feat(monitoring): add network policies

sighupio · Nov 5, 2024 · b1e2bfe · b1e2bfe
1 parent 52f2066
commit b1e2bfe
Show file tree

Hide file tree

Showing 14 changed files with 593 additions and 0 deletions.
diff --git a/templates/distribution/manifests/monitoring/kustomization.yaml.tpl b/templates/distribution/manifests/monitoring/kustomization.yaml.tpl
@@ -54,6 +54,10 @@ resources:
   - secrets/alertmanager.yml
 {{- end }}
 
+{{ if eq .spec.distribution.common.networkPoliciesEnabled true }}
+  - policies
+{{- end }}
+
 patchesStrategicMerge:
   - patches/infra-nodes.yml
 {{- if eq .spec.distribution.common.provider.type "eks" }}{{/* in EKS there are no files to monitor on nodes */}}

diff --git a/templates/distribution/manifests/monitoring/policies/alertmanager.yaml.tpl b/templates/distribution/manifests/monitoring/policies/alertmanager.yaml.tpl
@@ -0,0 +1,42 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# source: https://github.com/prometheus-operator/kube-prometheus/blob/main/manifests/alertmanager-networkPolicy.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: alertmanager-main
+  namespace: monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: prometheus
+    ports:
+    - port: 9093
+      protocol: TCP
+    - port: 8080
+      protocol: TCP
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: alertmanager
+    ports:
+    - port: 9094
+      protocol: TCP
+    - port: 9094
+      protocol: UDP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: alert-router
+      app.kubernetes.io/instance: main
+      app.kubernetes.io/name: alertmanager
+      app.kubernetes.io/part-of: kube-prometheus
+  policyTypes:
+  - Egress
+  - Ingress
+
diff --git a/templates/distribution/manifests/monitoring/policies/blackbox-exporter.yaml.tpl b/templates/distribution/manifests/monitoring/policies/blackbox-exporter.yaml.tpl
@@ -0,0 +1,32 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# source: https://github.com/prometheus-operator/kube-prometheus/blob/main/manifests/blackboxExporter-networkPolicy.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: blackbox-exporter
+  namespace: monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: prometheus
+    ports:
+    - port: 9115
+      protocol: TCP
+    - port: 19115
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: exporter
+      app.kubernetes.io/name: blackbox-exporter
+      app.kubernetes.io/part-of: kube-prometheus
+  policyTypes:
+  - Egress
+  - Ingress
+
diff --git a/templates/distribution/manifests/monitoring/policies/common.yaml.tpl b/templates/distribution/manifests/monitoring/policies/common.yaml.tpl
@@ -0,0 +1,38 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny-all
+  namespace: monitoring
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-dns-access
+  namespace: monitoring
+spec:
+  podSelector:
+    matchLabels: {}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+    - protocol: UDP
+      port: 53
+
diff --git a/templates/distribution/manifests/monitoring/policies/grafana.yaml.tpl b/templates/distribution/manifests/monitoring/policies/grafana.yaml.tpl
@@ -0,0 +1,30 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# source: https://github.com/prometheus-operator/kube-prometheus/blob/main/manifests/grafana-networkPolicy.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: grafana
+  namespace: monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: prometheus
+    ports:
+    - port: 3000
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: grafana
+      app.kubernetes.io/name: grafana
+      app.kubernetes.io/part-of: kube-prometheus
+  policyTypes:
+  - Egress
+  - Ingress
+
diff --git a/templates/distribution/manifests/monitoring/policies/kube-state-metrics.yaml.tpl b/templates/distribution/manifests/monitoring/policies/kube-state-metrics.yaml.tpl
@@ -0,0 +1,32 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# source: https://github.com/prometheus-operator/kube-prometheus/blob/main/manifests/kubeStateMetrics-networkPolicy.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: kube-state-metrics
+  namespace: monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: prometheus
+    ports:
+    - port: 8443
+      protocol: TCP
+    - port: 9443
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: exporter
+      app.kubernetes.io/name: kube-state-metrics
+      app.kubernetes.io/part-of: kube-prometheus
+  policyTypes:
+  - Egress
+  - Ingress
+
diff --git a/templates/distribution/manifests/monitoring/policies/kustomization.yaml.tpl b/templates/distribution/manifests/monitoring/policies/kustomization.yaml.tpl
@@ -0,0 +1,31 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+{{- $monitoringType := .spec.distribution.modules.monitoring.type }}
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - common.yml
+  - prometheus-operator.yaml
+  - kube-state-metrics.yaml
+  - node-exporter.yaml
+  - x509-exporter.yaml
+  - blackbox-exporter.yaml
+
+{{- if or (eq $monitoringType "prometheus") (eq $monitoringType "mimir") }}
+  - alertmanager.yaml
+  - prometheus-adapter.yaml
+  - grafana.yaml
+{{- end }}
+{{- if eq $monitoringType "prometheus" }}
+  - prometheus.yaml
+{{- end }}
+{{- if eq $monitoringType "mimir" }}
+  - mimir.yaml
+{{- if eq .spec.distribution.modules.monitoring.mimir.backend "minio" }}
+  - minio.yaml
+{{- end }}  
+{{- end }}
diff --git a/templates/distribution/manifests/monitoring/policies/mimir.yaml.tpl b/templates/distribution/manifests/monitoring/policies/mimir.yaml.tpl
@@ -0,0 +1,102 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: mimir-distributed-ingress-prometheus-metrics
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: mimir
+spec:
+  policyTypes:
+    - Ingress
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: mimir
+  ingress:
+    - ports:
+        - port: 8080
+          protocol: TCP
+      from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: prometheus
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: mimir-distributed-discovery
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: mimir
+spec:
+  policyTypes:
+    - Ingress
+    - Egress
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: mimir
+  ingress:
+    - ports:
+        - port: 9095
+          protocol: TCP
+        - port: 7946
+          protocol: TCP
+        - port: 8080
+          protocol: TCP
+      from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: mimir
+  egress:
+    - ports:
+        - port: 9095
+          protocol: TCP
+        - port: 7946
+          protocol: TCP
+        - port: 8080
+          protocol: TCP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: mimir
+{{- if eq .spec.distribution.modules.monitoring.mimir.backend "minio" }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: mimir-distributed-egress-minio
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: mimir
+spec:
+  policyTypes:
+    - Egress
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: mimir
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app: minio
+          namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+      ports:
+          - port: 9000
+            protocol: TCP
+{{- end }}