From 5cf9b9f3d1f73631a319c7943bed3d73d43c5c06 Mon Sep 17 00:00:00 2001 From: olevski Date: Wed, 20 Nov 2024 09:44:38 +0100 Subject: [PATCH 01/18] feat: consolidate network policies --- .../renku/templates/network-policies.yaml | 562 ++++++++++++++++++ .../templates/notebooks/network-policy.yaml | 108 ---- .../secrets-storage/network-policy.yaml | 22 - helm-chart/renku/values.yaml | 5 + 4 files changed, 567 insertions(+), 130 deletions(-) delete mode 100644 helm-chart/renku/templates/notebooks/network-policy.yaml delete mode 100644 helm-chart/renku/templates/secrets-storage/network-policy.yaml diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 3aa0a88615..16fe1d8bb6 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml @@ -1,3 +1,16 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-all-ingress + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: {} + policyTypes: + - Ingress {{- if not .Values.global.externalServices.postgresql.enabled }} --- apiVersion: networking.k8s.io/v1 
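Review bot: `default-deny-all-ingress` uses `podSelector: {}`, so it binds every pod in the release namespace, including pods from other charts or releases installed there, and with `policyTypes: - Ingress` it leaves egress untouched; neither fact is stated in the hunk. A two-line comment above `spec:` would spare the next operator a surprise, e.g. `# Namespace-wide: selects every pod in .Release.Namespace, not only this release.` and `# Ingress only: egress is not restricted by this policy.` The template continues past the end of the hunk.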
@@ -91,3 +104,552 @@ spec: - protocol: TCP port: 9187 {{- end }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "renku.notebooks.fullname" . }}-k8s-watcher + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . }}-k8s-watcher + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + # Allow ingress to the k8s watcher from data services and notebooks + - podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "renku.notebooks.fullname" . }}-sessions + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/component: jupyterserver + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/name: amalthea + policyTypes: + - Ingress + ingress: + - from: + # Allow ssh ingress to sessions only for the ssh jump host + - podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . }}-ssh + ports: + - port: ssh + protocol: TCP + - from: + # Allow ingress to the oauth2proxy for anyone + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: 4180 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "renku.notebooks.fullname" . }}-sessions-v2 + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: AmaltheaSession + app.kubernetes.io/part-of: amaltheasession-operator + policyTypes: + - Ingress + ingress: + - from: + # Allow ingress to the authentication proxy port on a v2 session from anywhere + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + # This port is hardcoded in Amalthea as the port for the authentication proxy + port: 65535 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "renku.fullname" . }}-secrets-storage + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.fullname" . }}-secrets-storage + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + # Only allow ingress to secrets storage from notebooks and data services + - podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: gateway-ingress-to-data-service + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: gateway-ingress-to-notebooks + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: gateway-ingress-to-core-service + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "renku-core.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: gateway-ingress-to-knowledge-graph + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-kg +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: gateway-ingress-to-search-service + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.search.searchApi.name" . 
}} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-search-api + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-uiserver-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: "uiserver" + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-gateway-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http +{{- if .Values.keycloakx.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-keycloak-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: keycloakx + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http + - protocol: TCP + port: https +{{- end }} +{{- if .Values.swagger.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-swagger-from-anywhere + labels: + app: {{ template "renku.name" . 
}} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "renku.name" . }}-swagger + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http +{{- end }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-webhook-service-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.webhookService.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http-webhook-sv +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-ui-assets-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: ui + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-authz-from-data-service + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: renku-authz + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http + - protocol: TCP + port: grpc +{{- if .Values.redis.install }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-redis-from-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: redis + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app.kubernetes.io/name: "uiserver" + app.kubernetes.io/instance: {{ .Release.Name }} + - podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "renku-core.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.search.searchApi.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: redis +{{- end }} +{{- if .Values.solr.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-solr-from-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/component: solr + app.kubernetes.io/name: solr + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: search-api + - podSelector: + matchLabels: + app: search-provision + ports: + - protocol: TCP + port: http +{{- end }} +{{- if gt (.Values.networkPolicies.allowAllIngressFromPods | len) 0 }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-all-ingress-from-some-pods + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - from: + {{- toYaml .Values.networkPolicies.allowAllIngressFromPods | nindent 8 }} +{{- end }} +{{- if gt (.Values.networkPolicies.allowAllIngressFromNamespaces | len) 0 }} +{{- if has .Release.Namespace .Values.networkPolicies.allowAllIngressFromNamespaces -}} +{{- fail "ERROR: You cannot allow all ingress from the Helm release namespace" -}} +{{- end -}} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-all-ingress-from-some-namespaces + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchExpressions: + - key: namespace + operator: In + values: + {{- toYaml .Values.networkPolicies.allowAllIngressFromNamespaces | nindent 16 }} +{{- end }} diff --git a/helm-chart/renku/templates/notebooks/network-policy.yaml b/helm-chart/renku/templates/notebooks/network-policy.yaml deleted file mode 100644 index 7f954dad17..0000000000 --- a/helm-chart/renku/templates/notebooks/network-policy.yaml +++ /dev/null 
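Review bot: The new `{{ template "renku.notebooks.fullname" . }}-sessions` policy lists only `- Ingress` under `policyTypes`, whereas the notebooks/network-policy.yaml deleted by this commit also declared `- Egress` and limited session egress to DNS, non-private IP ranges and the data service; after this change a user session can presumably open connections to any address that the destination's own ingress rules do not block, including services outside this namespace. Unless that is intended, the `egress:` section of the deleted file should be carried over into the consolidated policy, or the decision recorded in a comment on the policy. Separately, `allow-all-ingress-from-some-namespaces` matches namespaces on `key: namespace`, but the label Kubernetes sets automatically on every namespace is `kubernetes.io/metadata.name`, so the allow-list would only match namespaces carrying a hand-added `namespace` label; use `- key: kubernetes.io/metadata.name`. Finally, the peer selectors in `ingress-to-solr-from-services` (`app: search-api`, `app: search-provision`) and the target selector of `ingress-to-keycloak-from-anywhere` omit the `release: {{ .Release.Name }}` label that every other selector in the file carries, so a pod from another release in the same namespace with the same `app` label would match; the same scoping gap appears in patch 05 (L13), where `release` is dropped from the `data-service-background-jobs` peer and the new `core-cache-cleanup` label is added without one.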
@@ -1,108 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "renku.notebooks.fullname" . }}-k8s-watcher -spec: - podSelector: - matchLabels: - app: {{ template "renku.notebooks.name" . }}-k8s-watcher - release: {{ .Release.Name }} - policyTypes: - - Ingress - ingress: - - from: - - podSelector: - matchLabels: - app: {{ template "renku.notebooks.name" . }} - release: {{ .Release.Name }} - - podSelector: - matchLabels: - app: renku-data-service - release: {{ .Release.Name }} - ports: - - protocol: TCP - port: http ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "renku.notebooks.fullname" . }}-ssh-jumphost -spec: - podSelector: - matchLabels: - app: {{ template "renku.notebooks.name" . }}-ssh - policyTypes: - - Egress - egress: - - to: - - podSelector: - matchLabels: - app.kubernetes.io/component: jupyterserver - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/name: amalthea - ports: - - port: ssh - protocol: TCP - - ports: - - protocol: UDP - port: 53 - - protocol: TCP - port: 53 ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "renku.notebooks.fullname" . }}-sessions -spec: - podSelector: - matchLabels: - app.kubernetes.io/component: jupyterserver - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/name: amalthea - policyTypes: - - Ingress - - Egress - ingress: - - from: - # Allow ssh ingress to sessions only for the ssh jump host - - podSelector: - matchLabels: - app: {{ template "renku.notebooks.name" . 
}}-ssh - ports: - - port: ssh - protocol: TCP - - from: - # Allow ingress to the oauth2proxy for anyone - - ipBlock: - cidr: 0.0.0.0/0 - ports: - - protocol: TCP - port: 4180 - egress: - - to: - # Allow DNS resolution (internal and external) - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - - to: - # Allow access to any port/protocol as long as it is directed - # outside of the cluster. This is done by excluding - # IP ranges which are reserved for private networking from - # the allowed range. - - ipBlock: - cidr: 0.0.0.0/0 - except: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - - to: - # Allow access to data service - - podSelector: - matchLabels: - app: renku-data-service - ports: - - port: http - protocol: TCP - diff --git a/helm-chart/renku/templates/secrets-storage/network-policy.yaml b/helm-chart/renku/templates/secrets-storage/network-policy.yaml deleted file mode 100644 index dbd2381cb3..0000000000 --- a/helm-chart/renku/templates/secrets-storage/network-policy.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "renku.fullname" . }}-secrets-storage -spec: - podSelector: - matchLabels: - app: {{ template "renku.fullname" . }}-secrets-storage - release: {{ .Release.Name }} - policyTypes: - - Ingress - ingress: - - from: - # Only allow ingress to secrets storage from notebooks - - podSelector: - matchLabels: - app: {{ template "renku.notebooks.name" . }} - release: {{ .Release.Name }} - ports: - - protocol: TCP - port: http - diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index a1d9b47c3a..c1354b13e1 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml 
@@ -224,6 +224,11 @@ ingress: # - secretName: chart-example-tls # hosts: # - example.local +networkPolicies: + ## List of podSelector terms for pods in the release namespace that should be allowed all ingress to all services + allowAllIngressFromPods: [] + ## List of namespaces that should be allowed all ingress to all services + allowAllIngressFromNamespaces: [] ## Keycloak configuration keycloakx: ## Spawn a keycloak instance From 12afc5639035d99515d5f56f3a7e9db86166cb49 Mon Sep 17 00:00:00 2001 From: olevski Date: Wed, 20 Nov 2024 10:43:30 +0100 Subject: [PATCH 02/18] fix: allow ingress to acme http solver --- .../renku/templates/network-policies.yaml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 16fe1d8bb6..44513ff244 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml @@ -653,3 +653,23 @@ spec: values: {{- toYaml .Values.networkPolicies.allowAllIngressFromNamespaces | nindent 16 }} {{- end }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-all-ingress-to-acme-http-solver-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + acme.cert-manager.io/http01-solver: "true" + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 From b9843231043067e1245e9431201ce02163267cbf Mon Sep 17 00:00:00 2001 From: olevski Date: Wed, 20 Nov 2024 11:05:37 +0100 Subject: [PATCH 03/18] fix: allow data service jobs to access authz --- helm-chart/renku/templates/network-policies.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
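Review bot: The comment on `allowAllIngressFromPods` calls the entries "podSelector terms", but the template splices the list verbatim under `from:` with `toYaml ... | nindent 8`, so each entry has to be a complete NetworkPolicyPeer (e.g. `- podSelector: {matchLabels: {app: my-app}}`); a bare `matchLabels` map would render an invalid policy. Suggest rewording to `## List of NetworkPolicyPeer entries (each starting with "- podSelector: ...") for pods in the release namespace that are granted ingress to every pod of this release`, and noting on `allowAllIngressFromNamespaces` that listing the release namespace itself makes rendering fail. Both values punch holes through `default-deny-all-ingress` for every pod in the release, and the comments should say so.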
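Review bot: `allow-all-ingress-to-acme-http-solver-from-anywhere` has a `from: - ipBlock: cidr: 0.0.0.0/0` rule with no `ports:`, so every port of a solver pod is reachable from any source rather than only the HTTP-01 challenge port. Adding `ports: - protocol: TCP` with the port the cert-manager solver listens on (8089 by default in cert-manager; confirm for the deployed version) keeps the exception as narrow as the default deny intends. The policy also renders unconditionally, unlike the other exceptions in the file that are gated on an `.enabled` value; a gate of the same kind would avoid shipping it on installs that do not use HTTP-01 solvers.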
diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 44513ff244..20c91d13d4 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml @@ -510,7 +510,7 @@ spec: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: ingress-to-authz-from-data-service + name: ingress-to-authz-from-services labels: app: {{ template "renku.name" . }} chart: {{ template "renku.chart" . }} @@ -529,6 +529,10 @@ spec: matchLabels: app: renku-data-service release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: data-service-background-jobs + release: {{ .Release.Name }} ports: - protocol: TCP port: http From 6b37aefd0911c5ab1d7f6412eff088e078a94ee5 Mon Sep 17 00:00:00 2001 From: olevski Date: Wed, 20 Nov 2024 11:05:52 +0100 Subject: [PATCH 04/18] fix: allow graph to access jena --- .../renku/templates/network-policies.yaml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 20c91d13d4..4369507dcb 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml @@ -677,3 +677,29 @@ spec: - from: - ipBlock: cidr: 0.0.0.0/0 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: graph-ingress-to-jena + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: jena + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: jena-http From dd973fa49014e71994c77aa652865a6fb9f6780f Mon Sep 17 00:00:00 2001 
From: olevski Date: Wed, 20 Nov 2024 11:29:22 +0100 Subject: [PATCH 05/18] fix: give core cleanup jobs access to core --- .../templates/core/cache-cleanup-job.yaml | 3 ++ .../renku/templates/network-policies.yaml | 28 +++++++++++++++++-- 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/helm-chart/renku/templates/core/cache-cleanup-job.yaml b/helm-chart/renku/templates/core/cache-cleanup-job.yaml index ea665eab0c..b851a1bb51 100644 --- a/helm-chart/renku/templates/core/cache-cleanup-job.yaml +++ b/helm-chart/renku/templates/core/cache-cleanup-job.yaml @@ -13,6 +13,9 @@ spec: jobTemplate: spec: template: + metadata: + labels: + app: core-cache-cleanup spec: containers: - name: {{ include "renku-core.fullname" $ }}-cache-cleanup-{{ $version.name }} diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 4369507dcb..9ed358fc83 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml @@ -532,12 +532,36 @@ spec: - podSelector: matchLabels: app: data-service-background-jobs - release: {{ .Release.Name }} ports: - protocol: TCP port: http - protocol: TCP port: grpc +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: core-cleanup-job-ingress-to-core-service + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "renku-core.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: core-cache-cleanup + ports: + - protocol: TCP + port: http {{- if .Values.redis.install }} --- apiVersion: networking.k8s.io/v1 
@@ -691,7 +715,7 @@ spec: podSelector: matchLabels: app.kubernetes.io/name: jena - release: {{ .Release.Name }} + app.kubernetes.io/instance: {{ .Release.Name }} policyTypes: - Ingress ingress: From 6fefd42e125c2faeb1e09f3e449d5d99956f007d Mon Sep 17 00:00:00 2001 From: olevski Date: Wed, 20 Nov 2024 11:32:13 +0100 Subject: [PATCH 06/18] fix: allow graph to access core services --- .../renku/templates/network-policies.yaml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 9ed358fc83..262e34e982 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml @@ -307,6 +307,32 @@ spec: --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy +metadata: + name: graph-ingress-to-core-service + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "renku-core.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy metadata: name: gateway-ingress-to-knowledge-graph labels: From 24beaf34ba5ee518fc485646e07c2d32df3d0280 Mon Sep 17 00:00:00 2001 From: olevski Date: Wed, 20 Nov 2024 13:34:35 +0100 Subject: [PATCH 07/18] squashme: rename and cleanup --- .../renku/templates/network-policies.yaml | 130 ++++++++++++++++-- 1 file changed, 122 insertions(+), 8 deletions(-) diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 262e34e982..c2fb9605c1 100644 
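Review bot: `ingress-to-core-service-from-graph` is the second policy whose `podSelector` targets the core service pods (`app.kubernetes.io/name: {{ include "renku-core.name" . }}` plus the instance label), after `gateway-ingress-to-core-service`, and patch 05 (L13) adds a third for the cleanup job. Kubernetes unions the rules of every policy selecting a pod, so the effective allow-list for core is now spread across three documents; the file already folds several peers into one policy for authz and redis, and doing the same here (one core-service policy with three `- podSelector:` peers under a single `from:`) keeps what may reach core reviewable in one place. The surrounding policy list continues outside the hunk.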
--- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml @@ -230,7 +230,7 @@ spec: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: gateway-ingress-to-data-service + name: ingress-to-data-service-from-gateway labels: app: {{ template "renku.name" . }} chart: {{ template "renku.chart" . }} @@ -256,7 +256,7 @@ spec: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: gateway-ingress-to-notebooks + name: ingress-to-notebooks-from-gateway labels: app: {{ template "renku.name" . }} chart: {{ template "renku.chart" . }} @@ -282,7 +282,7 @@ spec: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: gateway-ingress-to-core-service + name: ingress-to-core-service-from-gateway labels: app: {{ template "renku.name" . }} chart: {{ template "renku.chart" . }} @@ -308,7 +308,7 @@ spec: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: graph-ingress-to-core-service + name: ingress-to-core-service-from-graph labels: app: {{ template "renku.name" . }} chart: {{ template "renku.chart" . }} @@ -334,7 +334,7 @@ spec: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: gateway-ingress-to-knowledge-graph + name: ingress-to-knowledge-graph-from-gateway labels: app: {{ template "renku.name" . }} chart: {{ template "renku.chart" . }} @@ -360,7 +360,7 @@ spec: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: gateway-ingress-to-search-service + name: ingress-to-search-service-from-gateway labels: app: {{ template "renku.name" . }} chart: {{ template "renku.chart" . }} @@ -567,7 +567,7 @@ spec: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: core-cleanup-job-ingress-to-core-service + name: ingress-to-core-service-from-core-cleanup-job labels: app: {{ template "renku.name" . }} chart: {{ template "renku.chart" . }} 
@@ -731,7 +731,7 @@ spec: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: graph-ingress-to-jena + name: ingress-to-jena-from-services labels: app: {{ template "renku.name" . }} chart: {{ template "renku.chart" . }} 
@@ -750,6 +750,120 @@ spec: matchLabels: app: {{ template "renku.graph.knowledgeGraph.name" . }} release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.triplesGenerator.name" . }} + release: {{ .Release.Name }} ports: - protocol: TCP port: jena-http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-event-log-from-kg-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.eventLog.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.triplesGenerator.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.webhookService.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.tokenRepository.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-event-log +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-token-repository-from-kg-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.tokenRepository.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.triplesGenerator.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.eventLog.name" . 
}} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.webhookService.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-token-repo +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-triple-generator-from-kg-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.triplesGenerator.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.eventLog.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.webhookService.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-triples-gn From 62065a4d044165f9f674f5742c62cc53c4d3fb2c Mon Sep 17 00:00:00 2001 From: olevski Date: Wed, 20 Nov 2024 14:02:04 +0100 Subject: [PATCH 08/18] fix: add ingress for commit event service --- helm-chart/renku/templates/network-policies.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index c2fb9605c1..9712220ca7 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml 
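Review bot: None of the four KG policies added here explains why each peer needs the port, while earlier policies in the file (`-k8s-watcher`, `-secrets-storage`) carry such comments; for `ingress-to-token-repository-from-kg-services` in particular (by its name it fronts stored credentials, verify) a one-line reason per peer would let a later audit of the allow-list proceed without reading the services' code. As a point of style, the seventeen peer blocks in this hunk are the same four lines with a different template name; a named helper introduced with `define` that takes the app name and emits the `podSelector`/`release` block would shrink the file and prevent the drift between selectors with and without `release` seen elsewhere in the series. The enclosing policy list continues outside the hunk.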
@@ -792,6 +792,10 @@ spec: matchLabels: app: {{ template "renku.graph.tokenRepository.name" . }} release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.commitEventService.name" . }} + release: {{ .Release.Name }} ports: - protocol: TCP port: http-event-log @@ -830,6 +834,10 @@ spec: matchLabels: app: {{ template "renku.graph.knowledgeGraph.name" . }} release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.commitEventService.name" . }} + release: {{ .Release.Name }} ports: - protocol: TCP port: http-token-repo From a7c6156f17ec707f522b11b4f61b8464ebb58082 Mon Sep 17 00:00:00 2001 From: Tasko Olevski Date: Wed, 20 Nov 2024 14:23:29 +0100 Subject: [PATCH 09/18] fix: enable triples generator and event log to call themselves --- helm-chart/renku/templates/network-policies.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 9712220ca7..55c4373ea8 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml @@ -796,6 +796,12 @@ spec: matchLabels: app: {{ template "renku.graph.commitEventService.name" . }} release: {{ .Release.Name }} + - podSelector: + matchLabels: + # The event log calls itself via a k8s service so if it is not allowed in the + # network policy like this then those requests fail. + app: {{ template "renku.graph.eventLog.name" . }} + release: {{ .Release.Name }} ports: - protocol: TCP port: http-event-log 
@@ -872,6 +878,12 @@ spec: matchLabels: app: {{ template "renku.graph.knowledgeGraph.name" . }} release: {{ .Release.Name }} + - podSelector: + matchLabels: + # The triples generator calls itself via a k8s service so if it is not allowed in the + # network policy like this then those requests fail. + app: {{ template "renku.graph.triplesGenerator.name" . }} + release: {{ .Release.Name }} ports: - protocol: TCP port: http-triples-gn From 604d7ba69fdbf41b073e636b032124d4a8f2880d Mon Sep 17 00:00:00 2001 From: Tasko Olevski Date: Wed, 20 Nov 2024 14:43:30 +0100 Subject: [PATCH 10/18] fix: allow ingress from event log to commit event svc --- .../renku/templates/network-policies.yaml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 55c4373ea8..b36c415dbe 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml @@ -887,3 +887,29 @@ spec: ports: - protocol: TCP port: http-triples-gn +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-commit-events-from-kg-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.commitEventService.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.eventLog.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-commit-sv From 85bc33391bec8e783ba5df915e3599e82edb3fe8 Mon Sep 17 00:00:00 2001 From: Tasko Olevski Date: Wed, 20 Nov 2024 15:07:55 +0100 Subject: [PATCH 11/18] fix: allow ingress to data service from notebooks --- .../renku/templates/network-policies.yaml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) 
diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index b36c415dbe..8daa358fe1 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml @@ -913,3 +913,29 @@ spec: ports: - protocol: TCP port: http-commit-sv +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-data-service-from-notebooks + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http From 953ab52f1262489f2a4e073d01672970b36e4c83 Mon Sep 17 00:00:00 2001 From: Tasko Olevski Date: Wed, 20 Nov 2024 15:30:57 +0100 Subject: [PATCH 12/18] fix: allow ingress to data service from itself --- .../renku/templates/network-policies.yaml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 8daa358fe1..693716ee8d 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml 
@@ -939,3 +939,32 @@ spec: ports: - protocol: TCP port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + # The notebooks code in data service calls data service via a K8s service + # and for this to succeed the network policy has to allow it. This can be + # removed when the notebooks code is completely migrated to the data service. + name: ingress-to-data-service-from-itself + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http From b21390afb9f0a3d217b7cc07877b864d38a13cbb Mon Sep 17 00:00:00 2001 From: Tasko Olevski Date: Wed, 20 Nov 2024 15:54:00 +0100 Subject: [PATCH 13/18] squashme: minor fixes --- helm-chart/renku/templates/network-policies.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 693716ee8d..7ec370f1ef 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml @@ -208,7 +208,7 @@ metadata: spec: podSelector: matchLabels: - app: {{ template "renku.fullname" . }}-secrets-storage + app: renku-secrets-storage release: {{ .Release.Name }} policyTypes: - Ingress 
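Review bot: The podSelector now hard-codes `app: renku-secrets-storage` where the rest of this file derives pod labels from chart templates; if that string ever drifts from the label the secrets-storage Deployment actually puts on its pods, the selector matches nothing and the default-deny ingress policy silently blocks the service with no rendering error. Verify the value against the Deployment's pod template labels, or render both from one shared helper so they cannot diverge, and consider a comment such as `# must match the pod label set by the secrets-storage Deployment`. The enclosing NetworkPolicy starts outside the hunk.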
@@ -681,9 +681,9 @@ spec: {{- toYaml .Values.networkPolicies.allowAllIngressFromPods | nindent 8 }} {{- end }} {{- if gt (.Values.networkPolicies.allowAllIngressFromNamespaces | len) 0 }} -{{- if has .Release.Namespace .Values.networkPolicies.allowAllIngressFromNamespaces -}} -{{- fail "ERROR: You cannot allow all ingress from the Helm release namespace" -}} -{{- end -}} +{{- if has .Release.Namespace .Values.networkPolicies.allowAllIngressFromNamespaces }} +{{- fail "ERROR: You cannot allow all ingress from the Helm release namespace" }} +{{- end }} --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy @@ -702,7 +702,8 @@ spec: - from: - namespaceSelector: matchExpressions: - - key: namespace + # The kubernetes.io/metadata.name label is automatically added by k8s to every namespace + - key: kubernetes.io/metadata.name operator: In values: {{- toYaml .Values.networkPolicies.allowAllIngressFromNamespaces | nindent 16 }} From 2658f06884e83579b2331baaf38d9d4f4e3d90a5 Mon Sep 17 00:00:00 2001 From: Tasko Olevski Date: Thu, 21 Nov 2024 08:29:30 +0100 Subject: [PATCH 14/18] squashme: update changelog --- CHANGELOG.rst | 33 ++++++++++++++++++++--------- helm-chart/values.yaml.changelog.md | 5 +++++ 2 files changed, 28 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index b7f942bc3c..b380d3c776 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -6,16 +6,28 @@ Renku 0.61.0 introduces a new version of Amalthea that supports running sessions with Docker images that do not contain Jupyter server. -NOTE to administrators: This upgrade introduces a brand new CRD for sessions. All services that support -sessions for Renku v2 will switch to this new CRD. Renku v1 sessions remain unchanged. -Therefore any old sessions for Renku v2 will not be visible to users after this upgrade. The sessions -themselves will not be immediately deleted and as long as users have saved links to their old sessions they -should be able to access their sessions and save data. However we recommend that administrators -notify users of the change and allow for enough time so that existing Renku v2 sessions can be saved and -cleaned up, rather than asking users to save the url to their sessions. In addition to users not being able -to see old Renku v2 sessions, they will also not be able to pause, resume or delete old Renku v2 sessions. -Therefore it's best if most sessions are properly saved and cleaned up before this update is rolled out. In order -to support the new CRD we have also created a new operator that will manage the new `amaltheasession` resources. +NOTES to administrators: + +- This upgrade introduces a brand new CRD for sessions. All services that support + sessions for Renku v2 will switch to this new CRD. Renku v1 sessions remain unchanged. + Therefore any old sessions for Renku v2 will not be visible to users after this upgrade. The sessions + themselves will not be immediately deleted and as long as users have saved links to their old sessions they + should be able to access their sessions and save data. However we recommend that administrators + notify users of the change and allow for enough time so that existing Renku v2 sessions can be saved and + cleaned up, rather than asking users to save the url to their sessions. 
In addition to users not being able + to see old Renku v2 sessions, they will also not be able to pause, resume or delete old Renku v2 sessions. + Therefore it's best if most sessions are properly saved and cleaned up before this update is rolled out. In order + to support the new CRD we have also created a new operator that will manage the new `amaltheasession` resources. + +- The network policies for Renku have been consolidated and revamped. The most notable change here is the + removal of the egress policy that prevented egress to internal IP addresses from sessions. Now we disallow + all ingress in the Renku release namespace by default and explicitly grant permissions to any pods that need + to access other pods inside the Renku release namespace. Two properties relevant to this have been added to the + Helm chart values file that allows administrators to grant access to all Renku services from a specific namespace + or to do the same for specific pods within the Renku namespace. These are not needed for Renku to function and the + default network policies should be sufficient, they have been added so that administrators can allow ingress for + other services that may not come with the Renku Helm chart such as logging or monitoring. This change will result in + the removal of some network policies and the creation of several new policies. User-Facing Changes ~~~~~~~~~~~~~~~~~~~ @@ -33,6 +45,7 @@ Internal Changes - **Data services**: Add support for OAuth storage providers - **Data services**: Move notebooks code to data services +- **Helm chart**: Consolidate and revamp network policies **Bug Fixes** diff --git a/helm-chart/values.yaml.changelog.md b/helm-chart/values.yaml.changelog.md index 54f4107b49..d65846f1c9 100644 --- a/helm-chart/values.yaml.changelog.md +++ b/helm-chart/values.yaml.changelog.md @@ -5,6 +5,11 @@ For changes that require manual steps other than changing values, please check o Please follow this convention when adding a new row * ` - **:
` +## Upgrading to Renku 0.61.0 + +* NEW ``networkPolicies.allowAllIngressFromPods`` specify pod selectors that will allow the selected pods to access all other services in the Renku release namespace. +* NEW ``networkPolicies.allowAllIngressFromNamespaces`` specify a list of namespaces that should be allowed to access all other services in the Renku release namespace. + ## Upgrading to Renku 0.60.0 * NEW ``gateway.idleSessionTTLSeconds`` to set the session idle TTL in seconds. From 9683936616d44477d56c4ff0e403fe16e8713140 Mon Sep 17 00:00:00 2001 From: Tasko Olevski Date: Thu, 21 Nov 2024 08:45:54 +0100 Subject: [PATCH 15/18] fix: allow access to authz from users sync job --- helm-chart/renku/templates/network-policies.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 7ec370f1ef..42c10a6537 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml @@ -558,6 +558,9 @@ spec: - podSelector: matchLabels: app: data-service-background-jobs + - podSelector: + matchLabels: + app: data-service-total-users-sync ports: - protocol: TCP port: http From e9b11aa935fb060d97145e68ec0ecde011801588 Mon Sep 17 00:00:00 2001 From: Tasko Olevski Date: Thu, 21 Nov 2024 09:34:47 +0100 Subject: [PATCH 16/18] squashme: consolidate setup job network policy --- .../renku/templates/network-policies.yaml | 10 +++--- .../templates/setup-job-network-policy.yaml | 35 ------------------- 2 files changed, 6 insertions(+), 39 deletions(-) delete mode 100644 helm-chart/renku/templates/setup-job-network-policy.yaml diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 42c10a6537..8651251be3 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml 
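Review bot: The new `data-service-total-users-sync` podSelector carries no `release: {{ .Release.Name }}` label, unlike most pod selectors in this file, so in a namespace hosting more than one release any pod with that app label is granted ingress to authz. The neighbouring `data-service-background-jobs` selector has the same gap; if the omission is deliberate because those jobs do not set the release label, a one-line comment saying so would help, otherwise add `release: {{ .Release.Name }}` under `matchLabels`. The enclosing ingress rule starts outside the hunk.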
@@ -94,13 +94,15 @@ spec: namespaceSelector: matchLabels: kubernetes.io/metadata.name: {{ .Release.Namespace }} + - podSelector: + matchLabels: + app: postgres-setup + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ .Release.Namespace }} ports: - protocol: TCP port: 5432 - - from: - - podSelector: {} - namespaceSelector: {} - ports: - protocol: TCP port: 9187 {{- end }} diff --git a/helm-chart/renku/templates/setup-job-network-policy.yaml b/helm-chart/renku/templates/setup-job-network-policy.yaml deleted file mode 100644 index 736a0713da..0000000000 --- a/helm-chart/renku/templates/setup-job-network-policy.yaml +++ /dev/null @@ -1,35 +0,0 @@ -{{- if not .Values.global.externalServices.postgresql.enabled }} ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "renku.fullname" . }}-setup-job - labels: - app: {{ template "renku.name" . }} - chart: {{ template "renku.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - podSelector: - matchLabels: - app.kubernetes.io/name: postgresql - policyTypes: - - Ingress - ingress: - - from: - - podSelector: - matchLabels: - app: postgres-setup - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: {{ .Release.Namespace }} - ports: - - protocol: TCP - port: 5432 - - from: - - podSelector: {} - namespaceSelector: {} - ports: - - protocol: TCP - port: 9187 -{{- end }} From 042f3bb6d6aec3f7348bcab065e699ad7158af07 Mon Sep 17 00:00:00 2001 From: Tasko Olevski Date: Thu, 21 Nov 2024 15:20:34 +0100 Subject: [PATCH 17/18] fix: close egress from sessions except for the release namespace --- .../renku/templates/network-policies.yaml | 119 ++++++++++++++++++ 1 file changed, 119 insertions(+) diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 8651251be3..afa2c2a0f9 100644 --- a/helm-chart/renku/templates/network-policies.yaml 
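Review bot: After this consolidation port 9187 is no longer its own rule open to `podSelector: {}` / `namespaceSelector: {}` but a second entry in the `ports` list of the rule above, so the exporter port is now reachable only from the pods named in that rule's `from` list. That is a tightening and looks intentional, but any metrics scraper living outside those selectors loses access and must be granted it through `networkPolicies.allowAllIngressFromNamespaces` or `allowAllIngressFromPods`; a comment above the port would avoid surprise, e.g. `# metrics port: only reachable from the pods listed in 'from' above; external scrapers need allowAllIngressFromNamespaces`. The rule's `from` list starts outside the hunk.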
+++ b/helm-chart/renku/templates/network-policies.yaml 
@@ -974,3 +974,122 @@ spec: ports: - protocol: TCP port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: deny-all-egress-from-sessions-v1 +spec: + egress: [] + podSelector: + matchLabels: + app.kubernetes.io/component: jupyterserver + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/name: amalthea + policyTypes: + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: deny-all-egress-from-sessions-v2 +spec: + egress: [] + podSelector: + matchLabels: + app.kubernetes.io/created-by: controller-manager + app.kubernetes.io/name: AmaltheaSession + policyTypes: + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-only-egress-for-sessions-that-target-this-namespace-v1 +spec: + egress: + - to: + - namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - {{ .Release.Namespace | quote }} + podSelector: + matchLabels: + app.kubernetes.io/component: jupyterserver + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/name: amalthea + policyTypes: + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-only-egress-for-sessions-that-target-this-namespace-v2 +spec: + egress: + - to: + - namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - {{ .Release.Namespace | quote }} + podSelector: + matchLabels: + app.kubernetes.io/created-by: controller-manager + app.kubernetes.io/name: AmaltheaSession + policyTypes: + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-only-egress-for-sessions-for-name-resolution-v1 +spec: + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + podSelector: + matchLabels: + 
app.kubernetes.io/component: jupyterserver + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/name: amalthea + policyTypes: + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-only-egress-for-sessions-for-name-resolution-v2 +spec: + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/created-by: controller-manager + app.kubernetes.io/name: AmaltheaSession + policyTypes: + - Egress From 8fc5da196e96c0c289ea5db5c4c72f1807c87c40 Mon Sep 17 00:00:00 2001 From: Tasko Olevski Date: Fri, 22 Nov 2024 07:25:13 +0100 Subject: [PATCH 18/18] fix: egress to dns and external ips for sessions --- .../renku/templates/network-policies.yaml | 114 ++++++++---------- 1 file changed, 52 insertions(+), 62 deletions(-) diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index afa2c2a0f9..6dc5ac286e 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml 
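Review bot: The name-resolution egress rules pin DNS to pods labelled `k8s-app: kube-dns` in `kube-system`, so on a cluster whose resolver carries a different label or runs in another namespace (node-local DNS caches, some managed distributions) sessions would lose all name resolution once these policies apply; consider exposing the DNS namespace and label as chart values, or at least document the assumption, e.g. `# assumes the cluster resolver is the kube-dns/CoreDNS deployment in kube-system`. Separately, the six new policies in this hunk have no `labels:` block (app/chart/release/heritage), unlike every other policy in the file, which makes them inconsistent to maintain and invisible to label-based selection; the later rename in this series keeps the egress policies without labels, so the point still applies.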
@@ -978,78 +978,39 @@ spec: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: deny-all-egress-from-sessions-v1 -spec: - egress: [] - podSelector: - matchLabels: - app.kubernetes.io/component: jupyterserver - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/name: amalthea - policyTypes: - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: deny-all-egress-from-sessions-v2 -spec: - egress: [] - podSelector: - matchLabels: - app.kubernetes.io/created-by: controller-manager - app.kubernetes.io/name: AmaltheaSession - policyTypes: - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-only-egress-for-sessions-that-target-this-namespace-v1 -spec: - egress: - - to: - - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - - {{ .Release.Namespace | quote }} - podSelector: - matchLabels: - app.kubernetes.io/component: jupyterserver - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/name: amalthea - policyTypes: - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-only-egress-for-sessions-that-target-this-namespace-v2 + # Needed for secret mounting + name: ingress-to-data-service-from-v1-sessions + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} spec: - egress: - - to: - - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - - {{ .Release.Namespace | quote }} podSelector: matchLabels: - app.kubernetes.io/created-by: controller-manager - app.kubernetes.io/name: AmaltheaSession + app: renku-data-service + release: {{ .Release.Name }} policyTypes: - - Egress + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/component: jupyterserver + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/name: amalthea + ports: + - protocol: TCP + port: http --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: allow-only-egress-for-sessions-for-name-resolution-v1 + name: egress-from-renku-v1-sessions spec: egress: - to: + # DNS resolution - namespaceSelector: matchLabels: kubernetes.io/metadata.name: kube-system @@ -1061,6 +1022,23 @@ spec: protocol: UDP - port: 53 protocol: TCP + - to: + # Allow access to any port/protocol as long as it is directed + # outside of the cluster. This is done by excluding + # IP ranges which are reserved for private networking from + # the allowed range. + - ipBlock: + cidr: 0.0.0.0/0 + except: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - to: + # Allow access to data service, needed for secret mounting + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} podSelector: matchLabels: app.kubernetes.io/component: jupyterserver @@ -1072,10 +1050,11 @@ spec: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: allow-only-egress-for-sessions-for-name-resolution-v2 + name: egress-from-renku-v2-sessions spec: egress: - to: + # DNS resolution - namespaceSelector: matchLabels: kubernetes.io/metadata.name: kube-system 
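Review bot: The `ipBlock` rule added for v1 sessions excludes only the three RFC 1918 ranges, so the link-local range `169.254.0.0/16` — where cloud providers expose the instance metadata service — and the CGNAT range `100.64.0.0/10` used by several CNIs and overlay networks remain reachable from user sessions, as would any node or service IPs a cluster assigns outside RFC 1918. Add at least `- 169.254.0.0/16` and `- 100.64.0.0/10` to the `except` list, and consider surfacing the list as a chart value so operators can append their cluster's node and service CIDRs. The same rule is added for v2 sessions in the `@@ -1087,6 +1066,17 @@` hunk below and needs the same change. The enclosing egress rule list starts outside the hunk.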
@@ -1087,6 +1066,17 @@ spec: protocol: UDP - port: 53 protocol: TCP + - to: + # Allow access to any port/protocol as long as it is directed + # outside of the cluster. This is done by excluding + # IP ranges which are reserved for private networking from + # the allowed range. + - ipBlock: + cidr: 0.0.0.0/0 + except: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 podSelector: matchLabels: app.kubernetes.io/created-by: controller-manager