From 04a5e87f3a386d2999df39f664cd239a93ddc0aa Mon Sep 17 00:00:00 2001 From: Alex Tugarev Date: Wed, 30 Nov 2022 10:23:43 +0000 Subject: [PATCH] [iam] add networkpolicy --- .../testdata/render/aws-setup/output.golden | 39 +++++++++++++ .../testdata/render/azure-setup/output.golden | 39 +++++++++++++ .../render/customization/output.golden | 39 +++++++++++++ .../render/external-registry/output.golden | 39 +++++++++++++ .../testdata/render/gcp-setup/output.golden | 39 +++++++++++++ .../testdata/render/http-proxy/output.golden | 39 +++++++++++++ .../testdata/render/kind-meta/output.golden | 39 +++++++++++++ .../testdata/render/kind-webapp/output.golden | 39 +++++++++++++ .../cmd/testdata/render/minimal/output.golden | 39 +++++++++++++ .../testdata/render/shortname/output.golden | 39 +++++++++++++ .../statefulset-customization/output.golden | 39 +++++++++++++ .../use-pod-security-policies/output.golden | 39 +++++++++++++ .../render/vsxproxy-pvc/output.golden | 39 +++++++++++++ .../workspace-requests-limits/output.golden | 39 +++++++++++++ .../pkg/components/iam/networkpolicy.go | 55 +++++++++++++++++++ .../installer/pkg/components/iam/objects.go | 1 + 16 files changed, 602 insertions(+) create mode 100644 install/installer/pkg/components/iam/networkpolicy.go
diff --git a/install/installer/cmd/testdata/render/aws-setup/output.golden b/install/installer/cmd/testdata/render/aws-setup/output.golden
index f6753083ceab92..bea75470ebf25a 100644
--- a/install/installer/cmd/testdata/render/aws-setup/output.golden
+++ b/install/installer/cmd/testdata/render/aws-setup/output.golden
@@ -86,6 +86,35 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy iam +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: proxy + ports: + - port: 9001 + protocol: TCP + - port: 9002 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: iam + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy ide-metrics apiVersion: networking.k8s.io/v1 @@ -2118,6 +2147,16 @@ data: name: iam namespace: default --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: diff --git a/install/installer/cmd/testdata/render/azure-setup/output.golden b/install/installer/cmd/testdata/render/azure-setup/output.golden index 2aed85497a226d..945833cec7e435 100644 --- a/install/installer/cmd/testdata/render/azure-setup/output.golden +++ b/install/installer/cmd/testdata/render/azure-setup/output.golden @@ -86,6 +86,35 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy iam +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: proxy + ports: + - port: 9001 + protocol: TCP + - port: 9002 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: iam + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy ide-metrics apiVersion: networking.k8s.io/v1 
@@ -2124,6 +2153,16 @@ data: name: iam namespace: default --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: diff --git a/install/installer/cmd/testdata/render/customization/output.golden b/install/installer/cmd/testdata/render/customization/output.golden index 13914d79950ba6..3028927571fb62 100644 --- a/install/installer/cmd/testdata/render/customization/output.golden +++ b/install/installer/cmd/testdata/render/customization/output.golden @@ -86,6 +86,35 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy iam +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: proxy + ports: + - port: 9001 + protocol: TCP + - port: 9002 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: iam + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy ide-metrics apiVersion: networking.k8s.io/v1 @@ -2570,6 +2599,16 @@ data: name: iam namespace: default --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: diff --git a/install/installer/cmd/testdata/render/external-registry/output.golden b/install/installer/cmd/testdata/render/external-registry/output.golden index feffd3593a2bdb..ae75b6b37e8a5f 100644 --- a/install/installer/cmd/testdata/render/external-registry/output.golden +++ b/install/installer/cmd/testdata/render/external-registry/output.golden 
@@ -86,6 +86,35 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy iam +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: proxy + ports: + - port: 9001 + protocol: TCP + - port: 9002 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: iam + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy ide-metrics apiVersion: networking.k8s.io/v1 @@ -2171,6 +2200,16 @@ data: name: iam namespace: default --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: diff --git a/install/installer/cmd/testdata/render/gcp-setup/output.golden b/install/installer/cmd/testdata/render/gcp-setup/output.golden index 9f7ae5fcb1f517..4a806297f01952 100644 --- a/install/installer/cmd/testdata/render/gcp-setup/output.golden +++ b/install/installer/cmd/testdata/render/gcp-setup/output.golden @@ -86,6 +86,35 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy iam +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: proxy + ports: + - port: 9001 + protocol: TCP + - port: 9002 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: iam + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy ide-metrics apiVersion: networking.k8s.io/v1 
@@ -2102,6 +2131,16 @@ data: name: iam namespace: default --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: diff --git a/install/installer/cmd/testdata/render/http-proxy/output.golden b/install/installer/cmd/testdata/render/http-proxy/output.golden index 2afcfa604748d9..32ed637174cbdf 100644 --- a/install/installer/cmd/testdata/render/http-proxy/output.golden +++ b/install/installer/cmd/testdata/render/http-proxy/output.golden @@ -86,6 +86,35 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy iam +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: proxy + ports: + - port: 9001 + protocol: TCP + - port: 9002 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: iam + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy ide-metrics apiVersion: networking.k8s.io/v1 @@ -2280,6 +2309,16 @@ data: name: iam namespace: default --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: diff --git a/install/installer/cmd/testdata/render/kind-meta/output.golden b/install/installer/cmd/testdata/render/kind-meta/output.golden index e97f2571c111ad..de9145564b549e 100644 --- a/install/installer/cmd/testdata/render/kind-meta/output.golden +++ b/install/installer/cmd/testdata/render/kind-meta/output.golden 
@@ -67,6 +67,35 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy iam +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: proxy + ports: + - port: 9001 + protocol: TCP + - port: 9002 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: iam + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy ide-metrics apiVersion: networking.k8s.io/v1 @@ -1824,6 +1853,16 @@ data: name: iam namespace: default --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: diff --git a/install/installer/cmd/testdata/render/kind-webapp/output.golden b/install/installer/cmd/testdata/render/kind-webapp/output.golden index 02bfb36e05bcc3..6b292928afe863 100644 --- a/install/installer/cmd/testdata/render/kind-webapp/output.golden +++ b/install/installer/cmd/testdata/render/kind-webapp/output.golden @@ -46,6 +46,35 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy iam +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: proxy + ports: + - port: 9001 + protocol: TCP + - port: 9002 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: iam + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy messagebus # Source: rabbitmq/charts/rabbitmq/templates/networkpolicy.yaml 
@@ -1203,6 +1232,16 @@ data: name: iam namespace: default --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: diff --git a/install/installer/cmd/testdata/render/minimal/output.golden b/install/installer/cmd/testdata/render/minimal/output.golden index 7d40dbae35ae10..3cd998a900772f 100644 --- a/install/installer/cmd/testdata/render/minimal/output.golden +++ b/install/installer/cmd/testdata/render/minimal/output.golden @@ -86,6 +86,35 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy iam +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: proxy + ports: + - port: 9001 + protocol: TCP + - port: 9002 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: iam + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy ide-metrics apiVersion: networking.k8s.io/v1 @@ -2277,6 +2306,16 @@ data: name: iam namespace: default --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: diff --git a/install/installer/cmd/testdata/render/shortname/output.golden b/install/installer/cmd/testdata/render/shortname/output.golden index aa82a17679bae8..a3275ae2c91de7 100644 --- a/install/installer/cmd/testdata/render/shortname/output.golden +++ b/install/installer/cmd/testdata/render/shortname/output.golden 
@@ -86,6 +86,35 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy iam +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: proxy + ports: + - port: 9001 + protocol: TCP + - port: 9002 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: iam + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy ide-metrics apiVersion: networking.k8s.io/v1 @@ -2277,6 +2306,16 @@ data: name: iam namespace: default --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: diff --git a/install/installer/cmd/testdata/render/statefulset-customization/output.golden b/install/installer/cmd/testdata/render/statefulset-customization/output.golden index 7757f8e18b6629..4e2089be4e7e6c 100644 --- a/install/installer/cmd/testdata/render/statefulset-customization/output.golden +++ b/install/installer/cmd/testdata/render/statefulset-customization/output.golden @@ -86,6 +86,35 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy iam +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: proxy + ports: + - port: 9001 + protocol: TCP + - port: 9002 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: iam + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy ide-metrics apiVersion: networking.k8s.io/v1 
@@ -2289,6 +2318,16 @@ data: name: iam namespace: default --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: diff --git a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden index 46e51ac3a2c8cc..955284ac3d10cb 100644 --- a/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden +++ b/install/installer/cmd/testdata/render/use-pod-security-policies/output.golden @@ -86,6 +86,35 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy iam +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: proxy + ports: + - port: 9001 + protocol: TCP + - port: 9002 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: iam + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy ide-metrics apiVersion: networking.k8s.io/v1 @@ -2565,6 +2594,16 @@ data: name: iam namespace: default --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: diff --git a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden index 6c284d41d0b289..73d74894a364cc 100644 --- a/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden +++ b/install/installer/cmd/testdata/render/vsxproxy-pvc/output.golden 
@@ -86,6 +86,35 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy iam +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: proxy + ports: + - port: 9001 + protocol: TCP + - port: 9002 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: iam + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy ide-metrics apiVersion: networking.k8s.io/v1 @@ -2279,6 +2308,16 @@ data: name: iam namespace: default --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata: diff --git a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden index a4b8af77e6b402..b97aca5c03392e 100644 --- a/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden +++ b/install/installer/cmd/testdata/render/workspace-requests-limits/output.golden @@ -86,6 +86,35 @@ spec: policyTypes: - Ingress +--- +# networking.k8s.io/v1/NetworkPolicy iam +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default +spec: + ingress: + - from: + - podSelector: + matchLabels: + component: proxy + ports: + - port: 9001 + protocol: TCP + - port: 9002 + protocol: TCP + podSelector: + matchLabels: + app: gitpod + component: iam + policyTypes: + - Ingress + --- # networking.k8s.io/v1/NetworkPolicy ide-metrics apiVersion: networking.k8s.io/v1 
@@ -2280,6 +2309,16 @@ data: name: iam namespace: default --- + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + creationTimestamp: null + labels: + app: gitpod + component: iam + name: iam + namespace: default + --- apiVersion: v1 kind: ConfigMap metadata:
diff --git a/install/installer/pkg/components/iam/networkpolicy.go b/install/installer/pkg/components/iam/networkpolicy.go
new file mode 100644
index 00000000000000..813f7796d3f961
--- /dev/null
+++ b/install/installer/pkg/components/iam/networkpolicy.go
@@ -0,0 +1,55 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package iam
+
+import (
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+ networkingv1 "k8s.io/api/networking/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/util/intstr"
+)
+
+func networkpolicy(ctx *common.RenderContext) ([]runtime.Object, error) {
+ labels := common.DefaultLabels(Component)
+
+ return []runtime.Object{
+ &networkingv1.NetworkPolicy{
+ TypeMeta: common.TypeMetaNetworkPolicy,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: ctx.Namespace,
+ Labels: labels,
+ },
+ Spec: networkingv1.NetworkPolicySpec{
+ PodSelector: metav1.LabelSelector{MatchLabels: labels},
+ PolicyTypes: []networkingv1.PolicyType{"Ingress"},
+ Ingress: []networkingv1.NetworkPolicyIngressRule{
+ {
+ Ports: []networkingv1.NetworkPolicyPort{
+ {
+ Protocol: common.TCPProtocol,
+ Port: &intstr.IntOrString{IntVal: GRPCContainerPort},
+ },
+ {
+ Protocol: common.TCPProtocol,
+ Port: &intstr.IntOrString{IntVal: HTTPContainerPort},
+ },
+ },
+ From: []networkingv1.NetworkPolicyPeer{
+ {
+ PodSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "component": common.ProxyComponent,
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ }, nil
+}
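Review bot: The ingress peer in `networkpolicy` selects on the single label `"component": common.ProxyComponent`, while the policy's own PodSelector uses the full `common.DefaultLabels(Component)` set (app plus component, as the golden output shows), so with no namespaceSelector any pod in the same namespace that carries `component: proxy` is admitted to GRPCContainerPort and HTTPContainerPort. If only Gitpod's proxy should reach iam, `MatchLabels: common.DefaultLabels(common.ProxyComponent),` keeps the two selectors symmetric (the goldens would need regenerating); if sibling components deliberately use the one-label form, keep it but say so in a comment. The function also has no doc comment; a line such as `// networkpolicy limits ingress to iam's gRPC and HTTP ports to pods labelled as the proxy component; egress is not restricted by this policy.` would make the intent reviewable. As a style point, `PolicyTypes: []networkingv1.PolicyType{"Ingress"}` can use the typed constant `networkingv1.PolicyTypeIngress` rather than the string literal.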
diff --git a/install/installer/pkg/components/iam/objects.go b/install/installer/pkg/components/iam/objects.go
index 9e861886b9f91c..83f99ecc7b2d47 100644
--- a/install/installer/pkg/components/iam/objects.go
+++ b/install/installer/pkg/components/iam/objects.go
@@ -16,5 +16,6 @@ func Objects(ctx *common.RenderContext) ([]runtime.Object, error) {
 rolebinding,
 common.DefaultServiceAccount(Component),
 service,
+ networkpolicy,
 )(ctx)
 }