diff --git a/CHANGELOG.md b/CHANGELOG.md index c6d59a8..2ee0cbc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,6 +33,7 @@ We use *breaking* word for marking changes that are not backward compatible (rel - [#308](https://github.com/thanos-io/kube-thanos/pull/308) Recive: add store limits flags - [#310](https://github.com/thanos-io/kube-thanos/pull/310) Ruler: Add host anti-affinity to ruler - [#313](https://github.com/thanos-io/kube-thanos/pull/313) Add per-container SecurityContext +- [#315](https://github.com/thanos-io/kube-thanos/pull/315) adding networkpolicy for thanos components ### Fixed diff --git a/jsonnet/kube-thanos/kube-thanos-bucket.libsonnet b/jsonnet/kube-thanos/kube-thanos-bucket.libsonnet index 2450dc2..fe39ef8 100644 --- a/jsonnet/kube-thanos/kube-thanos-bucket.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-bucket.libsonnet @@ -60,6 +60,38 @@ function(params) { assert std.isNumber(tb.config.replicas) && tb.config.replicas >= 0 : 'thanos bucket replicas has to be number >= 0', assert std.isObject(tb.config.resources), + networkPolicy: { + kind: 'NetworkPolicy', + apiVersion: 'networking.k8s.io/v1', + metadata: { + name: 'thanos-bucket', + namespace: cfg.namespace, + }, + spec: { + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'thanos-bucket', + }, + }, + egress: [{}], // Allow all outside egress to connect to object storage + ingress: [{ + from: [{ + namespaceSelector: { + matchLabels: { + 'kubernetes.io/metadata.name': cfg.namespace, + }, + }, + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'thanos-query', + }, + }, + }], + }], + policyTypes: ['Egress'], + }, + }, + service: { apiVersion: 'v1', kind: 'Service', diff --git a/jsonnet/kube-thanos/kube-thanos-compact.libsonnet b/jsonnet/kube-thanos/kube-thanos-compact.libsonnet index 5ff37d5..8343606 100644 --- a/jsonnet/kube-thanos/kube-thanos-compact.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-compact.libsonnet 
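Review bot: The `ingress` rule in the new `networkPolicy` of kube-thanos-bucket.libsonnet is never enforced, because `policyTypes: ['Egress'],` tells the API server to evaluate only the egress side, and `egress: [{}],` allows all traffic, so the object restricts nothing; the same shape is repeated in the compact, query-frontend, query, receive, rule, sidecar and store hunks. If the intent is to admit only thanos-query from within the namespace, the list has to be `policyTypes: ['Ingress', 'Egress'],`, and once ingress is actually isolated the metrics scrape implied by the `serviceMonitor` option visible in the compact and query-frontend hunks needs its own `from` entry or it will be dropped. Each `from` entry also omits `ports`, so the admitted peer reaches every container port rather than just the StoreAPI port, and the `kubernetes.io/metadata.name` namespace label it relies on is only populated automatically on Kubernetes 1.21 and newer, which is worth a comment beside the selector. The block reads `cfg.namespace` while the neighbouring asserts reach configuration through `tb.config.*`; if `cfg` is not bound elsewhere in the file, evaluation fails.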
@@ -15,6 +15,38 @@ function(params) { assert std.isBoolean(tc.config.serviceMonitor), assert std.isArray(tc.config.deduplicationReplicaLabels), + networkPolicy: { + kind: 'NetworkPolicy', + apiVersion: 'networking.k8s.io/v1', + metadata: { + name: 'thanos-compact', + namespace: cfg.namespace, + }, + spec: { + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'thanos-compact', + }, + }, + egress: [{}], // Allow all outside egress to connect to object storage + ingress: [{ + from: [{ + namespaceSelector: { + matchLabels: { + 'kubernetes.io/metadata.name': cfg.namespace, + }, + }, + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'thanos-query', + }, + }, + }], + }], + policyTypes: ['Egress'], + }, + }, + service: { apiVersion: 'v1', kind: 'Service', diff --git a/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet b/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet index de64aa8..dd140f5 100644 --- a/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet @@ -117,6 +117,38 @@ function(params) { assert std.isBoolean(tqf.config.serviceMonitor), assert std.isNumber(tqf.config.maxRetries) && tqf.config.maxRetries >= 0 : 'thanos query frontend maxRetries has to be number >= 0', + networkPolicy: { + kind: 'NetworkPolicy', + apiVersion: 'networking.k8s.io/v1', + metadata: { + name: 'thanos-query-frontend', + namespace: cfg.namespace, + }, + spec: { + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'thanos-query-frontend', + }, + }, + egress: [{}], // Allow all outside egress to connect + ingress: [{ + from: [{ + namespaceSelector: { + matchLabels: { + 'kubernetes.io/metadata.name': cfg.namespace, + }, + }, + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'thanos-query', + }, + }, + }], + }], + policyTypes: ['Egress'], + }, + }, + service: { apiVersion: 'v1', kind: 'Service', 
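Review bot: The `from` selector in the query-frontend `networkPolicy` admits only `'app.kubernetes.io/name': 'thanos-query'`, yet the frontend is the component that clients and dashboards call and that itself dials thanos-query, so as far as the hunk shows the allow-list is inverted relative to the real traffic direction. It has no effect today because `policyTypes` lists only `Egress`, but the moment `Ingress` is added this selector would block every client while admitting a peer that does not initiate connections. Confirm the intended callers and either name them in `from` or document in a comment why the frontend's ingress is left to a separate policy. The `egress: [{}]` comment here says only `// Allow all outside egress to connect`, which, unlike the bucket and compact hunks, does not say what the frontend needs to reach; `// egress stays open: query-frontend dials thanos-query and any configured cache` would make the exception reviewable.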
diff --git a/jsonnet/kube-thanos/kube-thanos-query.libsonnet b/jsonnet/kube-thanos/kube-thanos-query.libsonnet index 973b062..876425c 100644 --- a/jsonnet/kube-thanos/kube-thanos-query.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-query.libsonnet @@ -81,6 +81,38 @@ function(params) { assert std.isBoolean(tq.config.autoDownsampling), assert std.isBoolean(tq.config.useThanosEngine), + networkPolicy: { + kind: 'NetworkPolicy', + apiVersion: 'networking.k8s.io/v1', + metadata: { + name: 'thanos-query', + namespace: cfg.namespace, + }, + spec: { + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'thanos-store', + }, + }, + egress: [{}], // Allow all outside egress to connect to object storage + ingress: [{ + from: [{ + namespaceSelector: { + matchLabels: { + 'kubernetes.io/metadata.name': cfg.namespace, + }, + }, + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'thanos-store', + }, + }, + }], + }], + policyTypes: ['Egress'], + }, + }, + service: { apiVersion: 'v1', kind: 'Service', diff --git a/jsonnet/kube-thanos/kube-thanos-receive.libsonnet b/jsonnet/kube-thanos/kube-thanos-receive.libsonnet index 56233f8..82fe7e6 100644 --- a/jsonnet/kube-thanos/kube-thanos-receive.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-receive.libsonnet 
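Review bot: In the policy named `thanos-query`, `spec.podSelector` carries `'app.kubernetes.io/name': 'thanos-store',`, so this object selects the store pods rather than the query pods it is named for and duplicates the selector already used by the store hunk; it should read `'app.kubernetes.io/name': 'thanos-query',`. The `from` podSelector in the same hunk also names `thanos-store`, but query is the side that opens connections to store and the other StoreAPI servers, so an ingress allow-list for query pods would more plausibly name query-frontend, rule and the scraping Prometheus — confirm against the deployment topology before enabling the `Ingress` policy type. Both lines look like an incomplete copy of the store template, which is the kind of error a shared `networkPolicy` helper taking the component name would remove.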
@@ -16,6 +16,38 @@ function(params) { assert std.isObject(tr.config.receiveLimitsConfigFile), assert std.isObject(tr.config.storeLimits), + networkPolicy: { + kind: 'NetworkPolicy', + apiVersion: 'networking.k8s.io/v1', + metadata: { + name: 'thanos-receive', + namespace: cfg.namespace, + }, + spec: { + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'thanos-receive', + }, + }, + egress: [{}], // Allow all outside egress to connect + ingress: [{ + from: [{ + namespaceSelector: { + matchLabels: { + 'kubernetes.io/metadata.name': cfg.namespace, + }, + }, + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'thanos-query', + }, + }, + }], + }], + policyTypes: ['Egress'], + }, + }, + service: { apiVersion: 'v1', kind: 'Service', diff --git a/jsonnet/kube-thanos/kube-thanos-rule.libsonnet b/jsonnet/kube-thanos/kube-thanos-rule.libsonnet index c4a06cd..487badc 100644 --- a/jsonnet/kube-thanos/kube-thanos-rule.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-rule.libsonnet @@ -85,6 +85,37 @@ function(params) { assert std.isObject(tr.config.volumeClaimTemplate), assert !std.objectHas(tr.config.volumeClaimTemplate, 'spec') || std.assertEqual(tr.config.volumeClaimTemplate.spec.accessModes, ['ReadWriteOnce']) : 'thanos rule PVC accessMode can only be ReadWriteOnce', + networkPolicy: { + kind: 'NetworkPolicy', + apiVersion: 'networking.k8s.io/v1', + metadata: { + name: 'thanos-rule', + namespace: cfg.namespace, + }, + spec: { + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'thanos-rule', + }, + }, + egress: [{}], // Allow all outside egress to connect + ingress: [{ + from: [{ + namespaceSelector: { + matchLabels: { + 'kubernetes.io/metadata.name': cfg.namespace, + }, + }, + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'thanos-query', + }, + }, + }], + }], + policyTypes: ['Egress'], + }, + }, service: { apiVersion: 'v1', 
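Review bot: The receive `networkPolicy` admits ingress only from `'app.kubernetes.io/name': 'thanos-query'`, but receive's primary inbound traffic is remote-write from Prometheus plus forwarding between receive replicas in the hashring, neither of which matches that selector, so once the `Ingress` policy type is enabled those flows would be dropped. The rule is dormant today because `policyTypes` lists only `Egress`; either add the remote-write senders and a self-selector to `from`, or leave a comment such as `// ingress allow-list is intentionally incomplete until remote-write peers are modelled` so nobody flips the policy type without revisiting it. In the rule hunk on the same line, the header reads `+85,37` where every sibling reads `+38`: the trailing blank `+` line after `},` is missing, so the generated file will have `},` immediately followed by `service: {` — a spacing inconsistency with the other components.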
diff --git a/jsonnet/kube-thanos/kube-thanos-sidecar.libsonnet b/jsonnet/kube-thanos/kube-thanos-sidecar.libsonnet index 5640d3a..a04d86b 100644 --- a/jsonnet/kube-thanos/kube-thanos-sidecar.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-sidecar.libsonnet @@ -32,6 +32,38 @@ function(params) { local tsc = self, config:: defaults + params, + networkPolicy: { + kind: 'NetworkPolicy', + apiVersion: 'networking.k8s.io/v1', + metadata: { + name: 'thanos-sidecar', + namespace: cfg.namespace, + }, + spec: { + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'thanos-sidecar', + }, + }, + egress: [{}], // Allow all outside egress to connect + ingress: [{ + from: [{ + namespaceSelector: { + matchLabels: { + 'kubernetes.io/metadata.name': cfg.namespace, + }, + }, + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'thanos-query', + }, + }, + }], + }], + policyTypes: ['Egress'], + }, + }, + service: { apiVersion: 'v1', kind: 'Service', diff --git a/jsonnet/kube-thanos/kube-thanos-store.libsonnet b/jsonnet/kube-thanos/kube-thanos-store.libsonnet index 8ab36e5..0793f19 100644 --- a/jsonnet/kube-thanos/kube-thanos-store.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-store.libsonnet 
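Review bot: The sidecar `networkPolicy` selects pods labelled `'app.kubernetes.io/name': 'thanos-sidecar'`, but the sidecar runs as a container inside the Prometheus pod, so the hunk alone does not establish that any pod carries this label; if none does, the object is a silent no-op, and if the Prometheus pod does, the policy governs Prometheus itself and an ingress allow-list limited to thanos-query would, once enforced, cut off everything else that queries or scrapes Prometheus. A comment beside the selector stating which pod is expected to match, e.g. `// expects the Prometheus pod to carry this label; see the sidecar injection in the Prometheus spec`, would make the assumption checkable. The visible context here is `local tsc = self, config:: defaults + params,` with no `cfg` binding, so `cfg.namespace` on the `metadata.namespace` and `namespaceSelector` lines is unresolved unless it is defined earlier in the file.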
@@ -31,6 +31,38 @@ function(params) { assert std.isObject(ts.config.volumeClaimTemplate), assert !std.objectHas(ts.config.volumeClaimTemplate, 'spec') || std.assertEqual(ts.config.volumeClaimTemplate.spec.accessModes, ['ReadWriteOnce']) : 'thanos store PVC accessMode can only be ReadWriteOnce', + networkPolicy: { + kind: 'NetworkPolicy', + apiVersion: 'networking.k8s.io/v1', + metadata: { + name: 'thanos-store', + namespace: cfg.namespace, + }, + spec: { + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'thanos-store', + }, + }, + egress: [{}], // Allow all outside egress to connect to object storage + ingress: [{ + from: [{ + namespaceSelector: { + matchLabels: { + 'kubernetes.io/metadata.name': cfg.namespace, + }, + }, + podSelector: { + matchLabels: { + 'app.kubernetes.io/name': 'thanos-query', + }, + }, + }], + }], + policyTypes: ['Egress'], + }, + }, + service: { apiVersion: 'v1', kind: 'Service',