Enable Egress policy enforcement

This PS is enable the Egress policies and enforces them in Openstack-helm. Depends-On: Icbe2a18c98dba795d15398dcdcac64228f6a7b4c Change-Id: I6ef3cd157749fd562acb2f89ad44e63be4f7e975
2018-10-31 11:00:48 -04:00 · 2018-10-31 11:00:48 -04:00 · 95a6a2e875
commit 95a6a2e875
parent c90df9d6d5
10 changed files with 148 additions and 28 deletions
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@ -1243,11 +1243,26 @@ endpoints:
        default: 24224
      metrics:
        default: 24220
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public

 network_policy:
  cinder:
    ingress:
      - {}
+    egress:
+      - {}

 manifests:
  configmap_bin: true
--- a/glance/values.yaml
+++ b/glance/values.yaml
@ -112,6 +112,8 @@ network_policy:
          port: 9191
        - protocol: TCP
          port: 9292
+    egress:
+      - {}

 conf:
  rally_tests:
@ -758,6 +760,21 @@ endpoints:
        default: 24224
      metrics:
        default: 24220
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+      http:
+        default: 80
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public

 pod:
  user:
@ -926,3 +943,4 @@ manifests:
  service_ingress_registry: false
  service_api: true
  service_registry: false
+
--- a/heat/values.yaml
+++ b/heat/values.yaml
@ -935,6 +935,21 @@ endpoints:
        default: 24224
      metrics:
        default: 24220
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+      http:
+        default: 80
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public

 pod:
  user:
@ -1138,6 +1153,20 @@ network_policy:
          port: 8003
        - protocol: TCP
          port: 8004
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              application: neutron
+        - podSelector:
+            matchLabels:
+              application: nova
+        - podSelector:
+            matchLabels:
+              application: glance
+        - podSelector:
+            matchLabels:
+              application: cinder

 manifests:
  configmap_bin: true
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@ -2060,6 +2060,19 @@ endpoints:
    port:
      mysql:
        default: 3306
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public

 network_policy:
  horizon:
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@ -404,6 +404,15 @@ network_policy:
          port: 5000
        - protocol: TCP
          port: 35357
+    egress:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              name: ceph
+      - to:
+        - podSelector:
+            matchLabels:
+              application: ceph

 conf:
  keystone:
@ -1114,6 +1123,19 @@ endpoints:
        default: 24224
      metrics:
        default: 24220
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public

 manifests:
  configmap_bin: true
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@ -1857,12 +1857,27 @@ endpoints:
        default: 24224
      metrics:
        default: 24220
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public

 network_policy:
  neutron:
    # TODO(lamt): Need to tighten this ingress for security.
    ingress:
      - {}
+    egress:
+      - {}

 manifests:
  configmap_bin: true
--- a/nova/values.yaml
+++ b/nova/values.yaml
@ -1982,6 +1982,19 @@ endpoints:
        default: 24224
      metrics:
        default: 24220
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public

 pod:
  user:
@ -2238,10 +2251,30 @@ network_policy:
    # TODO(lamt): Need to tighten this ingress for security.
    ingress:
      - {}
+    egress:
+      - {}
+      - to:
+        - podSelector:
+            matchLabels:
+              application: ceph
+        - podSelector:
+            matchLabels:
+              application: ingress
+        - podSelector:
+            matchLabels:
+              application: openvswitch
+        - podSelector:
+            matchLabels:
+              application: libvirt
+        - podSelector:
+            matchLabels:
+              application: cinder
  placement:
    # TODO(lamt): Need to tighten this ingress for security.
    ingress:
      - {}
+    egress:
+      - {}

 manifests:
  configmap_bin: true
--- a/tools/deployment/developer/ceph/150-libvirt.sh
+++ b/tools/deployment/developer/ceph/150-libvirt.sh
@ -19,19 +19,11 @@ set -xe
 : ${OSH_INFRA_PATH:="../openstack-helm-infra"}
 make -C ${OSH_INFRA_PATH} libvirt

-tee /tmp/libvirt.yaml <<EOF
-manifests:
-  network_policy: true
-network_policy:
-  libvirt:
-    ingress:
-      - {}
-EOF
-
 #NOTE: Deploy command
 : ${OSH_EXTRA_HELM_ARGS:=""}
 helm upgrade --install libvirt ${OSH_INFRA_PATH}/libvirt \
  --namespace=openstack \
+  --set manifests.network_policy=true \
  --values=/tmp/libvirt.yaml \
  ${OSH_EXTRA_HELM_ARGS} \
  ${OSH_EXTRA_HELM_ARGS_LIBVIRT}
--- a/tools/deployment/developer/common/140-openvswitch.sh
+++ b/tools/deployment/developer/common/140-openvswitch.sh
@ -19,20 +19,11 @@ set -xe
 : ${OSH_INFRA_PATH:="../openstack-helm-infra"}
 make -C ${OSH_INFRA_PATH} openvswitch

-tee /tmp/openvswitch.yaml <<EOF
-manifests:
-  network_policy: true
-network_policy:
-  openvswitch:
-    ingress:
-      - {}
-EOF
-
 #NOTE: Deploy command
 : ${OSH_EXTRA_HELM_ARGS:=""}
 helm upgrade --install openvswitch ${OSH_INFRA_PATH}/openvswitch \
  --namespace=openstack \
-  --values=/tmp/openvswitch.yaml \
+  --set manifests.network_policy=true \
  ${OSH_EXTRA_HELM_ARGS} \
  ${OSH_EXTRA_HELM_ARGS_OPENVSWITCH}

--- a/tools/deployment/developer/nfs/150-libvirt.sh
+++ b/tools/deployment/developer/nfs/150-libvirt.sh
@ -19,20 +19,12 @@ set -xe
 : ${OSH_INFRA_PATH:="../openstack-helm-infra"}
 make -C ${OSH_INFRA_PATH} libvirt

-tee /tmp/libvirt.yaml <<EOF
-manifests:
-  network_policy: true
-network_policy:
-  libvirt:
-    ingress:
-      - {}
-EOF
-
 #NOTE: Deploy command
 : ${OSH_EXTRA_HELM_ARGS:=""}
 helm upgrade --install libvirt ${OSH_INFRA_PATH}/libvirt \
  --namespace=openstack \
  --set conf.ceph.enabled=false \
+  --set manifests.network_policy=true \
  --values=/tmp/libvirt.yaml \
  ${OSH_EXTRA_HELM_ARGS} \
  ${OSH_EXTRA_HELM_ARGS_LIBVIRT}