From 559d3d00db2a461f4cbb7a413ef73268ee814646 Mon Sep 17 00:00:00 2001
From: LH
Date: Fri, 10 Nov 2023 15:51:11 +0100
Subject: [PATCH] fix: Network policies for pgsql clusters (#29)
---
 apps/common/templates/_labels.tpl | 4 +-
 .../_network-policies-postgresql.tpl | 80 +++++++++++++++++++
 apps/cyberchef/templates/deployment.yml | 2 +-
 apps/cyberchef/templates/network-policy.yml | 2 +-
 .../network-policy-postgresql-clusters.yml | 39 ---------
 .../network-policy-postgresql-jobs.yml | 15 ----
 ...stom-network-policy-postgresql-cluster.yml | 29 +------
 apps/pomerium/values.lab.yml | 2 +-
 8 files changed, 87 insertions(+), 86 deletions(-)
 create mode 100644 apps/common/templates/_network-policies-postgresql.tpl
 delete mode 100644 apps/network-policies/templates/network-policy-postgresql-clusters.yml
 delete mode 100644 apps/network-policies/templates/network-policy-postgresql-jobs.yml
diff --git a/apps/common/templates/_labels.tpl b/apps/common/templates/_labels.tpl
index d1d7f78c3..e5dc6c74d 100644
--- a/apps/common/templates/_labels.tpl
+++ b/apps/common/templates/_labels.tpl
@@ -7,6 +7,6 @@ helm.sh/chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }}
 {{- end }}
 {{- define "common.pod-labels" }}
-app.kubernetes.io/name: {{ $.Chart.Name }}
-app.kubernetes.io/instance: {{ $.Release.Name }}
+app.kubernetes.io/name: {{ .Chart.Name }}
+app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
\ No newline at end of file
diff --git a/apps/common/templates/_network-policies-postgresql.tpl b/apps/common/templates/_network-policies-postgresql.tpl
new file mode 100644
index 000000000..794c7acab
--- /dev/null
+++ b/apps/common/templates/_network-policies-postgresql.tpl
@@ -0,0 +1,80 @@
+{{- define "common.network-policy-postgresql-cluster" }}
+{{- $appPodSelector := .AppPodSelector }}
+{{- with .Root }}
+{{- $clusterName := .Release.Name }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $clusterName }}-postgresql-cluster
+ labels:
+ {{- include "common.resource-labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ cnpg.io/podRole: instance
+ cnpg.io/cluster: {{ $clusterName }}
+ policyTypes:
+ - Ingress
+ - Egress
+ egress:
+ # Allow cluster instances to talk to Kube API
+ {{- include "common.egress-kubeapi" . | indent 4 }}
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 5432
+ from:
+ # Accept traffic from postgresql jobs related to the same cluster
+ - podSelector:
+ matchExpressions:
+ - key: cnpg.io/jobRole
+ operator: Exists
+ - key: cnpg.io/cluster
+ operator: In
+ values:
+ - {{ $clusterName }}
+ # Accept traffic from other cluster instances
+ - podSelector:
+ matchLabels:
+ cnpg.io/podRole: instance
+ cnpg.io/cluster: {{ $clusterName }}
+
+ {{- if $appPodSelector }}
+ # Accept traffic from consuming app
+ - podSelector: {{ $appPodSelector | toYaml | nindent 12 }}
+ {{- end }}
+
+ # Accept traffic from operator in postgresql-system namespace
+ - ports:
+ - protocol: TCP
+ port: 8000
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: postgresql-system
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: cloudnative-pg
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $clusterName }}-postgresql-jobs
+ labels:
+ {{- include "common.resource-labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchExpressions:
+ - key: cnpg.io/jobRole
+ operator: Exists
+ - key: cnpg.io/cluster
+ operator: In
+ values:
+ - {{ $clusterName }}
+ policyTypes:
+ - Egress
+ egress:
+ # Allow jobs to talk to Kube API
+ {{- include "common.egress-kubeapi" . | indent 4 }}
+{{- end }}
+{{- end }}
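Review bot: The cluster policy's ingress accepts 5432 from the cluster's own jobs and from peer instances, but its `egress:` block and the jobs policy's `egress:` block only include `common.egress-kubeapi`, and with `Egress` now in `policyTypes` everything else is denied, so join/backup jobs connecting to the primary and replica-to-primary streaming replication are blocked unless that include (not in this patch) is broader than its name suggests. DNS has the same problem: instances and jobs resolve the cluster's `-rw`/`-r` service names, which needs port 53 egress to the cluster DNS pods, so please check the rendered policies against a running cluster before merging, since the deleted `network-policies` chart restricted ingress only. I would add an explicit egress rule towards peer instances to both policies (below) plus a DNS rule if the shared include does not already carry one. Note also that the deleted namespace-wide `postgresql-clusters`/`postgresql-jobs` policies are replaced only where a chart includes this template (so far only pomerium), so any other CNPG cluster in this repo would now be unrestricted unless a default-deny policy exists.
```yaml
  egress:
    # Allow cluster instances to talk to Kube API
    {{- include "common.egress-kubeapi" . | indent 4 }}
    # Allow replicas to open replication connections to peer instances
    - ports:
        - protocol: TCP
          port: 5432
      to:
        - podSelector:
            matchLabels:
              cnpg.io/podRole: instance
              cnpg.io/cluster: {{ $clusterName }}
  # … unchanged: ingress rules, second document header, jobs podSelector …
  egress:
    # Allow jobs to talk to Kube API
    {{- include "common.egress-kubeapi" . | indent 4 }}
    # Allow join/backup jobs to reach the cluster's instances
    - ports:
        - protocol: TCP
          port: 5432
      to:
        - podSelector:
            matchLabels:
              cnpg.io/podRole: instance
              cnpg.io/cluster: {{ $clusterName }}
```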
diff --git a/apps/cyberchef/templates/deployment.yml b/apps/cyberchef/templates/deployment.yml
index c24c2649f..3ff7f9380 100644
--- a/apps/cyberchef/templates/deployment.yml
+++ b/apps/cyberchef/templates/deployment.yml
@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: {{ .Release.Name }}
- namespace: {{ $.Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
 labels:
 {{- include "common.resource-labels" . | indent 4 }}
 spec:
diff --git a/apps/cyberchef/templates/network-policy.yml b/apps/cyberchef/templates/network-policy.yml
index fe57f5891..223cb1b37 100644
--- a/apps/cyberchef/templates/network-policy.yml
+++ b/apps/cyberchef/templates/network-policy.yml
@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 name: {{ .Release.Name }}
- namespace: {{ $.Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
 labels:
 {{- include "common.resource-labels" . | indent 4 }}
 spec:
diff --git a/apps/network-policies/templates/network-policy-postgresql-clusters.yml b/apps/network-policies/templates/network-policy-postgresql-clusters.yml
deleted file mode 100644
index 84c6c1678..000000000
--- a/apps/network-policies/templates/network-policy-postgresql-clusters.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: postgresql-clusters
- labels:
- {{- include "common.resource-labels" . | indent 4 }}
-spec:
- podSelector:
- matchExpressions:
- - key: cnpg.io/cluster
- operator: Exists
- - key: cnpg.io/podRole
- operator: In
- values:
- - instance
- policyTypes:
- - Ingress
- ingress:
- # Accept traffic from postgresql jobs in the same namespace
- - ports:
- - protocol: TCP
- port: 5432
- from:
- - podSelector:
- matchExpressions:
- - key: cnpg.io/jobRole
- operator: Exists
-
- # Accept traffic from operator in postgresql-system namespace
- - ports:
- - protocol: TCP
- port: 8000
- from:
- - namespaceSelector:
- matchLabels:
- kubernetes.io/metadata.name: postgresql-system
- podSelector:
- matchLabels:
- app.kubernetes.io/name: cloudnative-pg
\ No newline at end of file
diff --git a/apps/network-policies/templates/network-policy-postgresql-jobs.yml b/apps/network-policies/templates/network-policy-postgresql-jobs.yml
deleted file mode 100644
index 21f0050fe..000000000
--- a/apps/network-policies/templates/network-policy-postgresql-jobs.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: postgresql-jobs
- labels:
- {{- include "common.resource-labels" . | indent 4 }}
-spec:
- podSelector:
- matchExpressions:
- - key: cnpg.io/jobRole
- operator: Exists
- policyTypes:
- - Egress
- egress:
- {{- include "common.egress-kubeapi" . | indent 4 }}
diff --git a/apps/pomerium/templates/custom-network-policy-postgresql-cluster.yml b/apps/pomerium/templates/custom-network-policy-postgresql-cluster.yml
index 23cd3f8cc..27d4d735a 100644
--- a/apps/pomerium/templates/custom-network-policy-postgresql-cluster.yml
+++ b/apps/pomerium/templates/custom-network-policy-postgresql-cluster.yml
@@ -1,27 +1,2 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: {{ .Release.Name }}-postgresql
- namespace: {{ $.Release.Namespace }}
- labels:
- {{- include "common.resource-labels" . | indent 4 }}
-spec:
- podSelector:
- matchExpressions:
- - key: cnpg.io/cluster
- operator: In
- values:
- - {{ $.Release.Name }}
- policyTypes:
- - Ingress
- ingress:
- # Accept traffic from pomerium
- - ports:
- - protocol: TCP
- port: 5432
- from:
- - podSelector:
- matchLabels:
- app.kubernetes.io/name: pomerium
- app.kubernetes.io/instance: {{ .Release.Name }}
-
\ No newline at end of file
+{{- $appPodSelector := (dict "matchLabels" (include "common.pod-labels" . | fromYaml)) }}
+{{ include "common.network-policy-postgresql-cluster" (dict "Root" . "AppPodSelector" $appPodSelector) }}
\ No newline at end of file
diff --git a/apps/pomerium/values.lab.yml b/apps/pomerium/values.lab.yml
index 5262fb446..a7eb4cf5b 100644
--- a/apps/pomerium/values.lab.yml
+++ b/apps/pomerium/values.lab.yml
@@ -18,4 +18,4 @@ postgresql:
 size: 10Gi
 storageClass: local-path-provisioner-services-db
 accessModes:
- - ReadWriteMany
\ No newline at end of file
+ - ReadWriteMany
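Review bot: The two new lines rely on the CNPG Cluster being named exactly `.Release.Name` (the shared template sets `$clusterName := .Release.Name` and keys every `cnpg.io/cluster` selector on it), which the deleted policy also assumed but which is no longer visible from this file; a comment above the first line would make the contract explicit, e.g. `{{- /* The CNPG Cluster must be named after the release: the shared policy selects pods by cnpg.io/cluster=<release name> */ -}}`. Separately, `fromYaml` does not abort the render on a parse error but returns a map holding an `Error` key, so a malformed `common.pod-labels` output would silently become a `matchLabels` that matches no pod: that fails closed (pomerium loses access to its database) rather than open, but is hard to diagnose, and a `hasKey`/`fail` check on the parsed map, here or in the shared template, would surface it at `helm template` time. The old policy also set `namespace:` explicitly while the shared template omits it, which is fine only if the policy is meant to land in the release namespace; worth confirming in the rendered output.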