add longhorn netpol

Signed-off-by: Nathan Pawelek <[email protected]>
npawelek · Jan 5, 2024 · 35e49a9 · 35e49a9
1 parent c73ccbe
commit 35e49a9
Show file tree

Hide file tree

Showing 11 changed files with 195 additions and 0 deletions.
diff --git a/kubernetes/apps/longhorn-system/kustomization.yaml b/kubernetes/apps/longhorn-system/kustomization.yaml
@@ -3,5 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./namespace.yaml
+  - ./networkpolicies
+  - ./networkpolicy.yaml
   - ./longhorn/ks.yaml
   - ./secret.yaml
diff --git a/kubernetes/apps/longhorn-system/networkpolicies/kustomization.yaml b/kubernetes/apps/longhorn-system/networkpolicies/kustomization.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./networkpolicy-admission-webhook.yaml
+  - ./networkpolicy-backing-image-data-source.yaml
+  - ./networkpolicy-backing-image-manager.yaml
+  - ./networkpolicy-conversion-webhook.yaml
+  - ./networkpolicy-instance-manager.yaml
+  - ./networkpolicy-manager.yaml
+  - ./networkpolicy-recovery-backend.yaml
+  - ./networkpolicy-ui.yaml
diff --git a/kubernetes/apps/longhorn-system/networkpolicies/networkpolicy-admission-webhook.yaml b/kubernetes/apps/longhorn-system/networkpolicies/networkpolicy-admission-webhook.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-longhorn-admission-webhook
+  namespace: longhorn-system
+spec:
+  endpointSelector:
+    matchLabels:
+      app: longhorn-manager
+  ingress:
+    - toPorts:
+        - ports:
+            - port: "9502"
+              protocol: TCP
diff --git a/kubernetes/apps/longhorn-system/networkpolicies/networkpolicy-backing-image-data-source.yaml b/kubernetes/apps/longhorn-system/networkpolicies/networkpolicy-backing-image-data-source.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-longhorn-backing-image-data-source
+  namespace: longhorn-system
+spec:
+  endpointSelector:
+    matchLabels:
+      longhorn.io/component: backing-image-data-source
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app: longhorn-manager
+    - fromEndpoints:
+        - matchLabels:
+            longhorn.io/component: instance-manager
+    - fromEndpoints:
+        - matchLabels:
+            longhorn.io/component: backing-image-manager
+    - fromEndpoints:
+        - matchLabels:
+            longhorn.io/component: backing-image-data-source
diff --git a/kubernetes/apps/longhorn-system/networkpolicies/networkpolicy-backing-image-manager.yaml b/kubernetes/apps/longhorn-system/networkpolicies/networkpolicy-backing-image-manager.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-longhorn-backing-image-manager
+  namespace: longhorn-system
+spec:
+  endpointSelector:
+    matchLabels:
+      longhorn.io/component: backing-image-manager
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app: longhorn-manager
+    - fromEndpoints:
+        - matchLabels:
+            longhorn.io/component: instance-manager
+    - fromEndpoints:
+        - matchLabels:
+            longhorn.io/component: backing-image-manager
+    - fromEndpoints:
+        - matchLabels:
+            longhorn.io/component: backing-image-data-source
diff --git a/kubernetes/apps/longhorn-system/networkpolicies/networkpolicy-conversion-webhook.yaml b/kubernetes/apps/longhorn-system/networkpolicies/networkpolicy-conversion-webhook.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-longhorn-conversion-webhook
+  namespace: longhorn-system
+spec:
+  endpointSelector:
+    matchLabels:
+      app: longhorn-manager
+  ingress:
+    - toPorts:
+        - ports:
+            - port: "9501"
+              protocol: TCP
diff --git a/kubernetes/apps/longhorn-system/networkpolicies/networkpolicy-instance-manager.yaml b/kubernetes/apps/longhorn-system/networkpolicies/networkpolicy-instance-manager.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-longhorn-instance-manager
+  namespace: longhorn-system
+spec:
+  endpointSelector:
+    matchLabels:
+      longhorn.io/component: instance-manager
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app: longhorn-manager
+    - fromEndpoints:
+        - matchLabels:
+            longhorn.io/component: instance-manager
+    - fromEndpoints:
+        - matchLabels:
+            longhorn.io/component: backing-image-manager
+    - fromEndpoints:
+        - matchLabels:
+            longhorn.io/component: backing-image-data-source
diff --git a/kubernetes/apps/longhorn-system/networkpolicies/networkpolicy-manager.yaml b/kubernetes/apps/longhorn-system/networkpolicies/networkpolicy-manager.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-longhorn-manager
+  namespace: longhorn-system
+spec:
+  endpointSelector:
+    matchLabels:
+      app: longhorn-manager
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app: longhorn-manager
+    - fromEndpoints:
+        - matchLabels:
+            app: longhorn-ui
+    - fromEndpoints:
+        - matchLabels:
+            app: longhorn-csi-plugin
+    - fromEndpoints:
+        - matchLabels:
+            longhorn.io/managed-by: longhorn-manager
+          matchExpressions:
+            - key: recurring-job.longhorn.io
+              operator: Exists
+    - fromEndpoints:
+        - matchExpressions:
+            - key: longhorn.io/job-task
+              operator: Exists
+    - fromEndpoints:
+        - matchLabels:
+            app: longhorn-driver-deployer
diff --git a/kubernetes/apps/longhorn-system/networkpolicies/networkpolicy-recovery-backend.yaml b/kubernetes/apps/longhorn-system/networkpolicies/networkpolicy-recovery-backend.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-longhorn-recovery-backend
+  namespace: longhorn-system
+spec:
+  endpointSelector:
+    matchLabels:
+      app: longhorn-manager
+  ingress:
+    - toPorts:
+        - ports:
+            - port: "9503"
+              protocol: TCP
diff --git a/kubernetes/apps/longhorn-system/networkpolicies/networkpolicy-ui.yaml b/kubernetes/apps/longhorn-system/networkpolicies/networkpolicy-ui.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-longhorn-ui
+  namespace: longhorn-system
+spec:
+  endpointSelector:
+    matchLabels:
+      app: longhorn-ui
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/instance: nginx-internal
+            io.kubernetes.pod.namespace: ingress
+      toPorts:
+        - ports:
+            - port: "8000"
+              protocol: TCP
+        - ports:
+            - port: "80"
+              protocol: TCP
diff --git a/kubernetes/apps/longhorn-system/networkpolicy.yaml b/kubernetes/apps/longhorn-system/networkpolicy.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: longhorn-system
+spec:
+  endpointSelector: {}
+  ingress:
+    - {}
+  egress:
+    - {}