Implements egress network policy
This patch set adds in the egress policy for core OpenStack Services. Depends-On: https://review.opendev.org/#/c/679853/ Change-Id: I585ddabcbd640db784520c913af8eddecaee3843 Signed-off-by: Tin Lam <tlam@omegaprime.dev>
parent
f396b038f7
commit
a25eccb7cb
@ -662,6 +662,30 @@ endpoints:
|
|||||||
default: 24224
|
default: 24224
|
||||||
metrics:
|
metrics:
|
||||||
default: 24220
|
default: 24220
|
||||||
|
# NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
|
||||||
|
# They are using to enable the Egress K8s network policy.
|
||||||
|
kube_dns:
|
||||||
|
namespace: kube-system
|
||||||
|
name: kubernetes-dns
|
||||||
|
hosts:
|
||||||
|
default: kube-dns
|
||||||
|
host_fqdn_override:
|
||||||
|
default: null
|
||||||
|
path:
|
||||||
|
default: null
|
||||||
|
scheme: http
|
||||||
|
port:
|
||||||
|
dns:
|
||||||
|
default: 53
|
||||||
|
protocol: UDP
|
||||||
|
ingress:
|
||||||
|
namespace: null
|
||||||
|
name: ingress
|
||||||
|
hosts:
|
||||||
|
default: ingress
|
||||||
|
port:
|
||||||
|
ingress:
|
||||||
|
default: 80
|
||||||
|
|
||||||
manifests:
|
manifests:
|
||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
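Review bot: The kube_dns endpoint added here defines a single `dns` port with `protocol: UDP`, so an egress rule derived from it would admit UDP/53 only; the commented-out keystone egress that this change set drops listed both UDP and TCP 53, and resolvers retry over TCP when an answer is truncated, so a TCP entry next to the UDP one looks needed if the endpoint's `protocol` really is per-port (the indentation is not recoverable on this page). The same endpoint block is added by the later hunks at -1408, -812, -1002, -2219, -1210, -2303 and -2122, so one fix applies to all of them. In each of them the comment `# They are using to enable the Egress K8s network policy.` should read `# They are used to enable the Egress K8s network policy.`.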
|
@ -1408,19 +1408,28 @@ endpoints:
|
|||||||
default: 24224
|
default: 24224
|
||||||
metrics:
|
metrics:
|
||||||
default: 24220
|
default: 24220
|
||||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
kube_dns:
|
||||||
# They are using to enable the Egress K8s network policy.
|
|
||||||
k8s:
|
|
||||||
port:
|
|
||||||
api:
|
|
||||||
default: 6443
|
|
||||||
internal: 5000
|
|
||||||
default:
|
|
||||||
namespace: default
|
|
||||||
kube_system:
|
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
kube_public:
|
name: kubernetes-dns
|
||||||
namespace: kube-public
|
hosts:
|
||||||
|
default: kube-dns
|
||||||
|
host_fqdn_override:
|
||||||
|
default: null
|
||||||
|
path:
|
||||||
|
default: null
|
||||||
|
scheme: http
|
||||||
|
port:
|
||||||
|
dns:
|
||||||
|
default: 53
|
||||||
|
protocol: UDP
|
||||||
|
ingress:
|
||||||
|
namespace: null
|
||||||
|
name: ingress
|
||||||
|
hosts:
|
||||||
|
default: ingress
|
||||||
|
port:
|
||||||
|
ingress:
|
||||||
|
default: 80
|
||||||
|
|
||||||
network_policy:
|
network_policy:
|
||||||
cinder:
|
cinder:
|
||||||
|
@ -1,2 +1,17 @@
|
|||||||
manifests:
|
manifests:
|
||||||
network_policy: true
|
network_policy: true
|
||||||
|
network_policy:
|
||||||
|
cinder:
|
||||||
|
egress:
|
||||||
|
- to:
|
||||||
|
- ipBlock:
|
||||||
|
cidr: 172.17.0.1/16
|
||||||
|
- to:
|
||||||
|
- ipBlock:
|
||||||
|
cidr: $API_ADDR/16
|
||||||
|
- to:
|
||||||
|
- ipBlock:
|
||||||
|
cidr: $API_ADDR/32
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: $API_PORT
|
||||||
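Review bot: `cidr: 172.17.0.1/16` has host bits set; the network form is `cidr: 172.17.0.0/16`, and a one-line comment naming what that range is (it resembles a default docker bridge range, but the file does not say) would help the next reader. The second rule, `cidr: $API_ADDR/16` with no `ports:`, opens every port to the whole /16 around the API server address and makes the following `$API_ADDR/32` plus `$API_PORT` rule redundant; if the wider range is required, the reason belongs in a comment, otherwise it should be dropped. Both `$API_ADDR` occurrences are filled in by envsubst at deploy time, so an unset variable renders as `cidr: /16`, which the API server will reject rather than fail open, but that failure surfaces only at `helm upgrade` time.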
|
@ -774,21 +774,6 @@ endpoints:
|
|||||||
default: 24224
|
default: 24224
|
||||||
metrics:
|
metrics:
|
||||||
default: 24220
|
default: 24220
|
||||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
|
||||||
# They are using to enable the Egress K8s network policy.
|
|
||||||
k8s:
|
|
||||||
port:
|
|
||||||
api:
|
|
||||||
default: 6443
|
|
||||||
internal: 5000
|
|
||||||
http:
|
|
||||||
default: 80
|
|
||||||
default:
|
|
||||||
namespace: default
|
|
||||||
kube_system:
|
|
||||||
namespace: kube-system
|
|
||||||
kube_public:
|
|
||||||
namespace: kube-public
|
|
||||||
dashboard:
|
dashboard:
|
||||||
name: horizon
|
name: horizon
|
||||||
hosts:
|
hosts:
|
||||||
@ -812,6 +797,30 @@ endpoints:
|
|||||||
web:
|
web:
|
||||||
default: 80
|
default: 80
|
||||||
public: 443
|
public: 443
|
||||||
|
# NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
|
||||||
|
# They are using to enable the Egress K8s network policy.
|
||||||
|
kube_dns:
|
||||||
|
namespace: kube-system
|
||||||
|
name: kubernetes-dns
|
||||||
|
hosts:
|
||||||
|
default: kube-dns
|
||||||
|
host_fqdn_override:
|
||||||
|
default: null
|
||||||
|
path:
|
||||||
|
default: null
|
||||||
|
scheme: http
|
||||||
|
port:
|
||||||
|
dns:
|
||||||
|
default: 53
|
||||||
|
protocol: UDP
|
||||||
|
ingress:
|
||||||
|
namespace: null
|
||||||
|
name: ingress
|
||||||
|
hosts:
|
||||||
|
default: ingress
|
||||||
|
port:
|
||||||
|
ingress:
|
||||||
|
default: 80
|
||||||
|
|
||||||
pod:
|
pod:
|
||||||
security_context:
|
security_context:
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
manifests:
|
manifests:
|
||||||
network_policy: true
|
network_policy: true
|
||||||
#NOTE(gagehugo): Test this whitelist when the netpol gate works
|
#NOTE(gagehugo): Test this whitelist when the netpol gate works
|
||||||
#network_policy:
|
network_policy:
|
||||||
# glance:
|
glance:
|
||||||
# ingress:
|
# ingress:
|
||||||
# - from:
|
# - from:
|
||||||
# - podSelector:
|
# - podSelector:
|
||||||
@ -33,3 +33,16 @@ manifests:
|
|||||||
# port: 9191
|
# port: 9191
|
||||||
# - protocol: TCP
|
# - protocol: TCP
|
||||||
# port: 9292
|
# port: 9292
|
||||||
|
egress:
|
||||||
|
- to:
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: 80
|
||||||
|
- protocol: TCP
|
||||||
|
port: 443
|
||||||
|
- to:
|
||||||
|
- ipBlock:
|
||||||
|
cidr: $API_ADDR/32
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: $API_PORT
|
||||||
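Review bot: The first egress rule has an empty `to:` with `ports:` TCP 80 and 443, which a NetworkPolicy treats as every destination on those ports; if that is intended (outbound fetches of images from arbitrary URLs, presumably), a comment such as `# empty 'to' is deliberate: allow outbound HTTP(S) to any destination` should say so, because as written it reads like a selector that was forgotten. The `#NOTE(gagehugo): Test this whitelist when the netpol gate works` a few lines above now sits over an active egress block, so it is worth stating whether that note still applies to the new rules or only to the commented ingress.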
|
@ -1002,21 +1002,30 @@ endpoints:
|
|||||||
default: 24224
|
default: 24224
|
||||||
metrics:
|
metrics:
|
||||||
default: 24220
|
default: 24220
|
||||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
# NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
|
||||||
# They are using to enable the Egress K8s network policy.
|
# They are using to enable the Egress K8s network policy.
|
||||||
k8s:
|
kube_dns:
|
||||||
port:
|
|
||||||
api:
|
|
||||||
default: 6443
|
|
||||||
internal: 5000
|
|
||||||
http:
|
|
||||||
default: 80
|
|
||||||
default:
|
|
||||||
namespace: default
|
|
||||||
kube_system:
|
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
kube_public:
|
name: kubernetes-dns
|
||||||
namespace: kube-public
|
hosts:
|
||||||
|
default: kube-dns
|
||||||
|
host_fqdn_override:
|
||||||
|
default: null
|
||||||
|
path:
|
||||||
|
default: null
|
||||||
|
scheme: http
|
||||||
|
port:
|
||||||
|
dns:
|
||||||
|
default: 53
|
||||||
|
protocol: UDP
|
||||||
|
ingress:
|
||||||
|
namespace: null
|
||||||
|
name: ingress
|
||||||
|
hosts:
|
||||||
|
default: ingress
|
||||||
|
port:
|
||||||
|
ingress:
|
||||||
|
default: 80
|
||||||
|
|
||||||
pod:
|
pod:
|
||||||
security_context:
|
security_context:
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
manifests:
|
manifests:
|
||||||
network_policy: true
|
network_policy: true
|
||||||
#NOTE(gagehugo): Test these once the netpol gate works
|
#NOTE(gagehugo): Test these once the netpol gate works
|
||||||
#network_policy:
|
network_policy:
|
||||||
# heat:
|
heat:
|
||||||
# ingress:
|
# ingress:
|
||||||
# - from:
|
# - from:
|
||||||
# - podSelector:
|
# - podSelector:
|
||||||
@ -23,17 +23,26 @@ manifests:
|
|||||||
# port: 8003
|
# port: 8003
|
||||||
# - protocol: TCP
|
# - protocol: TCP
|
||||||
# port: 8004
|
# port: 8004
|
||||||
# egress:
|
egress:
|
||||||
# - to:
|
- to:
|
||||||
# - podSelector:
|
- podSelector:
|
||||||
# matchLabels:
|
matchLabels:
|
||||||
# application: neutron
|
application: neutron
|
||||||
# - podSelector:
|
- to:
|
||||||
# matchLabels:
|
- podSelector:
|
||||||
# application: nova
|
matchLabels:
|
||||||
# - podSelector:
|
application: nova
|
||||||
# matchLabels:
|
- to:
|
||||||
# application: glance
|
- podSelector:
|
||||||
# - podSelector:
|
matchLabels:
|
||||||
# matchLabels:
|
application: glance
|
||||||
# application: cinder
|
- to:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
application: cinder
|
||||||
|
- to:
|
||||||
|
- ipBlock:
|
||||||
|
cidr: $API_ADDR/32
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: $API_PORT
|
||||||
|
@ -2219,19 +2219,30 @@ endpoints:
|
|||||||
port:
|
port:
|
||||||
mysql:
|
mysql:
|
||||||
default: 3306
|
default: 3306
|
||||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
# NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
|
||||||
# They are using to enable the Egress K8s network policy.
|
# They are using to enable the Egress K8s network policy.
|
||||||
k8s:
|
kube_dns:
|
||||||
port:
|
|
||||||
api:
|
|
||||||
default: 6443
|
|
||||||
internal: 5000
|
|
||||||
default:
|
|
||||||
namespace: default
|
|
||||||
kube_system:
|
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
kube_public:
|
name: kubernetes-dns
|
||||||
namespace: kube-public
|
hosts:
|
||||||
|
default: kube-dns
|
||||||
|
host_fqdn_override:
|
||||||
|
default: null
|
||||||
|
path:
|
||||||
|
default: null
|
||||||
|
scheme: http
|
||||||
|
port:
|
||||||
|
dns:
|
||||||
|
default: 53
|
||||||
|
protocol: UDP
|
||||||
|
ingress:
|
||||||
|
namespace: null
|
||||||
|
name: ingress
|
||||||
|
hosts:
|
||||||
|
default: ingress
|
||||||
|
port:
|
||||||
|
ingress:
|
||||||
|
default: 80
|
||||||
|
|
||||||
network_policy:
|
network_policy:
|
||||||
horizon:
|
horizon:
|
||||||
|
@ -20,3 +20,34 @@ network_policy:
|
|||||||
protocol: TCP
|
protocol: TCP
|
||||||
- port: 443
|
- port: 443
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
|
egress:
|
||||||
|
- to:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
application: neutron
|
||||||
|
- to:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
application: nova
|
||||||
|
- to:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
application: glance
|
||||||
|
- to:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
application: cinder
|
||||||
|
- to:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
application: keystone
|
||||||
|
- to:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
application: heat
|
||||||
|
- to:
|
||||||
|
- ipBlock:
|
||||||
|
cidr: $API_ADDR/32
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: $API_PORT
|
||||||
|
@ -1210,19 +1210,30 @@ endpoints:
|
|||||||
default: 24224
|
default: 24224
|
||||||
metrics:
|
metrics:
|
||||||
default: 24220
|
default: 24220
|
||||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
# NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
|
||||||
# They are using to enable the Egress K8s network policy.
|
# They are using to enable the Egress K8s network policy.
|
||||||
k8s:
|
kube_dns:
|
||||||
port:
|
|
||||||
api:
|
|
||||||
default: 6443
|
|
||||||
internal: 5000
|
|
||||||
default:
|
|
||||||
namespace: default
|
|
||||||
kube_system:
|
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
kube_public:
|
name: kubernetes-dns
|
||||||
namespace: kube-public
|
hosts:
|
||||||
|
default: kube-dns
|
||||||
|
host_fqdn_override:
|
||||||
|
default: null
|
||||||
|
path:
|
||||||
|
default: null
|
||||||
|
scheme: http
|
||||||
|
port:
|
||||||
|
dns:
|
||||||
|
default: 53
|
||||||
|
protocol: UDP
|
||||||
|
ingress:
|
||||||
|
namespace: null
|
||||||
|
name: ingress
|
||||||
|
hosts:
|
||||||
|
default: ingress
|
||||||
|
port:
|
||||||
|
ingress:
|
||||||
|
default: 80
|
||||||
|
|
||||||
manifests:
|
manifests:
|
||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
|
@ -63,17 +63,10 @@ network_policy:
|
|||||||
port: 5000
|
port: 5000
|
||||||
- protocol: TCP
|
- protocol: TCP
|
||||||
port: 35357
|
port: 35357
|
||||||
# egress:
|
egress:
|
||||||
# - to:
|
- to:
|
||||||
# - namespaceSelector:
|
- ipBlock:
|
||||||
# matchLabels:
|
cidr: $API_ADDR/32
|
||||||
# name: ceph
|
ports:
|
||||||
# - to:
|
- protocol: TCP
|
||||||
# - podSelector:
|
port: $API_PORT
|
||||||
# matchLabels:
|
|
||||||
# application: ceph
|
|
||||||
# - ports:
|
|
||||||
# - port: 53
|
|
||||||
# protocol: UDP
|
|
||||||
# - port: 53
|
|
||||||
# protocol: TCP
|
|
||||||
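Review bot: The commented-out egress removed here listed DNS on both UDP and TCP 53 and a ceph selector, while the new rule admits only `$API_ADDR/32` on `$API_PORT`; if DNS and ceph are now expected to come from the egress that helm-toolkit derives from `endpoints` (the Depends-On change, not visible here), a comment such as `# DNS and storage egress come from the endpoints-driven policy in helm-toolkit` would keep the next reader from re-adding them by hand. If that is not the case, keystone loses name resolution as soon as this override is active.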
|
@ -2303,20 +2303,30 @@ endpoints:
|
|||||||
api:
|
api:
|
||||||
default: 6385
|
default: 6385
|
||||||
public: 80
|
public: 80
|
||||||
|
# NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
|
||||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
|
||||||
# They are using to enable the Egress K8s network policy.
|
# They are using to enable the Egress K8s network policy.
|
||||||
k8s:
|
kube_dns:
|
||||||
port:
|
|
||||||
api:
|
|
||||||
default: 6443
|
|
||||||
internal: 5000
|
|
||||||
default:
|
|
||||||
namespace: default
|
|
||||||
kube_system:
|
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
kube_public:
|
name: kubernetes-dns
|
||||||
namespace: kube-public
|
hosts:
|
||||||
|
default: kube-dns
|
||||||
|
host_fqdn_override:
|
||||||
|
default: null
|
||||||
|
path:
|
||||||
|
default: null
|
||||||
|
scheme: http
|
||||||
|
port:
|
||||||
|
dns:
|
||||||
|
default: 53
|
||||||
|
protocol: UDP
|
||||||
|
ingress:
|
||||||
|
namespace: null
|
||||||
|
name: ingress
|
||||||
|
hosts:
|
||||||
|
default: ingress
|
||||||
|
port:
|
||||||
|
ingress:
|
||||||
|
default: 80
|
||||||
|
|
||||||
network_policy:
|
network_policy:
|
||||||
neutron:
|
neutron:
|
||||||
|
@ -1,2 +1,11 @@
|
|||||||
manifests:
|
manifests:
|
||||||
network_policy: true
|
network_policy: true
|
||||||
|
network_policy:
|
||||||
|
neutron:
|
||||||
|
egress:
|
||||||
|
- to:
|
||||||
|
- ipBlock:
|
||||||
|
cidr: $API_ADDR/32
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: $API_PORT
|
||||||
|
@ -2122,19 +2122,30 @@ endpoints:
|
|||||||
default: 24224
|
default: 24224
|
||||||
metrics:
|
metrics:
|
||||||
default: 24220
|
default: 24220
|
||||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
# NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
|
||||||
# They are using to enable the Egress K8s network policy.
|
# They are using to enable the Egress K8s network policy.
|
||||||
k8s:
|
kube_dns:
|
||||||
port:
|
|
||||||
api:
|
|
||||||
default: 6443
|
|
||||||
internal: 5000
|
|
||||||
default:
|
|
||||||
namespace: default
|
|
||||||
kube_system:
|
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
kube_public:
|
name: kubernetes-dns
|
||||||
namespace: kube-public
|
hosts:
|
||||||
|
default: kube-dns
|
||||||
|
host_fqdn_override:
|
||||||
|
default: null
|
||||||
|
path:
|
||||||
|
default: null
|
||||||
|
scheme: http
|
||||||
|
port:
|
||||||
|
dns:
|
||||||
|
default: 53
|
||||||
|
protocol: UDP
|
||||||
|
ingress:
|
||||||
|
namespace: null
|
||||||
|
name: ingress
|
||||||
|
hosts:
|
||||||
|
default: ingress
|
||||||
|
port:
|
||||||
|
ingress:
|
||||||
|
default: 80
|
||||||
|
|
||||||
pod:
|
pod:
|
||||||
user:
|
user:
|
||||||
|
@ -1,2 +1,19 @@
|
|||||||
manifests:
|
manifests:
|
||||||
network_policy: true
|
network_policy: true
|
||||||
|
network_policy:
|
||||||
|
nova:
|
||||||
|
egress:
|
||||||
|
- to:
|
||||||
|
- ipBlock:
|
||||||
|
cidr: $API_ADDR/32
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: $API_PORT
|
||||||
|
placement:
|
||||||
|
egress:
|
||||||
|
- to:
|
||||||
|
- ipBlock:
|
||||||
|
cidr: $API_ADDR/32
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: $API_PORT
|
||||||
|
16
tools/deployment/common/env-variables.sh
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
export API_ADDR=$(kubectl get endpoints kubernetes -o json | jq -r '.subsets[0].addresses[0].ip')
|
||||||
|
export API_PORT=$(kubectl get endpoints kubernetes -o json | jq -r '.subsets[0].ports[0].port')
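Review bot: `export API_ADDR=$(…)` and `export API_PORT=$(…)` hide the pipeline status behind `export`, so a missing `kubectl` or `jq`, or an empty endpoint list, leaves the variables empty or set to the literal string `null` that `jq -r` prints, and envsubst later renders `cidr: /32` and `port: null` into the policies. Since this file is sourced, the assignment should be separated from the export and the values checked before they are exported, as below. `.subsets[0].addresses[0].ip` also keeps only the first API server address; on a cluster with several control-plane endpoints the others stay blocked, so one rule per address may be needed, though whether that matters depends on the CNI evaluating policy after service DNAT.
```shell
# … unchanged: license header …

API_ADDR=$(kubectl get endpoints kubernetes -o json | jq -r '.subsets[0].addresses[0].ip')
API_PORT=$(kubectl get endpoints kubernetes -o json | jq -r '.subsets[0].ports[0].port')
if [ -z "${API_ADDR}" ] || [ "${API_ADDR}" = "null" ] \
   || [ -z "${API_PORT}" ] || [ "${API_PORT}" = "null" ]; then
  echo "env-variables.sh: unable to determine the kubernetes API endpoint" >&2
  return 1
fi
export API_ADDR API_PORT
```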
|
@ -60,7 +60,8 @@ function override_file_args () {
|
|||||||
for FILE in $(combination ${1//,/ } | uniq | tac); do
|
for FILE in $(combination ${1//,/ } | uniq | tac); do
|
||||||
FILE_PATH="${HELM_CHART_ROOT_PATH}/${HELM_CHART}/values_overrides/${FILE}.yaml"
|
FILE_PATH="${HELM_CHART_ROOT_PATH}/${HELM_CHART}/values_overrides/${FILE}.yaml"
|
||||||
if [ -f "${FILE_PATH}" ]; then
|
if [ -f "${FILE_PATH}" ]; then
|
||||||
OVERRIDE_ARGS+=" --values=${FILE_PATH} "
|
envsubst < ${FILE_PATH} > /tmp/${HELM_CHART}-${FILE}.yaml
|
||||||
|
OVERRIDE_ARGS+=" --values=/tmp/${HELM_CHART}-${FILE}.yaml "
|
||||||
fi
|
fi
|
||||||
echoerr "${FILE_PATH}"
|
echoerr "${FILE_PATH}"
|
||||||
done
|
done
|
||||||
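Review bot: `envsubst < ${FILE_PATH}` substitutes every `$NAME` in the override file, not just the two variables this change introduces, so any `$` that is meant to survive in a values file (a password, a template string) is silently replaced from the deployer's environment; pass the variable list and quote the paths: `envsubst '${API_ADDR} ${API_PORT}' < "${FILE_PATH}" > "/tmp/${HELM_CHART}-${FILE}.yaml"`. The output is a fixed, predictable name under /tmp, so on a shared host another user can pre-create or symlink it before the script runs; a file from `mktemp` with a template, or a directory created once with `mktemp -d` and removed by a `trap`, avoids that. override_file_args begins outside the hunk.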
@ -68,4 +69,5 @@ function override_file_args () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
echoerr "We are going to deploy the service ${HELM_CHART} for the OpenStack ${OPENSTACK_RELEASE} release, using ${CONTAINER_DISTRO_NAME} (${CONTAINER_DISTRO_VERSION}) distribution containers."
|
echoerr "We are going to deploy the service ${HELM_CHART} for the OpenStack ${OPENSTACK_RELEASE} release, using ${CONTAINER_DISTRO_NAME} (${CONTAINER_DISTRO_VERSION}) distribution containers."
|
||||||
|
source ../openstack-helm/tools/deployment/common/env-variables.sh
|
||||||
override_file_args "${OSH_FEATURE_MIX}"
|
override_file_args "${OSH_FEATURE_MIX}"
|
||||||
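Review bot: `source ../openstack-helm/tools/deployment/common/env-variables.sh` is resolved against the caller's working directory and its failure is not checked, so when the script is started from elsewhere it continues with `API_ADDR` and `API_PORT` unset and the overrides render with empty CIDRs; guard it, e.g. `source ../openstack-helm/tools/deployment/common/env-variables.sh || { echoerr "cannot load env-variables.sh"; exit 1; }`. Anchoring the path on `${HELM_CHART_ROOT_PATH}`, as the override paths in this script already are, would remove the cwd dependency if that variable points at the chart tree.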
|