Implements egress network policy

This patch set adds in the egress policy for core OpenStack Services.

Depends-On: https://review.opendev.org/#/c/679853/

Change-Id: I585ddabcbd640db784520c913af8eddecaee3843
Signed-off-by: Tin Lam <tlam@omegaprime.dev>
This commit is contained in:
Tin Lam 2019-09-29 20:36:36 -05:00 committed by Tin Lam
parent f396b038f7
commit a25eccb7cb
17 changed files with 320 additions and 121 deletions

View File

@ -662,6 +662,30 @@ endpoints:
default: 24224 default: 24224
metrics: metrics:
default: 24220 default: 24220
# NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
# They are using to enable the Egress K8s network policy.
kube_dns:
namespace: kube-system
name: kubernetes-dns
hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns:
default: 53
protocol: UDP
ingress:
namespace: null
name: ingress
hosts:
default: ingress
port:
ingress:
default: 80
manifests: manifests:
configmap_bin: true configmap_bin: true

View File

@ -1408,19 +1408,28 @@ endpoints:
default: 24224 default: 24224
metrics: metrics:
default: 24220 default: 24220
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. kube_dns:
# They are using to enable the Egress K8s network policy.
k8s:
port:
api:
default: 6443
internal: 5000
default:
namespace: default
kube_system:
namespace: kube-system namespace: kube-system
kube_public: name: kubernetes-dns
namespace: kube-public hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns:
default: 53
protocol: UDP
ingress:
namespace: null
name: ingress
hosts:
default: ingress
port:
ingress:
default: 80
network_policy: network_policy:
cinder: cinder:

View File

@ -1,2 +1,17 @@
manifests: manifests:
network_policy: true network_policy: true
network_policy:
cinder:
egress:
- to:
- ipBlock:
cidr: 172.17.0.1/16
- to:
- ipBlock:
cidr: $API_ADDR/16
- to:
- ipBlock:
cidr: $API_ADDR/32
ports:
- protocol: TCP
port: $API_PORT

View File

@ -774,21 +774,6 @@ endpoints:
default: 24224 default: 24224
metrics: metrics:
default: 24220 default: 24220
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
# They are using to enable the Egress K8s network policy.
k8s:
port:
api:
default: 6443
internal: 5000
http:
default: 80
default:
namespace: default
kube_system:
namespace: kube-system
kube_public:
namespace: kube-public
dashboard: dashboard:
name: horizon name: horizon
hosts: hosts:
@ -812,6 +797,30 @@ endpoints:
web: web:
default: 80 default: 80
public: 443 public: 443
# NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
# They are using to enable the Egress K8s network policy.
kube_dns:
namespace: kube-system
name: kubernetes-dns
hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns:
default: 53
protocol: UDP
ingress:
namespace: null
name: ingress
hosts:
default: ingress
port:
ingress:
default: 80
pod: pod:
security_context: security_context:

View File

@ -1,8 +1,8 @@
manifests: manifests:
network_policy: true network_policy: true
#NOTE(gagehugo): Test this whitelist when the netpol gate works #NOTE(gagehugo): Test this whitelist when the netpol gate works
#network_policy: network_policy:
# glance: glance:
# ingress: # ingress:
# - from: # - from:
# - podSelector: # - podSelector:
@ -33,3 +33,16 @@ manifests:
# port: 9191 # port: 9191
# - protocol: TCP # - protocol: TCP
# port: 9292 # port: 9292
egress:
- to:
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
- to:
- ipBlock:
cidr: $API_ADDR/32
ports:
- protocol: TCP
port: $API_PORT

View File

@ -1002,21 +1002,30 @@ endpoints:
default: 24224 default: 24224
metrics: metrics:
default: 24220 default: 24220
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
# They are using to enable the Egress K8s network policy. # They are using to enable the Egress K8s network policy.
k8s: kube_dns:
port:
api:
default: 6443
internal: 5000
http:
default: 80
default:
namespace: default
kube_system:
namespace: kube-system namespace: kube-system
kube_public: name: kubernetes-dns
namespace: kube-public hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns:
default: 53
protocol: UDP
ingress:
namespace: null
name: ingress
hosts:
default: ingress
port:
ingress:
default: 80
pod: pod:
security_context: security_context:

View File

@ -1,8 +1,8 @@
manifests: manifests:
network_policy: true network_policy: true
#NOTE(gagehugo): Test these once the netpol gate works #NOTE(gagehugo): Test these once the netpol gate works
#network_policy: network_policy:
# heat: heat:
# ingress: # ingress:
# - from: # - from:
# - podSelector: # - podSelector:
@ -23,17 +23,26 @@ manifests:
# port: 8003 # port: 8003
# - protocol: TCP # - protocol: TCP
# port: 8004 # port: 8004
# egress: egress:
# - to: - to:
# - podSelector: - podSelector:
# matchLabels: matchLabels:
# application: neutron application: neutron
# - podSelector: - to:
# matchLabels: - podSelector:
# application: nova matchLabels:
# - podSelector: application: nova
# matchLabels: - to:
# application: glance - podSelector:
# - podSelector: matchLabels:
# matchLabels: application: glance
# application: cinder - to:
- podSelector:
matchLabels:
application: cinder
- to:
- ipBlock:
cidr: $API_ADDR/32
ports:
- protocol: TCP
port: $API_PORT

View File

@ -2219,19 +2219,30 @@ endpoints:
port: port:
mysql: mysql:
default: 3306 default: 3306
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
# They are using to enable the Egress K8s network policy. # They are using to enable the Egress K8s network policy.
k8s: kube_dns:
port:
api:
default: 6443
internal: 5000
default:
namespace: default
kube_system:
namespace: kube-system namespace: kube-system
kube_public: name: kubernetes-dns
namespace: kube-public hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns:
default: 53
protocol: UDP
ingress:
namespace: null
name: ingress
hosts:
default: ingress
port:
ingress:
default: 80
network_policy: network_policy:
horizon: horizon:

View File

@ -20,3 +20,34 @@ network_policy:
protocol: TCP protocol: TCP
- port: 443 - port: 443
protocol: TCP protocol: TCP
egress:
- to:
- podSelector:
matchLabels:
application: neutron
- to:
- podSelector:
matchLabels:
application: nova
- to:
- podSelector:
matchLabels:
application: glance
- to:
- podSelector:
matchLabels:
application: cinder
- to:
- podSelector:
matchLabels:
application: keystone
- to:
- podSelector:
matchLabels:
application: heat
- to:
- ipBlock:
cidr: $API_ADDR/32
ports:
- protocol: TCP
port: $API_PORT

View File

@ -1210,19 +1210,30 @@ endpoints:
default: 24224 default: 24224
metrics: metrics:
default: 24220 default: 24220
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
# They are using to enable the Egress K8s network policy. # They are using to enable the Egress K8s network policy.
k8s: kube_dns:
port:
api:
default: 6443
internal: 5000
default:
namespace: default
kube_system:
namespace: kube-system namespace: kube-system
kube_public: name: kubernetes-dns
namespace: kube-public hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns:
default: 53
protocol: UDP
ingress:
namespace: null
name: ingress
hosts:
default: ingress
port:
ingress:
default: 80
manifests: manifests:
configmap_bin: true configmap_bin: true

View File

@ -63,17 +63,10 @@ network_policy:
port: 5000 port: 5000
- protocol: TCP - protocol: TCP
port: 35357 port: 35357
# egress: egress:
# - to: - to:
# - namespaceSelector: - ipBlock:
# matchLabels: cidr: $API_ADDR/32
# name: ceph ports:
# - to: - protocol: TCP
# - podSelector: port: $API_PORT
# matchLabels:
# application: ceph
# - ports:
# - port: 53
# protocol: UDP
# - port: 53
# protocol: TCP

View File

@ -2303,20 +2303,30 @@ endpoints:
api: api:
default: 6385 default: 6385
public: 80 public: 80
# NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
# They are using to enable the Egress K8s network policy. # They are using to enable the Egress K8s network policy.
k8s: kube_dns:
port:
api:
default: 6443
internal: 5000
default:
namespace: default
kube_system:
namespace: kube-system namespace: kube-system
kube_public: name: kubernetes-dns
namespace: kube-public hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns:
default: 53
protocol: UDP
ingress:
namespace: null
name: ingress
hosts:
default: ingress
port:
ingress:
default: 80
network_policy: network_policy:
neutron: neutron:

View File

@ -1,2 +1,11 @@
manifests: manifests:
network_policy: true network_policy: true
network_policy:
neutron:
egress:
- to:
- ipBlock:
cidr: $API_ADDR/32
ports:
- protocol: TCP
port: $API_PORT

View File

@ -2122,19 +2122,30 @@ endpoints:
default: 24224 default: 24224
metrics: metrics:
default: 24220 default: 24220
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
# They are using to enable the Egress K8s network policy. # They are using to enable the Egress K8s network policy.
k8s: kube_dns:
port:
api:
default: 6443
internal: 5000
default:
namespace: default
kube_system:
namespace: kube-system namespace: kube-system
kube_public: name: kubernetes-dns
namespace: kube-public hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns:
default: 53
protocol: UDP
ingress:
namespace: null
name: ingress
hosts:
default: ingress
port:
ingress:
default: 80
pod: pod:
user: user:

View File

@ -1,2 +1,19 @@
manifests: manifests:
network_policy: true network_policy: true
network_policy:
nova:
egress:
- to:
- ipBlock:
cidr: $API_ADDR/32
ports:
- protocol: TCP
port: $API_PORT
placement:
egress:
- to:
- ipBlock:
cidr: $API_ADDR/32
ports:
- protocol: TCP
port: $API_PORT

View File

@ -0,0 +1,16 @@
#!/bin/bash
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
export API_ADDR=$(kubectl get endpoints kubernetes -o json | jq -r '.subsets[0].addresses[0].ip')
export API_PORT=$(kubectl get endpoints kubernetes -o json | jq -r '.subsets[0].ports[0].port')

View File

@ -60,7 +60,8 @@ function override_file_args () {
for FILE in $(combination ${1//,/ } | uniq | tac); do for FILE in $(combination ${1//,/ } | uniq | tac); do
FILE_PATH="${HELM_CHART_ROOT_PATH}/${HELM_CHART}/values_overrides/${FILE}.yaml" FILE_PATH="${HELM_CHART_ROOT_PATH}/${HELM_CHART}/values_overrides/${FILE}.yaml"
if [ -f "${FILE_PATH}" ]; then if [ -f "${FILE_PATH}" ]; then
OVERRIDE_ARGS+=" --values=${FILE_PATH} " envsubst < ${FILE_PATH} > /tmp/${HELM_CHART}-${FILE}.yaml
OVERRIDE_ARGS+=" --values=/tmp/${HELM_CHART}-${FILE}.yaml "
fi fi
echoerr "${FILE_PATH}" echoerr "${FILE_PATH}"
done done
@ -68,4 +69,5 @@ function override_file_args () {
} }
echoerr "We are going to deploy the service ${HELM_CHART} for the OpenStack ${OPENSTACK_RELEASE} release, using ${CONTAINER_DISTRO_NAME} (${CONTAINER_DISTRO_VERSION}) distribution containers." echoerr "We are going to deploy the service ${HELM_CHART} for the OpenStack ${OPENSTACK_RELEASE} release, using ${CONTAINER_DISTRO_NAME} (${CONTAINER_DISTRO_VERSION}) distribution containers."
source ../openstack-helm/tools/deployment/common/env-variables.sh
override_file_args "${OSH_FEATURE_MIX}" override_file_args "${OSH_FEATURE_MIX}"