From 494b84d03868b9c64f4e8463c3b09767570a4bea Mon Sep 17 00:00:00 2001 From: ArthurSens Date: Sat, 5 Mar 2022 20:47:11 +0000 Subject: [PATCH 1/7] .github/workflows: Use cilium on e2e-test Signed-off-by: ArthurSens --- .github/workflows/ci.yaml | 20 +++++++++++++++- .github/workflows/kind/config.yml | 6 +++++ .gitignore | 2 +- .../codespaces/prepare-kind.sh | 23 +++++++++++++++---- 4 files changed, 45 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/kind/config.yml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 592fda25..7f51fdbb 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -94,7 +94,25 @@ jobs: with: version: ${{ env.kind-version }} image: ${{ matrix.kind-image }} - wait: 300s + wait: 10s # Without default CNI, control-plane doesn't get ready until Cilium is installed + config: .github/workflows/kind/config.yml + - name: Setup Helm + uses: azure/setup-helm@v1 + - name: Install Cilium + run: | + helm repo add cilium https://helm.cilium.io/ + helm install cilium cilium/cilium --version 1.9.13 \ + --namespace kube-system \ + --set nodeinit.enabled=true \ + --set kubeProxyReplacement=partial \ + --set hostServices.enabled=false \ + --set externalIPs.enabled=true \ + --set nodePort.enabled=true \ + --set hostPort.enabled=true \ + --set bpf.masquerade=false \ + --set image.pullPolicy=IfNotPresent \ + --set ipam.mode=kubernetes \ + --set operator.replicas=1 - name: Wait for cluster to finish bootstraping run: kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s - name: Create kube-prometheus stack diff --git a/.github/workflows/kind/config.yml b/.github/workflows/kind/config.yml new file mode 100644 index 00000000..e0ac61d5 --- /dev/null +++ b/.github/workflows/kind/config.yml @@ -0,0 +1,6 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +networking: + disableDefaultCNI: true + podSubnet: "10.10.0.0/16" + serviceSubnet: "10.11.0.0/16" 
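Review bot: `uses: azure/setup-helm@v1` pins the newly added action to a floating major tag, so the job runs whatever that tag points to on the day; if the rest of the workflow pins actions to commit SHAs (not visible in this hunk), this step should follow suit, e.g. `uses: azure/setup-helm@<commit-sha> # v1` with the real SHA filled in. The Cilium chart itself is pinned to 1.9.13, which is the right call, but the identical twelve-flag `helm install` invocation is repeated verbatim in developer-workspace/codespaces/prepare-kind.sh in this same patch; putting it in one script that both the workflow and the codespace call keeps the two environments from drifting. The job definition starts before this hunk.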
diff --git a/.gitignore b/.gitignore index cf9dc350..cebe81d2 100644 --- a/.gitignore +++ b/.gitignore @@ -6,4 +6,4 @@ vendor/ crdschemas/ developer-workspace/gitpod/_output -kind \ No newline at end of file +developer-workspace/codespaces/kind \ No newline at end of file diff --git a/developer-workspace/codespaces/prepare-kind.sh b/developer-workspace/codespaces/prepare-kind.sh index 21bbf5af..5ee6f547 100755 --- a/developer-workspace/codespaces/prepare-kind.sh +++ b/developer-workspace/codespaces/prepare-kind.sh @@ -9,12 +9,27 @@ if [[ $? != 0 ]]; then | cut -d : -f 2,3 \ | tr -d \" \ | wget -qi - - mv kind-linux-amd64 kind && chmod +x kind + mv kind-linux-amd64 developer-workspace/codespaces/kind && chmod +x developer-workspace/codespaces/kind + export PATH=$PATH:$PWD/developer-workspace/codespaces fi -cluster_created=$($PWD/kind get clusters 2>&1) +cluster_created=$($PWD/developer-workspace/codespaces/kind get clusters 2>&1) if [[ "$cluster_created" == "No kind clusters found." ]]; then - $PWD/kind create cluster + $PWD/developer-workspace/codespaces/kind create cluster --config $PWD/.github/workflows/kind/config.yml else echo "Cluster '$cluster_created' already present" -fi \ No newline at end of file +fi + +helm repo add --force-update cilium https://helm.cilium.io/ +helm install cilium cilium/cilium --version 1.9.13 \ + --namespace kube-system \ + --set nodeinit.enabled=true \ + --set kubeProxyReplacement=partial \ + --set hostServices.enabled=false \ + --set externalIPs.enabled=true \ + --set nodePort.enabled=true \ + --set hostPort.enabled=true \ + --set bpf.masquerade=false \ + --set image.pullPolicy=IfNotPresent \ + --set ipam.mode=kubernetes \ + --set operator.replicas=1 \ No newline at end of file From fddf642de7f369006133758a506c63cf25474ee9 Mon Sep 17 00:00:00 2001 
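Review bot: The `helm install cilium ...` appended at the end of prepare-kind.sh is unconditional, while the cluster step just above it already handles the "already present" case; on a second run helm refuses to install a release name that exists, so the script stops being re-runnable. `helm upgrade --install cilium cilium/cilium --version 1.9.13 \` keeps the first run identical and makes later runs idempotent, matching the `--force-update` already used on the repo add. The new `export PATH=$PATH:$PWD/developer-workspace/codespaces` only executes when kind was freshly downloaded and nothing below relies on PATH lookup (every call spells out `$PWD/developer-workspace/codespaces/kind`), so it is either dead or inconsistently applied — drop it or hoist it above the `if`. The enclosing `if [[ $? != 0 ]]` block starts before this hunk.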
From: paulfantom Date: Mon, 1 Nov 2021 10:44:50 +0100 Subject: [PATCH 2/7] jsonnet: add networkpolicies for components accessed by prometheus (cherry picked from commit f8c00b9963cc63a3cf98dd1c825943d4df92d9c4) (cherry picked from commit f09b8e5de2e46db85f090549d37eeb878a81842f) --- .../components/blackbox-exporter.libsonnet | 24 +++++++++++++++++++ .../components/kube-state-metrics.libsonnet | 24 +++++++++++++++++++ .../components/node-exporter.libsonnet | 24 +++++++++++++++++++ .../components/prometheus-adapter.libsonnet | 15 ++++++++++++ .../prometheusAdapter-networkPolicy.yaml | 23 ++++++++++++++++++ 5 files changed, 110 insertions(+) create mode 100644 manifests/prometheusAdapter-networkPolicy.yaml diff --git a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet index 162bd9a6..1b3c7653 100644 --- a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet +++ b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet @@ -250,6 +250,30 @@ function(params) { }, }, + networkPolicy: { + apiVersion: 'networking.k8s.io/v1', + kind: 'NetworkPolicy', + metadata: bb.service.metadata, + spec: { + podSelector: { + matchLabels: bb._config.selectorLabels, + }, + ingress: [{ + from: [{ + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'prometheus', + }, + }, + }], + ports: std.map(function(o) { + port: o.port, + protocol: 'TCP', + }, bb.service.spec.ports), + }], + }, + }, + service: { apiVersion: 'v1', kind: 'Service', diff --git a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet index 5162141e..4d7fe2d3 100644 --- a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet +++ b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet 
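Review bot: The `ports` list is derived from `bb.service.spec.ports` via `o.port`, but a NetworkPolicy port is matched against the pod's container port, not the Service port; the two appear to coincide for the bundled components, yet any component whose Service port differs from its targetPort would get a policy that admits the wrong port. `port: if std.objectHas(o, 'targetPort') then o.targetPort else o.port` (NetworkPolicy accepts named ports) ties the rule to what the pod actually listens on. The same construction appears in the kube-state-metrics and node-exporter hunks of this commit and in the alertmanager, grafana, prometheus-operator and prometheus hunks of PATCH 4/7. The enclosing `function(params)` object starts and ends outside the hunk.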
@@ -124,6 +124,30 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube- image: ksm._config.kubeRbacProxyImage, }), + networkPolicy: { + apiVersion: 'networking.k8s.io/v1', + kind: 'NetworkPolicy', + metadata: ksm.service.metadata, + spec: { + podSelector: { + matchLabels: ksm._config.selectorLabels, + }, + ingress: [{ + from: [{ + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'prometheus', + }, + }, + }], + ports: std.map(function(o) { + port: o.port, + protocol: 'TCP', + }, ksm.service.spec.ports), + }], + }, + }, + deployment+: { spec+: { template+: { diff --git a/jsonnet/kube-prometheus/components/node-exporter.libsonnet b/jsonnet/kube-prometheus/components/node-exporter.libsonnet index 2d1deb96..c4276b0b 100644 --- a/jsonnet/kube-prometheus/components/node-exporter.libsonnet +++ b/jsonnet/kube-prometheus/components/node-exporter.libsonnet @@ -160,6 +160,30 @@ function(params) { }, }, + networkPolicy: { + apiVersion: 'networking.k8s.io/v1', + kind: 'NetworkPolicy', + metadata: ne.service.metadata, + spec: { + podSelector: { + matchLabels: ne._config.selectorLabels, + }, + ingress: [{ + from: [{ + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'prometheus', + }, + }, + }], + ports: std.map(function(o) { + port: o.port, + protocol: 'TCP', + }, ne.service.spec.ports), + }], + }, + }, + daemonset: local nodeExporter = { name: ne._config.name, diff --git a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet index 1ac3aced..cbeeb06a 100644 --- a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet +++ b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet 
@@ -206,6 +206,21 @@ function(params) { }, }, + networkPolicy: { + apiVersion: 'networking.k8s.io/v1', + kind: 'NetworkPolicy', + metadata: pa.service.metadata, + spec: { + podSelector: { + matchLabels: pa._config.selectorLabels, + }, + policyTypes: ['Egress', 'Ingress'], + egress: [{}], + // Prometheus-adapter needs ingress allowed so HPAs can request metrics from it. + ingress: [{}], + }, + }, + deployment: local c = { name: pa._config.name, diff --git a/manifests/prometheusAdapter-networkPolicy.yaml b/manifests/prometheusAdapter-networkPolicy.yaml new file mode 100644 index 00000000..d4636dff --- /dev/null +++ b/manifests/prometheusAdapter-networkPolicy.yaml @@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/component: metrics-adapter + app.kubernetes.io/name: prometheus-adapter + app.kubernetes.io/part-of: kube-prometheus + app.kubernetes.io/version: 0.9.1 + name: prometheus-adapter + namespace: monitoring +spec: + egress: + - {} + ingress: + - {} + podSelector: + matchLabels: + app.kubernetes.io/component: metrics-adapter + app.kubernetes.io/name: prometheus-adapter + app.kubernetes.io/part-of: kube-prometheus + policyTypes: + - Egress + - Ingress From 030dec7656f9dfc62f39c931a0e0c0133bee259e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krupa=20=28paulfantom=29?= Date: Fri, 3 Dec 2021 17:36:33 +0100 Subject: [PATCH 3/7] *: add example for disabling NetworkPolicies (cherry picked from commit b4bf38ba6c0f4ad34bc080b0c655454c3ab1fbdb) (cherry picked from commit c21bf4fbfa478fd163c091054d9fcc98836d7045) --- examples/networkpolicies-disabled.jsonnet | 25 +++++++++++++ .../addons/networkpolicies-disabled.libsonnet | 35 +++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 examples/networkpolicies-disabled.jsonnet create mode 100644 jsonnet/kube-prometheus/addons/networkpolicies-disabled.libsonnet 
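Review bot: With `egress: [{}]` and `ingress: [{}]` under both policy types, this NetworkPolicy allows all traffic in both directions and therefore restricts nothing; it only documents intent. The inline comment attributes the open ingress to HPAs, but the client that actually connects to the adapter is the kube-apiserver (the aggregated metrics API proxies HPA requests), which has no pod labels a `podSelector` could match — that is the real reason ingress cannot be narrowed, and the comment should say so, e.g. `// Ingress is left open: the adapter is called by the kube-apiserver (aggregated metrics API), which cannot be matched by a podSelector.` The enclosing object starts and ends outside the hunk.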
diff --git a/examples/networkpolicies-disabled.jsonnet b/examples/networkpolicies-disabled.jsonnet new file mode 100644 index 00000000..a90da5da --- /dev/null +++ b/examples/networkpolicies-disabled.jsonnet @@ -0,0 +1,25 @@ +local kp = (import 'kube-prometheus/main.libsonnet') + + (import 'kube-prometheus/addons/networkpolicies-disabled.libsonnet') + { + values+:: { + common+: { + namespace: 'monitoring', + }, + }, +}; + +{ + ['setup/' + resource]: kp[component][resource] + for component in std.objectFields(kp) + for resource in std.filter( + function(resource) + kp[component][resource].kind == 'CustomResourceDefinition' || kp[component][resource].kind == 'Namespace', std.objectFields(kp[component]) + ) +} + +{ + [component + '-' + resource]: kp[component][resource] + for component in std.objectFields(kp) + for resource in std.filter( + function(resource) + kp[component][resource].kind != 'CustomResourceDefinition' && kp[component][resource].kind != 'Namespace', std.objectFields(kp[component]) + ) +} diff --git a/jsonnet/kube-prometheus/addons/networkpolicies-disabled.libsonnet b/jsonnet/kube-prometheus/addons/networkpolicies-disabled.libsonnet new file mode 100644 index 00000000..7f2ae603 --- /dev/null +++ b/jsonnet/kube-prometheus/addons/networkpolicies-disabled.libsonnet @@ -0,0 +1,35 @@ +// Disables creation of NetworkPolicies + +{ + blackboxExporter+: { + networkPolicies:: {}, + }, + + kubeStateMetrics+: { + networkPolicies:: {}, + }, + + nodeExporter+: { + networkPolicies:: {}, + }, + + prometheusAdapter+: { + networkPolicies:: {}, + }, + + alertmanager+: { + networkPolicies:: {}, + }, + + grafana+: { + networkPolicies:: {}, + }, + + prometheus+: { + networkPolicies:: {}, + }, + + prometheusOperator+: { + networkPolicies:: {}, + }, +} From ea158da23f4cbe6f34bd75ebe1a2f8251c9dcd13 Mon Sep 17 00:00:00 2001 
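Review bot: The addon hides a field named `networkPolicies`, but every component in this series defines the resource as `networkPolicy` (singular — see the blackbox-exporter, kube-state-metrics, node-exporter and prometheus-adapter hunks of PATCH 2/7), so `networkPolicies:: {}` only adds an unused hidden field and the NetworkPolicy objects are still emitted; as written the addon disables nothing. Each of the eight entries should read `networkPolicy:: {},` instead. The example in examples/networkpolicies-disabled.jsonnet would otherwise render the policies it claims to disable.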
From: Arthur Silva Sens Date: Thu, 17 Feb 2022 08:24:45 +0000 Subject: [PATCH 4/7] Add networkPolicies for alertmanager, grafana, prometheus-operator and prometheus Signed-off-by: GitHub (cherry picked from commit 86e16b539cc57710b50f4692848cab5645e3d2bc) --- .../components/alertmanager.libsonnet | 26 +++++++++++++++ .../components/grafana.libsonnet | 26 +++++++++++++++ .../components/prometheus-operator.libsonnet | 26 +++++++++++++++ .../components/prometheus.libsonnet | 26 +++++++++++++++ kustomization.yaml | 4 +++ manifests/alertmanager-networkPolicy.yaml | 33 +++++++++++++++++++ manifests/grafana-networkPolicy.yaml | 29 ++++++++++++++++ manifests/kubeStateMetrics-networkPolicy.yaml | 31 +++++++++++++++++ manifests/nodeExporter-networkPolicy.yaml | 29 ++++++++++++++++ manifests/prometheus-networkPolicy.yaml | 33 +++++++++++++++++++ .../prometheusOperator-networkPolicy.yaml | 29 ++++++++++++++++ 11 files changed, 292 insertions(+) create mode 100644 manifests/alertmanager-networkPolicy.yaml create mode 100644 manifests/grafana-networkPolicy.yaml create mode 100644 manifests/kubeStateMetrics-networkPolicy.yaml create mode 100644 manifests/nodeExporter-networkPolicy.yaml create mode 100644 manifests/prometheus-networkPolicy.yaml create mode 100644 manifests/prometheusOperator-networkPolicy.yaml diff --git a/jsonnet/kube-prometheus/components/alertmanager.libsonnet b/jsonnet/kube-prometheus/components/alertmanager.libsonnet index a2f29e67..7dc43b3b 100644 --- a/jsonnet/kube-prometheus/components/alertmanager.libsonnet +++ b/jsonnet/kube-prometheus/components/alertmanager.libsonnet 
@@ -103,6 +103,32 @@ function(params) { }, }, + networkPolicy: { + apiVersion: 'networking.k8s.io/v1', + kind: 'NetworkPolicy', + metadata: am.service.metadata, + spec: { + podSelector: { + matchLabels: am._config.selectorLabels, + }, + policyTypes: ['Egress', 'Ingress'], + egress: [{}], + ingress: [{ + from: [{ + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'prometheus', + }, + }, + }], + ports: std.map(function(o) { + port: o.port, + protocol: 'TCP', + }, am.service.spec.ports), + }], + }, + }, + secret: { apiVersion: 'v1', kind: 'Secret', diff --git a/jsonnet/kube-prometheus/components/grafana.libsonnet b/jsonnet/kube-prometheus/components/grafana.libsonnet index 6ea80dd4..f6df20e0 100644 --- a/jsonnet/kube-prometheus/components/grafana.libsonnet +++ b/jsonnet/kube-prometheus/components/grafana.libsonnet @@ -84,6 +84,32 @@ function(params) }, }, + networkPolicy: { + apiVersion: 'networking.k8s.io/v1', + kind: 'NetworkPolicy', + metadata: g.service.metadata, + spec: { + podSelector: { + matchLabels: g._config.selectorLabels, + }, + policyTypes: ['Egress', 'Ingress'], + egress: [{}], + ingress: [{ + from: [{ + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'prometheus', + }, + }, + }], + ports: std.map(function(o) { + port: o.port, + protocol: 'TCP', + }, g.service.spec.ports), + }], + }, + }, + // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged. // 'readOnlyRootFilesystem: true' and extra volumeMounts can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged. diff --git a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet index d95d854e..7d4bc0a3 100644 --- a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet 
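Review bot: The grafana ingress rule admits only pods labelled `app.kubernetes.io/name: prometheus`, so the Grafana UI on port 3000 becomes unreachable from an ingress controller, a LoadBalancer Service, or any other namespace; the only client the rule serves is Prometheus scraping Grafana's metrics. If that is intended, state it in a comment and document that anyone exposing Grafana must add their own ingress rule; otherwise the `from` list needs a second entry for the expected client. The alertmanager hunk on this line has the same shape for the Alertmanager UI/API on 9093. Both enclosing objects start and end outside their hunks.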
+++ b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet @@ -72,6 +72,32 @@ function(params) }, }, + networkPolicy: { + apiVersion: 'networking.k8s.io/v1', + kind: 'NetworkPolicy', + metadata: po.service.metadata, + spec: { + podSelector: { + matchLabels: po._config.selectorLabels, + }, + policyTypes: ['Egress', 'Ingress'], + egress: [{}], + ingress: [{ + from: [{ + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'prometheus', + }, + }, + }], + ports: std.map(function(o) { + port: o.port, + protocol: 'TCP', + }, po.service.spec.ports), + }], + }, + }, + service+: { spec+: { ports: [ diff --git a/jsonnet/kube-prometheus/components/prometheus.libsonnet b/jsonnet/kube-prometheus/components/prometheus.libsonnet index c21a65a9..461a4253 100644 --- a/jsonnet/kube-prometheus/components/prometheus.libsonnet +++ b/jsonnet/kube-prometheus/components/prometheus.libsonnet @@ -94,6 +94,32 @@ function(params) { }, }, + networkPolicy: { + apiVersion: 'networking.k8s.io/v1', + kind: 'NetworkPolicy', + metadata: p.service.metadata, + spec: { + podSelector: { + matchLabels: p._config.selectorLabels, + }, + policyTypes: ['Egress', 'Ingress'], + egress: [{}], + ingress: [{ + from: [{ + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'prometheus', + }, + }, + }], + ports: std.map(function(o) { + port: o.port, + protocol: 'TCP', + }, p.service.spec.ports), + }], + }, + }, + serviceAccount: { apiVersion: 'v1', kind: 'ServiceAccount', diff --git a/kustomization.yaml b/kustomization.yaml index 084af1b1..c79bca6b 100644 --- a/kustomization.yaml +++ b/kustomization.yaml @@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./manifests/alertmanager-alertmanager.yaml +- ./manifests/alertmanager-networkPolicy.yaml - ./manifests/alertmanager-podDisruptionBudget.yaml - ./manifests/alertmanager-prometheusRule.yaml - ./manifests/alertmanager-secret.yaml 
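Review bot: The prometheus ingress rule admits only pods labelled `app.kubernetes.io/name: prometheus`, yet in this stack Grafana's datasource and prometheus-adapter both query prometheus-k8s on 9090; once this policy is applied both are denied, so dashboards and the metrics API stop working. The `from` list needs entries for those two clients — their labels are visible in this series' generated manifests (`app.kubernetes.io/name: grafana`, `app.kubernetes.io/name: prometheus-adapter`). The enclosing object starts and ends outside the hunk.
```jsonnet
        ingress: [{
          from: [
            { podSelector: { matchLabels: { 'app.kubernetes.io/name': 'prometheus' } } },
            // Grafana dashboards and prometheus-adapter both query this Prometheus.
            { podSelector: { matchLabels: { 'app.kubernetes.io/name': 'grafana' } } },
            { podSelector: { matchLabels: { 'app.kubernetes.io/name': 'prometheus-adapter' } } },
          ],
          // … unchanged: ports mapped from p.service.spec.ports …
        }],
```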
@@ -20,6 +21,7 @@ resources: - ./manifests/grafana-dashboardDefinitions.yaml - ./manifests/grafana-dashboardSources.yaml - ./manifests/grafana-deployment.yaml +- ./manifests/grafana-networkPolicy.yaml - ./manifests/grafana-prometheusRule.yaml - ./manifests/grafana-service.yaml - ./manifests/grafana-serviceAccount.yaml @@ -47,6 +49,7 @@ resources: - ./manifests/nodeExporter-serviceMonitor.yaml - ./manifests/prometheus-clusterRole.yaml - ./manifests/prometheus-clusterRoleBinding.yaml +- ./manifests/prometheus-networkPolicy.yaml - ./manifests/prometheus-podDisruptionBudget.yaml - ./manifests/prometheus-prometheus.yaml - ./manifests/prometheus-prometheusRule.yaml @@ -73,6 +76,7 @@ resources: - ./manifests/prometheusOperator-clusterRole.yaml - ./manifests/prometheusOperator-clusterRoleBinding.yaml - ./manifests/prometheusOperator-deployment.yaml +- ./manifests/prometheusOperator-networkPolicy.yaml - ./manifests/prometheusOperator-prometheusRule.yaml - ./manifests/prometheusOperator-service.yaml - ./manifests/prometheusOperator-serviceAccount.yaml diff --git a/manifests/alertmanager-networkPolicy.yaml b/manifests/alertmanager-networkPolicy.yaml new file mode 100644 index 00000000..d9f01424 --- /dev/null +++ b/manifests/alertmanager-networkPolicy.yaml 
@@ -0,0 +1,33 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/component: alert-router
+ app.kubernetes.io/instance: main
+ app.kubernetes.io/name: alertmanager
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 0.23.0
+ name: alertmanager-main
+ namespace: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 9093
+ protocol: TCP
+ - port: 8080
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: alert-router
+ app.kubernetes.io/instance: main
+ app.kubernetes.io/name: alertmanager
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
diff --git a/manifests/grafana-networkPolicy.yaml b/manifests/grafana-networkPolicy.yaml
new file mode 100644
index 00000000..d842725e
--- /dev/null
+++ b/manifests/grafana-networkPolicy.yaml
@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/component: grafana
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 8.3.6
+ name: grafana
+ namespace: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 3000
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: grafana
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
diff --git a/manifests/kubeStateMetrics-networkPolicy.yaml b/manifests/kubeStateMetrics-networkPolicy.yaml
new file mode 100644
index 00000000..e295e722
--- /dev/null
+++ b/manifests/kubeStateMetrics-networkPolicy.yaml
@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 2.3.0
+ name: kube-state-metrics
+ namespace: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 8443
+ protocol: TCP
+ - port: 9443
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
diff --git a/manifests/nodeExporter-networkPolicy.yaml b/manifests/nodeExporter-networkPolicy.yaml
new file mode 100644
index 00000000..1d229158
--- /dev/null
+++ b/manifests/nodeExporter-networkPolicy.yaml
@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: node-exporter
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 1.3.1
+ name: node-exporter
+ namespace: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 9100
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: node-exporter
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
diff --git a/manifests/prometheus-networkPolicy.yaml b/manifests/prometheus-networkPolicy.yaml
new file mode 100644
index 00000000..189c0529
--- /dev/null
+++ b/manifests/prometheus-networkPolicy.yaml
@@ -0,0 +1,33 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/component: prometheus + app.kubernetes.io/instance: k8s + app.kubernetes.io/name: prometheus + app.kubernetes.io/part-of: kube-prometheus + app.kubernetes.io/version: 2.33.3 + name: prometheus-k8s + namespace: monitoring +spec: + egress: + - {} + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: prometheus + ports: + - port: 9090 + protocol: TCP + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/component: prometheus + app.kubernetes.io/instance: k8s + app.kubernetes.io/name: prometheus + app.kubernetes.io/part-of: kube-prometheus + policyTypes: + - Egress + - Ingress diff --git a/manifests/prometheusOperator-networkPolicy.yaml b/manifests/prometheusOperator-networkPolicy.yaml new file mode 100644 index 00000000..d9244c6a --- /dev/null +++ b/manifests/prometheusOperator-networkPolicy.yaml @@ -0,0 +1,29 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: prometheus-operator + app.kubernetes.io/part-of: kube-prometheus + app.kubernetes.io/version: 0.54.0 + name: prometheus-operator + namespace: monitoring +spec: + egress: + - {} + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: prometheus + ports: + - port: 8443 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: prometheus-operator + app.kubernetes.io/part-of: kube-prometheus + policyTypes: + - Egress + - Ingress From acaf2fe0e722d4dabf460bbb26f351854c5dd90a Mon Sep 17 00:00:00 2001 From: Arthur Silva Sens Date: Thu, 17 Feb 2022 22:09:15 +0000 Subject: [PATCH 5/7] Adjust Kubescape threshold Signed-off-by: GitHub (cherry picked from commit 233a8ac3e947af8fca6524aae4fa4a514e6279ca) --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Makefile b/Makefile index 97662e7a..7f39f92b 100644 --- a/Makefile +++ b/Makefile @@ -17,7 +17,7 @@ JSONNETFMT_ARGS=-n 2 --max-blank-lines 2 --string-style s --comment-style s MDOX_VALIDATE_CONFIG?=.mdox.validate.yaml MD_FILES_TO_FORMAT=$(shell find docs developer-workspace examples experimental jsonnet manifests -name "*.md") $(shell ls *.md) -KUBESCAPE_THRESHOLD=9 +KUBESCAPE_THRESHOLD=1 all: generate fmt test docs From 3f3b56e247d74a1d27ef62d20c8b224f7db0dfe6 Mon Sep 17 00:00:00 2001 From: Arthur Silva Sens Date: Fri, 18 Feb 2022 15:56:39 +0000 Subject: [PATCH 6/7] alertmanager/networkPolicy: Allow cluster peer-to-peer communication Signed-off-by: GitHub (cherry picked from commit df68b8d1da5d2d91b9502d4be67063c2c497e0cb) --- .../components/alertmanager.libsonnet | 43 +++++++++++++------ manifests/alertmanager-networkPolicy.yaml | 9 ++++ 2 files changed, 40 insertions(+), 12 deletions(-) diff --git a/jsonnet/kube-prometheus/components/alertmanager.libsonnet b/jsonnet/kube-prometheus/components/alertmanager.libsonnet index 7dc43b3b..364b1a35 100644 --- a/jsonnet/kube-prometheus/components/alertmanager.libsonnet +++ b/jsonnet/kube-prometheus/components/alertmanager.libsonnet 
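Review bot: `KUBESCAPE_THRESHOLD=1` replaces 9 with no comment on what the number means or why the stricter value is now attainable; the kubescape target that consumes the variable lies outside this hunk, so a reader cannot tell whether 1 is a percentage, a count, or a severity. A one-line comment above the assignment stating the unit as the target uses it, and that it was tightened alongside the NetworkPolicies added in this series, would make the change reviewable. I am inferring the motivation from the neighbouring commits; please confirm.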
@@ -113,19 +113,38 @@ function(params) { }, policyTypes: ['Egress', 'Ingress'], egress: [{}], - ingress: [{ - from: [{ - podSelector: { - matchLabels: { - 'app.kubernetes.io/name': 'prometheus', + ingress: [ + { + from: [{ + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'prometheus', + }, }, - }, - }], - ports: std.map(function(o) { - port: o.port, - protocol: 'TCP', - }, am.service.spec.ports), - }], + }], + ports: std.map(function(o) { + port: o.port, + protocol: 'TCP', + }, am.service.spec.ports), + }, + // Alertmanager cluster peer-to-peer communication + { + from: [{ + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'alertmanager', + }, + }, + }], + ports: [{ + port: 9094, + protocol: 'TCP', + }, { + port: 9094, + protocol: 'UDP', + }], + }, + ], }, }, diff --git a/manifests/alertmanager-networkPolicy.yaml b/manifests/alertmanager-networkPolicy.yaml index d9f01424..11b1a992 100644 --- a/manifests/alertmanager-networkPolicy.yaml +++ b/manifests/alertmanager-networkPolicy.yaml @@ -22,6 +22,15 @@ spec: protocol: TCP - port: 8080 protocol: TCP + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + ports: + - port: 9094 + protocol: TCP + - port: 9094 + protocol: UDP podSelector: matchLabels: app.kubernetes.io/component: alert-router From 3ad08674b38a31ee75a564dda03fa659fc80c110 Mon Sep 17 00:00:00 2001 From: paulfantom Date: Mon, 1 Nov 2021 10:45:47 +0100 Subject: [PATCH 7/7] manifests: regenerate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: paulfantom 
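Review bot: The new peer rule selects on `app.kubernetes.io/name: alertmanager` alone, which admits any Alertmanager pod in the namespace to this cluster's gossip port 9094, not just the replicas of this instance; the generated manifest's podSelector also carries `app.kubernetes.io/instance: main`, so `matchLabels: am._config.selectorLabels,` would scope the rule to this Alertmanager's own peers. Port 9094 is hard-coded twice; if the container port is named in the statefulset spec (not visible here), a named port would survive a port change. The enclosing object starts and ends outside the hunk.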
Signed-off-by: Paweł Krupa (paulfantom) (cherry picked from commit d3ea3147a8fa643413fbcba368c0de88aec8f7eb) (cherry picked from commit d24c347b2742d9474c8f441f2831262c63b8c79b) --- .../components/blackbox-exporter.libsonnet | 2 ++ .../components/kube-state-metrics.libsonnet | 2 ++ .../components/node-exporter.libsonnet | 2 ++ kustomization.yaml | 4 +++ manifests/blackboxExporter-networkPolicy.yaml | 31 +++++++++++++++++++ manifests/grafana-networkPolicy.yaml | 2 +- manifests/kubeStateMetrics-networkPolicy.yaml | 2 +- manifests/prometheus-networkPolicy.yaml | 2 +- .../prometheusOperator-networkPolicy.yaml | 2 +- 9 files changed, 45 insertions(+), 4 deletions(-) create mode 100644 manifests/blackboxExporter-networkPolicy.yaml diff --git a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet index 1b3c7653..24deb175 100644 --- a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet +++ b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet @@ -258,6 +258,8 @@ function(params) { podSelector: { matchLabels: bb._config.selectorLabels, }, + policyTypes: ['Egress', 'Ingress'], + egress: [{}], ingress: [{ from: [{ podSelector: { diff --git a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet index 4d7fe2d3..5893588f 100644 --- a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet +++ b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet @@ -132,6 +132,8 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube- podSelector: { matchLabels: ksm._config.selectorLabels, }, + policyTypes: ['Egress', 'Ingress'], + egress: [{}], ingress: [{ from: [{ podSelector: { diff --git a/jsonnet/kube-prometheus/components/node-exporter.libsonnet b/jsonnet/kube-prometheus/components/node-exporter.libsonnet index c4276b0b..8de79f18 100644 
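Review bot: Adding `policyTypes: ['Egress', 'Ingress']` together with `egress: [{}]` makes egress explicitly allow-all, which is equivalent to not governing egress; if the goal is only a uniform policy shape across components, a comment such as `// egress is deliberately unrestricted: blackbox-exporter probes arbitrary targets` makes that visible to anyone auditing the policies, and the same applies to the kube-state-metrics hunk here and the node-exporter hunk that follows. For node-exporter, if its DaemonSet runs with hostNetwork (not visible on this page), NetworkPolicies are generally not enforced for it at all and the generated policy would be misleading; that deserves a comment in the component as well. Both enclosing objects start and end outside their hunks.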
--- a/jsonnet/kube-prometheus/components/node-exporter.libsonnet +++ b/jsonnet/kube-prometheus/components/node-exporter.libsonnet @@ -168,6 +168,8 @@ function(params) { podSelector: { matchLabels: ne._config.selectorLabels, }, + policyTypes: ['Egress', 'Ingress'], + egress: [{}], ingress: [{ from: [{ podSelector: { diff --git a/kustomization.yaml b/kustomization.yaml index c79bca6b..ffdf7b68 100644 --- a/kustomization.yaml +++ b/kustomization.yaml @@ -13,6 +13,7 @@ resources: - ./manifests/blackboxExporter-clusterRoleBinding.yaml - ./manifests/blackboxExporter-configuration.yaml - ./manifests/blackboxExporter-deployment.yaml +- ./manifests/blackboxExporter-networkPolicy.yaml - ./manifests/blackboxExporter-service.yaml - ./manifests/blackboxExporter-serviceAccount.yaml - ./manifests/blackboxExporter-serviceMonitor.yaml @@ -30,6 +31,7 @@ resources: - ./manifests/kubeStateMetrics-clusterRole.yaml - ./manifests/kubeStateMetrics-clusterRoleBinding.yaml - ./manifests/kubeStateMetrics-deployment.yaml +- ./manifests/kubeStateMetrics-networkPolicy.yaml - ./manifests/kubeStateMetrics-prometheusRule.yaml - ./manifests/kubeStateMetrics-service.yaml - ./manifests/kubeStateMetrics-serviceAccount.yaml @@ -43,6 +45,7 @@ resources: - ./manifests/nodeExporter-clusterRole.yaml - ./manifests/nodeExporter-clusterRoleBinding.yaml - ./manifests/nodeExporter-daemonset.yaml +- ./manifests/nodeExporter-networkPolicy.yaml - ./manifests/nodeExporter-prometheusRule.yaml - ./manifests/nodeExporter-service.yaml - ./manifests/nodeExporter-serviceAccount.yaml @@ -68,6 +71,7 @@ resources: - ./manifests/prometheusAdapter-clusterRoleServerResources.yaml - ./manifests/prometheusAdapter-configMap.yaml - ./manifests/prometheusAdapter-deployment.yaml +- ./manifests/prometheusAdapter-networkPolicy.yaml - ./manifests/prometheusAdapter-podDisruptionBudget.yaml - ./manifests/prometheusAdapter-roleBindingAuthReader.yaml - ./manifests/prometheusAdapter-service.yaml 
diff --git a/manifests/blackboxExporter-networkPolicy.yaml b/manifests/blackboxExporter-networkPolicy.yaml
new file mode 100644
index 00000000..8a6873aa
--- /dev/null
+++ b/manifests/blackboxExporter-networkPolicy.yaml
@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: blackbox-exporter
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 0.19.0
+ name: blackbox-exporter
+ namespace: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 9115
+ protocol: TCP
+ - port: 19115
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: blackbox-exporter
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
diff --git a/manifests/grafana-networkPolicy.yaml b/manifests/grafana-networkPolicy.yaml
index d842725e..a5dd2aef 100644
--- a/manifests/grafana-networkPolicy.yaml
+++ b/manifests/grafana-networkPolicy.yaml
@@ -5,7 +5,7 @@ metadata:
 app.kubernetes.io/component: grafana
 app.kubernetes.io/name: grafana
 app.kubernetes.io/part-of: kube-prometheus
- app.kubernetes.io/version: 8.3.6
+ app.kubernetes.io/version: 8.4.3
 name: grafana
 namespace: monitoring
 spec:
diff --git a/manifests/kubeStateMetrics-networkPolicy.yaml b/manifests/kubeStateMetrics-networkPolicy.yaml
index e295e722..711077a2 100644
--- a/manifests/kubeStateMetrics-networkPolicy.yaml
+++ b/manifests/kubeStateMetrics-networkPolicy.yaml
@@ -5,7 +5,7 @@ metadata:
 app.kubernetes.io/component: exporter
 app.kubernetes.io/name: kube-state-metrics
 app.kubernetes.io/part-of: kube-prometheus
- app.kubernetes.io/version: 2.3.0
+ app.kubernetes.io/version: 2.4.1
 name: kube-state-metrics
 namespace: monitoring
 spec:
diff --git a/manifests/prometheus-networkPolicy.yaml b/manifests/prometheus-networkPolicy.yaml
index 189c0529..eb2a4eb7 100644
--- a/manifests/prometheus-networkPolicy.yaml
+++ b/manifests/prometheus-networkPolicy.yaml
@@ -6,7 +6,7 @@ metadata:
 app.kubernetes.io/instance: k8s
 app.kubernetes.io/name: prometheus
 app.kubernetes.io/part-of: kube-prometheus
- app.kubernetes.io/version: 2.33.3
+ app.kubernetes.io/version: 2.33.4
 name: prometheus-k8s
 namespace: monitoring
 spec:
diff --git a/manifests/prometheusOperator-networkPolicy.yaml b/manifests/prometheusOperator-networkPolicy.yaml
index d9244c6a..b7c0dba1 100644
--- a/manifests/prometheusOperator-networkPolicy.yaml
+++ b/manifests/prometheusOperator-networkPolicy.yaml
@@ -5,7 +5,7 @@ metadata:
 app.kubernetes.io/component: controller
 app.kubernetes.io/name: prometheus-operator
 app.kubernetes.io/part-of: kube-prometheus
- app.kubernetes.io/version: 0.54.0
+ app.kubernetes.io/version: 0.54.1
 name: prometheus-operator
 namespace: monitoring
 spec: