilePath, + "resources:", allowWebhookTrafficFragment) + if err != nil { + log.Errorf("Unable to add the line '- allow-webhook-traffic.yaml' at the end of the file"+ + "%s to allow webhook traffic.", policyKustomizeFilePath) + } + kustomizeFilePath := "config/default/kustomization.yaml" - err := pluginutil.UncommentCode(kustomizeFilePath, "#- ../webhook", `#`) + err = pluginutil.UncommentCode(kustomizeFilePath, "#- ../webhook", `#`) if err != nil { hasWebHookUncommented, err := pluginutil.HasFragment(kustomizeFilePath, "- ../webhook") if !hasWebHookUncommented || err != nil { @@ -137,3 +147,6 @@ func (s *webhookScaffolder) Scaffold() error { return nil } + +const allowWebhookTrafficFragment = ` +- allow-webhook-traffic.yaml` diff --git a/test/e2e/kind-config.yaml b/test/e2e/kind-config.yaml index 3b367b7e66b..3e5262c0e6e 100644 --- a/test/e2e/kind-config.yaml +++ b/test/e2e/kind-config.yaml 
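Review bot: When `InsertCodeIfNotExist` fails, `Scaffold` only logs and carries on, so the project ends up with `allow-webhook-traffic.yaml` on disk but not listed in `config/network-policy/kustomization.yaml`; the moment the user enables `../network-policy`, the metrics policy alone selects the controller-manager Pod and denies ingress on the webhook port, and nothing at scaffold time said so. Return the error like the other failures in this method, e.g. `return fmt.Errorf("error adding '- allow-webhook-traffic.yaml' to %s: %v", policyKustomizeFilePath, err)`. If the log-and-continue is deliberate, the concatenation `"...at the end of the file"+` / `"%s to allow webhook traffic."` is missing the space between `file` and the path and should be fixed. The `Scaffold` body continues outside the hunk on both sides.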
@@ -14,5 +14,7 @@ kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 +networking: + disableDefaultCNI: true # Disable the default CNI so that we can test NetworkPolicies nodes: - role: control-plane diff --git a/test/e2e/setup.sh b/test/e2e/setup.sh index d785bd42a96..18f96e24945 100755 --- a/test/e2e/setup.sh +++ b/test/e2e/setup.sh @@ -27,6 +27,7 @@ install_kind # export KIND_CLUSTER= # create_cluster function create_cluster { + echo "Getting kind config..." KIND_VERSION=$1 : ${KIND_CLUSTER:?"KIND_CLUSTER must be set"} : ${1:?"k8s version must be set as arg 1"} @@ -36,7 +37,10 @@ function create_cluster { if test -f $(dirname "$0")/kind-config-${version_prefix}.yaml; then kind_config=$(dirname "$0")/kind-config-${version_prefix}.yaml fi + echo "Creating cluster..." kind create cluster -v 4 --name $KIND_CLUSTER --retain --wait=1m --config ${kind_config} --image=kindest/node:$1 + echo "Installing Calico..." + kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml fi } diff --git a/test/e2e/v4/generate_test.go b/test/e2e/v4/generate_test.go index 83f9e49aa33..ad23cfc38b6 100644 --- a/test/e2e/v4/generate_test.go +++ b/test/e2e/v4/generate_test.go 
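Review bot: `create_cluster` now applies `https://docs.projectcalico.org/manifests/calico.yaml`, an unpinned manifest behind a documentation host, so the CNI (and everything it installs into kube-system) changes under the e2e suite whenever upstream moves, and a broken or redirected URL leaves a cluster created with `disableDefaultCNI: true` and no pod network at all. Pin it to a release artifact, e.g. `kubectl apply -f "https://raw.githubusercontent.com/projectcalico/calico/<PINNED_VERSION>/manifests/calico.yaml"` with the version held in a variable next to `KIND_VERSION`, and gate on it before returning: `kubectl -n kube-system rollout status daemonset/calico-node --timeout=2m`. Without the wait, the first Pods the suite schedules can sit in ContainerCreating until Calico is up, and a failed install surfaces only as an unrelated timeout later.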
@@ -119,6 +119,65 @@ func GenerateV4WithoutMetrics(kbc *utils.TestContext) { } } +// GenerateV4WithoutMetrics implements a go/v4 plugin project defined by a TestContext. +func GenerateV4WithNetworkPoliciesWithoutWebhooks(kbc *utils.TestContext) { + initingTheProject(kbc) + creatingAPI(kbc) + + ExpectWithOffset(1, pluginutil.UncommentCode( + filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), + "#- ../prometheus", "#")).To(Succeed()) + ExpectWithOffset(1, pluginutil.UncommentCode( + filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), + metricsTarget, "#")).To(Succeed()) + By("uncomment kustomization.yaml to enable network policy") + ExpectWithOffset(1, pluginutil.UncommentCode( + filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), + "#- ../network-policy", "#")).To(Succeed()) +} + +// GenerateV4WithNetworkPolicies implements a go/v4 plugin project defined by a TestContext. +func GenerateV4WithNetworkPolicies(kbc *utils.TestContext) { + initingTheProject(kbc) + creatingAPI(kbc) + + By("scaffolding mutating and validating webhooks") + err := kbc.CreateWebhook( + "--group", kbc.Group, + "--version", kbc.Version, + "--kind", kbc.Kind, + "--defaulting", + "--programmatic-validation", + ) + ExpectWithOffset(1, err).NotTo(HaveOccurred()) + + By("implementing the mutating and validating webhooks") + err = pluginutil.ImplementWebhooks(filepath.Join( + kbc.Dir, "api", kbc.Version, + fmt.Sprintf("%s_webhook.go", strings.ToLower(kbc.Kind)))) + ExpectWithOffset(1, err).NotTo(HaveOccurred()) + + ExpectWithOffset(1, pluginutil.UncommentCode( + filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), + "#- ../certmanager", "#")).To(Succeed()) + ExpectWithOffset(1, pluginutil.UncommentCode( + filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), + "#- ../prometheus", "#")).To(Succeed()) + ExpectWithOffset(1, pluginutil.UncommentCode( + filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), + "#- path: 
webhookcainjection_patch.yaml", "#")).To(Succeed()) + ExpectWithOffset(1, pluginutil.UncommentCode( + filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), + metricsTarget, "#")).To(Succeed()) + By("uncomment kustomization.yaml to enable network policy") + ExpectWithOffset(1, pluginutil.UncommentCode( + filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), + "#- ../network-policy", "#")).To(Succeed()) + + ExpectWithOffset(1, pluginutil.UncommentCode(filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"), + certManagerTarget, "#")).To(Succeed()) +} + // GenerateV4WithoutWebhooks implements a go/v4 plugin with APIs and enable Prometheus and CertManager func GenerateV4WithoutWebhooks(kbc *utils.TestContext) { initingTheProject(kbc) diff --git a/test/e2e/v4/plugin_cluster_test.go b/test/e2e/v4/plugin_cluster_test.go index 8eb4592e72a..2a9082365d3 100644 --- a/test/e2e/v4/plugin_cluster_test.go +++ b/test/e2e/v4/plugin_cluster_test.go 
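Review bot: The doc comment on `GenerateV4WithNetworkPoliciesWithoutWebhooks` names a different function (`// GenerateV4WithoutMetrics implements ...`), and neither new comment says what distinguishes these generators from `GenerateV4`; suggested: `// GenerateV4WithNetworkPoliciesWithoutWebhooks scaffolds a go/v4 project with an API, Prometheus and metrics enabled and the network-policy overlay uncommented, without webhooks.` and `// GenerateV4WithNetworkPolicies scaffolds a go/v4 project with defaulting/validating webhooks, cert-manager, Prometheus, metrics and the network-policy overlay enabled.` The path `filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml")` is rebuilt nine times across the two functions; a local `kustomizationPath := ...` at the top of each reads better, and the last `UncommentCode` call in `GenerateV4WithNetworkPolicies` is laid out on one line unlike its siblings. `GenerateV4WithoutWebhooks` at the end of the hunk continues outside it.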
@@ -69,29 +69,39 @@ var _ = Describe("kubebuilder", func() { It("should generate a runnable project", func() { kbc.IsRestricted = false GenerateV4(kbc) - Run(kbc, true, false, true) + Run(kbc, true, false, true, false) }) It("should generate a runnable project with the Installer", func() { kbc.IsRestricted = false GenerateV4(kbc) - Run(kbc, false, true, true) + Run(kbc, false, true, true, false) }) It("should generate a runnable project without metrics exposed", func() { kbc.IsRestricted = false GenerateV4WithoutMetrics(kbc) - Run(kbc, true, false, false) + Run(kbc, true, false, false, false) + }) + It("should generate a runnable project with metrics protected by network policies", func() { + kbc.IsRestricted = false + GenerateV4WithNetworkPoliciesWithoutWebhooks(kbc) + Run(kbc, false, false, true, true) + }) + It("should generate a runnable project with webhooks and metrics protected by network policies", func() { + kbc.IsRestricted = false + GenerateV4WithNetworkPolicies(kbc) + Run(kbc, true, false, true, true) }) It("should generate a runnable project with the manager running "+ "as restricted and without webhooks", func() { kbc.IsRestricted = true GenerateV4WithoutWebhooks(kbc) - Run(kbc, false, false, true) + Run(kbc, false, false, true, false) }) }) }) // Run runs a set of e2e tests for a scaffolded project defined by a TestContext. -func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller, hasMetrics bool) { +func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller, hasMetrics bool, hasNetworkPolicies bool) { var controllerPodName string var err error var output []byte 
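Review bot: `Run` now takes four positional booleans (`hasWebhook, isToUseInstaller, hasMetrics bool, hasNetworkPolicies bool`), so call sites such as `Run(kbc, false, false, true, true)` no longer say which scenario they exercise, and the new parameter is declared separately instead of joining the existing `bool` group. At minimum write `hasWebhook, isToUseInstaller, hasMetrics, hasNetworkPolicies bool` and extend the doc comment with what the flag changes, e.g. `// hasNetworkPolicies expects the scaffolded NetworkPolicies to be present and labels the test namespace so the metrics and webhook rules admit it.` A small options struct (`runOptions{webhook, installer, metrics, networkPolicies bool}`) would make each `It` block self-describing. `Run`'s body continues outside the hunk.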
@@ -159,16 +169,6 @@ func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller, hasMetrics bool) ExpectWithOffset(1, podOutput).To(ContainSubstring("health-probe-bind-address"), "Expected manager pod to have --health-probe-bind-address flag") - if hasWebhook { - By("validating that cert-manager has provisioned the certificate Secret") - EventuallyWithOffset(1, func() error { - _, err := kbc.Kubectl.Get( - true, - "secrets", "webhook-server-cert") - return err - }, time.Minute, time.Second).Should(Succeed()) - } - By("validating that the Prometheus manager has provisioned the Service") EventuallyWithOffset(1, func() error { _, err := kbc.Kubectl.Get( 
@@ -183,7 +183,62 @@ func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller, hasMetrics bool) "ServiceMonitor") ExpectWithOffset(1, err).NotTo(HaveOccurred()) + if hasNetworkPolicies { + By("Checking for Calico pods") + outputGet, err := kbc.Kubectl.Get( + false, + "pods", + "-n", "kube-system", + "-l", "k8s-app=calico-node", + "-o", "jsonpath={.items[*].status.phase}", + ) + Expect(err).NotTo(HaveOccurred(), "Failed to get Calico pods") + Expect(outputGet).To(ContainSubstring("Running"), "All Calico pods should be in Running state") + + if hasMetrics { + By("labeling the namespace to allow consume the metrics") + _, err = kbc.Kubectl.Command("label", "namespaces", kbc.Kubectl.Namespace, + "metrics=enabled") + ExpectWithOffset(2, err).NotTo(HaveOccurred()) + + By("Ensuring the Allow Metrics Traffic NetworkPolicy exists", func() { + output, err := kbc.Kubectl.Get( + true, + "networkpolicy", fmt.Sprintf("e2e-%s-allow-metrics-traffic", kbc.TestSuffix), + ) + Expect(err).NotTo(HaveOccurred(), "NetworkPolicy allow-metrics-traffic should exist in the namespace") + Expect(output).To(ContainSubstring("allow-metrics-traffic"), "NetworkPolicy allow-metrics-traffic "+ + "should be present in the output") + }) + } + + if hasWebhook { + By("labeling the namespace to allow webhooks traffic") + _, err = kbc.Kubectl.Command("label", "namespaces", kbc.Kubectl.Namespace, + "webhook=enabled") + ExpectWithOffset(2, err).NotTo(HaveOccurred()) + + By("Ensuring the allow-webhook-traffic NetworkPolicy exists", func() { + output, err := kbc.Kubectl.Get( + true, + "networkpolicy", fmt.Sprintf("e2e-%s-allow-webhook-traffic", kbc.TestSuffix), + ) + Expect(err).NotTo(HaveOccurred(), "NetworkPolicy allow-webhook-traffic should exist in the namespace") + Expect(output).To(ContainSubstring("allow-webhook-traffic"), "NetworkPolicy allow-webhook-traffic "+ + "should be present in the output") + }) + } + } + if hasWebhook { + By("validating that cert-manager has provisioned the certificate 
Secret") + EventuallyWithOffset(1, func() error { + _, err := kbc.Kubectl.Get( + true, + "secrets", "webhook-server-cert") + return err + }, time.Minute, time.Second).Should(Succeed()) + By("validating that the mutating|validating webhooks have the CA injected") verifyCAInjection := func() error { mwhOutput, err := kbc.Kubectl.Get( @@ -256,6 +311,31 @@ func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller, hasMetrics bool) ExpectWithOffset(1, err).NotTo(HaveOccurred()) ExpectWithOffset(1, count).To(BeNumerically("==", 5)) } + + if hasWebhook && hasNetworkPolicies { + By("validating that webhooks from namespace without the label will fail") + + // Define the namespace name and CR sample file path + namespace := "test-namespace-without-webhook-label" + sampleFile := "path/to/your/sample-file.yaml" + + // Create the namespace + By("creating a namespace without the webhook: enabled label") + _, err := kbc.Kubectl.Command("create", "namespace", namespace) + Expect(err).NotTo(HaveOccurred(), "namespace should be created successfully") + + // Apply the Custom Resource in the new namespace and expect it to fail + By("applying the CR in the namespace without the webhook: enabled label and expecting it to fail") + EventuallyWithOffset(1, func() error { + _, err = kbc.Kubectl.Apply(false, "-n", namespace, "-f", sampleFile) + return err + }, time.Minute, time.Second).Should(HaveOccurred(), "applying the CR should fail due to webhook call timeout") + + // Cleanup: Remove the namespace + By("removing the namespace") + _, err = kbc.Kubectl.Command("delete", "namespace", namespace) + Expect(err).NotTo(HaveOccurred(), "namespace should be removed successfully") + } } func getControllerName(kbc *utils.TestContext) string { diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/default/kustomization.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/default/kustomization.yaml index 303bbc1d6e8..ef209c84019 100644 
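Review bot: The Calico readiness check in the `if hasNetworkPolicies` block asserts `ContainSubstring("Running")` on a jsonpath that prints the phase of every calico-node pod, so a single Running pod satisfies it even when the others are still Pending, and the message "All Calico pods should be in Running state" is not what is verified; it is also a one-shot `Get` with no retry. Waiting on readiness instead is one line, e.g. `_, err = kbc.Kubectl.Command("wait", "--for=condition=Ready", "pod", "-l", "k8s-app=calico-node", "-n", "kube-system", "--timeout=2m")`. The metrics branch then labels the namespace and checks that the allow-metrics-traffic NetworkPolicy object exists, which shows the manifest was applied but not that anything is enforced: a CNI that ignores NetworkPolicy, or a podSelector that matches no pod, passes just the same, so a probe of the metrics port from a pod in an unlabeled namespace that must fail (the counterpart of the webhook negative test in the next hunk) is what would actually validate the control. Minor: the label steps use `ExpectWithOffset(2, ...)` while the surrounding checks use offset 1, and the `By` closures redeclare `output, err :=`, shadowing the outer `output`/`err`. Run's body continues outside this hunk.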
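Review bot: `sampleFile := "path/to/your/sample-file.yaml"` is a placeholder that does not exist, so `kbc.Kubectl.Apply` fails with a file-not-found error on the first attempt and `Should(HaveOccurred())` passes without a webhook call ever being blocked; as written the negative test proves nothing about the NetworkPolicy. The apply should target the sample CR the suite already uses, and the matcher should require an error that names the webhook (`MatchError(ContainSubstring("webhook"))`) rather than any error at all. The fixed namespace name `test-namespace-without-webhook-label` can collide between concurrently running suites, and the delete is skipped whenever an assertion above it fails, so suffix the name with `kbc.TestSuffix` and defer the cleanup. The rewritten block is below; Run's closing brace is visible at the end of the hunk.
```go
	if hasWebhook && hasNetworkPolicies {
		By("validating that webhooks from namespace without the label will fail")

		// Suffix the namespace so concurrent suites cannot collide on the same name.
		namespace := fmt.Sprintf("e2e-%s-no-webhook-label", kbc.TestSuffix)
		// TODO(review): use the sample CR the suite already applies; a path that does not
		// exist fails before any webhook call is made, which makes the assertion vacuous.
		sampleFile := "<PATH-TO-SAMPLE-CR>"

		By("creating a namespace without the webhook: enabled label")
		_, err := kbc.Kubectl.Command("create", "namespace", namespace)
		Expect(err).NotTo(HaveOccurred(), "namespace should be created successfully")
		// Deferred so the namespace is removed even when the assertion below fails.
		defer func() {
			_, err := kbc.Kubectl.Command("delete", "namespace", namespace)
			Expect(err).NotTo(HaveOccurred(), "namespace should be removed successfully")
		}()

		By("applying the CR in the namespace without the webhook: enabled label and expecting it to fail")
		EventuallyWithOffset(1, func() error {
			_, err = kbc.Kubectl.Apply(false, "-n", namespace, "-f", sampleFile)
			return err
		}, time.Minute, time.Second).Should(
			// Only an error that names the webhook shows the policy, and not something else, blocked the call.
			MatchError(ContainSubstring("webhook")),
			"applying the CR should fail because the webhook call is blocked")
	}
```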
--- a/testdata/project-v4-multigroup-with-deploy-image/config/default/kustomization.yaml +++ b/testdata/project-v4-multigroup-with-deploy-image/config/default/kustomization.yaml @@ -27,6 +27,11 @@ resources: #- ../prometheus # [METRICS] Expose the controller manager metrics service. - metrics_service.yaml +# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. +# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. +# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will +# be able to communicate with the Webhook Server. +#- ../network-policy # Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager patches: diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/network-policy/allow-metrics-traffic.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/network-policy/allow-metrics-traffic.yaml new file mode 100644 index 00000000000..14e2a89ee75 --- /dev/null +++ b/testdata/project-v4-multigroup-with-deploy-image/config/network-policy/allow-metrics-traffic.yaml @@ -0,0 +1,26 @@ +# This NetworkPolicy allows ingress traffic +# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those +# namespaces are able to gathering data from the metrics endpoint. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: project-v4-multigroup-with-deploy-image + app.kubernetes.io/managed-by: kustomize + name: allow-metrics-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label metrics: enabled + - from: + - namespaceSelector: + matchLabels: + metrics: enabled # Only from namespaces with this label + ports: + - port: 8443 + protocol: TCP 
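Review bot: The added comment in `config/default/kustomization.yaml` tells users to label namespaces `'webhooks: enabled'`, but the `allow-webhook-traffic` NetworkPolicy introduced by the same change selects `webhook: enabled` (and the e2e test labels with `webhook=enabled`), so a user who follows the comment keeps their webhook traffic blocked. Change the line to `# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhook: enabled' will`. The same comment is repeated in the other `config/default/kustomization.yaml` hunks of this commit, and since the testdata is presumably regenerated from the kustomize plugin's template, the fix belongs in that template as well.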
diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/network-policy/allow-webhook-traffic.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/network-policy/allow-webhook-traffic.yaml new file mode 100644 index 00000000000..c5a8be28260 --- /dev/null +++ b/testdata/project-v4-multigroup-with-deploy-image/config/network-policy/allow-webhook-traffic.yaml @@ -0,0 +1,26 @@ +# This NetworkPolicy allows ingress traffic to your webhook server running +# as part of the controller-manager from specific namespaces and pods. CR(s) which uses webhooks +# will only work when applied in namespaces labeled with 'webhook: enabled' +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: project-v4-multigroup-with-deploy-image + app.kubernetes.io/managed-by: kustomize + name: allow-webhook-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label webhook: enabled + - from: + - namespaceSelector: + matchLabels: + webhook: enabled # Only from namespaces with this label + ports: + - port: 443 + protocol: TCP diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/network-policy/kustomization.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/network-policy/kustomization.yaml new file mode 100644 index 00000000000..0872bee124c --- /dev/null +++ b/testdata/project-v4-multigroup-with-deploy-image/config/network-policy/kustomization.yaml @@ -0,0 +1,3 @@ +resources: +- allow-webhook-traffic.yaml +- allow-metrics-traffic.yaml diff --git a/testdata/project-v4-multigroup/config/default/kustomization.yaml b/testdata/project-v4-multigroup/config/default/kustomization.yaml index 88ea8e9f042..32e0e86801e 100644 --- a/testdata/project-v4-multigroup/config/default/kustomization.yaml +++ b/testdata/project-v4-multigroup/config/default/kustomization.yaml 
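Review bot: The ingress rule in `allow-webhook-traffic.yaml` admits only `port: 443`, but NetworkPolicy ports are matched against the port the selected pod listens on, after the Service's DNAT, not against the Service port; if the manager's webhook server binds the controller-runtime default of 9443 behind a 443-to-9443 Service, this rule admits nothing and every webhook call is dropped, labeled namespace or not. Confirm which port the container actually binds and use that value here (the metrics policy already does this with the in-pod 8443), e.g. `- port: 9443` with a comment such as `# the webhook server's container port, not the Service port`. The same port appears in the other `allow-webhook-traffic.yaml` files in this commit and, presumably, in the scaffold template they are generated from.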
@@ -27,6 +27,11 @@ resources: #- ../prometheus # [METRICS] Expose the controller manager metrics service. - metrics_service.yaml +# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. +# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. +# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will +# be able to communicate with the Webhook Server. +#- ../network-policy # Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager patches: diff --git a/testdata/project-v4-multigroup/config/network-policy/allow-metrics-traffic.yaml b/testdata/project-v4-multigroup/config/network-policy/allow-metrics-traffic.yaml new file mode 100644 index 00000000000..3f144fb140e --- /dev/null +++ b/testdata/project-v4-multigroup/config/network-policy/allow-metrics-traffic.yaml @@ -0,0 +1,26 @@ +# This NetworkPolicy allows ingress traffic +# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those +# namespaces are able to gathering data from the metrics endpoint. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: project-v4-multigroup + app.kubernetes.io/managed-by: kustomize + name: allow-metrics-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label metrics: enabled + - from: + - namespaceSelector: + matchLabels: + metrics: enabled # Only from namespaces with this label + ports: + - port: 8443 + protocol: TCP diff --git a/testdata/project-v4-multigroup/config/network-policy/allow-webhook-traffic.yaml b/testdata/project-v4-multigroup/config/network-policy/allow-webhook-traffic.yaml new file mode 100644 index 00000000000..ec32d71710c --- /dev/null 
+++ b/testdata/project-v4-multigroup/config/network-policy/allow-webhook-traffic.yaml @@ -0,0 +1,26 @@ +# This NetworkPolicy allows ingress traffic to your webhook server running +# as part of the controller-manager from specific namespaces and pods. CR(s) which uses webhooks +# will only work when applied in namespaces labeled with 'webhook: enabled' +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: project-v4-multigroup + app.kubernetes.io/managed-by: kustomize + name: allow-webhook-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label webhook: enabled + - from: + - namespaceSelector: + matchLabels: + webhook: enabled # Only from namespaces with this label + ports: + - port: 443 + protocol: TCP diff --git a/testdata/project-v4-multigroup/config/network-policy/kustomization.yaml b/testdata/project-v4-multigroup/config/network-policy/kustomization.yaml new file mode 100644 index 00000000000..0872bee124c --- /dev/null +++ b/testdata/project-v4-multigroup/config/network-policy/kustomization.yaml @@ -0,0 +1,3 @@ +resources: +- allow-webhook-traffic.yaml +- allow-metrics-traffic.yaml diff --git a/testdata/project-v4-with-deploy-image/config/default/kustomization.yaml b/testdata/project-v4-with-deploy-image/config/default/kustomization.yaml index 93ec80cc093..ba24525ade9 100644 --- a/testdata/project-v4-with-deploy-image/config/default/kustomization.yaml +++ b/testdata/project-v4-with-deploy-image/config/default/kustomization.yaml 
@@ -27,6 +27,11 @@ resources: #- ../prometheus # [METRICS] Expose the controller manager metrics service. - metrics_service.yaml +# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. +# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. +# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will +# be able to communicate with the Webhook Server. +#- ../network-policy # Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager patches: diff --git a/testdata/project-v4-with-deploy-image/config/network-policy/allow-metrics-traffic.yaml b/testdata/project-v4-with-deploy-image/config/network-policy/allow-metrics-traffic.yaml new file mode 100644 index 00000000000..5597fb43197 --- /dev/null +++ b/testdata/project-v4-with-deploy-image/config/network-policy/allow-metrics-traffic.yaml @@ -0,0 +1,26 @@ +# This NetworkPolicy allows ingress traffic +# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those +# namespaces are able to gathering data from the metrics endpoint. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: project-v4-with-deploy-image + app.kubernetes.io/managed-by: kustomize + name: allow-metrics-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label metrics: enabled + - from: + - namespaceSelector: + matchLabels: + metrics: enabled # Only from namespaces with this label + ports: + - port: 8443 + protocol: TCP diff --git a/testdata/project-v4-with-deploy-image/config/network-policy/allow-webhook-traffic.yaml b/testdata/project-v4-with-deploy-image/config/network-policy/allow-webhook-traffic.yaml new file mode 100644 index 00000000000..81fdaf9fbb0 --- /dev/null 
+++ b/testdata/project-v4-with-deploy-image/config/network-policy/allow-webhook-traffic.yaml @@ -0,0 +1,26 @@ +# This NetworkPolicy allows ingress traffic to your webhook server running +# as part of the controller-manager from specific namespaces and pods. CR(s) which uses webhooks +# will only work when applied in namespaces labeled with 'webhook: enabled' +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: project-v4-with-deploy-image + app.kubernetes.io/managed-by: kustomize + name: allow-webhook-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label webhook: enabled + - from: + - namespaceSelector: + matchLabels: + webhook: enabled # Only from namespaces with this label + ports: + - port: 443 + protocol: TCP diff --git a/testdata/project-v4-with-deploy-image/config/network-policy/kustomization.yaml b/testdata/project-v4-with-deploy-image/config/network-policy/kustomization.yaml new file mode 100644 index 00000000000..0872bee124c --- /dev/null +++ b/testdata/project-v4-with-deploy-image/config/network-policy/kustomization.yaml @@ -0,0 +1,3 @@ +resources: +- allow-webhook-traffic.yaml +- allow-metrics-traffic.yaml diff --git a/testdata/project-v4-with-grafana/config/default/kustomization.yaml b/testdata/project-v4-with-grafana/config/default/kustomization.yaml index 1f9f8a6f785..2f83888dec7 100644 --- a/testdata/project-v4-with-grafana/config/default/kustomization.yaml +++ b/testdata/project-v4-with-grafana/config/default/kustomization.yaml 
@@ -27,6 +27,11 @@ resources: #- ../prometheus # [METRICS] Expose the controller manager metrics service. - metrics_service.yaml +# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. +# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. +# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will +# be able to communicate with the Webhook Server. +#- ../network-policy # Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager patches: diff --git a/testdata/project-v4-with-grafana/config/network-policy/allow-metrics-traffic.yaml b/testdata/project-v4-with-grafana/config/network-policy/allow-metrics-traffic.yaml new file mode 100644 index 00000000000..87772311883 --- /dev/null +++ b/testdata/project-v4-with-grafana/config/network-policy/allow-metrics-traffic.yaml @@ -0,0 +1,26 @@ +# This NetworkPolicy allows ingress traffic +# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those +# namespaces are able to gathering data from the metrics endpoint. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: project-v4-with-grafana + app.kubernetes.io/managed-by: kustomize + name: allow-metrics-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label metrics: enabled + - from: + - namespaceSelector: + matchLabels: + metrics: enabled # Only from namespaces with this label + ports: + - port: 8443 + protocol: TCP diff --git a/testdata/project-v4-with-grafana/config/network-policy/kustomization.yaml b/testdata/project-v4-with-grafana/config/network-policy/kustomization.yaml new file mode 100644 index 00000000000..ec0fb5e57df --- /dev/null 
+++ b/testdata/project-v4-with-grafana/config/network-policy/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- allow-metrics-traffic.yaml diff --git a/testdata/project-v4/config/default/kustomization.yaml b/testdata/project-v4/config/default/kustomization.yaml index ef81f77b8fa..4c50113a534 100644 --- a/testdata/project-v4/config/default/kustomization.yaml +++ b/testdata/project-v4/config/default/kustomization.yaml @@ -27,6 +27,11 @@ resources: #- ../prometheus # [METRICS] Expose the controller manager metrics service. - metrics_service.yaml +# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. +# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. +# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will +# be able to communicate with the Webhook Server. +#- ../network-policy # Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager patches: diff --git a/testdata/project-v4/config/network-policy/allow-metrics-traffic.yaml b/testdata/project-v4/config/network-policy/allow-metrics-traffic.yaml new file mode 100644 index 00000000000..d3058fee06d --- /dev/null +++ b/testdata/project-v4/config/network-policy/allow-metrics-traffic.yaml 
@@ -0,0 +1,26 @@ +# This NetworkPolicy allows ingress traffic +# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those +# namespaces are able to gathering data from the metrics endpoint. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: project-v4 + app.kubernetes.io/managed-by: kustomize + name: allow-metrics-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label metrics: enabled + - from: + - namespaceSelector: + matchLabels: + metrics: enabled # Only from namespaces with this label + ports: + - port: 8443 + protocol: TCP diff --git a/testdata/project-v4/config/network-policy/allow-webhook-traffic.yaml b/testdata/project-v4/config/network-policy/allow-webhook-traffic.yaml new file mode 100644 index 00000000000..e7ee8707835 --- /dev/null +++ b/testdata/project-v4/config/network-policy/allow-webhook-traffic.yaml @@ -0,0 +1,26 @@ +# This NetworkPolicy allows ingress traffic to your webhook server running +# as part of the controller-manager from specific namespaces and pods. CR(s) which uses webhooks +# will only work when applied in namespaces labeled with 'webhook: enabled' +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: project-v4 + app.kubernetes.io/managed-by: kustomize + name: allow-webhook-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label webhook: enabled + - from: + - namespaceSelector: + matchLabels: + webhook: enabled # Only from namespaces with this label + ports: + - port: 443 + protocol: TCP 
diff --git a/testdata/project-v4/config/network-policy/kustomization.yaml b/testdata/project-v4/config/network-policy/kustomization.yaml new file mode 100644 index 00000000000..0872bee124c --- /dev/null +++ b/testdata/project-v4/config/network-policy/kustomization.yaml @@ -0,0 +1,3 @@ +resources: +- allow-webhook-traffic.yaml +- allow-metrics-traffic.yaml