Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ROX-23550: Add NetworkPolicy to Tenant Helm chart #1767

Merged
merged 25 commits into from
Apr 28, 2024
Merged

ROX-23550: Add NetworkPolicy to Tenant Helm chart #1767

merged 25 commits into from
Apr 28, 2024

Conversation

ebensh
Copy link
Collaborator

@ebensh ebensh commented Apr 16, 2024
edited
Loading

Description

Add NetworkPolicy's to the Fleetshard Sync Tenant Helm chart. Their creation is guarded by the new secureTenantNetwork configuration option.

These policies effectively replace and improve the ACS Operator's default NetworkPolicy's.

Where possible, I have tried to optimize per https://docs.openshift.com/container-platform/4.14/networking/network_policy/about-network-policy.html#nw-networkpolicy-optimize-ovn_about-network-policy

Document discussing the changes: https://docs.google.com/document/d/15-rlsU_wDsv6TX_2hKHNFir82W1T9Ov1SOnRSha1VUY/edit

Checklist (Definition of Done)

  • Unit and integration tests added
  • Added test description under Test manual
  • Documentation added if necessary (i.e. changes to dev setup, test execution, ...)
  • CI and all relevant tests are passing
  • Add the ticket number to the PR title if available, i.e. ROX-12345: ...
  • Discussed security and business related topics privately. Will move any security and business related topics that arise to private communication channel.
  • Add secret to app-interface Vault or Secrets Manager if necessary
  • RDS changes were e2e tested manually
  • Check AWS limits are reasonable for changes provisioning new resources
  • (If applicable) Changes to the dp-terraform Helm values have been reflected in the addon on integration environment

Test manual

TODO: Add manual testing efforts

# To run tests locally run:
make db/teardown db/setup db/migrate
make ocm/setup
make verify lint binary test test/integration

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Apr 16, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@ebensh ebensh force-pushed the evan/rox-23550-create-network-policies branch from 18e13c3 to 57d1638 Compare April 16, 2024 22:03
@ebensh ebensh force-pushed the evan/rox-23550-create-network-policies branch from 57d1638 to d0a3e29 Compare April 16, 2024 22:28
@ebensh ebensh force-pushed the evan/rox-23550-create-network-policies branch from d0a3e29 to a747436 Compare April 17, 2024 14:40
@ebensh ebensh force-pushed the evan/rox-23550-create-network-policies branch from a747436 to de84746 Compare April 17, 2024 14:47
kylape
kylape reviewed Apr 17, 2024
View reviewed changes
Copy link
Contributor

@kylape kylape left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you ever find out if we can disable network policy creation in the operator? Also, do we need scanner v4 network policies, too?

I'll try to applly these network policies later today and see if I can test them out.

fleetshard/pkg/central/charts/data/tenant-resources/templates/network-policy.yaml Outdated Show resolved Hide resolved
fleetshard/pkg/central/charts/data/tenant-resources/templates/network-policy.yaml Outdated Show resolved Hide resolved
fleetshard/pkg/central/charts/data/tenant-resources/templates/network-policy.yaml Outdated Show resolved Hide resolved
fleetshard/pkg/central/charts/data/tenant-resources/templates/network-policy.yaml Outdated Show resolved Hide resolved
@ebensh ebensh force-pushed the evan/rox-23550-create-network-policies branch from de84746 to 6a86fa7 Compare April 18, 2024 13:47
@ebensh ebensh force-pushed the evan/rox-23550-create-network-policies branch from 6a86fa7 to 1287f6d Compare April 18, 2024 13:58
@ebensh ebensh changed the title Add NetworkPolicy and EgressFirewall to Tenant Helm chart Add NetworkPolicy to Tenant Helm chart Apr 18, 2024
@ebensh ebensh marked this pull request as ready for review April 18, 2024 14:01
@ebensh ebensh changed the title Add NetworkPolicy to Tenant Helm chart ROX-23550: Add NetworkPolicy to Tenant Helm chart Apr 18, 2024
@ebensh ebensh force-pushed the evan/rox-23550-create-network-policies branch from 1287f6d to 8e76deb Compare April 18, 2024 21:00
@ebensh ebensh force-pushed the evan/rox-23550-create-network-policies branch from 8e76deb to f06e759 Compare April 18, 2024 21:56
@ebensh ebensh force-pushed the evan/rox-23550-create-network-policies branch from f06e759 to 548d49e Compare April 18, 2024 22:05
@ebensh ebensh force-pushed the evan/rox-23550-create-network-policies branch from 548d49e to a0df19b Compare April 18, 2024 22:06
ebensh added 20 commits April 26, 2024 14:39
@ebensh
Add scanner-v4 egress
65c23fc
@ebensh
Add ingress to Central from scanner v2 and v4
92dd64a
@ebensh
Add egress from scanner-v4 indexer and matcher to db
02b4011
@ebensh
Add secure_tenant_network flag to Fleetshard Sync to control whether …
0d3a97c 
…NetworkPolicies and EgressFirewalls are generated.
@ebensh
Add piping for parameter to helm chart and test rendering to ensure n…
d9bb5f0 
…etwork policies are written
@ebensh
Add secureTenantNetwork to fleetshardSync in its helm chart
5d966e0
@ebensh
Allow centrall egress to scanner-v4
b51b5ff
@ebensh
Allow Central to connect to audit-logs-aggrgeator
7db109f
@ebensh
Allow egress from central to openshift API on 443/6443.
97733ed
@ebensh
Only set NO_PROXY and other env variables if *not* securing the tenan…
f27a674 
…t network in fleetshard sync
@ebensh
Address Ben Bennett's comments - clarify comments, parameterize RDS r…
9f3a5ea 
…ange for later use
@ebensh
Add comments on Central's uses of Kube API
2a560db
@ebensh
pre-commit run --all-files
2d798e1
@ebensh
Fix = to :
e81cb87
@ebensh
Allow monitoring from openshift-monitoring namespace. Fix missing por…
4f8c8d2 
…ts from scanner to central.
@ebensh
Fix indenting on cidr range except blocks
ca7d098
@ebensh
Fix namespaceSelector for kube API and audit logs
f26397c
@ebensh
Split network policies by service piece
d270229
@ebensh
Fix new lines
7b4deab
@ebensh
Fix indent width for include of cidr block exceptions
0678aae
@ebensh ebensh force-pushed the evan/rox-23550-create-network-policies branch from 623597f to 0678aae Compare April 26, 2024 12:41
@ebensh ebensh requested a review from vladbologa April 26, 2024 12:45
@openshift-ci openshift-ci bot added the lgtm label Apr 26, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Apr 26, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ebensh, kovayur, vladbologa

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [ebensh,kovayur,vladbologa]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ebensh ebensh merged commit 78bc2d9 into main Apr 28, 2024
7 checks passed
@ebensh ebensh deleted the evan/rox-23550-create-network-policies branch April 28, 2024 07:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vladbologa vladbologa vladbologa approved these changes

@kovayur kovayur kovayur approved these changes

@kylape kylape Awaiting requested review from kylape

@knobunc knobunc Awaiting requested review from knobunc

Assignees

@kovayur kovayur

@vladbologa vladbologa

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ebensh @kylape @kovayur @knobunc @vladbologa