From 3903229d7be3d8beb0d53ce029989c684006edee Mon Sep 17 00:00:00 2001
From: Harsh Pratap Singh
Date: Sat, 6 Jan 2024 21:50:15 +0530
Subject: [PATCH 1/3] adding networkpolicy for thanos components
Signed-off-by: Harsh Pratap Singh
---
 .../kube-thanos/kube-thanos-bucket.libsonnet | 32 +++++++++++++++++++
 .../kube-thanos/kube-thanos-compact.libsonnet | 32 +++++++++++++++++++
 .../kube-thanos-query-frontend.libsonnet | 32 +++++++++++++++++++
 .../kube-thanos/kube-thanos-query.libsonnet | 32 +++++++++++++++++++
 .../kube-thanos/kube-thanos-receive.libsonnet | 32 +++++++++++++++++++
 .../kube-thanos/kube-thanos-rule.libsonnet | 31 ++++++++++++++++++
 .../kube-thanos/kube-thanos-sidecar.libsonnet | 32 +++++++++++++++++++
 .../kube-thanos/kube-thanos-store.libsonnet | 32 +++++++++++++++++++
 8 files changed, 255 insertions(+)
diff --git a/jsonnet/kube-thanos/kube-thanos-bucket.libsonnet b/jsonnet/kube-thanos/kube-thanos-bucket.libsonnet
index 2450dc2..fe39ef8 100644
--- a/jsonnet/kube-thanos/kube-thanos-bucket.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-bucket.libsonnet
@@ -60,6 +60,38 @@ function(params) {
 assert std.isNumber(tb.config.replicas) && tb.config.replicas >= 0 : 'thanos bucket replicas has to be number >= 0',
 assert std.isObject(tb.config.resources),
+ networkPolicy: {
+ kind: 'NetworkPolicy',
+ apiVersion: 'networking.k8s.io/v1',
+ metadata: {
+ name: 'thanos-bucket',
+ namespace: cfg.namespace,
+ },
+ spec: {
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'thanos-bucket',
+ },
+ },
+ egress: [{}], // Allow all outside egress to connect to object storage
+ ingress: [{
+ from: [{
+ namespaceSelector: {
+ matchLabels: {
+ 'kubernetes.io/metadata.name': cfg.namespace,
+ },
+ },
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'thanos-query',
+ },
+ },
+ }],
+ }],
+ policyTypes: ['Egress'],
+ },
+ },
+
 service: {
 apiVersion: 'v1',
 kind: 'Service',
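Review bot: `policyTypes: ['Egress']` makes the API server ignore the whole `ingress:` block, and `egress: [{}]` allows every destination, so this NetworkPolicy restricts nothing; the same shape is repeated in the compact, query-frontend, query, receive, rule, sidecar and store hunks. If the ingress allow-list is meant to be enforced the line should be `policyTypes: ['Ingress', 'Egress'],`, but then only `thanos-query` pods in the namespace may reach the pod, which would also deny the metrics scraping that the `serviceMonitor` option visible in the compact and query-frontend hunks implies, so a scraper peer (or a comment stating that ingress is intentionally left unrestricted) is needed either way. The comment `// Allow all outside egress to connect to object storage` should say the rule is allow-all rather than suggesting it is scoped to object storage. Separately, `cfg.namespace` uses a `cfg` binding that is not visible in any of these hunks while the surrounding lines read `tb.config`; unless `cfg` is bound elsewhere in the file this will fail to evaluate, and `tb.config.namespace` looks like the intent (the sidecar hunk, where `config:: defaults + params` is the line immediately before the policy, shows the same pattern).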
diff --git a/jsonnet/kube-thanos/kube-thanos-compact.libsonnet b/jsonnet/kube-thanos/kube-thanos-compact.libsonnet
index 5ff37d5..4a26629 100644
--- a/jsonnet/kube-thanos/kube-thanos-compact.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-compact.libsonnet
@@ -15,6 +15,38 @@ function(params) {
 assert std.isBoolean(tc.config.serviceMonitor),
 assert std.isArray(tc.config.deduplicationReplicaLabels),
+ networkPolicy: {
+ kind: 'NetworkPolicy',
+ apiVersion: 'networking.k8s.io/v1',
+ metadata: {
+ name: 'thanos-compact',
+ namespace: cfg.namespace,
+ },
+ spec: {
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'thanos-compact',
+ },
+ },
+ egress: [{}], // Allow all outside egress to connect to object storage
+ ingress: [{
+ from: [{
+ namespaceSelector: {
+ matchLabels: {
+ 'kubernetes.io/metadata.name': cfg.namespace,
+ },
+ },
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'thanos-query',
+ },
+ },
+ }],
+ }],
+ policyTypes: ['Egress'],
+ },
+ }
+
 service: {
 apiVersion: 'v1',
 kind: 'Service',
diff --git a/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet b/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet
index de64aa8..8616976 100644
--- a/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet
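Review bot: `name: 'thanos-compact'` and the `podSelector` label `'thanos-compact'` are hard-coded while every other setting in this file is read from `tc.config`; if the component's name and labels are configurable (the Service that follows presumably takes them from `tc.config`, outside this hunk), a renamed or relabelled compactor would not be selected by the policy at all, and two instances in one namespace would emit two NetworkPolicy objects with the same name. Deriving `metadata.name` and the selector from the same config fields the Service uses keeps them in step. The `from:` peer `thanos-query` is hard-coded too, which has the same drift problem against the query deployment's labels.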
@@ -117,6 +117,38 @@ function(params) {
 assert std.isBoolean(tqf.config.serviceMonitor),
 assert std.isNumber(tqf.config.maxRetries) && tqf.config.maxRetries >= 0 : 'thanos query frontend maxRetries has to be number >= 0',
+ networkPolicy: {
+ kind: 'NetworkPolicy',
+ apiVersion: 'networking.k8s.io/v1',
+ metadata: {
+ name: 'thanos-query-frontend',
+ namespace: cfg.namespace,
+ },
+ spec: {
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'thanos-query-frontend',
+ },
+ },
+ egress: [{}], // Allow all outside egress to connect
+ ingress: [{
+ from: [{
+ namespaceSelector: {
+ matchLabels: {
+ 'kubernetes.io/metadata.name': cfg.namespace,
+ },
+ },
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'thanos-query',
+ },
+ },
+ }],
+ }],
+ policyTypes: ['Egress'],
+ },
+ }
+
 service: {
 apiVersion: 'v1',
 kind: 'Service',
diff --git a/jsonnet/kube-thanos/kube-thanos-query.libsonnet b/jsonnet/kube-thanos/kube-thanos-query.libsonnet
index 973b062..876425c 100644
--- a/jsonnet/kube-thanos/kube-thanos-query.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-query.libsonnet
@@ -81,6 +81,38 @@ function(params) {
 assert std.isBoolean(tq.config.autoDownsampling),
 assert std.isBoolean(tq.config.useThanosEngine),
+ networkPolicy: {
+ kind: 'NetworkPolicy',
+ apiVersion: 'networking.k8s.io/v1',
+ metadata: {
+ name: 'thanos-query',
+ namespace: cfg.namespace,
+ },
+ spec: {
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'thanos-store',
+ },
+ },
+ egress: [{}], // Allow all outside egress to connect to object storage
+ ingress: [{
+ from: [{
+ namespaceSelector: {
+ matchLabels: {
+ 'kubernetes.io/metadata.name': cfg.namespace,
+ },
+ },
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'thanos-store',
+ },
+ },
+ }],
+ }],
+ policyTypes: ['Egress'],
+ },
+ },
+
 service: {
 apiVersion: 'v1',
 kind: 'Service',
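Review bot: The ingress peer on the `from:` entry of the query-frontend policy is `thanos-query`, but query-frontend sits in front of query and forwards requests to it, so its inbound callers are Grafana, users and other clients rather than query pods; if `Ingress` is ever added to `policyTypes` this rule would deny every legitimate client while admitting a component that does not initiate connections to the frontend. The peer list should describe the frontend's actual callers, or be dropped with a comment stating that ingress to the frontend is intentionally unrestricted. While `policyTypes` stays `['Egress']` the block is inert, which is what makes this easy to miss.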
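Review bot: In the query hunk the `podSelector` label is `'app.kubernetes.io/name': 'thanos-store'` inside a policy named `thanos-query`, so the object attaches to the store pods (which the store hunk already selects) and leaves the query pods unselected; it reads like a copy of the store policy. It should be `'app.kubernetes.io/name': 'thanos-query',`. The ingress peer is also `thanos-store`, whereas store pods never open connections to query — query is called by query-frontend (and by rule when it evaluates through query) — so the `from:` entry needs the same correction before `Ingress` is ever enforced.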
diff --git a/jsonnet/kube-thanos/kube-thanos-receive.libsonnet b/jsonnet/kube-thanos/kube-thanos-receive.libsonnet
index 56233f8..4509788 100644
--- a/jsonnet/kube-thanos/kube-thanos-receive.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-receive.libsonnet
@@ -16,6 +16,38 @@ function(params) {
 assert std.isObject(tr.config.receiveLimitsConfigFile),
 assert std.isObject(tr.config.storeLimits),
+ networkPolicy: {
+ kind: 'NetworkPolicy',
+ apiVersion: 'networking.k8s.io/v1',
+ metadata: {
+ name: 'thanos-receive',
+ namespace: cfg.namespace,
+ },
+ spec: {
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'thanos-receive',
+ },
+ },
+ egress: [{}], // Allow all outside egress to connect
+ ingress: [{
+ from: [{
+ namespaceSelector: {
+ matchLabels: {
+ 'kubernetes.io/metadata.name': cfg.namespace,
+ },
+ },
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'thanos-query',
+ },
+ },
+ }],
+ }],
+ policyTypes: ['Egress'],
+ },
+ }
+
 service: {
 apiVersion: 'v1',
 kind: 'Service',
diff --git a/jsonnet/kube-thanos/kube-thanos-rule.libsonnet b/jsonnet/kube-thanos/kube-thanos-rule.libsonnet
index c4a06cd..0a03a50 100644
--- a/jsonnet/kube-thanos/kube-thanos-rule.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-rule.libsonnet
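Review bot: The only ingress peer in the receive policy is `thanos-query`, yet the main inbound traffic to receive is Prometheus remote-write and, in a hashring, forwarding between receive replicas; if `Ingress` is added to `policyTypes` both would be denied. Add peers for the remote-write senders and a self-selector for `'app.kubernetes.io/name': 'thanos-receive'` pods (the hashring and remote-write ports are defined outside this hunk), or document that the ingress list is deliberately not enforced. The comment `// Allow all outside egress to connect` should name what receive needs to reach (other receivers, object storage) so a later reader can tighten it.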
@@ -85,6 +85,37 @@ function(params) {
 assert std.isObject(tr.config.volumeClaimTemplate),
 assert !std.objectHas(tr.config.volumeClaimTemplate, 'spec') || std.assertEqual(tr.config.volumeClaimTemplate.spec.accessModes, ['ReadWriteOnce']) : 'thanos rule PVC accessMode can only be ReadWriteOnce',
+ networkPolicy: {
+ kind: 'NetworkPolicy',
+ apiVersion: 'networking.k8s.io/v1',
+ metadata: {
+ name: 'thanos-rule',
+ namespace: cfg.namespace,
+ },
+ spec: {
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'thanos-rule',
+ },
+ },
+ egress: [{}], // Allow all outside egress to connect
+ ingress: [{
+ from: [{
+ namespaceSelector: {
+ matchLabels: {
+ 'kubernetes.io/metadata.name': cfg.namespace,
+ },
+ },
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'thanos-query',
+ },
+ },
+ }],
+ }],
+ policyTypes: ['Egress'],
+ },
+ }
 service: {
 apiVersion: 'v1',
diff --git a/jsonnet/kube-thanos/kube-thanos-sidecar.libsonnet b/jsonnet/kube-thanos/kube-thanos-sidecar.libsonnet
index 5640d3a..50223fe 100644
--- a/jsonnet/kube-thanos/kube-thanos-sidecar.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-sidecar.libsonnet
@@ -32,6 +32,38 @@ function(params) {
 local tsc = self,
 config:: defaults + params,
+ networkPolicy: {
+ kind: 'NetworkPolicy',
+ apiVersion: 'networking.k8s.io/v1',
+ metadata: {
+ name: 'thanos-sidecar',
+ namespace: cfg.namespace,
+ },
+ spec: {
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'thanos-sidecar',
+ },
+ },
+ egress: [{}], // Allow all outside egress to connect
+ ingress: [{
+ from: [{
+ namespaceSelector: {
+ matchLabels: {
+ 'kubernetes.io/metadata.name': cfg.namespace,
+ },
+ },
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'thanos-query',
+ },
+ },
+ }],
+ }],
+ policyTypes: ['Egress'],
+ },
+ }
+
 service: {
 apiVersion: 'v1',
 kind: 'Service',
diff --git a/jsonnet/kube-thanos/kube-thanos-store.libsonnet b/jsonnet/kube-thanos/kube-thanos-store.libsonnet
index 8ab36e5..0793f19 100644
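Review bot: The `podSelector` in the sidecar hunk matches `'app.kubernetes.io/name': 'thanos-sidecar'`, but the sidecar runs as a container inside a Prometheus pod whose labels are set by whatever deploys Prometheus; the visible context (`config:: defaults + params` immediately followed by the policy, then a `service:`) suggests this file does not create that pod, so unless the Prometheus pod carries exactly this label the policy selects nothing and silently does not apply. Either document the label contract the Prometheus pod must satisfy, or derive the selector from the same label set the Service selector in this file uses (outside this hunk), so the two cannot drift apart. A short comment above `podSelector:` saying which pod this is expected to match would make the assumption reviewable.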
--- a/jsonnet/kube-thanos/kube-thanos-store.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-store.libsonnet
@@ -31,6 +31,38 @@ function(params) {
 assert std.isObject(ts.config.volumeClaimTemplate),
 assert !std.objectHas(ts.config.volumeClaimTemplate, 'spec') || std.assertEqual(ts.config.volumeClaimTemplate.spec.accessModes, ['ReadWriteOnce']) : 'thanos store PVC accessMode can only be ReadWriteOnce',
+ networkPolicy: {
+ kind: 'NetworkPolicy',
+ apiVersion: 'networking.k8s.io/v1',
+ metadata: {
+ name: 'thanos-store',
+ namespace: cfg.namespace,
+ },
+ spec: {
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'thanos-store',
+ },
+ },
+ egress: [{}], // Allow all outside egress to connect to object storage
+ ingress: [{
+ from: [{
+ namespaceSelector: {
+ matchLabels: {
+ 'kubernetes.io/metadata.name': cfg.namespace,
+ },
+ },
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'thanos-query',
+ },
+ },
+ }],
+ }],
+ policyTypes: ['Egress'],
+ },
+ },
+
 service: {
 apiVersion: 'v1',
 kind: 'Service',
From 6dd92846c685b618fc3031b5fd5438a42ef27d32 Mon Sep 17 00:00:00 2001
From: Harsh Pratap Singh
Date: Tue, 16 Jan 2024 21:01:30 +0530
Subject: [PATCH 2/3] fixing commas
Signed-off-by: Harsh Pratap Singh
---
 jsonnet/kube-thanos/kube-thanos-compact.libsonnet | 2 +-
 jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet | 2 +-
 jsonnet/kube-thanos/kube-thanos-receive.libsonnet | 2 +-
 jsonnet/kube-thanos/kube-thanos-rule.libsonnet | 2 +-
 jsonnet/kube-thanos/kube-thanos-sidecar.libsonnet | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/jsonnet/kube-thanos/kube-thanos-compact.libsonnet b/jsonnet/kube-thanos/kube-thanos-compact.libsonnet
index 4a26629..8343606 100644
--- a/jsonnet/kube-thanos/kube-thanos-compact.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-compact.libsonnet
@@ -45,7 +45,7 @@ function(params) {
 }],
 policyTypes: ['Egress'],
 },
- }
+ },
 service: {
 apiVersion: 'v1',
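Review bot: The ingress rule in the store hunk carries no `ports:`, so if it is ever enforced it admits query pods to every port of the store pod rather than only the gRPC StoreAPI port (the container port definitions live outside this hunk). Add a `ports:` list naming the gRPC port and, if metrics are to be scraped through this rule, the http port — for example `ports: [{ port: 'grpc', protocol: 'TCP' }],` with the name matching whatever the container port is actually called in this file. Until `Ingress` appears in `policyTypes` the rule is not applied at all, so the omission is invisible in testing.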
diff --git a/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet b/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet
index 8616976..dd140f5 100644
--- a/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet
@@ -147,7 +147,7 @@ function(params) {
 }],
 policyTypes: ['Egress'],
 },
- }
+ },
 service: {
 apiVersion: 'v1',
diff --git a/jsonnet/kube-thanos/kube-thanos-receive.libsonnet b/jsonnet/kube-thanos/kube-thanos-receive.libsonnet
index 4509788..82fe7e6 100644
--- a/jsonnet/kube-thanos/kube-thanos-receive.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-receive.libsonnet
@@ -46,7 +46,7 @@ function(params) {
 }],
 policyTypes: ['Egress'],
 },
- }
+ },
 service: {
 apiVersion: 'v1',
diff --git a/jsonnet/kube-thanos/kube-thanos-rule.libsonnet b/jsonnet/kube-thanos/kube-thanos-rule.libsonnet
index 0a03a50..487badc 100644
--- a/jsonnet/kube-thanos/kube-thanos-rule.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-rule.libsonnet
@@ -115,7 +115,7 @@ function(params) {
 }],
 policyTypes: ['Egress'],
 },
- }
+ },
 service: {
 apiVersion: 'v1',
diff --git a/jsonnet/kube-thanos/kube-thanos-sidecar.libsonnet b/jsonnet/kube-thanos/kube-thanos-sidecar.libsonnet
index 50223fe..a04d86b 100644
--- a/jsonnet/kube-thanos/kube-thanos-sidecar.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-sidecar.libsonnet
@@ -62,7 +62,7 @@ function(params) {
 }],
 policyTypes: ['Egress'],
 },
- }
+ },
 service: {
 apiVersion: 'v1',
From 7b22d2ff07240acb387fe9da38f6266cd469a03e Mon Sep 17 00:00:00 2001
From: Harsh Pratap Singh
Date: Tue, 16 Jan 2024 21:35:44 +0530
Subject: [PATCH 3/3] adding changelog entry
Signed-off-by: Harsh Pratap Singh
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c6d59a8..2ee0cbc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,6 +33,7 @@ We use *breaking* word for marking changes that are not backward compatible (rel
 - [#308](https://github.com/thanos-io/kube-thanos/pull/308) Recive: add store limits flags
 - [#310](https://github.com/thanos-io/kube-thanos/pull/310) Ruler: Add host anti-affinity to ruler
 - [#313](https://github.com/thanos-io/kube-thanos/pull/313) Add per-container SecurityContext
+- [#315](https://github.com/thanos-io/kube-thanos/pull/315) adding networkpolicy for thanos components
 ### Fixed