Add network policy toolkit function

This patch set implements the helm toolkit function to generate a
kubernetes network policy manifest based on overrideable values.
This also adds a chart that shuts down all ingress and egress
traffic in the namespace. This can be used to ensure the
whitelisted network policy works as intended.

Additionally, implementation is done for some infrastructure charts.

Change-Id: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
This commit is contained in:
Tin Lam 2018-08-27 15:26:24 -05:00 committed by Mike Pham
parent be7dbf6c28
commit 92e68d33ea
50 changed files with 1332 additions and 0 deletions


@ -0,0 +1,20 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "elasticsearch" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -635,6 +635,7 @@ manifests:
configmap_bin_exporter: true
deployment_exporter: true
service_exporter: true
network_policy: false
service_data: true
service_discovery: true
service_ingress: true


@ -0,0 +1,25 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. */}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "fluentbit" }}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluentd" }}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluent" }}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluent-logging" }}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}
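Review bot: The four policies are produced by re-declaring `$netpol_opts` with `:=` three times, and the later declarations (fluentd, fluent, fluent-logging) lack the `-}}` trim used on the first one, so each emits a stray blank line into the manifest stream. A `range` over the labels reads better and keeps the trimming in one place: `{{- range $label := tuple "fluentbit" "fluentd" "fluent" "fluent-logging" }}`, `{{ dict "envAll" $ "name" "application" "label" $label | include "helm-toolkit.manifests.kubernetes_network_policy" }}`, `{{- end }}`. The values hunk for this chart adds no `network_policy.<label>` entries, so unless they exist elsewhere in values.yaml every one of these renders as an Egress-only, allow-all policy; a one-line comment stating which of the four labels actually appear on pods would help the next reader.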


@ -568,6 +568,7 @@ manifests:
configmap_bin: true
deployment_exporter: true
service_exporter: true
network_policy: false
secret_elasticsearch: true
service_fluentd: true
job_elasticsearch_template: true


@ -0,0 +1,20 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "grafana" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -311,6 +311,7 @@ manifests:
job_db_init_session: true
job_db_session_sync: true
job_image_repo_sync: true
network_policy: false
secret_db: true
secret_db_session: true
secret_admin_creds: true


@ -0,0 +1,86 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Creates a network policy manifest for services.
values: |
network_policy:
myLabel:
ingress:
- from:
- podSelector:
matchLabels:
application: keystone
ports:
- protocol: TCP
port: 80
usage: |
{{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
return: |
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: RELEASE-NAME
namespace: NAMESPACE
spec:
policyTypes:
- Ingress
- Egress
podSelector:
matchLabels:
application: myLabel
ingress:
- from:
- podSelector:
matchLabels:
application: keystone
ports:
- protocol: TCP
port: 80
egress:
- {}
*/}}
{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
{{- $envAll := index . "envAll" -}}
{{- $name := index . "name" -}}
{{- $label := index . "label" -}}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ $label }}-netpol
namespace: {{ $envAll.Release.Namespace }}
spec:
policyTypes:
- Egress
{{- if hasKey (index $envAll.Values "network_policy") $label }}
{{- if index $envAll.Values.network_policy $label "ingress" }}
- Ingress
{{- end }}
{{- end }}
podSelector:
matchLabels:
{{ $name }}: {{ $label }}
egress:
- {}
{{- if hasKey (index $envAll.Values "network_policy") $label }}
{{- if index $envAll.Values.network_policy $label "ingress" }}
ingress:
{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
{{- end }}
{{- end }}
{{- end }}
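Review bot: The `return:` example in the header comment shows `name: RELEASE-NAME`, but the template renders `name: {{ $label }}-netpol`, so the example should read `name: myLabel-netpol` to match. The function also hard-codes `egress:` to `- {}` and always lists `Egress` in `policyTypes`, so egress can never be restricted through values even though ingress can; the `abstract:` should state that the generated policy constrains ingress only and leaves all egress open, and that when `network_policy.<label>.ingress` is absent `Ingress` is dropped from `policyTypes`, leaving ingress unrestricted as well. If egress whitelisting is intended later, mirroring the `ingress` lookup with an `egress` key (falling back to `- {}`) would keep the interface symmetric.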


@ -0,0 +1,20 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ingress" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -175,6 +175,27 @@ endpoints:
port:
metrics:
default: 10254
kube_dns:
namespace: kube-system
name: kubernetes-dns
hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns_tcp:
default: 53
dns:
default: 53
protocol: UDP
network_policy:
ingress:
ingress:
- {}
conf:
controller:
@ -209,3 +230,4 @@ manifests:
monitoring:
prometheus:
service_exporter: true
network_policy: false
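Review bot: The `endpoints.kube_dns` block added here (and the identical ones in the mariadb, memcached and rabbitmq values) is not read by any template in this commit as far as the hunks show; the toolkit function only consumes `network_policy.<label>.ingress`. If it is groundwork for a DNS egress rule, a comment such as `# reserved for a future egress rule permitting DNS to kube-system` would stop it looking like dead configuration; otherwise it could be left out until something consumes it. The `network_policy.ingress.ingress: - {}` default is an explicit allow-all rule, a sensible no-op default but worth a comment stating that it must be overridden to get any restriction.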


@ -0,0 +1,20 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "kibana" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -318,6 +318,7 @@ manifests:
deployment: true
ingress: true
job_image_repo_sync: true
network_policy: false
secret_elasticsearch: true
secret_ingress_tls: true
service: true


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ldap" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -147,6 +147,11 @@ endpoints:
ldap:
default: 389
network_policy:
ldap:
ingress:
- {}
data:
sample: |
dn: ou=People,dc=cluster,dc=local
@ -231,6 +236,8 @@ manifests:
configmap_bin: true
configmap_etc: true
job_bootstrap: true
network_policy: false
job_image_repo_sync: true
network_policy: false
statefulset: true
service: true
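Review bot: `network_policy: false` is added twice to the `manifests` mapping in the second hunk (once before and once after `job_image_repo_sync: true`), producing a duplicate key; YAML parsers silently keep the last value and yamllint rejects it. Both copies are `false` today, but a future change flipping only the first one would be silently ignored. Keep the single entry after `job_image_repo_sync: true`, matching the ordering used in the other charts.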


@ -0,0 +1,20 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "libvirt" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}
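Review bot: libvirt and openvswitch are node-level daemonsets (`daemonset_libvirt`, `daemonset_ovs_db`, `daemonset_ovs_vswitchd` in their values); if those pods run with host networking, which the hunks do not show, NetworkPolicy does not apply to them and these policies are inert regardless of what `network_policy.libvirt.ingress` contains. Please confirm the pod network mode before relying on this for isolation, and record the outcome in the template, e.g. `{{/* NOTE: NetworkPolicy has no effect on hostNetwork pods; verify the daemonset's network mode */}}`. The same applies to the openvswitch template.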


@ -58,6 +58,11 @@ endpoints:
registry:
node: 5000
network_policy:
libvirt:
ingress:
- {}
ceph_client:
configmap: ceph-etc
user_secret_name: pvc-ceph-client-key
@ -163,3 +168,4 @@ manifests:
configmap_etc: true
daemonset_libvirt: true
job_image_repo_sync: true
network_policy: false

20
lockdown/Chart.yaml Normal file

@ -0,0 +1,20 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
appVersion: "1.0"
description: |
A helm chart used to lockdown all ingress and egress for a namespace
name: lockdown
version: 0.1.0


@ -0,0 +1,27 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all
namespace: {{ .Release.Namespace }}
spec:
policyTypes:
- Egress
- Ingress
podSelector: {}
egress: []
ingress: []
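Review bot: This deny-all policy selects every pod in the namespace, but NetworkPolicies are additive, so any pod also selected by a toolkit-generated policy regains unrestricted egress through that policy's `egress: - {}` rule and, when its `ingress` list is `- {}`, unrestricted ingress too. The chart therefore only fully isolates pods that no other policy selects, which is worth stating in the header comment: `{{/* Pods matched by another NetworkPolicy in the namespace get whatever that policy permits; deny-all only governs pods no other policy selects. */}}`. The explicit `egress: []` and `ingress: []` are redundant with `policyTypes` but harmless.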

17
lockdown/values.yaml Normal file

@ -0,0 +1,17 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for lockdown chart.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "mariadb" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -264,6 +264,27 @@ endpoints:
default: 3306
wsrep:
default: 4567
kube_dns:
namespace: kube-system
name: kubernetes-dns
hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns_tcp:
default: 53
dns:
default: 53
protocol: UDP
network_policy:
mariadb:
ingress:
- {}
manifests:
configmap_bin: true
@ -280,6 +301,7 @@ manifests:
secret_etc: true
service_exporter: true
pdb_server: true
network_policy: false
secret_db: true
secret_etc: true
service_discovery: true


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "memcached" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -82,6 +82,27 @@ endpoints:
port:
metrics:
default: 9150
kube_dns:
namespace: kube-system
name: kubernetes-dns
hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns_tcp:
default: 53
dns:
default: 53
protocol: UDP
network_policy:
memcached:
ingress:
- {}
monitoring:
prometheus:
@ -114,6 +135,7 @@ manifests:
configmap_bin: true
deployment: true
job_image_repo_sync: true
network_policy: false
service: true
monitoring:
prometheus:


@ -0,0 +1,20 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "nagios" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -213,6 +213,7 @@ manifests:
deployment: true
ingress: true
job_image_repo_sync: true
network_policy: false
secret_nagios: true
secret_ingress_tls: true
service: true


@ -0,0 +1,20 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "openvswitch" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -104,6 +104,11 @@ endpoints:
registry:
node: 5000
network_policy:
openvswitch:
ingress:
- {}
dependencies:
dynamic:
common:
@ -126,3 +131,4 @@ manifests:
daemonset_ovs_db: true
daemonset_ovs_vswitchd: true
job_image_repo_sync: true
network_policy: false


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. */}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "alertmanager" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -169,6 +169,7 @@ manifests:
configmap_etc: true
ingress: true
job_image_repo_sync: true
network_policy: false
secret_ingress_tls: true
service: true
service_discovery: true


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. */}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus-process-exporter" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. */}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -231,6 +231,7 @@ manifests:
ingress: true
helm_tests: true
job_image_repo_sync: true
network_policy: false
secret_ingress_tls: true
secret_prometheus: true
service_ingress: true


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "rabbitmq" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -249,6 +249,27 @@ endpoints:
port:
metrics:
default: 9095
kube_dns:
namespace: kube-system
name: kubernetes-dns
hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns_tcp:
default: 53
dns:
default: 53
protocol: UDP
network_policy:
rabbitmq:
ingress:
- {}
volume:
chown_on_start: true
@ -267,6 +288,7 @@ manifests:
configmap_bin: true
deployment_exporter: true
service_exporter: true
network_policy: false
service_discovery: true
service_ingress_management: true
service: true


@ -0,0 +1,29 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make lockdown
#NOTE: Deploy command
helm upgrade --install lockdown ./lockdown \
--namespace=osh-infra
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh openstack
#NOTE: Validate Deployment info
helm status lockdown
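Review bot: The chart is installed with `--namespace=osh-infra` but the wait step calls `./tools/deployment/common/wait-for-pods.sh openstack`, a different namespace from the one just deployed to; the other scripts in this commit wait on the namespace they install into. The chart creates no pods, so the wait is a no-op either way, but the argument should be `osh-infra` so the script does not mislead. A comment noting that after this step every pod in osh-infra that no other NetworkPolicy selects loses all connectivity, including DNS, would also help whoever runs it next.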


@ -0,0 +1,60 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Pull images and lint chart
make ldap
tee /tmp/ldap.yaml <<EOF
manifests:
network_policy: true
network_policy:
ingress:
- from:
- podSelector:
matchLabels:
application: ldap
- podSelector:
matchLabels:
application: grafana
- podSelector:
matchLabels:
application: nagios
- podSelector:
matchLabels:
application: elasticsearch
- podSelector:
matchLabels:
application: kibana
ports:
- protocol: TCP
port: 389
- protocol: TCP
port: 80
EOF
#NOTE: Deploy command
helm upgrade --install ldap ./ldap \
--namespace=osh-infra \
--values=/tmp/ldap.yaml \
--set bootstrap.enabled=true
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh osh-infra
#NOTE: Validate Deployment info
helm status ldap
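Review bot: The override written to /tmp/ldap.yaml puts the rule under `network_policy.ingress` rather than `network_policy.ldap.ingress`, one nesting level shallower than the mariadb, prometheus, grafana and nagios scripts (rendered indentation is lost here, so judge by the missing `ldap:` line). The toolkit function looks up `network_policy.<label>` for label `ldap`, so this key is never read and the chart keeps its values.yaml default of `ldap.ingress: - {}`, an allow-all rule; the script then deploys an open policy while appearing to whitelist five applications. Insert `ldap:` between `network_policy:` and `ingress:` and indent the rule beneath it.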


@ -0,0 +1,57 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make mariadb
tee /tmp/mariadb.yaml <<EOF
manifests:
network_policy: true
network_policy:
mariadb:
ingress:
- from:
- podSelector:
matchLabels:
application: grafana
- podSelector:
matchLabels:
application: mariadb
ports:
- protocol: TCP
port: 3306
- protocol: TCP
port: 4567
- protocol: TCP
port: 80
EOF
#NOTE: Deploy command
: ${OSH_INFRA_EXTRA_HELM_ARGS:=""}
helm upgrade --install mariadb ./mariadb \
--namespace=osh-infra \
--values=/tmp/mariadb.yaml \
--set pod.replicas.server=1 \
${OSH_INFRA_EXTRA_HELM_ARGS} \
${OSH_INFRA_EXTRA_HELM_ARGS_MARIADB}
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh osh-infra
#NOTE: Validate Deployment info
helm status mariadb


@ -0,0 +1,70 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make prometheus
tee /tmp/prometheus.yaml <<EOF
manifests:
network_policy: true
network_policy:
prometheus:
ingress:
- from:
- podSelector:
matchLabels:
application: prometheus
- podSelector:
matchLabels:
application: elasticsearch-exporter
- podSelector:
matchLabels:
application: elasticsearch
- podSelector:
matchLabels:
application: grafana
- podSelector:
matchLabels:
application: nagios
- podSelector:
matchLabels:
application: fluentd-exporter
- podSelector:
matchLabels:
application: fluentd
ports:
- protocol: TCP
port: 9093
- protocol: TCP
port: 6783
- protocol: TCP
port: 9108
- protocol: TCP
port: 80
EOF
#NOTE: Deploy command
helm upgrade --install prometheus ./prometheus \
--namespace=osh-infra \
--values=/tmp/prometheus.yaml
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh osh-infra
#NOTE: Validate Deployment info
helm status prometheus
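Review bot: The `ports` list (9093, 6783, 9108, 80) overlaps the set the alertmanager script uses, which suggests it was copied; none of the hunks show prometheus' own listening ports, so please confirm against the prometheus values.yaml endpoints and drop any port prometheus does not serve. Note also that this is an ingress rule on the prometheus pods, so listing scrape targets such as elasticsearch-exporter and fluentd-exporter in `from` only matters if those pods initiate connections to prometheus; scraping is initiated by prometheus and would be governed by an egress rule, which the toolkit leaves open. A short comment above the heredoc stating which peers genuinely connect inbound would keep the list from growing by copy-paste.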


@ -0,0 +1,51 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make prometheus-alertmanager
tee /tmp/prometheus-alertmanager.yaml <<EOF
manifests:
network_policy: true
network_policy:
alertmanager:
ingress:
- from:
- podSelector:
matchLabels:
application: prometheus-alertmanager
ports:
- protocol: TCP
port: 9093
- protocol: TCP
port: 6783
- protocol: TCP
port: 80
EOF
#NOTE: Deploy command
helm upgrade --install prometheus-alertmanager ./prometheus-alertmanager \
--namespace=osh-infra \
--values=/tmp/prometheus-alertmanager.yaml \
--set pod.replicas.alertmanager=1
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh osh-infra
#NOTE: Validate Deployment info
helm status prometheus-alertmanager
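Review bot: The only permitted source is `application: prometheus-alertmanager` itself, so if the prometheus pods deliver alerts to alertmanager on 9093 (not visible in these hunks) that traffic is blocked once this policy renders with `Ingress` in `policyTypes`. Please confirm the alert-delivery path and, if so, add `- podSelector: matchLabels: application: prometheus` to the `from` list. A comment naming the purpose of each port (9093, 6783, 80) would also make the list reviewable.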


@ -0,0 +1,30 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make prometheus-kube-state-metrics
#NOTE: Deploy command
helm upgrade --install prometheus-kube-state-metrics \
./prometheus-kube-state-metrics --namespace=kube-system
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh kube-system
#NOTE: Validate Deployment info
helm status prometheus-kube-state-metrics


@ -0,0 +1,30 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make prometheus-node-exporter
#NOTE: Deploy command
helm upgrade --install prometheus-node-exporter \
./prometheus-node-exporter --namespace=kube-system
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh kube-system
#NOTE: Validate Deployment info
helm status prometheus-node-exporter


@ -0,0 +1,30 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make prometheus-process-exporter
#NOTE: Deploy command
helm upgrade --install prometheus-process-exporter \
./prometheus-process-exporter --namespace=kube-system
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh kube-system
#NOTE: Validate Deployment info
helm status prometheus-process-exporter


@ -0,0 +1,48 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make grafana
tee /tmp/grafana.yaml <<EOF
manifests:
network_policy: true
network_policy:
grafana:
ingress:
- from:
- podSelector:
matchLabels:
application: grafana
ports:
- protocol: TCP
port: 3000
- protocol: TCP
port: 80
EOF
#NOTE: Deploy command
helm upgrade --install grafana ./grafana \
--namespace=osh-infra \
--values=/tmp/grafana.yaml
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh osh-infra
#NOTE: Validate Deployment info
helm status grafana
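Review bot: The whitelist written into /tmp/grafana.yaml admits ingress to grafana only from pods carrying `application: grafana` (TCP 3000 and 80), so — assuming the toolkit renders the `podSelector` as given — no other client in the locked-down namespace (an ingress controller, a metrics scraper) is allowed in. If that scope is intended for this gate, a one-line comment in the heredoc would stop the next reader treating it as an oversight, e.g. `# only grafana pods may reach grafana; other ingress paths are deliberately excluded for this gate`. Note that 901-test-networkpolicy.sh only exercises grafana's egress to mariadb and never checks that grafana itself is reachable, so an over-tight ingress rule would go unnoticed. The same pattern appears in 110-nagios.sh (port 8000) and 140-kibana.sh (port 5601).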


@ -0,0 +1,49 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make nagios
tee /tmp/nagios.yaml <<EOF
manifests:
network_policy: true
network_policy:
nagios:
ingress:
- from:
- podSelector:
matchLabels:
application: nagios
ports:
- protocol: TCP
port: 8000
- protocol: TCP
port: 80
EOF
#NOTE: Deploy command
helm upgrade --install nagios ./nagios \
--namespace=osh-infra \
--values=/tmp/nagios.yaml
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh osh-infra
#NOTE: Validate Deployment info
helm status nagios


@ -0,0 +1,46 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make elasticsearch
#NOTE: Deploy command
tee /tmp/elasticsearch.yaml << EOF
monitoring:
prometheus:
enabled: true
pod:
replicas:
data: 1
manifests:
network_policy: true
network_policy:
elasticsearch:
ingress:
- from:
EOF
helm upgrade --install elasticsearch ./elasticsearch \
--namespace=osh-infra \
--values=/tmp/elasticsearch.yaml
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh osh-infra
#NOTE: Validate Deployment info
helm status elasticsearch
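Review bot: The rule under `network_policy.elasticsearch` is `ingress: - from:` with an empty `from`; in the Kubernetes NetworkPolicy API a rule whose `from` is empty or missing matches all sources, so if the toolkit template passes this through unchanged the resulting policy whitelists all ingress to the elasticsearch pods rather than restricting it. If an open ingress is intentional here (a placeholder until the real peers are known), say so in the heredoc, e.g. `# allow-all ingress placeholder; narrow with podSelector/namespaceSelector before use outside the gate`; otherwise add a selector as the grafana, nagios and kibana scripts do. 130-fluent-logging.sh writes the same empty `- from:` rule under four keys (fluentbit, fluentd, fluent, fluent-logging), so the same question applies there. Also, the `#NOTE: Deploy command` comment sits above the `tee` values block rather than above the `helm upgrade` line, unlike the sibling scripts; moving it keeps the scripts uniform.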


@ -0,0 +1,91 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
ELASTICSEARCH_ENDPOINT="elasticsearch-logging.osh-infra"
#NOTE: Create index with specified LDAP user
function create_index () {
index_result=$(curl -K- <<< "--user $1:$2" \
-XPUT "${ELASTICSEARCH_ENDPOINT}/$1_index?pretty" -H 'Content-Type: application/json' -d'
{
"settings" : {
"index" : {
"number_of_shards" : 3,
"number_of_replicas" : 2
}
}
}
' | python -c "import sys, json; print json.load(sys.stdin)['acknowledged']")
if [ "$index_result" == "True" ];
then
echo "$1's index successfully created!";
else
echo "$1's index not created!";
exit 1;
fi
}
#NOTE: Insert test data with specified LDAP user
function insert_test_data () {
insert_result=$(curl -K- <<< "--user $1:$2" \
-XPUT "${ELASTICSEARCH_ENDPOINT}/$1_index/sample_type/123/_create?pretty" -H 'Content-Type: application/json' -d'
{
"name" : "Elasticsearch",
"message" : "Test data text entry"
}
' | python -c "import sys, json; print json.load(sys.stdin)['result']")
if [ "$insert_result" == "created" ]; then
sleep 20
echo "Test data inserted into $1's index!";
else
echo "Test data not inserted into $1's index!";
exit 1;
fi
}
#NOTE: Check hits on test data in specified LDAP user's index
function check_hits () {
total_hits=$(curl -K- <<< "--user $1:$2" \
"${ELASTICSEARCH_ENDPOINT}/_search?pretty" -H 'Content-Type: application/json' -d'
{
"query" : {
"bool": {
"must": [
{ "match": { "name": "Elasticsearch" }},
{ "match": { "message": "Test data text entry" }}
]
}
}
}
' | python -c "import sys, json; print json.load(sys.stdin)['hits']['total']")
if [ "$total_hits" -gt 0 ]; then
echo "Successful hits on test data query on $1's index!"
else
echo "No hits on query for test data on $1's index!";
exit 1;
fi
}
create_index bob password
create_index alice password
insert_test_data bob password
insert_test_data alice password
check_hits bob password
check_hits alice password
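Review bot: The `curl -K- <<< "--user $1:$2"` form in create_index, insert_test_data and check_hits keeps the credentials out of curl's argv and out of the xtrace output, but `set -xe` at the top still traces every function call, so `+ create_index bob password` and the five calls after it land verbatim in the gate log; wrapping the call block in `set +x` before `create_index bob password` and `set -x` after `check_hits alice password` keeps the argv protection meaningful. These are throwaway gate credentials, so this is about not normalising the pattern rather than an exposure. The `python -c "... print json.load(...)"` one-liners use Python 2 print-statement syntax and raise a SyntaxError under python3; `print(json.load(sys.stdin)['acknowledged'])` (and the two siblings) works on both. `ELASTICSEARCH_ENDPOINT` carries no scheme, so curl speaks plain HTTP and the basic-auth header crosses the cluster network unencrypted — presumably acceptable inside the gate, but worth a comment next to the variable.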


@ -0,0 +1,51 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make fluent-logging
tee /tmp/fluent-logging.yaml <<EOF
manifests:
network_policy: true
network_policy:
fluentbit:
ingress:
- from:
fluentd:
ingress:
- from:
fluent:
ingress:
- from:
fluent-logging:
ingress:
- from:
EOF
#NOTE: Deploy command
helm upgrade --install fluent-logging ./fluent-logging \
--namespace=osh-infra \
--values=/tmp/fluent-logging.yaml \
--set pod.replicas.fluentd=1
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh osh-infra
#NOTE: Validate Deployment info
helm status fluent-logging


@ -0,0 +1,47 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make kibana
tee /tmp/kibana.yaml <<EOF
manifests:
network_policy: true
network_policy:
kibana:
ingress:
- from:
- podSelector:
matchLabels:
application: kibana
ports:
- protocol: TCP
port: 5601
- protocol: TCP
port: 80
EOF
#NOTE: Deploy command
helm upgrade --install kibana ./kibana \
--namespace=osh-infra \
--values=/tmp/kibana.yaml
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh osh-infra
#NOTE: Validate Deployment info
helm status kibana


@ -0,0 +1,48 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
# test_netpol(namespace, component, target_host, expected_result{fail,success})
function test_netpol {
NS=$1
COMPONENT=$2
HOST=$3
STATUS=$4
echo Testing connection from $COMPONENT to host $HOST with namespace $NS
POD=$(kubectl -n $NS get pod | grep $COMPONENT | grep Running | awk '{print $1}')
PID=$(sudo docker inspect --format '{{ .State.Pid }}' $(kubectl get pods --namespace $NS $POD -o jsonpath='{.status.containerStatuses[0].containerID}' | cut -c 10-21))
if [ "x${STATUS}" == "xfail" ]; then
if ! sudo nsenter -t $PID -n wget --spider --timeout=5 --tries=1 $HOST ; then
echo "Connection timed out; as expected by policy."
else
exit 1
fi
else
sudo nsenter -t $PID -n wget --spider --timeout=10 --tries=1 $HOST
fi
}
# Doing negative tests
test_netpol osh-infra mariadb-server elasticsearch.osh-infra.svc.cluster.local fail
test_netpol osh-infra mariadb-server nagios.osh-infra.svc.cluster.local fail
test_netpol osh-infra mariadb-server prometheus.osh-infra.svc.cluster.local fail
# Doing positive tests
test_netpol osh-infra grafana mariadb.osh-infra.svc.cluster.local:3306 success
echo Test successfully
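Review bot: The negative branch in test_netpol treats any wget failure as "blocked by policy" — a DNS resolution failure, an unreachable or misnamed Service, or an empty `$POD` all make `! wget` true, so the three negative tests can pass without a NetworkPolicy being involved at all, and the "Connection timed out" message asserts a cause the script never checked. The hostname `elasticsearch.osh-infra.svc.cluster.local` also differs from the `elasticsearch-logging.osh-infra` endpoint used in 125-elasticsearch-ldap.sh, so whether it resolves at all is worth confirming. A more robust check would resolve the Service's clusterIP from outside the pod and target the IP:port directly, and pair each negative test with a positive control from a whitelisted pod against the same target. Separately, `grep $COMPONENT` on pod names can match several Running pods and yield a multi-word `$POD`; `POD=$(kubectl -n "$NS" get pod | grep "$COMPONENT" | grep Running | awk 'NR==1{print $1}')` pins one. The positive test relies on wget's exit status against a MySQL port, which is not an HTTP endpoint and so is fragile; a plain TCP connect check would be unambiguous.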


@ -139,6 +139,37 @@
- ./tools/deployment/developer/nfs/130-fluent-logging.sh
- ./tools/deployment/developer/nfs/140-kibana.sh
- job:
name: openstack-helm-infra-dev-deploy-nfs-networkpolicy
parent: openstack-helm-functional
timeout: 7200
pre-run: playbooks/osh-infra-upgrade-host.yaml
run: playbooks/osh-infra-gate-runner.yaml
post-run: playbooks/osh-infra-collect-logs.yaml
nodeset: openstack-helm-single-node
vars:
gate_scripts:
- ./tools/deployment/developer/nfs/000-install-packages.sh
- ./tools/deployment/developer/nfs/005-deploy-k8s.sh
- ./tools/deployment/developer/nfs/010-deploy-docker-registry.sh
- ./tools/deployment/developer/nfs/020-ingress.sh
- ./tools/deployment/developer/nfs/030-nfs-provisioner.sh
- ./tools/deployment/developer/netpol/039-lockdown.sh
- ./tools/deployment/developer/netpol/040-ldap.sh
- ./tools/deployment/developer/netpol/045-mariadb.sh
- ./tools/deployment/developer/netpol/050-prometheus.sh
- ./tools/deployment/developer/netpol/060-alertmanager.sh
- ./tools/deployment/developer/netpol/070-kube-state-metrics.sh
- ./tools/deployment/developer/netpol/080-node-exporter.sh
- ./tools/deployment/developer/netpol/090-process-exporter.sh
- ./tools/deployment/developer/netpol/100-grafana.sh
- ./tools/deployment/developer/netpol/110-nagios.sh
- ./tools/deployment/developer/netpol/120-elasticsearch.sh
- ./tools/deployment/developer/netpol/125-elasticsearch-ldap.sh
- ./tools/deployment/developer/netpol/130-fluent-logging.sh
- ./tools/deployment/developer/netpol/140-kibana.sh
- ./tools/deployment/developer/netpol/901-test-networkpolicy.sh
- job:
name: openstack-helm-infra-openstack-support
parent: openstack-helm-functional


@ -28,6 +28,8 @@
#NOTE(srwilkers): Changing the dev-deploy-nfs job to nonvoting until
# we can agree on the proper services to deploy with this job
voting: false
- openstack-helm-infra-dev-deploy-nfs-networkpolicy:
voting: false
- openstack-helm-infra-openstack-support
- openstack-helm-infra-kubernetes-keystone-auth
gate:
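Review bot: The new `openstack-helm-infra-dev-deploy-nfs-networkpolicy` entry is marked `voting: false` without the rationale comment the preceding `dev-deploy-nfs` entry carries, so the reason and the exit condition are lost to the next reader. Add a NOTE above it stating why it is non-voting and when it should flip, e.g. `#NOTE: non-voting while the network policy gate is being stabilised; <condition for making it voting>` with the condition filled in by the author.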