netpol: allowedIngressPorts and interNamespaceAccessLabels config added with defaults retaining 0.9.1 current behavior

CHANGELOG.md

@@ -4,7 +4,7 @@ Here you can find upgrade changes in between releases and upgrade instructions.
 
 ## [0.10]
 
-### [0.10.0]
+### [0.10.0-beta.1] (UNRELEASED)
 
 #### Breaking changes:
 
@@ -16,17 +16,17 @@ Here you can find upgrade changes in between releases and upgrade instructions.
   known to be needed, with the exception of the user pods outgoing
   communication, where all outgoing communication is allowed by default.
 
-  Note that these network policies only influence network communication in a
+  Note that these NetworkPolicies only influence network communication in a
   Kubernetes cluster if a NetworkPolicy controller enforce them, such as Calico.
 
-  With network policies enabled, you may require additional configuration,
-  especially for deployments that include additional components that access
-  JupyterHub pods directly (i.e. not through the `proxy-public` service).
-
   See the [security
   documentation](https://zero-to-jupyterhub.readthedocs.io/en/latest/administrator/security.html#kubernetes-network-policies)
   for more details on this.
 
+- The Helm chart configuration `proxy.networkPolicy` has been removed,
+  `proxy.chp.networkPolicy` (proxy pod) and `proxy.traefik.networkPolicy`
+  (autohttps pod) must be used instead.
+
 ## [0.9]
 
 ### [0.9.0] - 2020-04-15

dev-config.yaml

@@ -25,13 +25,13 @@ proxy:
     extraEnv:
       - name: LEGO_CA_CERTIFICATES
         value: /etc/pebble/root-cert.pem
-  networkPolicy:
-    egress: []  # overrides allowance of 0.0.0.0/0
   chp:
     resources:
       requests:
         memory: 0
         cpu: 0
+    networkPolicy:
+      egress: []  # overrides allowance of 0.0.0.0/0
 
 hub:
   cookieSecret: cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc

jupyterhub/schema.yaml

@@ -191,6 +191,57 @@ properties:
               pullSecrets:
                 - my-k8s-secret-with-image-registry-credentials
               ```
+      networkPolicy: &networkPolicy-spec
+        type: object
+        description: |
+          This configuration regards the creation and configuration of a k8s
+          _NetworkPolicy resource_.
+        properties:
+          enabled:
+            type: bool
+            description: |
+              Toggle the creation of the NetworkPolicy resource for this pod.
+          ingress:
+            type: list
+            description: |
+              Additional ingress rules to add except those that is known to be needed by the respective pods in the Helm chart.
+          egress:
+            type: list
+            description: |
+              Additional egress rules to add except those that is known to be needed by  the respective pods in the Helm chart.
+
+              The default value of this egress is to allow all traffic, except for the `singleuser.networkPolicy.egress`, which is also limiting access to a metadata server that can be exploited.
+
+              If you want to restrict egress, you can override this permissive default to be an empty list.
+          interNamespaceAccessLabels:
+            type: string
+            enum:
+              - accept
+              - ignore
+            description: |
+              This configuration option determines if both namespaces and pods
+              in other namespaces, that have specific access labels, should be
+              accepted to allow ingress (set to `accept`), or, if the labels are
+              to be ignored when applied outside the local namespace (set to
+              `ignore`).
+
+              The available access labels for respective NetworkPolicy resources
+              are:
+
+              - `hub.jupyter.org/network-access-hub: "true"` (hub)
+              - `hub.jupyter.org/network-access-proxy-http: "true"` (proxy.chp, proxy.traefik)
+              - `hub.jupyter.org/network-access-proxy-api: "true"` (proxy.chp)
+              - `hub.jupyter.org/network-access-singleuser: "true"` (singleuser)
+          allowedIngressPorts:
+            type: list
+            description: |
+              A rule to allow ingress on these ports will be added no matter
+              what the origin of the request is. The default setting for
+              `proxy.chp` and `proxy.traefik`'s networkPolicy configuration is
+              `[http, https]`, while it is `[]` for other networkPolicies.
+
+              Note that these port names or numbers target a Pod's port name or
+              number, not a k8s Service's port name or number.
       db:
         type: object
         properties:
@@ -535,6 +586,7 @@ properties:
           Configure the configurable-http-proxy (chp) pod managed by jupyterhub to route traffic
           both to itself and to user pods.
         properties:
+          networkPolicy: *networkPolicy-spec
           extraCommandLineFlags:
             type: list
             description: |
@@ -806,6 +858,7 @@ properties:
 
               See the [Kubernetes docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
               to learn more about labels.
+          networkPolicy: *networkPolicy-spec
           extraEnv:
             type: object
             description: |
@@ -880,6 +933,7 @@ properties:
     description: |
       Options for customizing the environment that is provided to the users after they log in.
     properties:
+      networkPolicy: *networkPolicy-spec
       podNameTemplate:
         type: string
         description: |

jupyterhub/templates/NOTES.txt

@@ -38,6 +38,11 @@ WARNING: Configuring proxy.https without setting proxy.https.enabled to true is
 {{- end }}
 
 
+{{- if .Values.proxy.networkPolicy }}
+{{- fail "DEPRECATION: proxy.networkPolicy has been renamed to proxy.chp.networkPolicy" }}
+{{- end }}
+
+
 {{- if .Values.hub.extraConfigMap }}{{ println }}
 DEPRECATION: hub.extraConfigMap is deprecated in jupyterhub chart 0.8.
 Use top-level `custom` instead:

jupyterhub/templates/hub/netpol.yaml

@@ -13,17 +13,49 @@ spec:
     - Ingress
     - Egress
 
+  # IMPORTANT:
+  # NetworkPolicy's ingress "from" and egress "to" rule specifications require
+  # great attention to detail. A quick summary is:
+  #
+  # 1. You can provide "from"/"to" rules that provide access either ports or a
+  #    subset of ports.
+  # 2. You can for each "from"/"to" rule provide any number of
+  #    "sources"/"destinations" of four different kinds.
+  #    - podSelector                        - targets pods with a certain label in the same namespace as the NetworkPolicy
+  #    - namespaceSelector                  - targets all pods running in namespaces with a certain label
+  #    - namespaceSelector and podSelector  - targets pods with a certain label running in namespaces with a certain label
+  #    - ipBlock                            - targets network traffic from/to a set of IP address ranges
+  #
+  # Read more at: https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors
+  #
   ingress:
+    {{- with .Values.hub.networkPolicy.allowedIngressPorts }}
+    # allow incoming traffic to these ports independent of source
+    - ports:
+      {{- range $port := . }}
+      - port: {{ $port }}
+      {{- end }}
+    {{- end }}
+
     # allowed pods (hub.jupyter.org/network-access-hub) --> hub
     - ports:
         - port: http
       from:
+        # source 1 - labeled pods
         - podSelector:
             matchLabels:
               hub.jupyter.org/network-access-hub: "true"
+        {{- if eq .Values.hub.networkPolicy.interNamespaceAccessLabels "accept" }}
+          namespaceSelector:
+            matchLabels: {}   # without this, the podSelector would only consider pods in the local namespace
+        # source 2 - pods in labeled namespaces
+        - namespaceSelector:
+            matchLabels:
+              hub.jupyter.org/network-access-hub: "true"
+        {{- end }}
 
     {{- with .Values.hub.networkPolicy.ingress }}
-    # default: nothing --> hub
+    # depends, but default is nothing --> hub
     {{- . | toYaml | trimSuffix "\n" | nindent 4 }}
     {{- end }}
 
@@ -45,15 +77,15 @@ spec:
               {{- $_ := merge (dict "componentLabel" "singleuser-server") . }}
               {{- include "jupyterhub.matchLabels" $_ | nindent 14 }}
 
-    # hub -> Kubernetes internal DNS
+    # hub --> Kubernetes internal DNS
     - ports:
         - protocol: UDP
           port: 53
         - protocol: TCP
           port: 53
 
     {{- with .Values.hub.networkPolicy.egress }}
-    # hub --> default: everything
+    # hub --> depends, but the default is everything
     {{- . | toYaml | trimSuffix "\n" | nindent 4 }}
     {{- end }}
 {{- end }}

jupyterhub/templates/proxy/autohttps/netpol.yaml

@@ -0,0 +1,86 @@
+{{- $HTTPS := .Values.proxy.https.enabled -}}
+{{- $autoHTTPS := and $HTTPS (and (eq .Values.proxy.https.type "letsencrypt") .Values.proxy.https.hosts) -}}
+{{- if and $autoHTTPS .Values.proxy.traefik.networkPolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: autohttps
+  labels:
+    {{- include "jupyterhub.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "jupyterhub.matchLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+    - Egress
+
+  # IMPORTANT:
+  # NetworkPolicy's ingress "from" and egress "to" rule specifications require
+  # great attention to detail. A quick summary is:
+  #
+  # 1. You can provide "from"/"to" rules that provide access either ports or a
+  #    subset of ports.
+  # 2. You can for each "from"/"to" rule provide any number of
+  #    "sources"/"destinations" of four different kinds.
+  #    - podSelector                        - targets pods with a certain label in the same namespace as the NetworkPolicy
+  #    - namespaceSelector                  - targets all pods running in namespaces with a certain label
+  #    - namespaceSelector and podSelector  - targets pods with a certain label running in namespaces with a certain label
+  #    - ipBlock                            - targets network traffic from/to a set of IP address ranges
+  #
+  # Read more at: https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors
+  #
+  ingress:
+    {{- with .Values.proxy.traefik.networkPolicy.allowedIngressPorts }}
+    # allow incoming traffic to these ports independent of source
+    - ports:
+      {{- range $port := . }}
+      - port: {{ $port }}
+      {{- end }}
+    {{- end }}
+
+    # allowed pods (hub.jupyter.org/network-access-proxy-http) --> proxy (http/https port)
+    - ports:
+        - port: http
+        - port: https
+      from:
+        # source 1 - labeled pods
+        - podSelector:
+            matchLabels:
+              hub.jupyter.org/network-access-proxy-http: "true"
+        {{- if eq .Values.proxy.traefik.networkPolicy.interNamespaceAccessLabels "accept" }}
+          namespaceSelector:
+            matchLabels: {}   # without this, the podSelector would only consider pods in the local namespace
+        # source 2 - pods in labeled namespaces
+        - namespaceSelector:
+            matchLabels:
+              hub.jupyter.org/network-access-proxy-http: "true"
+        {{- end }}
+
+    {{- with .Values.proxy.traefik.networkPolicy.ingress}}
+    # depends, but default is nothing --> proxy
+    {{- . | toYaml | trimSuffix "\n" | nindent 4 }}
+    {{- end }}
+
+  egress:
+    # autohttps --> proxy (http port)
+    - ports:
+        - port: 8000
+      to:
+        - podSelector:
+            matchLabels:
+              {{- $_ := merge (dict "componentLabel" "proxy") . }}
+              {{- include "jupyterhub.matchLabels" $_ | nindent 14 }}
+
+    # autohttps --> Kubernetes internal DNS
+    - ports:
+      - protocol: UDP
+        port: 53
+      - protocol: TCP
+        port: 53
+
+    {{- with .Values.proxy.traefik.networkPolicy.egress }}
+    # autohttps --> depends, but the default is everything
+    {{- . | toYaml | trimSuffix "\n" | nindent 4 }}
+    {{- end }}
+{{- end }}

jupyterhub/templates/proxy/netpol.yaml

@@ -2,7 +2,7 @@
 {{- $autoHTTPS := and $HTTPS (and (eq .Values.proxy.https.type "letsencrypt") .Values.proxy.https.hosts) -}}
 {{- $manualHTTPS := and $HTTPS (eq .Values.proxy.https.type "manual") -}}
 {{- $manualHTTPSwithsecret := and $HTTPS (eq .Values.proxy.https.type "secret") -}}
-{{- if .Values.proxy.networkPolicy.enabled -}}
+{{- if .Values.proxy.chp.networkPolicy.enabled -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -17,28 +17,69 @@ spec:
     - Ingress
     - Egress
 
+  # IMPORTANT:
+  # NetworkPolicy's ingress "from" and egress "to" rule specifications require
+  # great attention to detail. A quick summary is:
+  #
+  # 1. You can provide "from"/"to" rules that provide access either ports or a
+  #    subset of ports.
+  # 2. You can for each "from"/"to" rule provide any number of
+  #    "sources"/"destinations" of four different kinds.
+  #    - podSelector                        - targets pods with a certain label in the same namespace as the NetworkPolicy
+  #    - namespaceSelector                  - targets all pods running in namespaces with a certain label
+  #    - namespaceSelector and podSelector  - targets pods with a certain label running in namespaces with a certain label
+  #    - ipBlock                            - targets network traffic from/to a set of IP address ranges
+  #
+  # Read more at: https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors
+  #
   ingress:
+    {{- with .Values.proxy.chp.networkPolicy.allowedIngressPorts }}
+    # allow incoming traffic to these ports independent of source
+    - ports:
+      {{- range $port := . }}
+      - port: {{ $port }}
+      {{- end }}
+    {{- end }}
+
     # allowed pods (hub.jupyter.org/network-access-proxy-http) --> proxy (http/https port)
     - ports:
         - port: http
         {{- if or $manualHTTPS $manualHTTPSwithsecret }}
         - port: https
         {{- end }}
       from:
+        # source 1 - labeled pods
         - podSelector:
             matchLabels:
               hub.jupyter.org/network-access-proxy-http: "true"
+        {{- if eq .Values.proxy.chp.networkPolicy.interNamespaceAccessLabels "accept" }}
+          namespaceSelector:
+            matchLabels: {}   # without this, the podSelector would only consider pods in the local namespace
+        # source 2 - pods in labeled namespaces
+        - namespaceSelector:
+            matchLabels:
+              hub.jupyter.org/network-access-proxy-http: "true"
+        {{- end }}
 
     # allowed pods (hub.jupyter.org/network-access-proxy-api) --> proxy (api port)
     - ports:
         - port: api
       from:
+        # source 1 - labeled pods
         - podSelector:
             matchLabels:
               hub.jupyter.org/network-access-proxy-api: "true"
+        {{- if eq .Values.proxy.chp.networkPolicy.interNamespaceAccessLabels "accept" }}
+          namespaceSelector:
+            matchLabels: {}   # without this, the podSelector would only consider pods in the local namespace
+        # source 2 - pods in labeled namespaces
+        - namespaceSelector:
+            matchLabels:
+              hub.jupyter.org/network-access-proxy-api: "true"
+        {{- end }}
 
-    {{- with .Values.proxy.networkPolicy.ingress}}
-    # default: nothing --> proxy
+    {{- with .Values.proxy.chp.networkPolicy.ingress}}
+    # depends, but default is nothing --> proxy
     {{- . | toYaml | trimSuffix "\n" | nindent 4 }}
     {{- end }}
 
@@ -61,15 +102,15 @@ spec:
               {{- $_ := merge (dict "componentLabel" "singleuser-server") . }}
               {{- include "jupyterhub.matchLabels" $_ | nindent 14 }}
 
-    # proxy -> Kubernetes internal DNS
+    # proxy --> Kubernetes internal DNS
     - ports:
       - protocol: UDP
         port: 53
       - protocol: TCP
         port: 53
 
-    {{- with .Values.proxy.networkPolicy.egress }}
-    # proxy --> default: everything
+    {{- with .Values.proxy.chp.networkPolicy.egress }}
+    # proxy --> depends, but the default is everything
     {{- . | toYaml | trimSuffix "\n" | nindent 4 }}
     {{- end }}
 {{- end }}