
WiP: PSAP-1178: Add NetworkPolicy k8s resources #1323
Open: wants to merge 1 commit into base: main
1 change: 1 addition & 0 deletions assets/tuned/manifests/ds-tuned.yaml
Expand Up @@ -20,6 +20,7 @@ spec:
openshift.io/required-scc: privileged
labels:
openshift-app: tuned
name: tuned
spec:
serviceAccountName: tuned
containers:
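Review bot: The added `openshift.io/required-scc: privileged` line sits directly above `labels:` with its enclosing `annotations:` key outside the shown context, so it is worth confirming in the full file that it lands under the pod template's `metadata.annotations` (the `@@ ... spec:` context suggests it does) rather than on the DaemonSet's own metadata, since the required-scc annotation is only honoured on pods. A one-line comment next to it saying why tuned must run under the privileged SCC would also help the next reader, given that the NetworkPolicy file in this same PR notes these pods are hostNetwork.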
78 changes: 78 additions & 0 deletions manifests/55-network-policy.yaml
@@ -0,0 +1,78 @@
# NOTE: NetworkPolicy behaviour for hostNetwork pods (tuned) is undefined
# https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-and-hostnetwork-pods
# Add rules for tuned pods even though most network plugins are unable to
# distinguish hostNetwork pod traffic from all other traffic.

# The "default" policy for a namespace which denies all ingress and egress traffic.
# This ensures that even pods that aren't selected by any other NetworkPolicy will
# not be allowed ingress or egress traffic.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress

# Allow access to the API server.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-to-api-server
namespace: openshift-cluster-node-tuning-operator
spec:
egress:
- ports:
- port: 6443
protocol: TCP
podSelector:
matchExpressions:
- { key: name, operator: In, values: [cluster-node-tuning-operator, tuned] }
policyTypes:
- Egress

# Allow access to the metrics server from openshift-monitoring namespace.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-metrics-traffic
namespace: openshift-cluster-node-tuning-operator
spec:
ingress:
- ports:
- port: 60000
protocol: TCP
# In theory, only access from the openshift-monitoring namespace is needed.
# However, our e2e tests access the server from ns/openshift-cluster-node-tuning-operator.
# from:
# - namespaceSelector:
# matchLabels:
# name: openshift-monitoring
podSelector:
matchLabels:
name: cluster-node-tuning-operator
policyTypes:
- Ingress

# Allow access to the webhook server.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-webhook-traffic
namespace: openshift-cluster-node-tuning-operator
spec:
ingress:
- ports:
- port: 4343
protocol: TCP
podSelector:
matchLabels:
name: cluster-node-tuning-operator
policyTypes:
- Ingress
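Review bot: `default-deny-all` is the only policy in this file without `metadata.namespace`, while the three allow policies set `namespace: openshift-cluster-node-tuning-operator`; if the manifest is applied without an explicit namespace, the deny policy ends up in a different namespace from the allow rules and the operator namespace gets no default deny at all, so add `namespace: openshift-cluster-node-tuning-operator` under the first `metadata:` block. Two smaller points: with Egress denied by default and only TCP/6443 allowed out, any DNS lookup (UDP/TCP 53) from the operator or tuned pods is blocked, so confirm they reach the API server by IP only; and in `allow-metrics-traffic` the open `ingress` rule could keep the intent of the commented-out block by listing two `from:` entries, a `namespaceSelector` matching `openshift-monitoring` plus `podSelector: {}` for the operator's own namespace (which covers the e2e tests), rather than accepting 60000/TCP from everywhere.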