easylinux/kube-prometheus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1650 from ArthurSens/as/network-policies

Browse Source 
Adds NetworkPolicies to all components of Kube-prometheus
This commit is contained in:
Arthur Silva Sens
2022-04-05 09:47:05 +01:00
committed by GitHub
parent a182d78794 3ad08674b3
commit 01004de76c
24 changed files with 577 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
.github/workflows/ci.yaml vendored
View File

@@ -97,7 +97,25 @@ jobs:
with: with:
version: ${{ env.kind-version }} version: ${{ env.kind-version }}
image: ${{ matrix.kind-image }} image: ${{ matrix.kind-image }}
wait: 300s wait: 10s # Without default CNI, control-plane doesn't get ready until Cilium is installed
config: .github/workflows/kind/config.yml
- name: Setup Helm
uses: azure/setup-helm@v1
- name: Install Cilium
run: |
helm repo add cilium https://helm.cilium.io/
helm install cilium cilium/cilium --version 1.9.13 \
--namespace kube-system \
--set nodeinit.enabled=true \
--set kubeProxyReplacement=partial \
--set hostServices.enabled=false \
--set externalIPs.enabled=true \
--set nodePort.enabled=true \
--set hostPort.enabled=true \
--set bpf.masquerade=false \
--set image.pullPolicy=IfNotPresent \
--set ipam.mode=kubernetes \
--set operator.replicas=1
- name: Wait for cluster to finish bootstraping - name: Wait for cluster to finish bootstraping
run: kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s run: kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s
- name: Create kube-prometheus stack - name: Create kube-prometheus stack

6
.github/workflows/kind/config.yml vendored Normal file
View File

@@ -0,0 +1,6 @@
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
networking:
disableDefaultCNI: true
podSubnet: "10.10.0.0/16"
serviceSubnet: "10.11.0.0/16"

2
.gitignore vendored
View File

@@ -6,4 +6,4 @@ vendor/
crdschemas/ crdschemas/
developer-workspace/gitpod/_output developer-workspace/gitpod/_output
kind developer-workspace/codespaces/kind

2
Makefile
View File

@@ -17,7 +17,7 @@ JSONNETFMT_ARGS=-n 2 --max-blank-lines 2 --string-style s --comment-style s
MDOX_VALIDATE_CONFIG?=.mdox.validate.yaml MDOX_VALIDATE_CONFIG?=.mdox.validate.yaml
MD_FILES_TO_FORMAT=$(shell find docs developer-workspace examples experimental jsonnet manifests -name "*.md") $(shell ls *.md) MD_FILES_TO_FORMAT=$(shell find docs developer-workspace examples experimental jsonnet manifests -name "*.md") $(shell ls *.md)
KUBESCAPE_THRESHOLD=9 KUBESCAPE_THRESHOLD=1
all: generate fmt test docs all: generate fmt test docs

21
developer-workspace/codespaces/prepare-kind.sh
View File

@@ -9,12 +9,27 @@ if [[ $? != 0 ]]; then
| cut -d : -f 2,3 \ | cut -d : -f 2,3 \
| tr -d \" \ | tr -d \" \
| wget -qi - | wget -qi -
mv kind-linux-amd64 kind && chmod +x kind mv kind-linux-amd64 developer-workspace/codespaces/kind && chmod +x developer-workspace/codespaces/kind
export PATH=$PATH:$PWD/developer-workspace/codespaces
fi fi
cluster_created=$($PWD/kind get clusters 2>&1) cluster_created=$($PWD/developer-workspace/codespaces/kind get clusters 2>&1)
if [[ "$cluster_created" == "No kind clusters found." ]]; then if [[ "$cluster_created" == "No kind clusters found." ]]; then
$PWD/kind create cluster $PWD/developer-workspace/codespaces/kind create cluster --config $PWD/.github/workflows/kind/config.yml
else else
echo "Cluster '$cluster_created' already present" echo "Cluster '$cluster_created' already present"
fi fi
helm repo add --force-update cilium https://helm.cilium.io/
helm install cilium cilium/cilium --version 1.9.13 \
--namespace kube-system \
--set nodeinit.enabled=true \
--set kubeProxyReplacement=partial \
--set hostServices.enabled=false \
--set externalIPs.enabled=true \
--set nodePort.enabled=true \
--set hostPort.enabled=true \
--set bpf.masquerade=false \
--set image.pullPolicy=IfNotPresent \
--set ipam.mode=kubernetes \
--set operator.replicas=1

25
examples/networkpolicies-disabled.jsonnet Normal file
View File

@@ -0,0 +1,25 @@
local kp = (import 'kube-prometheus/main.libsonnet') +
(import 'kube-prometheus/addons/networkpolicies-disabled.libsonnet') + {
values+:: {
common+: {
namespace: 'monitoring',
},
},
};
{
['setup/' + resource]: kp[component][resource]
for component in std.objectFields(kp)
for resource in std.filter(
function(resource)
kp[component][resource].kind == 'CustomResourceDefinition' || kp[component][resource].kind == 'Namespace', std.objectFields(kp[component])
)
} +
{
[component + '-' + resource]: kp[component][resource]
for component in std.objectFields(kp)
for resource in std.filter(
function(resource)
kp[component][resource].kind != 'CustomResourceDefinition' && kp[component][resource].kind != 'Namespace', std.objectFields(kp[component])
)
}

35
jsonnet/kube-prometheus/addons/networkpolicies-disabled.libsonnet Normal file
View File

@@ -0,0 +1,35 @@
// Disables creation of NetworkPolicies
{
blackboxExporter+: {
networkPolicies:: {},
},
kubeStateMetrics+: {
networkPolicies:: {},
},
nodeExporter+: {
networkPolicies:: {},
},
prometheusAdapter+: {
networkPolicies:: {},
},
alertmanager+: {
networkPolicies:: {},
},
grafana+: {
networkPolicies:: {},
},
prometheus+: {
networkPolicies:: {},
},
prometheusOperator+: {
networkPolicies:: {},
},
}

45
jsonnet/kube-prometheus/components/alertmanager.libsonnet
View File

@@ -103,6 +103,51 @@ function(params) {
}, },
}, },
networkPolicy: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: am.service.metadata,
spec: {
podSelector: {
matchLabels: am._config.selectorLabels,
},
policyTypes: ['Egress', 'Ingress'],
egress: [{}],
ingress: [
{
from: [{
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'prometheus',
},
},
}],
ports: std.map(function(o) {
port: o.port,
protocol: 'TCP',
}, am.service.spec.ports),
},
// Alertmanager cluster peer-to-peer communication
{
from: [{
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'alertmanager',
},
},
}],
ports: [{
port: 9094,
protocol: 'TCP',
}, {
port: 9094,
protocol: 'UDP',
}],
},
],
},
},
secret: { secret: {
apiVersion: 'v1', apiVersion: 'v1',
kind: 'Secret', kind: 'Secret',

26
jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
View File

@@ -250,6 +250,32 @@ function(params) {
}, },
}, },
networkPolicy: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: bb.service.metadata,
spec: {
podSelector: {
matchLabels: bb._config.selectorLabels,
},
policyTypes: ['Egress', 'Ingress'],
egress: [{}],
ingress: [{
from: [{
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'prometheus',
},
},
}],
ports: std.map(function(o) {
port: o.port,
protocol: 'TCP',
}, bb.service.spec.ports),
}],
},
},
service: { service: {
apiVersion: 'v1', apiVersion: 'v1',
kind: 'Service', kind: 'Service',

26
jsonnet/kube-prometheus/components/grafana.libsonnet
View File

@@ -84,6 +84,32 @@ function(params)
}, },
}, },
networkPolicy: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: g.service.metadata,
spec: {
podSelector: {
matchLabels: g._config.selectorLabels,
},
policyTypes: ['Egress', 'Ingress'],
egress: [{}],
ingress: [{
from: [{
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'prometheus',
},
},
}],
ports: std.map(function(o) {
port: o.port,
protocol: 'TCP',
}, g.service.spec.ports),
}],
},
},
// FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
// 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged. // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
// 'readOnlyRootFilesystem: true' and extra volumeMounts can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged. // 'readOnlyRootFilesystem: true' and extra volumeMounts can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.

26
jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
View File

@@ -124,6 +124,32 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
image: ksm._config.kubeRbacProxyImage, image: ksm._config.kubeRbacProxyImage,
}), }),
networkPolicy: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: ksm.service.metadata,
spec: {
podSelector: {
matchLabels: ksm._config.selectorLabels,
},
policyTypes: ['Egress', 'Ingress'],
egress: [{}],
ingress: [{
from: [{
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'prometheus',
},
},
}],
ports: std.map(function(o) {
port: o.port,
protocol: 'TCP',
}, ksm.service.spec.ports),
}],
},
},
deployment+: { deployment+: {
spec+: { spec+: {
template+: { template+: {

26
jsonnet/kube-prometheus/components/node-exporter.libsonnet
View File

@@ -160,6 +160,32 @@ function(params) {
}, },
}, },
networkPolicy: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: ne.service.metadata,
spec: {
podSelector: {
matchLabels: ne._config.selectorLabels,
},
policyTypes: ['Egress', 'Ingress'],
egress: [{}],
ingress: [{
from: [{
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'prometheus',
},
},
}],
ports: std.map(function(o) {
port: o.port,
protocol: 'TCP',
}, ne.service.spec.ports),
}],
},
},
daemonset: daemonset:
local nodeExporter = { local nodeExporter = {
name: ne._config.name, name: ne._config.name,

15
jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
View File

@@ -206,6 +206,21 @@ function(params) {
}, },
}, },
networkPolicy: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: pa.service.metadata,
spec: {
podSelector: {
matchLabels: pa._config.selectorLabels,
},
policyTypes: ['Egress', 'Ingress'],
egress: [{}],
// Prometheus-adapter needs ingress allowed so HPAs can request metrics from it.
ingress: [{}],
},
},
deployment: deployment:
local c = { local c = {
name: pa._config.name, name: pa._config.name,

26
jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
View File

@@ -72,6 +72,32 @@ function(params)
}, },
}, },
networkPolicy: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: po.service.metadata,
spec: {
podSelector: {
matchLabels: po._config.selectorLabels,
},
policyTypes: ['Egress', 'Ingress'],
egress: [{}],
ingress: [{
from: [{
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'prometheus',
},
},
}],
ports: std.map(function(o) {
port: o.port,
protocol: 'TCP',
}, po.service.spec.ports),
}],
},
},
service+: { service+: {
spec+: { spec+: {
ports: [ ports: [

26
jsonnet/kube-prometheus/components/prometheus.libsonnet
View File

@@ -94,6 +94,32 @@ function(params) {
}, },
}, },
networkPolicy: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: p.service.metadata,
spec: {
podSelector: {
matchLabels: p._config.selectorLabels,
},
policyTypes: ['Egress', 'Ingress'],
egress: [{}],
ingress: [{
from: [{
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'prometheus',
},
},
}],
ports: std.map(function(o) {
port: o.port,
protocol: 'TCP',
}, p.service.spec.ports),
}],
},
},
serviceAccount: { serviceAccount: {
apiVersion: 'v1', apiVersion: 'v1',
kind: 'ServiceAccount', kind: 'ServiceAccount',

8
kustomization.yaml
View File

@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ./manifests/alertmanager-alertmanager.yaml - ./manifests/alertmanager-alertmanager.yaml
- ./manifests/alertmanager-networkPolicy.yaml
- ./manifests/alertmanager-podDisruptionBudget.yaml - ./manifests/alertmanager-podDisruptionBudget.yaml
- ./manifests/alertmanager-prometheusRule.yaml - ./manifests/alertmanager-prometheusRule.yaml
- ./manifests/alertmanager-secret.yaml - ./manifests/alertmanager-secret.yaml
@@ -12,6 +13,7 @@ resources:
- ./manifests/blackboxExporter-clusterRoleBinding.yaml - ./manifests/blackboxExporter-clusterRoleBinding.yaml
- ./manifests/blackboxExporter-configuration.yaml - ./manifests/blackboxExporter-configuration.yaml
- ./manifests/blackboxExporter-deployment.yaml - ./manifests/blackboxExporter-deployment.yaml
- ./manifests/blackboxExporter-networkPolicy.yaml
- ./manifests/blackboxExporter-service.yaml - ./manifests/blackboxExporter-service.yaml
- ./manifests/blackboxExporter-serviceAccount.yaml - ./manifests/blackboxExporter-serviceAccount.yaml
- ./manifests/blackboxExporter-serviceMonitor.yaml - ./manifests/blackboxExporter-serviceMonitor.yaml
@@ -20,6 +22,7 @@ resources:
- ./manifests/grafana-dashboardDefinitions.yaml - ./manifests/grafana-dashboardDefinitions.yaml
- ./manifests/grafana-dashboardSources.yaml - ./manifests/grafana-dashboardSources.yaml
- ./manifests/grafana-deployment.yaml - ./manifests/grafana-deployment.yaml
- ./manifests/grafana-networkPolicy.yaml
- ./manifests/grafana-prometheusRule.yaml - ./manifests/grafana-prometheusRule.yaml
- ./manifests/grafana-service.yaml - ./manifests/grafana-service.yaml
- ./manifests/grafana-serviceAccount.yaml - ./manifests/grafana-serviceAccount.yaml
@@ -28,6 +31,7 @@ resources:
- ./manifests/kubeStateMetrics-clusterRole.yaml - ./manifests/kubeStateMetrics-clusterRole.yaml
- ./manifests/kubeStateMetrics-clusterRoleBinding.yaml - ./manifests/kubeStateMetrics-clusterRoleBinding.yaml
- ./manifests/kubeStateMetrics-deployment.yaml - ./manifests/kubeStateMetrics-deployment.yaml
- ./manifests/kubeStateMetrics-networkPolicy.yaml
- ./manifests/kubeStateMetrics-prometheusRule.yaml - ./manifests/kubeStateMetrics-prometheusRule.yaml
- ./manifests/kubeStateMetrics-service.yaml - ./manifests/kubeStateMetrics-service.yaml
- ./manifests/kubeStateMetrics-serviceAccount.yaml - ./manifests/kubeStateMetrics-serviceAccount.yaml
@@ -41,12 +45,14 @@ resources:
- ./manifests/nodeExporter-clusterRole.yaml - ./manifests/nodeExporter-clusterRole.yaml
- ./manifests/nodeExporter-clusterRoleBinding.yaml - ./manifests/nodeExporter-clusterRoleBinding.yaml
- ./manifests/nodeExporter-daemonset.yaml - ./manifests/nodeExporter-daemonset.yaml
- ./manifests/nodeExporter-networkPolicy.yaml
- ./manifests/nodeExporter-prometheusRule.yaml - ./manifests/nodeExporter-prometheusRule.yaml
- ./manifests/nodeExporter-service.yaml - ./manifests/nodeExporter-service.yaml
- ./manifests/nodeExporter-serviceAccount.yaml - ./manifests/nodeExporter-serviceAccount.yaml
- ./manifests/nodeExporter-serviceMonitor.yaml - ./manifests/nodeExporter-serviceMonitor.yaml
- ./manifests/prometheus-clusterRole.yaml - ./manifests/prometheus-clusterRole.yaml
- ./manifests/prometheus-clusterRoleBinding.yaml - ./manifests/prometheus-clusterRoleBinding.yaml
- ./manifests/prometheus-networkPolicy.yaml
- ./manifests/prometheus-podDisruptionBudget.yaml - ./manifests/prometheus-podDisruptionBudget.yaml
- ./manifests/prometheus-prometheus.yaml - ./manifests/prometheus-prometheus.yaml
- ./manifests/prometheus-prometheusRule.yaml - ./manifests/prometheus-prometheusRule.yaml
@@ -65,6 +71,7 @@ resources:
- ./manifests/prometheusAdapter-clusterRoleServerResources.yaml - ./manifests/prometheusAdapter-clusterRoleServerResources.yaml
- ./manifests/prometheusAdapter-configMap.yaml - ./manifests/prometheusAdapter-configMap.yaml
- ./manifests/prometheusAdapter-deployment.yaml - ./manifests/prometheusAdapter-deployment.yaml
- ./manifests/prometheusAdapter-networkPolicy.yaml
- ./manifests/prometheusAdapter-podDisruptionBudget.yaml - ./manifests/prometheusAdapter-podDisruptionBudget.yaml
- ./manifests/prometheusAdapter-roleBindingAuthReader.yaml - ./manifests/prometheusAdapter-roleBindingAuthReader.yaml
- ./manifests/prometheusAdapter-service.yaml - ./manifests/prometheusAdapter-service.yaml
@@ -73,6 +80,7 @@ resources:
- ./manifests/prometheusOperator-clusterRole.yaml - ./manifests/prometheusOperator-clusterRole.yaml
- ./manifests/prometheusOperator-clusterRoleBinding.yaml - ./manifests/prometheusOperator-clusterRoleBinding.yaml
- ./manifests/prometheusOperator-deployment.yaml - ./manifests/prometheusOperator-deployment.yaml
- ./manifests/prometheusOperator-networkPolicy.yaml
- ./manifests/prometheusOperator-prometheusRule.yaml - ./manifests/prometheusOperator-prometheusRule.yaml
- ./manifests/prometheusOperator-service.yaml - ./manifests/prometheusOperator-service.yaml
- ./manifests/prometheusOperator-serviceAccount.yaml - ./manifests/prometheusOperator-serviceAccount.yaml

42
manifests/alertmanager-networkPolicy.yaml Normal file
View File

@@ -0,0 +1,42 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/component: alert-router
app.kubernetes.io/instance: main
app.kubernetes.io/name: alertmanager
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 0.23.0
name: alertmanager-main
namespace: monitoring
spec:
egress:
- {}
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
ports:
- port: 9093
protocol: TCP
- port: 8080
protocol: TCP
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: alertmanager
ports:
- port: 9094
protocol: TCP
- port: 9094
protocol: UDP
podSelector:
matchLabels:
app.kubernetes.io/component: alert-router
app.kubernetes.io/instance: main
app.kubernetes.io/name: alertmanager
app.kubernetes.io/part-of: kube-prometheus
policyTypes:
- Egress
- Ingress

31
manifests/blackboxExporter-networkPolicy.yaml Normal file
View File

@@ -0,0 +1,31 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/component: exporter
app.kubernetes.io/name: blackbox-exporter
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 0.19.0
name: blackbox-exporter
namespace: monitoring
spec:
egress:
- {}
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
ports:
- port: 9115
protocol: TCP
- port: 19115
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/component: exporter
app.kubernetes.io/name: blackbox-exporter
app.kubernetes.io/part-of: kube-prometheus
policyTypes:
- Egress
- Ingress

29
manifests/grafana-networkPolicy.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/component: grafana
app.kubernetes.io/name: grafana
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 8.4.3
name: grafana
namespace: monitoring
spec:
egress:
- {}
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
ports:
- port: 3000
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/component: grafana
app.kubernetes.io/name: grafana
app.kubernetes.io/part-of: kube-prometheus
policyTypes:
- Egress
- Ingress

31
manifests/kubeStateMetrics-networkPolicy.yaml Normal file
View File

@@ -0,0 +1,31 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/component: exporter
app.kubernetes.io/name: kube-state-metrics
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 2.4.1
name: kube-state-metrics
namespace: monitoring
spec:
egress:
- {}
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
ports:
- port: 8443
protocol: TCP
- port: 9443
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/component: exporter
app.kubernetes.io/name: kube-state-metrics
app.kubernetes.io/part-of: kube-prometheus
policyTypes:
- Egress
- Ingress

29
manifests/nodeExporter-networkPolicy.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/component: exporter
app.kubernetes.io/name: node-exporter
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 1.3.1
name: node-exporter
namespace: monitoring
spec:
egress:
- {}
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
ports:
- port: 9100
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/component: exporter
app.kubernetes.io/name: node-exporter
app.kubernetes.io/part-of: kube-prometheus
policyTypes:
- Egress
- Ingress

33
manifests/prometheus-networkPolicy.yaml Normal file
View File

@@ -0,0 +1,33 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/component: prometheus
app.kubernetes.io/instance: k8s
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 2.33.4
name: prometheus-k8s
namespace: monitoring
spec:
egress:
- {}
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
ports:
- port: 9090
protocol: TCP
- port: 8080
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/component: prometheus
app.kubernetes.io/instance: k8s
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: kube-prometheus
policyTypes:
- Egress
- Ingress

23
manifests/prometheusAdapter-networkPolicy.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/component: metrics-adapter
app.kubernetes.io/name: prometheus-adapter
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 0.9.1
name: prometheus-adapter
namespace: monitoring
spec:
egress:
- {}
ingress:
- {}
podSelector:
matchLabels:
app.kubernetes.io/component: metrics-adapter
app.kubernetes.io/name: prometheus-adapter
app.kubernetes.io/part-of: kube-prometheus
policyTypes:
- Egress
- Ingress

29
manifests/prometheusOperator-networkPolicy.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: prometheus-operator
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 0.54.1
name: prometheus-operator
namespace: monitoring
spec:
egress:
- {}
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
ports:
- port: 8443
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: prometheus-operator
app.kubernetes.io/part-of: kube-prometheus
policyTypes:
- Egress
- Ingress