Added network policy to radar applications #107
* main: Update appserver chart Fixed radar-connector env
Great PR! Please pay attention to the following items before merging: Files matching
This is an automatically generated QA checklist based on modified files.
Looks good to me
How will these play with using external managed services? For instance we use
The relevant components have access to internet so they can send requests to external managed services.
Some of the managed services we have are in the same VPC as the k8s nodes (not on the internet). I assume it will be fine with those too?
The current default is blocking access to all private IPs, can you check if your managed resources have a public IP address or a private one? You can also add an exception for your external services in the network policy definition or disable them altogether.
Looks good. Just a question on blocking of private IPs when egress to all internet is enabled.
Also, I don't see a value for enabling/disabling these new policies (if we wanted to keep it as it is).
except:
- 10.0.0.0/8
- 192.168.0.0/16
- 172.16.0.0/20
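Review bot: the third except entry, `172.16.0.0/20`, covers only 172.16.0.0 to 172.16.15.255, while the RFC 1918 range is `172.16.0.0/12` (172.16.0.0 to 172.31.255.255); with the stated goal of keeping pods away from all private addresses, everything in 172.16.16.0 to 172.31.255.255 stays reachable through the `0.0.0.0/0` egress rule. Suggest `- 172.16.0.0/12`.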
why are we blocking these private/local IPs?
The policies will be enabled by default. If you want to disable them you can change the networkpolicy value in production.yaml to {}.
The IPs are being blocked to prevent access to other pods and services in the local network.
Should we also accept incoming requests from management portal here? Since management portal needs the catalog server for source types?
Yes! Good catch! Thank you!
Do we also need to allow access for monitoring and logging components?
kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
podSelector:
matchLabels:
app.kubernetes.io/name: radar-s3-connector
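Review bot: the `namespaceSelector` (the `kubernetes.io/metadata.name` line) and the `podSelector` must be two keys of the same `from` item so they are ANDed; if `podSelector` were its own `-` list entry the rule would also admit every pod in the release namespace, and any radar-s3-connector pod from any namespace. Worth confirming the indentation in the template, and, since only pods carrying the unified `app.kubernetes.io/name` label match, that every chart meant to reach catalog-server has already been moved to that label key.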
what about other connectors?
It seems only these two applications connect to catalog-server:
-> grep -r 'catalog-server' --exclude-dir=catalog-server charts
charts/management-portal/README.md:89:| catalogue_server | string | `"catalog-server"` | Hostname of the catalogue-server |
charts/management-portal/values.yaml:189:catalogue_server: catalog-server
charts/radar-s3-connector/README.md:68:| catalogServer.url | string | `"http://catalog-server:9010"` | Catalog server URL |
charts/radar-s3-connector/values.yaml:117: url: http://catalog-server:9010
kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
podSelector:
matchLabels:
app.kubernetes.io/name: '{{ .Values.catalogue_server }}'
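Review bot: `{{ .Values.catalogue_server }}` is documented in the management-portal README as the hostname of the catalogue server (`catalog-server` in values.yaml), but here it is reused as a label value; if a deployment sets it to a qualified name such as `catalog-server.<namespace>.svc` or to a value with a port, the selector silently matches no pods and management-portal's requests to the catalog server are dropped with no template error. Either select on a fixed label value for the catalog-server chart or document that this value must equal that chart's `app.kubernetes.io/name` label.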
check spelling of catalog
Yes, catalog server is spelled like this in the MP configuration.
We have servicemonitor in a few applications but I don't know if we actually monitor them in prometheus, so they're not added here. Logging components don't connect to the pods, so there is no need to mention them.
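The two questions raised above (why the ipBlock except list blocks private ranges, and how the catalog-server ingress peers are selected) as an added Python example that is not part of this PR or of the RADAR-Kubernetes charts: it builds a default-deny policy of the shape discussed here from "accepts from" / "sends to" allowlists, and checks whether a given except list actually covers the whole RFC 1918 space. The label keys are the ones shown in the review snippets; the CoreDNS labels used for the DNS rule, the namespace name `radar`, and the app names passed in are assumptions.

```python
"""Added example (not code from the RADAR-Kubernetes charts): build the kind of
NetworkPolicy discussed in this PR and sanity-check its ipBlock except list.

Assumptions: the unified pod label key app.kubernetes.io/name, the standard
kubernetes.io/metadata.name namespace label, and (for the DNS rule) CoreDNS pods
labelled k8s-app=kube-dns in kube-system. Namespace and app names are illustrative.
"""
import ipaddress

# The three RFC 1918 ranges, i.e. what "block all private IPs" should exclude.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# The except list as it appears in the PR's review snippet (copied from the page).
PR_EXCEPT_LIST = ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/20")


def uncovered_private_ranges(except_list, private_ranges=RFC1918):
    """Return the private sub-ranges that `except_list` does NOT exclude, as strings.

    An empty result means egress to 0.0.0.0/0 with this except list really does
    keep pods away from every address in `private_ranges`.
    """
    excluded = [ipaddress.ip_network(c) for c in except_list]
    gaps = []
    for cidr in private_ranges:
        remaining = [ipaddress.ip_network(cidr)]
        for ex in excluded:
            kept = []
            for block in remaining:
                if ex.subnet_of(block):          # carve the exclusion out of this block
                    kept.extend(block.address_exclude(ex))
                elif block.subnet_of(ex):        # block is entirely excluded already
                    continue
                else:                            # CIDRs that do not nest are disjoint
                    kept.append(block)
            remaining = kept
        gaps.extend(remaining)
    return [str(g) for g in sorted(gaps)]


def peer(app_name, namespace):
    """A NetworkPolicyPeer for pods labelled `app_name` in `namespace`.

    Both selectors live in ONE list item so they are ANDed. Splitting them into
    separate `- namespaceSelector` / `- podSelector` items ORs them and would
    admit every pod in the namespace.
    """
    return {
        "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": namespace}},
        "podSelector": {"matchLabels": {"app.kubernetes.io/name": app_name}},
    }


def build_policy(app_name, namespace, ingress_from=(), egress_to=(),
                 internet=False, private_ranges=RFC1918):
    """Default-deny policy for `app_name` with the given allowlists.

    ingress_from / egress_to are app names in the same namespace (the "accepts
    incoming requests from" / "allowed to send requests to" lists of the PR);
    internet=True adds 0.0.0.0/0 minus `private_ranges`. Listing both
    policyTypes with no matching rules is what makes "none" mean deny-all.
    """
    ingress = [{"from": [peer(n, namespace) for n in ingress_from]}] if ingress_from else []
    egress = [{"to": [peer(n, namespace) for n in egress_to]}] if egress_to else []
    if internet:
        egress.append({"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                            "except": list(private_ranges)}}]})
    # Egress-restricted pods still need to resolve service names (assumed CoreDNS labels).
    egress.append({
        "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
        "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
    })
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": app_name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app.kubernetes.io/name": app_name}},
            "policyTypes": ["Ingress", "Egress"],
            "ingress": ingress,
            "egress": egress,
        },
    }


if __name__ == "__main__":
    import json
    print("private space left reachable by the PR's except list:",
          uncovered_private_ranges(PR_EXCEPT_LIST))
    print("with 172.16.0.0/12 instead:", uncovered_private_ranges(RFC1918))
    # catalog-server as discussed in the thread: ingress from management-portal and
    # radar-s3-connector, egress to kafka, schema-registry and the internet.
    print(json.dumps(build_policy("catalog-server", "radar",
                                  ingress_from=("management-portal", "radar-s3-connector"),
                                  egress_to=("kafka", "schema-registry"), internet=True),
                     indent=2))
```

Run against the except list from the snippet, `uncovered_private_ranges` reports the part of 172.16.0.0/12 above 172.16.15.255 as still reachable; with `172.16.0.0/12` it reports nothing. The check only looks at the ranges you pass in: link-local 169.254.0.0/16 (where cloud instance metadata endpoints live) is not RFC 1918, so add it to `private_ranges` explicitly if the cluster should not reach it. Whether pod and service CIDRs fall inside the excluded ranges depends on the cluster's own network configuration, which is the point the thread raises about VPC-internal managed services.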
LGTM, thanks.
Solves RADAR-base/RADAR-Kubernetes#239
Unified application labels
Now all applications will have the same label key. The following applications have their labels standardized:
Added network policies
app-config
Accepts incoming requests from: nginx
Allowed to send requests to: management-portal, postgresql
app-config-frontend
Accepts incoming requests from: nginx
Allowed to send requests to: none
catalog-server
Accepts incoming requests from: none
Allowed to send requests to: internet, kafka, schema-registry
management-portal
Accepts incoming requests from: nginx, app-config, radar-appserver, radar-fitbit-connector, radar-gateway, radar-integration, radar-push-endpoint, radar-rest-sources-backend, radar-upload-connect-backend, radar-upload-source-connector
Allowed to send requests to: internet, catalog-server, postgresql
radar-appserver
Accepts incoming requests from: nginx
Allowed to send requests to: internet, management-portal, postgresql
radar-backend
Accepts incoming requests from: none
Allowed to send requests to: internet, zookeeper, kafka, schema-registry
radar-fitbit-connector
Accepts incoming requests from: none
Allowed to send requests to: internet, zookeeper, kafka, schema-registry, radar-rest-sources-backend, management-portal
radar-gateway
Accepts incoming requests from: nginx
Allowed to send requests to: kafka, schema-registry, management-portal
radar-home
Accepts incoming requests from: nginx
Allowed to send requests to: none
radar-integration
Accepts incoming requests from: nginx
Allowed to send requests to: internet, management-portal
radar-jdbc-connector
Accepts incoming requests from: none
Allowed to send requests to: kafka, schema-registry, timescaledb-postgresql
radar-output
Accepts incoming requests from: none
Allowed to send requests to: internet, minio, redis
radar-push-endpoint
Accepts incoming requests from: nginx
Allowed to send requests to: internet, kafka, schema-registry, redis, radar-rest-sources-backend, management-portal
radar-rest-sources-authorizer
Accepts incoming requests from: nginx
Allowed to send requests to: none
radar-rest-sources-backend
Accepts incoming requests from: nginx, management-portal, radar-push-endpoint
Allowed to send requests to: postgres, redis, management-portal
radar-s3-connector
Accepts incoming requests from: none
Allowed to send requests to: internet, kafka, schema-registry, catalog-server, minio
radar-upload-connect-backend
Accepts incoming requests from: nginx
Allowed to send requests to: internet, postgres, management-portal
radar-upload-connect-frontend
Accepts incoming requests from: nginx
Allowed to send requests to: none
radar-upload-source-connector
Accepts incoming requests from: none
Allowed to send requests to: internet, kafka, zookeeper, schema-registry, management-portal, minio
s3-proxy
Accepts incoming requests from: radar-output, radar-s3-connector, radar-upload-source-connector
Allowed to send requests to: internet, minio
velero-s3-deployment
Accepts incoming requests from: none
Allowed to send requests to: internet, minio