From 7ae0890a7567d45480219ef09637038e30c153d8 Mon Sep 17 00:00:00 2001
From: Grant Linville
Date: Tue, 25 Jul 2023 16:45:51 -0400
Subject: [PATCH] Remove pod CIDR restrictions from NetPols for published TCP ports (#1975)

Signed-off-by: Grant Linville
---
 docs/docs/30-installation/02-options.md | 13 ++++++--
 pkg/controller/networkpolicy/networkpolicy.go | 31 +++----------------
 .../networkpolicy/service/expected.golden | 8 -----
 3 files changed, 15 insertions(+), 37 deletions(-)

diff --git a/docs/docs/30-installation/02-options.md b/docs/docs/30-installation/02-options.md
index c5901fe0d..0467bb2ea 100644
--- a/docs/docs/30-installation/02-options.md
+++ b/docs/docs/30-installation/02-options.md
@@ -95,11 +95,18 @@ The default installation of Acorn will automatically create and sync any storage
 If an admin would rather manually manage the volume classes and not have these generated ones, then the `--manage-volume-classes` installation flag is available. The generated volume classes are not generated if this flag is used, and are deleted when the flag is set on an existing Acorn installation. If the flag is again switched off with `--manage-volume-classes=false`, then the volume classes will be generated again.
 
 ## Kubernetes NetworkPolicies
-Acorn can automatically create and manage Kubernetes [NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to isolate Acorn projects on the network level. This behavior can be enabled by passing `--network-policies=true` to `acorn install`, and can later be disabled by passing `--network-policies=false`.
+Acorn can automatically create and manage Kubernetes [NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to isolate Acorn projects on the network level.
+This behavior can be enabled by passing `--network-policies=true` to `acorn install`, and can later be disabled by passing `--network-policies=false`.
 
-When NetworkPolicies are enabled, Acorn workloads that publish ports that use HTTP will be allowed to receive traffic from internal (other pods in the cluster) and external (through the cluster's ingress) sources. To secure this further, you can require all traffic to Acorn workloads flow through your ingress by specifying the `--ingress-controller-namespace` parameter during installation.
+When NetworkPolicies are enabled, Acorn workloads that publish ports that use HTTP will be allowed to receive traffic from internal (other pods in the cluster) and external (through the cluster's ingress) sources.
+To secure this further, you can require all traffic to Acorn workloads flow through your ingress by specifying the `--ingress-controller-namespace` parameter during installation.
 
-To allow traffic from a specific namespace to all Acorn apps in the cluster, use `--allow-traffic-from-namespace=`. This is useful if there is a monitoring namespace, for example, that needs to be able to connect to all the pods created by Acorn in order to scrape metrics.
+:::caution
+Acorn workloads that publish ports that use TCP will be allowed to receive traffic from any source, whether it comes from outside or inside of the cluster.
+:::
+
+To allow traffic from a specific namespace to all Acorn apps in the cluster, use `--allow-traffic-from-namespace=`.
+This is useful if there is a monitoring namespace, for example, that needs to be able to connect to all the pods created by Acorn in order to scrape metrics.
 
 ## Working with external LoadBalancer controllers
 If you are using an external `LoadBalancer` controller that requires annotations on `LoadBalancer` Services to operate, such as the `aws-load-balancer-controller`, you can pass the `--service-lb-annotation` flag to `acorn install`. This will cause Acorn to add the specified annotations to all `LoadBalancer` Services it creates. The value of the flag should be a comma-separated list of key-value pairs, where the key is the annotation name and the value is the annotation value. For example:
diff --git a/pkg/controller/networkpolicy/networkpolicy.go b/pkg/controller/networkpolicy/networkpolicy.go
index 8e8d5d8fe..190328479 100644
--- a/pkg/controller/networkpolicy/networkpolicy.go
+++ b/pkg/controller/networkpolicy/networkpolicy.go
@@ -217,7 +217,8 @@ func ForIngress(req router.Request, resp router.Response) error {
 }
 
 // ForService creates a Kubernetes NetworkPolicy to allow traffic to published TCP/UDP ports
-// on Acorn apps that are exposed with LoadBalancer Services.
+// on Acorn apps that are exposed with LoadBalancer Services. This NetworkPolicy will allow
+// traffic from all IP addresses.
 func ForService(req router.Request, resp router.Response) error {
 cfg, err := config.Get(req.Ctx, req.Client)
 if err != nil {
@@ -242,12 +243,6 @@ func ForService(req router.Request, resp router.Response) error {
 return nil
 }
 
- // build the ipBlock for the NetPol
- ipBlock, err := buildExternalIPBlock(req)
- if err != nil {
- return err
- }
-
 // build the port slice for the NetPol
 var netPolPorts []networkingv1.NetworkPolicyPort
 for _, port := range service.Spec.Ports {
@@ -273,25 +268,9 @@ func ForService(req router.Request, resp router.Response) error {
 MatchLabels: service.Spec.Selector, // the NetPol will target the same pods that the service targets
 },
 Ingress: []networkingv1.NetworkPolicyIngressRule{{
- From: []networkingv1.NetworkPolicyPeer{
- {
- IPBlock: ipBlock,
- },
- {
- NamespaceSelector: &metav1.LabelSelector{
- MatchLabels: map[string]string{
- "kubernetes.io/metadata.name": "kube-system",
- },
- },
- },
- {
- NamespaceSelector: &metav1.LabelSelector{
- MatchLabels: map[string]string{
- "kubernetes.io/metadata.name": "acorn-system",
- },
- },
- },
- },
+ From: []networkingv1.NetworkPolicyPeer{{
+ IPBlock: &networkingv1.IPBlock{CIDR: "0.0.0.0/0"},
+ }},
 Ports: netPolPorts,
 }},
 PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
diff --git a/pkg/controller/networkpolicy/testdata/networkpolicy/service/expected.golden b/pkg/controller/networkpolicy/testdata/networkpolicy/service/expected.golden
index 2eeb23a0b..0258f2288 100644
--- a/pkg/controller/networkpolicy/testdata/networkpolicy/service/expected.golden
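Review bot: The single `From` peer in the `@@ -273` hunk allows `0.0.0.0/0` only, which in Kubernetes NetworkPolicy semantics matches IPv4 sources and nothing else, so on a dual-stack or IPv6-only cluster this rule would still block IPv6 clients while the updated doc comment in the `@@ -217` hunk promises traffic "from all IP addresses". Since the intent is to admit any source, either add a second peer `{IPBlock: &networkingv1.IPBlock{CIDR: "::/0"}}` or drop the selector entirely — an ingress rule with no `from` matches all sources — e.g. `Ingress: []networkingv1.NetworkPolicyIngressRule{{Ports: netPolPorts}}`. The security consequence also deserves a comment next to the rule, because the change widens the policy from the external block plus `kube-system`/`acorn-system` to every pod in the cluster, including pods in other Acorn projects: `// NOTE: this intentionally admits any source, including pods in other Acorn projects; project isolation does not apply to published TCP/UDP ports.` If `buildExternalIPBlock` has no remaining callers after the `@@ -242` hunk removed this one, it is now dead code, though any other callers are outside this diff. ForService begins and ends outside these hunks.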
+++ b/pkg/controller/networkpolicy/testdata/networkpolicy/service/expected.golden
@@ -11,14 +11,6 @@ spec:
 - from:
 - ipBlock:
 cidr: 0.0.0.0/0
- except:
- - 10.42.0.0/24
- - namespaceSelector:
- matchLabels:
- kubernetes.io/metadata.name: kube-system
- - namespaceSelector:
- matchLabels:
- kubernetes.io/metadata.name: acorn-system
 ports:
 - port: 8080
 protocol: TCP