Add user custom network policy (#2078)

* add user custom network policy template * add appPort to access grafana from host * add kube-system as egress allow for agent * add network policy settings as an example * add stern in dev container * add schema comments * add network policy enabled to ci helm values * add cluster role to deploy network policy * style: Format code with prettier and gofumpt * remove unnecesary network policy ci settings * add pyroscope to ingress rule --------- Co-authored-by: deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com>
vdaas · Jun 21, 2023 · b0bf240 · b0bf240
1 parent cb1d401
commit b0bf240
Show file tree

Hide file tree

Showing 12 changed files with 66 additions and 3 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -11,5 +11,6 @@
     }
   },
   "postCreateCommand": "go version",
-  "postAttachCommand": "sudo ln -s $(pwd)/cmd/agent/core/ngt/sample.yaml /etc/server/config.yaml"
+  "postAttachCommand": "sudo ln -s $(pwd)/cmd/agent/core/ngt/sample.yaml /etc/server/config.yaml",
+  "appPort": "3000:3000"
 }
diff --git a/.github/helm/values/values-lb.yaml b/.github/helm/values/values-lb.yaml
@@ -17,6 +17,8 @@
 defaults:
   logging:
     level: info
+  networkPolicy:
+    enabled: true
 
 gateway:
   lb:

diff --git a/.github/valdrelease/valdrelease.yaml b/.github/valdrelease/valdrelease.yaml
@@ -22,6 +22,8 @@ spec:
   defaults:
     logging:
       level: info
+    networkPolicy:
+      enabled: true
 
   gateway:
     lb:

diff --git a/charts/vald-helm-operator/templates/clusterrole.yaml b/charts/vald-helm-operator/templates/clusterrole.yaml
@@ -112,6 +112,7 @@ rules:
       - networking.k8s.io
     resources:
       - ingresses
+      - networkpolicies
     verbs:
       - create
       - delete

diff --git a/charts/vald/templates/agent/networkpolicy.yaml b/charts/vald/templates/agent/networkpolicy.yaml
@@ -44,4 +44,15 @@ spec:
           podSelector:
             matchLabels:
               app: {{ $index.name }}
+    {{- if .Values.defaults.networkPolicy.custom.ingress }}
+    {{- toYaml .Values.defaults.networkPolicy.custom.ingress | nindent 4 }}
+    {{- end }}
+  egress:
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: kube-system
+    {{- if .Values.defaults.networkPolicy.custom.egress }}
+    {{- toYaml .Values.defaults.networkPolicy.custom.egress | nindent 4 }}
+    {{- end }}
 {{- end }}
diff --git a/charts/vald/templates/discoverer/networkpolicy.yaml b/charts/vald/templates/discoverer/networkpolicy.yaml
@@ -46,9 +46,15 @@ spec:
         podSelector:
           matchLabels:
             app: {{ $index.name }}
+      {{- if .Values.defaults.networkPolicy.custom.ingress }}
+      {{- toYaml .Values.defaults.networkPolicy.custom.ingress | nindent 4 }}
+      {{- end }}
   egress:
     - to:
       - namespaceSelector:
           matchLabels:
             kubernetes.io/metadata.name: kube-system
+      {{- if .Values.defaults.networkPolicy.custom.egress }}
+      {{- toYaml .Values.defaults.networkPolicy.custom.egress | nindent 4 }}
+      {{- end }}
 {{- end }}
diff --git a/charts/vald/templates/gateway/filter/networkpolicy.yaml b/charts/vald/templates/gateway/filter/networkpolicy.yaml
@@ -26,7 +26,14 @@ spec:
     matchLabels:
       app: {{ $filter.name }}
   policyTypes:
+    {{- if .Values.defaults.networkPolicy.custom.ingress }}
+    - Ingress
+    {{- end }}
     - Egress
+  {{- if .Values.defaults.networkPolicy.custom.ingress }}
+  ingress:
+    {{- toYaml .Values.defaults.networkPolicy.custom.ingress | nindent 4 }}
+  {{- end }}
   egress:
     # allow all the egress to communicate with user-defined filters
     - {}

diff --git a/charts/vald/templates/gateway/lb/networkpolicy.yaml b/charts/vald/templates/gateway/lb/networkpolicy.yaml
@@ -41,6 +41,9 @@ spec:
         podSelector:
           matchLabels:
             app: {{ $filter.name }}
+    {{- if .Values.defaults.networkPolicy.custom.ingress }}
+    {{- toYaml .Values.defaults.networkPolicy.custom.ingress | nindent 4 }}
+    {{- end }}
   egress:
     - to:
       - namespaceSelector:
@@ -58,4 +61,7 @@ spec:
       - namespaceSelector:
           matchLabels:
             kubernetes.io/metadata.name: kube-system
+    {{- if .Values.defaults.networkPolicy.custom.egress }}
+    {{- toYaml .Values.defaults.networkPolicy.custom.egress | nindent 4 }}
+    {{- end }}
 {{- end }}
diff --git a/charts/vald/templates/manager/index/networkpolicy.yaml b/charts/vald/templates/manager/index/networkpolicy.yaml
@@ -34,6 +34,9 @@ spec:
       - namespaceSelector:
           matchLabels:
             kubernetes.io/metadata.name: kube-system
+    {{- if .Values.defaults.networkPolicy.custom.ingress }}
+    {{- toYaml .Values.defaults.networkPolicy.custom.ingress | nindent 4 }}
+    {{- end }}
   egress:
     - to:
       - namespaceSelector:
@@ -51,4 +54,7 @@ spec:
       - namespaceSelector:
           matchLabels:
             kubernetes.io/metadata.name: kube-system
+    {{- if .Values.defaults.networkPolicy.custom.egress }}
+    {{- toYaml .Values.defaults.networkPolicy.custom.egress | nindent 4 }}
+    {{- end }}
 {{- end }}
diff --git a/charts/vald/values.yaml b/charts/vald/values.yaml
@@ -834,8 +834,16 @@ defaults:
   networkPolicy:
     # @schema {"name": "defaults.networkPolicy.enabled", "type": "boolean"}
     # defaults.networkPolicy.enabled -- if network policy enabled
-    # TODO: Change this to true after implementing user custom network policy parser
     enabled: false
+    # @schema {"name": "defaults.networkPolicy.custom", "type": "object"}
+    # defaults.networkPolicy.custom -- custom network policies that a user can add
+    custom:
+      # @schema {"name": "defaults.networkPolicy.custom.ingress", "type": "object"}
+      # defaults.networkPolicy.custom.ingress -- custom ingress network policies that a user can add
+      ingress: {}
+      # @schema {"name": "defaults.networkPolicy.custom.egress", "type": "object"}
+      # defaults.networkPolicy.custom.egress -- custom egress network policies that a user can add
+      egress: {}
 
 # @schema {"name": "gateway", "type": "object"}
 gateway:

diff --git a/charts/vald/values/dev-observability.yaml b/charts/vald/values/dev-observability.yaml
@@ -40,6 +40,19 @@ defaults:
       collector_endpoint: "opentelemetry-collector-collector.default.svc.cluster.local:4317"
     trace:
       enabled: true
+  networkPolicy:
+    enabled: true
+    custom:
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  app.kubernetes.io/name: pyroscope
+      egress:
+        - to:
+            - podSelector:
+                matchLabels:
+                  app.kubernetes.io/name: opentelemetry-collector-collector
 
 gateway:
   lb:

diff --git a/dockers/dev/Dockerfile b/dockers/dev/Dockerfile
@@ -71,4 +71,4 @@ USER vscode
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN curl -sS https://webinstall.dev/k9s | bash
 
-WORKDIR ${GOPATH}
+RUN go install github.com/stern/stern@latest