easylinux/kube-prometheus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add networkPolicies for alertmanager, grafana, prometheus-operator and prometheus

Browse Source 
Signed-off-by: GitHub <noreply@github.com>
(cherry picked from commit 86e16b539cc57710b50f4692848cab5645e3d2bc)
This commit is contained in:
Arthur Silva Sens
2022-02-17 08:24:45 +00:00
committed by ArthurSens
parent 030dec7656
commit ea158da23f
11 changed files with 292 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
jsonnet/kube-prometheus/components/alertmanager.libsonnet
View File

@@ -103,6 +103,32 @@ function(params) {
}, },
}, },
networkPolicy: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: am.service.metadata,
spec: {
podSelector: {
matchLabels: am._config.selectorLabels,
},
policyTypes: ['Egress', 'Ingress'],
egress: [{}],
ingress: [{
from: [{
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'prometheus',
},
},
}],
ports: std.map(function(o) {
port: o.port,
protocol: 'TCP',
}, am.service.spec.ports),
}],
},
},
secret: { secret: {
apiVersion: 'v1', apiVersion: 'v1',
kind: 'Secret', kind: 'Secret',

26
jsonnet/kube-prometheus/components/grafana.libsonnet
View File

@@ -84,6 +84,32 @@ function(params)
}, },
}, },
networkPolicy: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: g.service.metadata,
spec: {
podSelector: {
matchLabels: g._config.selectorLabels,
},
policyTypes: ['Egress', 'Ingress'],
egress: [{}],
ingress: [{
from: [{
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'prometheus',
},
},
}],
ports: std.map(function(o) {
port: o.port,
protocol: 'TCP',
}, g.service.spec.ports),
}],
},
},
// FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
// 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged. // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
// 'readOnlyRootFilesystem: true' and extra volumeMounts can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged. // 'readOnlyRootFilesystem: true' and extra volumeMounts can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.

26
jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
View File

@@ -72,6 +72,32 @@ function(params)
}, },
}, },
networkPolicy: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: po.service.metadata,
spec: {
podSelector: {
matchLabels: po._config.selectorLabels,
},
policyTypes: ['Egress', 'Ingress'],
egress: [{}],
ingress: [{
from: [{
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'prometheus',
},
},
}],
ports: std.map(function(o) {
port: o.port,
protocol: 'TCP',
}, po.service.spec.ports),
}],
},
},
service+: { service+: {
spec+: { spec+: {
ports: [ ports: [

26
jsonnet/kube-prometheus/components/prometheus.libsonnet
View File

@@ -94,6 +94,32 @@ function(params) {
}, },
}, },
networkPolicy: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: p.service.metadata,
spec: {
podSelector: {
matchLabels: p._config.selectorLabels,
},
policyTypes: ['Egress', 'Ingress'],
egress: [{}],
ingress: [{
from: [{
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'prometheus',
},
},
}],
ports: std.map(function(o) {
port: o.port,
protocol: 'TCP',
}, p.service.spec.ports),
}],
},
},
serviceAccount: { serviceAccount: {
apiVersion: 'v1', apiVersion: 'v1',
kind: 'ServiceAccount', kind: 'ServiceAccount',

4
kustomization.yaml
View File

@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ./manifests/alertmanager-alertmanager.yaml - ./manifests/alertmanager-alertmanager.yaml
- ./manifests/alertmanager-networkPolicy.yaml
- ./manifests/alertmanager-podDisruptionBudget.yaml - ./manifests/alertmanager-podDisruptionBudget.yaml
- ./manifests/alertmanager-prometheusRule.yaml - ./manifests/alertmanager-prometheusRule.yaml
- ./manifests/alertmanager-secret.yaml - ./manifests/alertmanager-secret.yaml
@@ -20,6 +21,7 @@ resources:
- ./manifests/grafana-dashboardDefinitions.yaml - ./manifests/grafana-dashboardDefinitions.yaml
- ./manifests/grafana-dashboardSources.yaml - ./manifests/grafana-dashboardSources.yaml
- ./manifests/grafana-deployment.yaml - ./manifests/grafana-deployment.yaml
- ./manifests/grafana-networkPolicy.yaml
- ./manifests/grafana-prometheusRule.yaml - ./manifests/grafana-prometheusRule.yaml
- ./manifests/grafana-service.yaml - ./manifests/grafana-service.yaml
- ./manifests/grafana-serviceAccount.yaml - ./manifests/grafana-serviceAccount.yaml
@@ -47,6 +49,7 @@ resources:
- ./manifests/nodeExporter-serviceMonitor.yaml - ./manifests/nodeExporter-serviceMonitor.yaml
- ./manifests/prometheus-clusterRole.yaml - ./manifests/prometheus-clusterRole.yaml
- ./manifests/prometheus-clusterRoleBinding.yaml - ./manifests/prometheus-clusterRoleBinding.yaml
- ./manifests/prometheus-networkPolicy.yaml
- ./manifests/prometheus-podDisruptionBudget.yaml - ./manifests/prometheus-podDisruptionBudget.yaml
- ./manifests/prometheus-prometheus.yaml - ./manifests/prometheus-prometheus.yaml
- ./manifests/prometheus-prometheusRule.yaml - ./manifests/prometheus-prometheusRule.yaml
@@ -73,6 +76,7 @@ resources:
- ./manifests/prometheusOperator-clusterRole.yaml - ./manifests/prometheusOperator-clusterRole.yaml
- ./manifests/prometheusOperator-clusterRoleBinding.yaml - ./manifests/prometheusOperator-clusterRoleBinding.yaml
- ./manifests/prometheusOperator-deployment.yaml - ./manifests/prometheusOperator-deployment.yaml
- ./manifests/prometheusOperator-networkPolicy.yaml
- ./manifests/prometheusOperator-prometheusRule.yaml - ./manifests/prometheusOperator-prometheusRule.yaml
- ./manifests/prometheusOperator-service.yaml - ./manifests/prometheusOperator-service.yaml
- ./manifests/prometheusOperator-serviceAccount.yaml - ./manifests/prometheusOperator-serviceAccount.yaml

33
manifests/alertmanager-networkPolicy.yaml Normal file
View File

@@ -0,0 +1,33 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/component: alert-router
app.kubernetes.io/instance: main
app.kubernetes.io/name: alertmanager
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 0.23.0
name: alertmanager-main
namespace: monitoring
spec:
egress:
- {}
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
ports:
- port: 9093
protocol: TCP
- port: 8080
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/component: alert-router
app.kubernetes.io/instance: main
app.kubernetes.io/name: alertmanager
app.kubernetes.io/part-of: kube-prometheus
policyTypes:
- Egress
- Ingress

29
manifests/grafana-networkPolicy.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/component: grafana
app.kubernetes.io/name: grafana
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 8.3.6
name: grafana
namespace: monitoring
spec:
egress:
- {}
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
ports:
- port: 3000
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/component: grafana
app.kubernetes.io/name: grafana
app.kubernetes.io/part-of: kube-prometheus
policyTypes:
- Egress
- Ingress

31
manifests/kubeStateMetrics-networkPolicy.yaml Normal file
View File

@@ -0,0 +1,31 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/component: exporter
app.kubernetes.io/name: kube-state-metrics
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 2.3.0
name: kube-state-metrics
namespace: monitoring
spec:
egress:
- {}
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
ports:
- port: 8443
protocol: TCP
- port: 9443
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/component: exporter
app.kubernetes.io/name: kube-state-metrics
app.kubernetes.io/part-of: kube-prometheus
policyTypes:
- Egress
- Ingress

29
manifests/nodeExporter-networkPolicy.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/component: exporter
app.kubernetes.io/name: node-exporter
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 1.3.1
name: node-exporter
namespace: monitoring
spec:
egress:
- {}
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
ports:
- port: 9100
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/component: exporter
app.kubernetes.io/name: node-exporter
app.kubernetes.io/part-of: kube-prometheus
policyTypes:
- Egress
- Ingress

33
manifests/prometheus-networkPolicy.yaml Normal file
View File

@@ -0,0 +1,33 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/component: prometheus
app.kubernetes.io/instance: k8s
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 2.33.3
name: prometheus-k8s
namespace: monitoring
spec:
egress:
- {}
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
ports:
- port: 9090
protocol: TCP
- port: 8080
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/component: prometheus
app.kubernetes.io/instance: k8s
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: kube-prometheus
policyTypes:
- Egress
- Ingress

29
manifests/prometheusOperator-networkPolicy.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: prometheus-operator
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 0.54.0
name: prometheus-operator
namespace: monitoring
spec:
egress:
- {}
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
ports:
- port: 8443
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: prometheus-operator
app.kubernetes.io/part-of: kube-prometheus
policyTypes:
- Egress
- Ingress