From 92e68d33ead9b46c534ed3f859764eb2baba44c5 Mon Sep 17 00:00:00 2001 From: Tin Lam Date: Mon, 27 Aug 2018 15:26:24 -0500 Subject: [PATCH] Add network policy toolkit function This patch set implements the helm toolkit function to generate a kubernetes network policy manifest based on overrideable values. This also adds a chart that shuts down all ingress and egress traffic in the namespace. This can be used to verify that the whitelisted network policies work as intended. Additionally, implementation is done for some infrastructure charts. Change-Id: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8 Co-Authored-By: Mike Pham 
Signed-off-by: Tin Lam --- elasticsearch/templates/network_policy.yaml | 20 ++++ elasticsearch/values.yaml | 1 + fluent-logging/templates/network_policy.yaml | 25 +++++ fluent-logging/values.yaml | 1 + grafana/templates/network_policy.yaml | 20 ++++ grafana/values.yaml | 1 + .../templates/manifests/_network_policy.tpl | 86 ++++++++++++++++++ ingress/templates/network_policy.yaml | 20 ++++ ingress/values.yaml | 22 +++++ kibana/templates/network_policy.yaml | 20 ++++ kibana/values.yaml | 1 + ldap/templates/network_policy.yaml | 19 ++++ ldap/values.yaml | 7 ++ libvirt/templates/network-policy.yaml | 20 ++++ libvirt/values.yaml | 6 ++ lockdown/Chart.yaml | 20 ++++ lockdown/templates/network_policy.yaml | 27 ++++++ lockdown/values.yaml | 17 ++++ mariadb/templates/network_policy.yaml | 19 ++++ mariadb/values.yaml | 22 +++++ memcached/templates/network_policy.yaml | 19 ++++ memcached/values.yaml | 22 +++++ nagios/templates/network_policy.yaml | 20 ++++ nagios/values.yaml | 1 + openvswitch/templates/network-policy.yaml | 20 ++++ openvswitch/values.yaml | 6 ++ .../templates/network_policy.yaml | 19 ++++ prometheus-alertmanager/values.yaml | 1 + .../templates/network_policy.yaml | 19 ++++ prometheus/templates/network_policy.yaml | 19 ++++ prometheus/values.yaml | 1 + rabbitmq/templates/network_policy.yaml | 19 ++++ rabbitmq/values.yaml | 22 +++++ .../developer/netpol/039-lockdown.sh | 29 ++++++ tools/deployment/developer/netpol/040-ldap.sh | 60 ++++++++++++ .../developer/netpol/045-mariadb.sh | 57 ++++++++++++ .../developer/netpol/050-prometheus.sh | 70 ++++++++++++++ .../developer/netpol/060-alertmanager.sh | 51 +++++++++++ .../netpol/070-kube-state-metrics.sh | 30 ++++++ .../developer/netpol/080-node-exporter.sh | 30 ++++++ .../developer/netpol/090-process-exporter.sh | 30 ++++++ .../developer/netpol/100-grafana.sh | 48 ++++++++++ .../deployment/developer/netpol/110-nagios.sh | 49 ++++++++++ .../developer/netpol/120-elasticsearch.sh | 46 ++++++++++ 
.../netpol/125-elasticsearch-ldap.sh | 91 +++++++++++++++++++ .../developer/netpol/130-fluent-logging.sh | 51 +++++++++++ .../deployment/developer/netpol/140-kibana.sh | 47 ++++++++++ .../netpol/901-test-networkpolicy.sh | 48 ++++++++++ zuul.d/jobs.yaml | 31 +++++++ zuul.d/project.yaml | 2 + 50 files changed, 1332 insertions(+) create mode 100644 elasticsearch/templates/network_policy.yaml create mode 100644 fluent-logging/templates/network_policy.yaml create mode 100644 grafana/templates/network_policy.yaml create mode 100644 helm-toolkit/templates/manifests/_network_policy.tpl create mode 100644 ingress/templates/network_policy.yaml create mode 100644 kibana/templates/network_policy.yaml create mode 100644 ldap/templates/network_policy.yaml create mode 100644 libvirt/templates/network-policy.yaml create mode 100644 lockdown/Chart.yaml create mode 100644 lockdown/templates/network_policy.yaml create mode 100644 lockdown/values.yaml create mode 100644 mariadb/templates/network_policy.yaml create mode 100644 memcached/templates/network_policy.yaml create mode 100644 nagios/templates/network_policy.yaml create mode 100644 openvswitch/templates/network-policy.yaml create mode 100644 prometheus-alertmanager/templates/network_policy.yaml create mode 100644 prometheus-process-exporter/templates/network_policy.yaml create mode 100644 prometheus/templates/network_policy.yaml create mode 100644 rabbitmq/templates/network_policy.yaml create mode 100755 tools/deployment/developer/netpol/039-lockdown.sh create mode 100755 tools/deployment/developer/netpol/040-ldap.sh create mode 100755 tools/deployment/developer/netpol/045-mariadb.sh create mode 100755 tools/deployment/developer/netpol/050-prometheus.sh create mode 100755 tools/deployment/developer/netpol/060-alertmanager.sh create mode 100755 tools/deployment/developer/netpol/070-kube-state-metrics.sh create mode 100755 tools/deployment/developer/netpol/080-node-exporter.sh create mode 100755 
tools/deployment/developer/netpol/090-process-exporter.sh create mode 100755 tools/deployment/developer/netpol/100-grafana.sh create mode 100755 tools/deployment/developer/netpol/110-nagios.sh create mode 100755 tools/deployment/developer/netpol/120-elasticsearch.sh create mode 100755 tools/deployment/developer/netpol/125-elasticsearch-ldap.sh create mode 100755 tools/deployment/developer/netpol/130-fluent-logging.sh create mode 100755 tools/deployment/developer/netpol/140-kibana.sh create mode 100755 tools/deployment/developer/netpol/901-test-networkpolicy.sh diff --git a/elasticsearch/templates/network_policy.yaml b/elasticsearch/templates/network_policy.yaml new file mode 100644 index 0000000000..c29e9ac022 --- /dev/null +++ b/elasticsearch/templates/network_policy.yaml @@ -0,0 +1,20 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "elasticsearch" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml index f9e481becf..56844f8150 100644 --- a/elasticsearch/values.yaml +++ b/elasticsearch/values.yaml @@ -635,6 +635,7 @@ manifests: configmap_bin_exporter: true deployment_exporter: true service_exporter: true + network_policy: false service_data: true service_discovery: true service_ingress: true 
diff --git a/fluent-logging/templates/network_policy.yaml b/fluent-logging/templates/network_policy.yaml new file mode 100644 index 0000000000..5391bdfc15 --- /dev/null +++ b/fluent-logging/templates/network_policy.yaml @@ -0,0 +1,25 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. */}} + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "fluentbit" }} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluentd" }} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluent" }} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluent-logging" }} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/fluent-logging/values.yaml b/fluent-logging/values.yaml index 34b5984301..6c464db5ad 100644 --- a/fluent-logging/values.yaml +++ b/fluent-logging/values.yaml @@ -568,6 +568,7 @@ manifests: configmap_bin: true deployment_exporter: true service_exporter: true + network_policy: false secret_elasticsearch: true service_fluentd: true job_elasticsearch_template: true 
diff --git a/grafana/templates/network_policy.yaml b/grafana/templates/network_policy.yaml new file mode 100644 index 0000000000..b0bfb79a41 --- /dev/null +++ b/grafana/templates/network_policy.yaml @@ -0,0 +1,20 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "grafana" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/grafana/values.yaml b/grafana/values.yaml index d374ca4d8b..d3c5dc00bd 100644 --- a/grafana/values.yaml +++ b/grafana/values.yaml @@ -311,6 +311,7 @@ manifests: job_db_init_session: true job_db_session_sync: true job_image_repo_sync: true + network_policy: false secret_db: true secret_db_session: true secret_admin_creds: true diff --git a/helm-toolkit/templates/manifests/_network_policy.tpl b/helm-toolkit/templates/manifests/_network_policy.tpl new file mode 100644 index 0000000000..3d412892ad --- /dev/null +++ b/helm-toolkit/templates/manifests/_network_policy.tpl 
@@ -0,0 +1,86 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Creates a network policy manifest for services. +values: | + network_policy: + myLabel: + ingress: + - from: + - podSelector: + matchLabels: + application: keystone + ports: + - protocol: TCP + port: 80 +usage: | + {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }} +return: | + --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: RELEASE-NAME + namespace: NAMESPACE + spec: + policyTypes: + - Ingress + - Egress + podSelector: + matchLabels: + application: myLabel + ingress: + - from: + - podSelector: + matchLabels: + application: keystone + ports: + - protocol: TCP + port: 80 + egress: + - {} +*/}} + +{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}} +{{- $envAll := index . "envAll" -}} +{{- $name := index . "name" -}} +{{- $label := index . 
"label" -}} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ $label }}-netpol + namespace: {{ $envAll.Release.Namespace }} +spec: + policyTypes: + - Egress +{{- if hasKey (index $envAll.Values "network_policy") $label }} +{{- if index $envAll.Values.network_policy $label "ingress" }} + - Ingress +{{- end }} +{{- end }} + podSelector: + matchLabels: + {{ $name }}: {{ $label }} + egress: + - {} +{{- if hasKey (index $envAll.Values "network_policy") $label }} +{{- if index $envAll.Values.network_policy $label "ingress" }} + ingress: +{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/ingress/templates/network_policy.yaml b/ingress/templates/network_policy.yaml new file mode 100644 index 0000000000..51636a7503 --- /dev/null +++ b/ingress/templates/network_policy.yaml @@ -0,0 +1,20 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ingress" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/ingress/values.yaml b/ingress/values.yaml index 74a8905659..7d1568760a 100644 --- a/ingress/values.yaml +++ b/ingress/values.yaml 
@@ -175,6 +175,27 @@ endpoints: port: metrics: default: 10254 + kube_dns: + namespace: kube-system + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns_tcp: + default: 53 + dns: + default: 53 + protocol: UDP + +network_policy: + ingress: + ingress: + - {} conf: controller: @@ -209,3 +230,4 @@ manifests: monitoring: prometheus: service_exporter: true + network_policy: false diff --git a/kibana/templates/network_policy.yaml b/kibana/templates/network_policy.yaml new file mode 100644 index 0000000000..8c84618b9a --- /dev/null +++ b/kibana/templates/network_policy.yaml @@ -0,0 +1,20 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "kibana" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/kibana/values.yaml b/kibana/values.yaml index 0fd80406a2..9721ff7071 100644 --- a/kibana/values.yaml +++ b/kibana/values.yaml @@ -318,6 +318,7 @@ manifests: deployment: true ingress: true job_image_repo_sync: true + network_policy: false secret_elasticsearch: true secret_ingress_tls: true service: true diff --git a/ldap/templates/network_policy.yaml b/ldap/templates/network_policy.yaml new file mode 100644 index 0000000000..6ed353835d --- /dev/null +++ b/ldap/templates/network_policy.yaml 
@@ -0,0 +1,19 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ldap" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/ldap/values.yaml b/ldap/values.yaml index 72a97b44eb..716b318523 100644 --- a/ldap/values.yaml +++ b/ldap/values.yaml @@ -147,6 +147,11 @@ endpoints: ldap: default: 389 +network_policy: + ldap: + ingress: + - {} + data: sample: | dn: ou=People,dc=cluster,dc=local @@ -231,6 +236,8 @@ manifests: configmap_bin: true configmap_etc: true job_bootstrap: true + network_policy: false job_image_repo_sync: true + network_policy: false statefulset: true service: true diff --git a/libvirt/templates/network-policy.yaml b/libvirt/templates/network-policy.yaml new file mode 100644 index 0000000000..dd6d227377 --- /dev/null +++ b/libvirt/templates/network-policy.yaml 
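Review bot: The second ldap/values.yaml hunk adds `network_policy: false` twice under `manifests:` — once before `job_image_repo_sync: true` and once after it — producing a duplicate mapping key; YAML forbids that and parsers either reject the document or silently keep one value, so drop one of the two lines. Separately, the first hunk's default `network_policy.ldap.ingress: - {}` is an allow-from-any-source rule, so enabling the manifest with defaults gives the LDAP port no protection; a comment marking it as a placeholder to override, e.g. `# allow-all placeholder; scope with podSelector/namespaceSelector before enabling`, would help operators.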
@@ -0,0 +1,20 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "libvirt" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/libvirt/values.yaml b/libvirt/values.yaml index b40cc3caec..b2551d86a2 100644 --- a/libvirt/values.yaml +++ b/libvirt/values.yaml @@ -58,6 +58,11 @@ endpoints: registry: node: 5000 +network_policy: + libvirt: + ingress: + - {} + ceph_client: configmap: ceph-etc user_secret_name: pvc-ceph-client-key @@ -163,3 +168,4 @@ manifests: configmap_etc: true daemonset_libvirt: true job_image_repo_sync: true + network_policy: false diff --git a/lockdown/Chart.yaml b/lockdown/Chart.yaml new file mode 100644 index 0000000000..2c6ebd9830 --- /dev/null +++ b/lockdown/Chart.yaml 
@@ -0,0 +1,20 @@ +# Copyright 2017-2018 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +appVersion: "1.0" +description: | + A helm chart used to lockdown all ingress and egress for a namespace +name: lockdown +version: 0.1.0 diff --git a/lockdown/templates/network_policy.yaml b/lockdown/templates/network_policy.yaml new file mode 100644 index 0000000000..ab7fb70281 --- /dev/null +++ b/lockdown/templates/network_policy.yaml @@ -0,0 +1,27 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: deny-all + namespace: {{ .Release.Namespace }} +spec: + policyTypes: + - Egress + - Ingress + podSelector: {} + egress: [] + ingress: [] diff --git a/lockdown/values.yaml b/lockdown/values.yaml new file mode 100644 index 0000000000..dd425af2e0 --- /dev/null +++ b/lockdown/values.yaml 
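Review bot: The `deny-all` policy selects every pod in the release namespace with `egress: []`, so besides blocking external traffic it also cuts off kube-dns for any chart deployed with its `network_policy` manifest left at the default `false`, and nothing in the template or Chart.yaml says so. Since the API server accepts a NetworkPolicy even on a CNI that does not enforce it, a successful install is not evidence of isolation either. Suggested comment above `apiVersion`: `{{/* Default-deny (ingress and egress, including DNS) for every pod in the release namespace. Requires a NetworkPolicy-enforcing CNI; intended to validate per-chart allow rules, not as a standalone hardening step. */}}`.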
@@ -0,0 +1,17 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for lockdown chart. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. diff --git a/mariadb/templates/network_policy.yaml b/mariadb/templates/network_policy.yaml new file mode 100644 index 0000000000..e49f9fee41 --- /dev/null +++ b/mariadb/templates/network_policy.yaml @@ -0,0 +1,19 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "mariadb" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/mariadb/values.yaml b/mariadb/values.yaml index dffca8abf3..f71212c37a 100644 --- a/mariadb/values.yaml +++ b/mariadb/values.yaml 
@@ -264,6 +264,27 @@ endpoints: default: 3306 wsrep: default: 4567 + kube_dns: + namespace: kube-system + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns_tcp: + default: 53 + dns: + default: 53 + protocol: UDP + +network_policy: + mariadb: + ingress: + - {} manifests: configmap_bin: true @@ -280,6 +301,7 @@ manifests: secret_etc: true service_exporter: true pdb_server: true + network_policy: false secret_db: true secret_etc: true service_discovery: true diff --git a/memcached/templates/network_policy.yaml b/memcached/templates/network_policy.yaml new file mode 100644 index 0000000000..c58043b933 --- /dev/null +++ b/memcached/templates/network_policy.yaml @@ -0,0 +1,19 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "memcached" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/memcached/values.yaml b/memcached/values.yaml index 7604faa167..9ca41237b8 100644 --- a/memcached/values.yaml +++ b/memcached/values.yaml 
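Review bot: The default `network_policy.mariadb.ingress: - {}` is an allow-all rule — an empty ingress entry matches every source, including pods in other namespaces and, depending on the CNI, traffic from outside the cluster — so turning on `manifests.network_policy` with these defaults leaves 3306/4567 as exposed as before. A scoped default such as `- from: - podSelector: {}` (same-namespace only) or a `namespaceSelector` for the consuming namespaces would be safer, or at minimum a comment that `- {}` is a placeholder to be overridden. The `kube_dns` endpoint block added in the same hunk is not consumed by any template visible in this patch; presumably it is meant for a future egress rule, which is worth a comment so it is not removed as dead configuration.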
@@ -82,6 +82,27 @@ endpoints: port: metrics: default: 9150 + kube_dns: + namespace: kube-system + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns_tcp: + default: 53 + dns: + default: 53 + protocol: UDP + +network_policy: + memcached: + ingress: + - {} monitoring: prometheus: @@ -114,6 +135,7 @@ manifests: configmap_bin: true deployment: true job_image_repo_sync: true + network_policy: false service: true monitoring: prometheus: diff --git a/nagios/templates/network_policy.yaml b/nagios/templates/network_policy.yaml new file mode 100644 index 0000000000..508d4b7628 --- /dev/null +++ b/nagios/templates/network_policy.yaml @@ -0,0 +1,20 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "nagios" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/nagios/values.yaml b/nagios/values.yaml index 83fd664c4e..e327f582aa 100644 --- a/nagios/values.yaml +++ b/nagios/values.yaml @@ -213,6 +213,7 @@ manifests: deployment: true ingress: true job_image_repo_sync: true + network_policy: false secret_nagios: true secret_ingress_tls: true service: true 
diff --git a/openvswitch/templates/network-policy.yaml b/openvswitch/templates/network-policy.yaml new file mode 100644 index 0000000000..c4ce3aebe8 --- /dev/null +++ b/openvswitch/templates/network-policy.yaml @@ -0,0 +1,20 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "openvswitch" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/openvswitch/values.yaml b/openvswitch/values.yaml index 9d27558c87..de1410f892 100644 --- a/openvswitch/values.yaml +++ b/openvswitch/values.yaml @@ -104,6 +104,11 @@ endpoints: registry: node: 5000 +network_policy: + openvswitch: + ingress: + - {} + dependencies: dynamic: common: @@ -126,3 +131,4 @@ manifests: daemonset_ovs_db: true daemonset_ovs_vswitchd: true job_image_repo_sync: true + network_policy: false diff --git a/prometheus-alertmanager/templates/network_policy.yaml b/prometheus-alertmanager/templates/network_policy.yaml new file mode 100644 index 0000000000..c4c8d217f3 --- /dev/null +++ b/prometheus-alertmanager/templates/network_policy.yaml 
@@ -0,0 +1,19 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. */}} + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "alertmanager" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/prometheus-alertmanager/values.yaml b/prometheus-alertmanager/values.yaml index 6988e41181..b5ef49819d 100644 --- a/prometheus-alertmanager/values.yaml +++ b/prometheus-alertmanager/values.yaml @@ -169,6 +169,7 @@ manifests: configmap_etc: true ingress: true job_image_repo_sync: true + network_policy: false secret_ingress_tls: true service: true service_discovery: true diff --git a/prometheus-process-exporter/templates/network_policy.yaml b/prometheus-process-exporter/templates/network_policy.yaml new file mode 100644 index 0000000000..99c1a1456c --- /dev/null +++ b/prometheus-process-exporter/templates/network_policy.yaml 
@@ -0,0 +1,19 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. */}} + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus-process-exporter" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/prometheus/templates/network_policy.yaml b/prometheus/templates/network_policy.yaml new file mode 100644 index 0000000000..26ba3404e4 --- /dev/null +++ b/prometheus/templates/network_policy.yaml @@ -0,0 +1,19 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. */}} + +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/prometheus/values.yaml b/prometheus/values.yaml index c0a7ef002a..6cdb49fe9c 100644 
--- a/prometheus/values.yaml +++ b/prometheus/values.yaml @@ -231,6 +231,7 @@ manifests: ingress: true helm_tests: true job_image_repo_sync: true + network_policy: false secret_ingress_tls: true secret_prometheus: true service_ingress: true diff --git a/rabbitmq/templates/network_policy.yaml b/rabbitmq/templates/network_policy.yaml new file mode 100644 index 0000000000..d975b8d72d --- /dev/null +++ b/rabbitmq/templates/network_policy.yaml @@ -0,0 +1,19 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.manifests.network_policy -}} +{{- $netpol_opts := dict "envAll" . "name" "application" "label" "rabbitmq" -}} +{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/rabbitmq/values.yaml b/rabbitmq/values.yaml index a8b03ecc81..d1cad04c20 100644 --- a/rabbitmq/values.yaml +++ b/rabbitmq/values.yaml @@ -249,6 +249,27 @@ endpoints: port: metrics: default: 9095 + kube_dns: + namespace: kube-system + name: kubernetes-dns + hosts: + default: kube-dns + host_fqdn_override: + default: null + path: + default: null + scheme: http + port: + dns_tcp: + default: 53 + dns: + default: 53 + protocol: UDP + +network_policy: + rabbitmq: + ingress: + - {} volume: chown_on_start: true @@ -267,6 +288,7 @@ manifests: configmap_bin: true deployment_exporter: true service_exporter: true + network_policy: false service_discovery: true service_ingress_management: true service: true 
diff --git a/tools/deployment/developer/netpol/039-lockdown.sh b/tools/deployment/developer/netpol/039-lockdown.sh
new file mode 100755
index 0000000000..08ebbeea22
--- /dev/null
+++ b/tools/deployment/developer/netpol/039-lockdown.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+set -xe
+
+#NOTE: Lint and package chart
+make lockdown
+
+#NOTE: Deploy command
+helm upgrade --install lockdown ./lockdown \
+ --namespace=osh-infra
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh openstack
+
+#NOTE: Validate Deployment info
+helm status lockdown
diff --git a/tools/deployment/developer/netpol/040-ldap.sh b/tools/deployment/developer/netpol/040-ldap.sh
new file mode 100755
index 0000000000..259222d5fc
--- /dev/null
+++ b/tools/deployment/developer/netpol/040-ldap.sh
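Review bot: The wait step targets the wrong namespace: the release is installed with `--namespace=osh-infra` but the script then runs `./tools/deployment/common/wait-for-pods.sh openstack`, so it waits on a namespace the lockdown chart never touches; change it to `./tools/deployment/common/wait-for-pods.sh osh-infra`. Since the chart creates only a NetworkPolicy and no pods, the wait is close to a no-op either way; a more meaningful post-deploy check is `kubectl get networkpolicy deny-all -n osh-infra`, with a comment that the object being present still does not prove the CNI enforces it.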
@@ -0,0 +1,60 @@ +#!/bin/bash + +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +set -xe + +#NOTE: Pull images and lint chart +make ldap + +tee /tmp/ldap.yaml <