Remove pod CIDR restrictions from NetPols for published TCP ports (#1975

)

Signed-off-by: Grant Linville <[email protected]>

docs/docs/30-installation/02-options.md

@@ -95,11 +95,18 @@ The default installation of Acorn will automatically create and sync any storage
 If an admin would rather manually manage the volume classes and not have these generated ones, then the `--manage-volume-classes` installation flag is available. The generated volume classes are not generated if this flag is used, and are deleted when the flag is set on an existing Acorn installation. If the flag is again switched off with `--manage-volume-classes=false`, then the volume classes will be generated again.
 
 ## Kubernetes NetworkPolicies
-Acorn can automatically create and manage Kubernetes [NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to isolate Acorn projects on the network level. This behavior can be enabled by passing `--network-policies=true` to `acorn install`, and can later be disabled by passing `--network-policies=false`.
+Acorn can automatically create and manage Kubernetes [NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to isolate Acorn projects on the network level.
+This behavior can be enabled by passing `--network-policies=true` to `acorn install`, and can later be disabled by passing `--network-policies=false`.
 
-When NetworkPolicies are enabled, Acorn workloads that publish ports that use HTTP will be allowed to receive traffic from internal (other pods in the cluster) and external (through the cluster's ingress) sources. To secure this further, you can require all traffic to Acorn workloads flow through your ingress by specifying the `--ingress-controller-namespace` parameter during installation.
+When NetworkPolicies are enabled, Acorn workloads that publish ports that use HTTP will be allowed to receive traffic from internal (other pods in the cluster) and external (through the cluster's ingress) sources.
+To secure this further, you can require all traffic to Acorn workloads flow through your ingress by specifying the `--ingress-controller-namespace` parameter during installation.
 
-To allow traffic from a specific namespace to all Acorn apps in the cluster, use `--allow-traffic-from-namespace=<namespace>`. This is useful if there is a monitoring namespace, for example, that needs to be able to connect to all the pods created by Acorn in order to scrape metrics.
+:::caution
+Acorn workloads that publish ports that use TCP will be allowed to receive traffic from any source, whether it comes from outside or inside of the cluster.
+:::
+
+To allow traffic from a specific namespace to all Acorn apps in the cluster, use `--allow-traffic-from-namespace=<namespace>`.
+This is useful if there is a monitoring namespace, for example, that needs to be able to connect to all the pods created by Acorn in order to scrape metrics.
 
 ## Working with external LoadBalancer controllers
 If you are using an external `LoadBalancer` controller that requires annotations on `LoadBalancer` Services to operate, such as the `aws-load-balancer-controller`, you can pass the `--service-lb-annotation` flag to `acorn install`. This will cause Acorn to add the specified annotations to all `LoadBalancer` Services it creates. The value of the flag should be a comma-separated list of key-value pairs, where the key is the annotation name and the value is the annotation value. For example:

pkg/controller/networkpolicy/networkpolicy.go

@@ -217,7 +217,8 @@ func ForIngress(req router.Request, resp router.Response) error {
 }
 
 // ForService creates a Kubernetes NetworkPolicy to allow traffic to published TCP/UDP ports
-// on Acorn apps that are exposed with LoadBalancer Services.
+// on Acorn apps that are exposed with LoadBalancer Services. This NetworkPolicy will allow
+// traffic from all IP addresses.
 func ForService(req router.Request, resp router.Response) error {
 	cfg, err := config.Get(req.Ctx, req.Client)
 	if err != nil {
@@ -242,12 +243,6 @@ func ForService(req router.Request, resp router.Response) error {
 		return nil
 	}
 
-	// build the ipBlock for the NetPol
-	ipBlock, err := buildExternalIPBlock(req)
-	if err != nil {
-		return err
-	}
-
 	// build the port slice for the NetPol
 	var netPolPorts []networkingv1.NetworkPolicyPort
 	for _, port := range service.Spec.Ports {
@@ -273,25 +268,9 @@ func ForService(req router.Request, resp router.Response) error {
 				MatchLabels: service.Spec.Selector, // the NetPol will target the same pods that the service targets
 			},
 			Ingress: []networkingv1.NetworkPolicyIngressRule{{
-				From: []networkingv1.NetworkPolicyPeer{
-					{
-						IPBlock: ipBlock,
-					},
-					{
-						NamespaceSelector: &metav1.LabelSelector{
-							MatchLabels: map[string]string{
-								"kubernetes.io/metadata.name": "kube-system",
-							},
-						},
-					},
-					{
-						NamespaceSelector: &metav1.LabelSelector{
-							MatchLabels: map[string]string{
-								"kubernetes.io/metadata.name": "acorn-system",
-							},
-						},
-					},
-				},
+				From: []networkingv1.NetworkPolicyPeer{{
+					IPBlock: &networkingv1.IPBlock{CIDR: "0.0.0.0/0"},
+				}},
 				Ports: netPolPorts,
 			}},
 			PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},

pkg/controller/networkpolicy/testdata/networkpolicy/service/expected.golden

@@ -11,14 +11,6 @@ spec:
   - from:
     - ipBlock:
         cidr: 0.0.0.0/0
-        except:
-        - 10.42.0.0/24
-    - namespaceSelector:
-        matchLabels:
-          kubernetes.io/metadata.name: kube-system
-    - namespaceSelector:
-        matchLabels:
-          kubernetes.io/metadata.name: acorn-system
     ports:
     - port: 8080
       protocol: TCP