
Added network policy to radar applications #107

Merged
merged 5 commits into from
Dec 1, 2023

Conversation

keyvaann
Collaborator

@keyvaann keyvaann commented Nov 9, 2023

Solves RADAR-base/RADAR-Kubernetes#239

Unified applications labels

Now all applications will have the same label key. The following applications have had their labels standardized:

  • management-portal
  • radar-appserver
  • radar-backend
  • radar-fitbit-connector
  • radar-gateway
  • radar-integration
  • radar-output
  • radar-push-endpoint
  • radar-rest-sources-authorizer
  • radar-rest-sources-backend
  • radar-s3-connector
  • radar-upload-connect-backend
  • radar-upload-connect-frontend
  • radar-upload-source-connector
  • s3-proxy

Added network policies

app-config

Accepts incoming requests from: nginx
Allowed to send requests to: management-portal, postgresql

app-config-frontend

Accepts incoming requests from: nginx
Allowed to send requests to: none

catalog-server

Accepts incoming requests from: none
Allowed to send requests to: internet, kafka, schema-registry

management-portal

Accepts incoming requests from: nginx, app-config, radar-appserver, radar-fitbit-connector, radar-gateway, radar-integration, radar-push-endpoint, radar-rest-sources-backend, radar-upload-connect-backend, radar-upload-source-connector
Allowed to send requests to: internet, catalog-server, postgresql

radar-appserver

Accepts incoming requests from: nginx
Allowed to send requests to: internet, management-portal, postgresql

radar-backend

Accepts incoming requests from: none
Allowed to send requests to: internet, zookeeper, kafka, schema-registry

radar-fitbit-connector

Accepts incoming requests from: none
Allowed to send requests to: internet, zookeeper, kafka, schema-registry, radar-rest-sources-backend, management-portal

radar-gateway

Accepts incoming requests from: nginx
Allowed to send requests to: kafka, schema-registry, management-portal

radar-home

Accepts incoming requests from: nginx
Allowed to send requests to: none

radar-integration

Accepts incoming requests from: nginx
Allowed to send requests to: internet, management-portal

radar-jdbc-connector

Accepts incoming requests from: none
Allowed to send requests to: kafka, schema-registry, timescaledb-postgresql

radar-output

Accepts incoming requests from: none
Allowed to send requests to: internet, minio, redis

radar-push-endpoint

Accepts incoming requests from: nginx
Allowed to send requests to: internet, kafka, schema-registry, redis, radar-rest-sources-backend, management-portal

radar-rest-sources-authorizer

Accepts incoming requests from: nginx
Allowed to send requests to: none

radar-rest-sources-backend

Accepts incoming requests from: nginx, management-portal, radar-push-endpoint
Allowed to send requests to: postgres, redis, management-portal

radar-s3-connector

Accepts incoming requests from: none
Allowed to send requests to: internet, kafka, schema-registry, catalog-server, minio

radar-upload-connect-backend

Accepts incoming requests from: nginx
Allowed to send requests to: internet, postgres, management-portal

radar-upload-connect-frontend

Accepts incoming requests from: nginx
Allowed to send requests to: none

radar-upload-source-connector

Accepts incoming requests from: none
Allowed to send requests to: internet, kafka, zookeeper, schema-registry, management-portal, minio

s3-proxy

Accepts incoming requests from: radar-output, radar-s3-connector, radar-upload-source-connector
Allowed to send requests to: internet, minio

velero-s3-deployment

Accepts incoming requests from: none
Allowed to send requests to: internet, minio
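The per-application "Accepts incoming requests from / Allowed to send requests to" rows above map directly onto Kubernetes NetworkPolicy objects. The following is an added example, not code from RADAR-Kubernetes or from this PR, that builds such objects from those rows. It assumes the unified label key app.kubernetes.io/name, a single release namespace (called radar here), and cluster DNS running as pods labelled k8s-app=kube-dns in kube-system; it treats "internet" as 0.0.0.0/0 minus the RFC 1918 and link-local ranges, which is the private-address blocking the thread below discusses.

```python
# Added example (not RADAR-Kubernetes code): turn the "accepts incoming requests
# from / allowed to send requests to" table into NetworkPolicy objects.
# Assumptions: every app carries the label app.kubernetes.io/name=<app>, all
# apps live in one namespace, and cluster DNS is labelled k8s-app=kube-dns in
# kube-system.
import json

LABEL = "app.kubernetes.io/name"
# RFC 1918 private ranges; "internet" egress is 0.0.0.0/0 minus these, so pods
# cannot use the catch-all rule to reach other pods, nodes or VPC services.
PRIVATE_CIDRS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
LINK_LOCAL = "169.254.0.0/16"  # cloud instance-metadata endpoints live here


def app_peer(name, namespace):
    """Select the pods of one application in the release namespace."""
    return {
        "namespaceSelector": {
            "matchLabels": {"kubernetes.io/metadata.name": namespace}
        },
        "podSelector": {"matchLabels": {LABEL: name}},
    }


def dns_rule():
    """Egress to cluster DNS; without it every name lookup fails once the
    policy declares the Egress type with no matching rule."""
    return {
        "to": [
            {
                "namespaceSelector": {
                    "matchLabels": {"kubernetes.io/metadata.name": "kube-system"}
                },
                "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}},
            }
        ],
        "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
    }


def egress_peer(dest, namespace):
    """Map one destination from the table to a NetworkPolicyPeer.

    "internet"    -> any address except private and link-local ranges
    "a.b.c.d/n"   -> an explicit CIDR, e.g. a managed Kafka or RDS instance
                     on a private VPC address (the exception the thread
                     mentions for managed services not on the internet)
    anything else -> another application in the same namespace
    """
    if dest == "internet":
        return {"ipBlock": {"cidr": "0.0.0.0/0",
                            "except": PRIVATE_CIDRS + [LINK_LOCAL]}}
    if "/" in dest:
        return {"ipBlock": {"cidr": dest}}
    return app_peer(dest, namespace)


def build_policy(app, accepts_from, sends_to, namespace="radar"):
    """Build the NetworkPolicy for one application.

    An empty accepts_from or sends_to list means "none": both policy types
    are always declared, so an empty rule list is deny-all in that
    direction rather than allow-all.
    """
    ingress = []
    if accepts_from:
        ingress.append({"from": [app_peer(n, namespace) for n in accepts_from]})
    egress = []
    if sends_to:
        egress.append(dns_rule())
        egress.append({"to": [egress_peer(d, namespace) for d in sends_to]})
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": app, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {LABEL: app}},
            "policyTypes": ["Ingress", "Egress"],
            "ingress": ingress,
            "egress": egress,
        },
    }


def to_manifest(policy):
    """kubectl apply -f accepts JSON, so no YAML library is needed."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Three rows from the table: internet egress, no egress, no ingress.
    print(to_manifest(build_policy("radar-appserver", ["nginx"],
                                   ["internet", "management-portal", "postgresql"])))
    print(to_manifest(build_policy("radar-home", ["nginx"], [])))
    print(to_manifest(build_policy("catalog-server", [],
                                   ["internet", "kafka", "schema-registry"])))
```

Two things the table alone does not show: a "none" row must become an empty rule list with the policy type still declared (otherwise no restriction applies in that direction), and a default-deny egress silently breaks DNS unless a kube-dns rule is present. A managed service on a private VPC address is reached by adding its CIDR as an explicit destination rather than by widening the catch-all internet rule.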

github-actions bot commented Nov 9, 2023

Great PR! Please pay attention to the following items before merging:

Files matching charts/*/values.yaml:

  • Is the PR adding a new container? Please reviewer, add it to the models (internal process)
  • Is the PR adding a new parameter? Please, ensure it’s documented in the README.md

This is an automatically generated QA checklist based on modified files.

Collaborator

@Bdegraaf1234 Bdegraaf1234 left a comment

Looks good to me

@yatharthranjan
Member

yatharthranjan commented Nov 22, 2023

How will these play with using external managed services? For instance we use

  1. kafka -> Managed Service for Kafka
  2. postgres -> AWS RDS postgres
  3. minio -> AWS S3

@keyvaann
Collaborator Author

How will these play with using external managed services? For instance we use

  1. kafka -> Managed Service for Kafka
  2. postgres -> AWS RDS postgres
  3. minio -> AWS S3

The relevant components have access to internet so they can send requests to external managed services.

@yatharthranjan
Member

Some of the managed services we have are in the same VPC as the k8s nodes (not on the internet). I assume it will be fine with those too?

@keyvaann
Collaborator Author

The current default is blocking access to all private IPs, can you check if your managed resources have a public IP address or a private one? You can also add an exception to your external services in the network policy definition or disable them altogether.

Member

@yatharthranjan yatharthranjan left a comment

looks good. Just a question on blocking of private IPs when egress to all internet is enabled.
Also, I don't see a value for enabling/disabling these new policies (if we wanted to keep it as it is).

except:
- 10.0.0.0/8
- 192.168.0.0/16
- 172.16.0.0/20
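Review bot: 172.16.0.0/20 on the last except line is too narrow; the RFC 1918 block is 172.16.0.0/12 (172.16.0.0 to 172.31.255.255), so with /20 only 172.16.0.0 to 172.16.15.255 is excluded and a pod with "internet" egress can still reach the rest of that range, which on many clusters holds the pod, service or VPC address space. Consider also excluding 169.254.0.0/16, where cloud instance-metadata endpoints live.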
Member

why are we blocking these private/local IPs?

Collaborator Author

The policies will be enabled by default. If you want to disable them you can change the networkpolicy value in production.yaml to {}.
The IPs are being blocked to prevent access to other pods and services in local network.

Member

@mpgxvii mpgxvii Nov 24, 2023

Should we also accept incoming requests from management portal here? Since management portal needs the catalog server for source types?

Collaborator Author

Yes! Good catch! Thank you!

Member

@yatharthranjan yatharthranjan left a comment

Do we also need to allow access for monitoring and logging components?

kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
podSelector:
matchLabels:
app.kubernetes.io/name: radar-s3-connector
Member

what about other connectors?

Collaborator Author

It seems only these two applications connect to catalog-server:

-> grep -r 'catalog-server' --exclude-dir=catalog-server charts
charts/management-portal/README.md:89:| catalogue_server | string | `"catalog-server"` | Hostname of the catalogue-server |
charts/management-portal/values.yaml:189:catalogue_server: catalog-server
charts/radar-s3-connector/README.md:68:| catalogServer.url | string | `"http://catalog-server:9010"` | Catalog server URL |
charts/radar-s3-connector/values.yaml:117:  url: http://catalog-server:9010

kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
podSelector:
matchLabels:
app.kubernetes.io/name: '{{ .Values.catalogue_server }}'
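Review bot: the pod selector here reuses .Values.catalogue_server, which values.yaml documents as the hostname of the catalogue server. If an operator points it at anything other than the in-cluster app name (a FQDN, or a host reached through the internet rule), the selector matches no pods and management-portal silently loses egress to the catalog server. Consider a dedicated value for the selector, or document in the README that catalogue_server must equal the target's app.kubernetes.io/name label.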
Member

check spelling of catalog

Collaborator Author

Yes catalog server is spelled like this in MP configuration

@keyvaann
Collaborator Author

Do we also need to allow access for monitoring and logging components?

We have a servicemonitor in a few applications but I don't know if we actually monitor them in Prometheus, so they're not added here. Logging components don't connect to the pods so there is no need to mention them.

Member

@yatharthranjan yatharthranjan left a comment

LGTM, thanks.

@keyvaann keyvaann merged commit d0ad32b into main Dec 1, 2023
4 checks passed
@keyvaann keyvaann deleted the networkpolicy branch December 1, 2023 10:10