diff --git a/src/authservice/chart/templates/uds-package.yaml b/src/authservice/chart/templates/uds-package.yaml index bf1041bd3..0e4e583de 100644 --- a/src/authservice/chart/templates/uds-package.yaml +++ b/src/authservice/chart/templates/uds-package.yaml @@ -15,8 +15,23 @@ spec: # Egress must be allowed to the external facing Keycloak endpoint - direction: Egress + remoteSelector: + app: tenant-ingressgateway + remoteNamespace: istio-tenant-gateway + description: "SSO Provider" + + {{- if .Values.redis.uri }} + - direction: Egress + description: Redis Session Store + {{- if .Values.redis.internal.enabled }} + remoteSelector: {{ .Values.redis.internal.remoteSelector }} + remoteNamespace: {{ .Values.redis.internal.remoteNamespace }} + {{- else if .Values.redis.egressCidr }} + remoteCidr: {{ .Values.redis.egressCidr }} + {{- else }} remoteGenerated: Anywhere - description: "SSO Provider & Redis Session Store" + {{- end }} + {{- end }} - direction: Ingress selector: diff --git a/src/authservice/chart/values.yaml b/src/authservice/chart/values.yaml index b28496153..06a631c9c 100644 --- a/src/authservice/chart/values.yaml +++ b/src/authservice/chart/values.yaml @@ -9,6 +9,14 @@ image: nameOverride: "authservice" +redis: + uri: "###ZARF_VAR_AUTHSERVICE_REDIS_URI###" + egressCidr: "" + internal: + enabled: false + remoteSelector: {} + remoteNamespace: "" + podAnnotations: {} podSecurityContext: {} diff --git a/src/grafana/chart/templates/uds-package.yaml b/src/grafana/chart/templates/uds-package.yaml index 713a103a0..0181bc8f1 100644 --- a/src/grafana/chart/templates/uds-package.yaml +++ b/src/grafana/chart/templates/uds-package.yaml 
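Review bot: `remoteSelector: {{ .Values.redis.internal.remoteSelector }}` in the new `internal.enabled` branch renders a map with Go's `map[key:value]` formatting rather than YAML, so the selector will not parse once `internal.enabled` is true (the `{}` default only hides this). Render it with the indent-aware helper instead: `remoteSelector:` followed by `{{- toYaml .Values.redis.internal.remoteSelector | nindent <INDENT> }}` with the indent set to the key's nesting, and consider `remoteCidr: {{ .Values.redis.egressCidr | quote }}` so the CIDR is always a string. The same pattern appears in the keycloak, loki and velero uds-package templates in this diff. Note the trailing `{{- else }}` still falls back to `remoteGenerated: Anywhere`, so a deployment that sets neither value keeps the unrestricted egress this change is meant to narrow; a comment on that branch saying so would help operators notice.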
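Review bot: `uri: "###ZARF_VAR_AUTHSERVICE_REDIS_URI###"` is a non-empty default, so the `{{- if .Values.redis.uri }}` gate in the uds-package template is true whenever the chart renders without Zarf substituting the variable, and with the other defaults that yields an `Anywhere` egress rule; if that is unintended, default to `uri: ""` and let the Zarf package supply the value. The `internal` and `egressCidr` keys have no comment saying which one wins when both are set (the template checks `internal.enabled` first); suggest `# internal is checked before egressCidr; when enabled, egressCidr is ignored`.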
@@ -28,23 +28,38 @@ spec: targetPort: 3000 allow: - - direction: Ingress + # Egress allowed to Loki + - direction: Egress selector: app.kubernetes.io/name: grafana - remoteNamespace: tempo + remoteNamespace: loki remoteSelector: - app.kubernetes.io/name: tempo - port: 9090 - description: "Tempo Datasource" + app.kubernetes.io/name: loki + description: "Loki Datasource" + port: 8080 + # Egress allowed to Prometheus - direction: Egress selector: app.kubernetes.io/name: grafana - remoteGenerated: Anywhere + remoteNamespace: monitoring + remoteSelector: + app.kubernetes.io/name: prometheus + description: "Prometheus Datasource" + port: 9090 + # Egress allowed to Keyclaok - direction: Egress - remoteNamespace: tempo + selector: + app.kubernetes.io/name: grafana + remoteNamespace: keycloak remoteSelector: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" + app.kubernetes.io/name: keycloak + description: "SSO Provider" + + # Egress allowed to KubeAPI + - direction: Egress + selector: + app.kubernetes.io/name: grafana + remoteGenerated: KubeAPI + description: "Datasources Watcher" diff --git a/src/grafana/values/unicorn-values.yaml b/src/grafana/values/unicorn-values.yaml index bfec85312..0f8d1d8bf 100644 --- a/src/grafana/values/unicorn-values.yaml +++ b/src/grafana/values/unicorn-values.yaml @@ -12,7 +12,7 @@ initChownData: downloadDashboardsImage: registry: cgr.dev repository: du-uds-defenseunicorns/curl-fips - tag: 8.9.1 + tag: 8.10.0 sidecar: image: diff --git a/src/grafana/values/upstream-values.yaml b/src/grafana/values/upstream-values.yaml index d80a7b0bf..615c19514 100644 --- a/src/grafana/values/upstream-values.yaml +++ b/src/grafana/values/upstream-values.yaml @@ -19,4 +19,4 @@ initChownData: downloadDashboardsImage: registry: docker.io repository: curlimages/curl - tag: 8.9.1 + tag: 8.10.0 diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml index f58b38bbf..a3396d3d1 100644 --- a/src/grafana/zarf.yaml +++ b/src/grafana/zarf.yaml 
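Review bot: The comment `# Egress allowed to Keyclaok` has a typo; `# Egress allowed to Keycloak`. The Keycloak rule is also the only one of the three new datasource rules without a `port`, while the Loki and Prometheus rules pin 8080 and 9090; if the SSO endpoint is the 8080 port that the keycloak package's own ingress rules in this diff expose, `port: 8080` keeps it as narrow as its siblings. Authservice and NeuVector in this diff reach SSO through `tenant-ingressgateway` in `istio-tenant-gateway`, whereas this rule targets the `keycloak` namespace directly; if that difference is deliberate, a one-line comment on the rule saying why would stop it being "fixed" later.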
@@ -22,7 +22,7 @@ components: - values/upstream-values.yaml images: - docker.io/grafana/grafana:11.2.0 - - docker.io/curlimages/curl:8.9.1 + - docker.io/curlimages/curl:8.10.0 - docker.io/library/busybox:1.36.1 - ghcr.io/kiwigrid/k8s-sidecar:1.27.6 @@ -54,5 +54,5 @@ components: images: - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.2.0 - cgr.dev/du-uds-defenseunicorns/busybox-fips:1.36.1 - - cgr.dev/du-uds-defenseunicorns/curl-fips:8.9.1 + - cgr.dev/du-uds-defenseunicorns/curl-fips:8.10.0 - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.6 diff --git a/src/keycloak/chart/Chart.yaml b/src/keycloak/chart/Chart.yaml index 4c7b35acb..7269f5f3e 100644 --- a/src/keycloak/chart/Chart.yaml +++ b/src/keycloak/chart/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: keycloak # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver -version: 25.0.4 +version: 25.0.5 description: Open Source Identity and Access Management For Modern Applications and Services keywords: - sso diff --git a/src/keycloak/chart/templates/_helpers.tpl b/src/keycloak/chart/templates/_helpers.tpl index bb0825a07..a5ce50f28 100644 --- a/src/keycloak/chart/templates/_helpers.tpl +++ b/src/keycloak/chart/templates/_helpers.tpl @@ -89,7 +89,7 @@ Check external PostgreSQL connection information. Fails when required values are {{- else -}}{{fail "You must define \"username\", \"password\", \"database\", \"host\", and \"port\" for \"postgresql\"."}} {{- end -}} {{- default "true" "" }} -{{- else if not (empty (compact (values (omit .Values.postgresql "port")))) -}} +{{- else if not (empty (compact (values (omit .Values.postgresql "port" "internal")))) -}} {{ fail "Cannot use an external PostgreSQL Database when devMode is enabled." -}} {{- else -}} {{ default "false" "" }} diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml index 6ea6a2756..2c1c52e47 100644 --- a/src/keycloak/chart/templates/uds-package.yaml 
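Review bot: `omit .Values.postgresql "port" "internal"` keeps the new `egressCidr` key inside the devMode check, so a non-empty `postgresql.egressCidr` together with devMode fails with the external-database message while `internal.*` no longer does; if that asymmetry is intended, record it in the helper's header comment (which starts outside this hunk), e.g. `# internal.* is omitted because it describes an in-cluster database; egressCidr is kept because it implies an external one`. It is also worth noting there that `compact` only drops empty values, so without the omit the `internal` map (three keys even at its defaults) would always have counted as a configured external database.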
+++ b/src/keycloak/chart/templates/uds-package.yaml @@ -26,7 +26,7 @@ spec: port: 8080 # Temp workaround for any cluster pod - # @todo: remove this once cluster pods is a remote generated target + # todo: remove this once cluster pods is a remote generated target - description: "Keycloak backchannel access" direction: Ingress selector: @@ -34,6 +34,7 @@ spec: remoteGenerated: Anywhere port: 8080 + # Keycloak OCSP to check certs cannot guarantee a static IP - description: "OCSP Lookup" direction: Egress selector: @@ -58,8 +59,16 @@ spec: selector: app.kubernetes.io/name: keycloak port: {{ .Values.postgresql.port }} + {{- if .Values.postgresql.internal.enabled }} + remoteSelector: {{ .Values.postgresql.internal.remoteSelector }} + remoteNamespace: {{ .Values.postgresql.internal.remoteNamespace }} + {{- else if .Values.postgresql.egressCidr }} + remoteCidr: {{ .Values.postgresql.egressCidr }} + {{- else }} remoteGenerated: Anywhere + {{- end }} {{- end }} + {{- if .Values.autoscaling.enabled }} # HA for keycloak - direction: Ingress diff --git a/src/keycloak/chart/values.schema.json b/src/keycloak/chart/values.schema.json index 70ee59bde..f05bdc3a8 100644 --- a/src/keycloak/chart/values.schema.json +++ b/src/keycloak/chart/values.schema.json @@ -9,17 +9,7 @@ "additionalGatewayNamespaces": { "type": "array", "items": { - "type": "object", - "properties": { - "resource": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - } + "type": "string" } }, "autoscaling": { diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index e5ee480c8..f34315c98 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml 
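Review bot: Narrowing `additionalGatewayNamespaces.items` from an object carrying `resource.name` to a plain `"type": "string"` is a breaking change for any existing values file that uses the object form, and the template consuming this key is not in the diff, so I cannot confirm it already iterates strings; a comment on the key in values.yaml, or a changelog entry, would make the migration explicit. If the entries are namespace names, `"pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"` on the item schema rejects values that are not valid Kubernetes names at install time rather than at reconcile time.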
@@ -2,12 +2,12 @@ image: # The Keycloak image repository repository: quay.io/keycloak/keycloak # Overrides the Keycloak image tag whose default is the chart appVersion - tag: "25.0.4" + tag: "25.0.5" # The Keycloak image pull policy pullPolicy: IfNotPresent # renovate: datasource=github-tags depName=defenseunicorns/uds-identity-config versioning=semver -configImage: ghcr.io/defenseunicorns/uds/identity-config:0.6.1 +configImage: ghcr.io/defenseunicorns/uds/identity-config:0.6.2 # The public domain name of the Keycloak server domain: "###ZARF_VAR_DOMAIN###" @@ -174,6 +174,12 @@ postgresql: host: "" # Port the database is listening on port: 5432 + egressCidr: "" + # Configure internal postgresql deployment, requires keycloak not be deployed in dev-mode + internal: + enabled: false + remoteSelector: {} + remoteNamespace: "" serviceMonitor: # If `true`, a ServiceMonitor resource for the prometheus-operator is created diff --git a/src/keycloak/common/zarf.yaml b/src/keycloak/common/zarf.yaml index 1e669bfb2..a67206b7f 100644 --- a/src/keycloak/common/zarf.yaml +++ b/src/keycloak/common/zarf.yaml @@ -10,7 +10,7 @@ components: - name: keycloak namespace: keycloak # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver - version: 25.0.4 + version: 25.0.5 localPath: ../chart actions: onDeploy: diff --git a/src/keycloak/tasks.yaml b/src/keycloak/tasks.yaml index 95fe48108..20bb09600 100644 --- a/src/keycloak/tasks.yaml +++ b/src/keycloak/tasks.yaml @@ -1,5 +1,5 @@ includes: - - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.6.1/tasks.yaml + - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.6.2/tasks.yaml tasks: - name: validate diff --git a/src/keycloak/values/registry1-values.yaml b/src/keycloak/values/registry1-values.yaml index 30c921b92..c94809ed6 100644 --- a/src/keycloak/values/registry1-values.yaml +++ b/src/keycloak/values/registry1-values.yaml 
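Review bot: The comment on `internal` says it `requires keycloak not be deployed in dev-mode`, but the `_helpers.tpl` change in this diff removes `internal` from the devMode check, so nothing in the chart enforces that requirement; either add a guard in the helper such as `{{- if and <DEVMODE_VALUE> .Values.postgresql.internal.enabled }}{{ fail "postgresql.internal cannot be used with devMode" }}{{- end }}`, or reword the comment to say it is an operator responsibility. `egressCidr` has no comment at all; suggest `# CIDR of an external database to allow egress to; ignored when internal.enabled is true (see uds-package.yaml)`.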
@@ -1,6 +1,6 @@ image: repository: registry1.dso.mil/ironbank/opensource/keycloak/keycloak - tag: "25.0.4" + tag: "25.0.5" podSecurityContext: fsGroup: 2000 securityContext: diff --git a/src/keycloak/values/unicorn-values.yaml b/src/keycloak/values/unicorn-values.yaml index 6bff6fdfb..d3c178aa2 100644 --- a/src/keycloak/values/unicorn-values.yaml +++ b/src/keycloak/values/unicorn-values.yaml @@ -2,4 +2,4 @@ podSecurityContext: fsGroup: 65532 image: repository: cgr.dev/du-uds-defenseunicorns/keycloak - tag: "25.0.4" + tag: "25.0.5" diff --git a/src/keycloak/values/upstream-values.yaml b/src/keycloak/values/upstream-values.yaml index 97dd2e6c2..ac9fc21ce 100644 --- a/src/keycloak/values/upstream-values.yaml +++ b/src/keycloak/values/upstream-values.yaml @@ -2,4 +2,4 @@ podSecurityContext: fsGroup: 1000 image: repository: quay.io/keycloak/keycloak - tag: "25.0.4" + tag: "25.0.5" diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index dd24b2eac..b3c378560 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml @@ -20,8 +20,8 @@ components: valuesFiles: - "values/upstream-values.yaml" images: - - quay.io/keycloak/keycloak:25.0.4 - - ghcr.io/defenseunicorns/uds/identity-config:0.6.1 + - quay.io/keycloak/keycloak:25.0.5 + - ghcr.io/defenseunicorns/uds/identity-config:0.6.2 - name: keycloak required: true @@ -36,8 +36,8 @@ components: valuesFiles: - "values/registry1-values.yaml" images: - - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.4 - - ghcr.io/defenseunicorns/uds/identity-config:0.6.1 + - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.5 + - ghcr.io/defenseunicorns/uds/identity-config:0.6.2 - name: keycloak required: true 
@@ -50,5 +50,5 @@ components: valuesFiles: - "values/unicorn-values.yaml" images: - - cgr.dev/du-uds-defenseunicorns/keycloak:25.0.4 # todo: switch to FIPS image - - ghcr.io/defenseunicorns/uds/identity-config:0.6.1 + - cgr.dev/du-uds-defenseunicorns/keycloak:25.0.5 # todo: switch to FIPS image + - ghcr.io/defenseunicorns/uds/identity-config:0.6.2 diff --git a/src/loki/chart/templates/uds-package.yaml b/src/loki/chart/templates/uds-package.yaml index 8f30a3d0c..a04557a51 100644 --- a/src/loki/chart/templates/uds-package.yaml +++ b/src/loki/chart/templates/uds-package.yaml @@ -31,7 +31,6 @@ spec: app.kubernetes.io/name: prometheus ports: - 3100 - - 8080 description: "Prometheus Metrics" - direction: Ingress @@ -44,15 +43,16 @@ spec: - 8080 description: "Promtail Log Storage" - # Todo: wide open for now for pushing to s3 + # Egress for S3 connections - direction: Egress selector: app.kubernetes.io/name: loki + description: Storage + {{- if .Values.storage.internal.enabled }} + remoteSelector: {{ .Values.storage.internal.remoteSelector }} + remoteNamespace: {{ .Values.storage.internal.remoteNamespace }} + {{- else if .Values.storage.egressCidr }} + remoteCidr: {{ .Values.storage.egressCidr }} + {{- else }} remoteGenerated: Anywhere - - - direction: Egress - remoteNamespace: tempo - remoteSelector: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" + {{- end }} diff --git a/src/loki/chart/values.yaml b/src/loki/chart/values.yaml index e69de29bb..fbb557b5a 100644 --- a/src/loki/chart/values.yaml +++ b/src/loki/chart/values.yaml @@ -0,0 +1,6 @@ +storage: + internal: + enabled: false + remoteSelector: {} + remoteNamespace: "" + egressCidr: "" diff --git a/src/loki/common/zarf.yaml b/src/loki/common/zarf.yaml index 35376a992..3e3901bc4 100644 --- a/src/loki/common/zarf.yaml +++ b/src/loki/common/zarf.yaml 
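Review bot: `description: Storage` is the only unquoted description in this diff's uds-package templates (every sibling rule writes `description: "..."`), and the velero template in this diff introduces the same unquoted form; `description: "Storage"` keeps the files consistent and avoids a plain scalar that later edits might extend with a `: ` or ` #`. The rendering defect for `remoteSelector` in this hunk's `internal.enabled` branch is the one raised on the authservice template.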
@@ -13,7 +13,7 @@ components: localPath: ../chart - name: loki url: https://grafana.github.io/helm-charts/ - version: 5.47.1 + version: 6.12.0 namespace: loki valuesFiles: - ../values/values.yaml diff --git a/src/loki/values/registry1-values.yaml b/src/loki/values/registry1-values.yaml index 2d742b29f..900772e53 100644 --- a/src/loki/values/registry1-values.yaml +++ b/src/loki/values/registry1-values.yaml @@ -2,7 +2,7 @@ loki: image: registry: registry1.dso.mil repository: ironbank/opensource/grafana/loki - tag: 2.9.6 + tag: 3.1.1 podSecurityContext: fsGroup: 10001 runAsGroup: 10001 @@ -19,4 +19,8 @@ gateway: image: registry: registry1.dso.mil repository: ironbank/opensource/nginx/nginx-alpine - tag: 1.25.3 + tag: 1.26.2 +memcached: + image: + repository: registry1.dso.mil/ironbank/opensource/memcached/memcached + tag: 1.6.31 diff --git a/src/loki/values/unicorn-values.yaml b/src/loki/values/unicorn-values.yaml index 20df5327b..309753bee 100644 --- a/src/loki/values/unicorn-values.yaml +++ b/src/loki/values/unicorn-values.yaml @@ -2,9 +2,13 @@ loki: image: registry: cgr.dev repository: du-uds-defenseunicorns/loki - tag: 2.9.8 + tag: 3.1.1 gateway: image: registry: cgr.dev repository: du-uds-defenseunicorns/nginx-fips - tag: 1.27.0 + tag: 1.27.1 +memcached: + image: + repository: cgr.dev/du-uds-defenseunicorns/memcached + tag: 1.6.31 diff --git a/src/loki/values/upstream-values.yaml b/src/loki/values/upstream-values.yaml index deaa6c7b8..a7ebd51df 100644 --- a/src/loki/values/upstream-values.yaml +++ b/src/loki/values/upstream-values.yaml @@ -2,10 +2,16 @@ loki: image: registry: docker.io repository: grafana/loki - tag: 2.9.6 + tag: 3.1.1 gateway: image: registry: docker.io repository: nginxinc/nginx-unprivileged - tag: 1.25-alpine + tag: 1.27-alpine + +memcached: + image: + registry: docker.io + repository: memcached + tag: 1.6.31-alpine diff --git a/src/loki/values/values.yaml b/src/loki/values/values.yaml index c513cd334..5a9952d4f 100644 
--- a/src/loki/values/values.yaml +++ b/src/loki/values/values.yaml @@ -14,6 +14,12 @@ memberlist: service: publishNotReadyAddresses: true +chunksCache: + enabled: false + +resultsCache: + enabled: false + loki: configStorageType: Secret # Disable telemetry that doesn't function in the airgap @@ -33,8 +39,18 @@ loki: insecure: false commonConfig: replication_factor: 1 + schemaConfig: + configs: + - from: 2023-04-01 + store: tsdb + object_store: "{{ .Values.loki.storage.type }}" + schema: v12 + index: + prefix: loki_tsdb_ + period: 24h limits_config: split_queries_by_interval: "30m" + allow_structured_metadata: false query_scheduler: max_outstanding_requests_per_tenant: 32000 # This is the default in Loki 3.0 extraMemberlistConfig: @@ -72,6 +88,8 @@ rbac: test: enabled: false +deploymentMode: SimpleScalable + # Configuration for the single binary node(s) singleBinary: # -- Number of replicas for the single binary @@ -113,27 +131,35 @@ sidecar: # -- Whether or not to create a sidecar to ingest rule from specific ConfigMaps and/or Secrets. enabled: false +memcachedExporter: + # -- Whether memcached metrics should be exported + enabled: false + monitoring: - enabled: true - selfMonitoring: - enabled: false - grafanaAgent: - installOperator: false - lokiCanary: - enabled: false + serviceMonitor: + enabled: true + +lokiCanary: + enabled: false + gateway: enabled: true # Remove default anti-affinity to support single node - affinity: "" + affinity: null + + # Gateway has no metrics https://github.com/grafana/loki/issues/13201 + service: + labels: + prometheus.io/service-monitor: "false" read: # Remove default anti-affinity to support single node - affinity: "" + affinity: null write: # Remove default anti-affinity to support single node - affinity: "" + affinity: null backend: # Remove default anti-affinity to support single node - affinity: "" + affinity: null diff --git a/src/loki/zarf.yaml b/src/loki/zarf.yaml index df76918b9..46d102da2 100644 --- a/src/loki/zarf.yaml 
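Review bot: `- from: 2023-04-01` under `schemaConfig.configs` is an unquoted ISO date, which YAML 1.1 loaders type as a timestamp rather than a string; `- from: "2023-04-01"` removes the dependence on whichever loader Helm and the Loki chart happen to use. `chunksCache.enabled: false` and `resultsCache.enabled: false` disable both memcached-backed caches here, yet `src/loki/zarf.yaml` and the per-flavor values files in this diff add memcached images; if the chart does not deploy memcached with both caches off, those images appear unused, and a comment here saying they are kept for a later enablement (or dropping them) would resolve the mismatch. `schema: v12` with `store: tsdb` and `allow_structured_metadata: false` form a consistent pair, as structured metadata needs a newer schema version as far as I recall; a one-line comment tying the two together would stop someone flipping the flag alone.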
+++ b/src/loki/zarf.yaml @@ -16,8 +16,9 @@ components: valuesFiles: - ./values/upstream-values.yaml images: - - docker.io/grafana/loki:2.9.6 - - docker.io/nginxinc/nginx-unprivileged:1.25-alpine + - docker.io/grafana/loki:3.1.1 + - docker.io/nginxinc/nginx-unprivileged:1.27-alpine + - docker.io/memcached:1.6.31-alpine - name: loki required: true @@ -31,8 +32,9 @@ components: valuesFiles: - ./values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/opensource/grafana/loki:2.9.6 - - registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.25.3 + - registry1.dso.mil/ironbank/opensource/grafana/loki:3.1.1 + - registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.26.2 + - registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.31 - name: loki required: true @@ -46,5 +48,6 @@ components: valuesFiles: - ./values/unicorn-values.yaml images: - - cgr.dev/du-uds-defenseunicorns/loki:2.9.8 - - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.0 + - cgr.dev/du-uds-defenseunicorns/loki:3.1.1 + - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.1 + - cgr.dev/du-uds-defenseunicorns/memcached:1.6.31 diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml index f9c4bd08e..1cdee101d 100644 --- a/src/neuvector/chart/templates/uds-package.yaml +++ b/src/neuvector/chart/templates/uds-package.yaml @@ -58,9 +58,12 @@ spec: # Access to SSO for OIDC - direction: Egress - remoteGenerated: Anywhere selector: app: neuvector-controller-pod + remoteSelector: + app: tenant-ingressgateway + remoteNamespace: istio-tenant-gateway + description: "SSO Provider" - direction: Egress remoteGenerated: KubeAPI @@ -79,10 +82,3 @@ spec: app: neuvector-controller-pod port: 30443 description: "Webhook" - - - direction: Egress - remoteNamespace: tempo - remoteSelector: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" diff --git a/src/pepr/operator/README.md b/src/pepr/operator/README.md index b03a84936..5b95cea2d 100644 
--- a/src/pepr/operator/README.md +++ b/src/pepr/operator/README.md @@ -42,13 +42,6 @@ spec: app.kubernetes.io/name: grafana remoteGenerated: Anywhere - - direction: Egress - remoteNamespace: tempo - remoteSelector: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" - # SSO allows for the creation of Keycloak clients and with automatic secret generation sso: - name: Grafana Dashboard diff --git a/src/pepr/operator/controllers/network/generate.spec.ts b/src/pepr/operator/controllers/network/generate.spec.ts index 559bcf18a..9abeb1647 100644 --- a/src/pepr/operator/controllers/network/generate.spec.ts +++ b/src/pepr/operator/controllers/network/generate.spec.ts 
@@ -111,3 +111,61 @@ describe("network policy generate", () => { policyTypes: ["Egress"], } as kind.NetworkPolicy["spec"]); }); + +describe("network policy generate with remoteCidr", () => { + it("should generate correct network policy with remoteCidr for Egress", async () => { + const policy = generate("test", { + description: "test", + direction: Direction.Egress, + selector: { app: "test" }, + remoteCidr: "192.168.0.0/16", + }); + + expect(policy.metadata?.name).toEqual("Egress-test"); + expect(policy.spec).toEqual({ + egress: [ + { + to: [ + { + ipBlock: { + cidr: "192.168.0.0/16", + except: ["169.254.169.254/32"], // Include the except field here + }, + }, + ], + ports: [], + }, + ], + podSelector: { matchLabels: { app: "test" } }, + policyTypes: ["Egress"], + } as kind.NetworkPolicy["spec"]); + }); + + it("should generate correct network policy with remoteCidr for Ingress", async () => { + const policy = generate("test", { + description: "test", + direction: Direction.Ingress, + selector: { app: "test" }, + remoteCidr: "10.0.0.0/8", + }); + + expect(policy.metadata?.name).toEqual("Ingress-test"); + expect(policy.spec).toEqual({ + ingress: [ + { + from: [ + { + ipBlock: { + cidr: "10.0.0.0/8", + except: ["169.254.169.254/32"], // Include the except field here + }, + }, + ], + ports: [], + }, + ], + podSelector: { matchLabels: { app: "test" } }, + policyTypes: ["Ingress"], + } as kind.NetworkPolicy["spec"]); + }); +}); diff --git a/src/pepr/operator/controllers/network/generate.ts b/src/pepr/operator/controllers/network/generate.ts index e64f19402..ecba6d1cb 100644 --- a/src/pepr/operator/controllers/network/generate.ts +++ b/src/pepr/operator/controllers/network/generate.ts 
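Review bot: Both new cases assert the literal `except: ["169.254.169.254/32"]` with the comment `// Include the except field here`, duplicating the constant the generator takes from `META_IP` in `./generators/cloudMetadata`; importing `META_IP` and asserting `except: [META_IP]` ties the tests to the source of truth and makes the comment unnecessary. There is no case for `remoteCidr: ""`, which the generator's `!== undefined` check treats as a CIDR; a test pinning the intended behaviour for an empty string would document the contract. Neither case exercises `remoteCidr` together with `port`/`ports`, so the `ports: []` expectation is the only port shape covered.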
@@ -6,6 +6,7 @@ import { anywhere } from "./generators/anywhere"; import { cloudMetadata } from "./generators/cloudMetadata"; import { intraNamespace } from "./generators/intraNamespace"; import { kubeAPI } from "./generators/kubeAPI"; +import { remoteCidr } from "./generators/remoteCidr"; function isWildcardNamespace(namespace: string) { return namespace === "" || namespace === "*"; @@ -52,6 +53,8 @@ function getPeers(policy: Allow): V1NetworkPolicyPeer[] { } peers.push(peer); + } else if (policy.remoteCidr !== undefined) { + peers = [remoteCidr(policy.remoteCidr)]; } return peers; diff --git a/src/pepr/operator/controllers/network/generators/remoteCidr.ts b/src/pepr/operator/controllers/network/generators/remoteCidr.ts new file mode 100644 index 000000000..031e43f16 --- /dev/null +++ b/src/pepr/operator/controllers/network/generators/remoteCidr.ts @@ -0,0 +1,12 @@ +import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; +import { META_IP } from "./cloudMetadata"; + +/** Matches a specific custom cidr EXCEPT the Cloud Meta endpoint */ +export function remoteCidr(cidr: string): V1NetworkPolicyPeer { + return { + ipBlock: { + cidr, + except: [META_IP], + }, + }; +} diff --git a/src/pepr/operator/crd/generated/package-v1alpha1.ts b/src/pepr/operator/crd/generated/package-v1alpha1.ts index 311ec223f..20d896d92 100644 --- a/src/pepr/operator/crd/generated/package-v1alpha1.ts +++ b/src/pepr/operator/crd/generated/package-v1alpha1.ts @@ -144,6 +144,10 @@ export interface Allow { * A list of ports to allow (protocol is always TCP) */ ports?: number[]; + /** + * Custom generated policy CIDR + */ + remoteCidr?: string; /** * Custom generated remote selector for the policy */ diff --git a/src/pepr/operator/crd/sources/package/v1alpha1.ts b/src/pepr/operator/crd/sources/package/v1alpha1.ts index 33d288bc8..8af0ed32a 100644 --- a/src/pepr/operator/crd/sources/package/v1alpha1.ts +++ b/src/pepr/operator/crd/sources/package/v1alpha1.ts 
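Review bot: `policy.remoteCidr !== undefined` accepts an empty string, so `remoteCidr: ""` produces a peer with `ipBlock.cidr: ""` that the API server will reject, while the validator in this diff uses the truthiness check `policy.remoteCidr && ...` and therefore lets the empty value through its exclusivity rules; `} else if (policy.remoteCidr) {` aligns the two. `getPeers` starts outside the hunk; a short comment on the new branch, `// remoteCidr is exclusive with the other remote* fields, so it replaces rather than extends peers`, would explain the assignment.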
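Review bot: `except: [META_IP]` is emitted unconditionally, but Kubernetes NetworkPolicy validation requires every `ipBlock.except` entry to lie within `ipBlock.cidr`, so a policy generated for a cidr that does not contain 169.254.169.254 (the spec file's own `10.0.0.0/8` and `192.168.0.0/16` examples) is rejected when applied and the egress the Package asked for never materialises. Only add the exception when the cidr covers the metadata address; `BlockList` and `isIPv4` from `node:net` can do the containment test without a new dependency, and the expectations in generate.spec.ts then need `except: []` for those two cidrs. The JSDoc should also state that the cidr is not validated here and that non-IPv4 input yields no exception.
```typescript
/** Matches a specific custom cidr, EXCEPT the Cloud Meta endpoint when the cidr covers it */
export function remoteCidr(cidr: string): V1NetworkPolicyPeer {
  // Kubernetes rejects an `except` entry that is not inside `cidr`
  const except = cidrContains(cidr, META_IP) ? [META_IP] : [];
  return {
    ipBlock: {
      cidr,
      except,
    },
  };
}

/** True when the IPv4 address `ip` (optionally with a /32 suffix) lies inside the IPv4 `cidr`; false for anything it cannot parse */
function cidrContains(cidr: string, ip: string): boolean {
  const [network, prefix = "32"] = cidr.split("/");
  const [address] = ip.split("/");
  const bits = Number(prefix);
  if (!isIPv4(network) || !isIPv4(address) || !Number.isInteger(bits) || bits < 0 || bits > 32) {
    return false; // unparseable or non-IPv4 input: emit no exception rather than an invalid one
  }
  const block = new BlockList();
  block.addSubnet(network, bits, "ipv4");
  return block.check(address, "ipv4");
}
```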
@@ -84,6 +84,10 @@ const allow = { type: "string", enum: ["KubeAPI", "IntraNamespace", "CloudMetadata", "Anywhere"], }, + remoteCidr: { + description: "Custom generated policy CIDR", + type: "string", + }, port: { description: "The port to allow (protocol is always TCP)", minimum: 1, diff --git a/src/pepr/operator/crd/validators/package-validator.ts b/src/pepr/operator/crd/validators/package-validator.ts index 4336fecfa..4ad6266fc 100644 --- a/src/pepr/operator/crd/validators/package-validator.ts +++ b/src/pepr/operator/crd/validators/package-validator.ts 
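Review bot: `remoteCidr` is declared as a bare `type: "string"`, so a malformed value is accepted at Package admission and only fails later when the generated NetworkPolicy is applied; `format: "cidr"`, one of the formats the apiextensions validator recognises, or a `pattern` moves that failure to admission where the user sees it. The description `Custom generated policy CIDR` does not say what the field does; suggest `description: "CIDR block to allow as the remote peer; mutually exclusive with remoteGenerated, remoteNamespace and remoteSelector"`. The generated `package-v1alpha1.ts` in this diff carries the same text and would need regenerating.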
@@ -58,9 +58,34 @@ export async function validator(req: PeprValidateRequest) { const networkPolicyNames = new Set(); for (const policy of networkPolicy) { - // remoteGenerated cannot be combined with remoteNamespace or remoteSelector - if (policy.remoteGenerated && (policy.remoteNamespace || policy.remoteSelector)) { - return req.Deny("remoteGenerated cannot be combined with remoteNamespace or remoteSelector"); + // If 'remoteGenerated' is set, it cannot be combined with 'remoteNamespace', 'remoteSelector', or 'remoteCidr'. + if ( + policy.remoteGenerated && + (policy.remoteNamespace || policy.remoteSelector || policy.remoteCidr) + ) { + return req.Deny( + "remoteGenerated cannot be combined with remoteNamespace, remoteSelector, or remoteCidr", + ); + } + + // If either 'remoteNamespace' or 'remoteSelector' is set, they cannot be combined with 'remoteGenerated' or 'remoteCidr'. + if ( + (policy.remoteNamespace || policy.remoteSelector) && + (policy.remoteGenerated || policy.remoteCidr) + ) { + return req.Deny( + "remoteNamespace and remoteSelector cannot be combined with remoteGenerated or remoteCidr", + ); + } + + // If 'remoteCidr' is set, it cannot be combined with 'remoteGenerated', 'remoteNamespace', or 'remoteSelector'. + if ( + policy.remoteCidr && + (policy.remoteGenerated || policy.remoteNamespace || policy.remoteSelector) + ) { + return req.Deny( + "remoteCidr cannot be combined with remoteGenerated, remoteNamespace, or remoteSelector", + ); } // Ensure the policy name is unique diff --git a/src/prometheus-stack/chart/templates/uds-package.yaml b/src/prometheus-stack/chart/templates/uds-package.yaml index 746a08692..2dfda03fb 100644 --- a/src/prometheus-stack/chart/templates/uds-package.yaml +++ b/src/prometheus-stack/chart/templates/uds-package.yaml 
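Review bot: The three exclusivity checks overlap—every pair the third `if` rejects is already rejected by the first two—and all three use truthiness, so `remoteCidr: ""` passes here while `generate.ts` in this diff treats any defined `remoteCidr` as a CIDR. Counting the populated remote kinds once reduces this to one condition and one message, and a shape check on the CIDR keeps malformed values out before a NetworkPolicy is built; `validator` starts outside the hunk, and the name-uniqueness code that follows is unchanged.
```typescript
    // Exactly one way of naming the remote peer may be used per rule
    const remoteKinds = [
      policy.remoteGenerated,
      policy.remoteNamespace || policy.remoteSelector,
      policy.remoteCidr !== undefined,
    ].filter(Boolean).length;
    if (remoteKinds > 1) {
      return req.Deny(
        "only one of remoteGenerated, remoteNamespace/remoteSelector, or remoteCidr may be set",
      );
    }

    // An IPv4 address/prefix is required; the API server would reject the generated policy otherwise
    if (policy.remoteCidr !== undefined && !/^(\d{1,3}\.){3}\d{1,3}\/\d{1,2}$/.test(policy.remoteCidr)) {
      return req.Deny(`remoteCidr "${policy.remoteCidr}" is not a valid IPv4 CIDR`);
    }

    // … unchanged: policy name uniqueness …
```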
@@ -46,9 +46,9 @@ spec: port: 10250 description: "Webhook" - # todo: lockdown egress to scrape targets + # Prometheus scrape targets - direction: Egress - remoteNamespace: "" + remoteNamespace: "" # todo: restrict this overly permissive netpol selector: app.kubernetes.io/name: prometheus description: "Metrics Scraping" @@ -62,9 +62,3 @@ spec: port: 9090 description: "Grafana Metrics Queries" - - direction: Egress - remoteNamespace: tempo - remoteSelector: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" diff --git a/src/promtail/chart/templates/uds-package.yaml b/src/promtail/chart/templates/uds-package.yaml index 1a66b8490..98a46eca7 100644 --- a/src/promtail/chart/templates/uds-package.yaml +++ b/src/promtail/chart/templates/uds-package.yaml @@ -27,13 +27,6 @@ spec: app.kubernetes.io/name: promtail remoteGenerated: KubeAPI - - direction: Egress - remoteNamespace: tempo - remoteSelector: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" - - direction: Egress selector: app.kubernetes.io/name: promtail diff --git a/src/velero/chart/templates/uds-package.yaml b/src/velero/chart/templates/uds-package.yaml index 616559ebc..0326a863e 100644 --- a/src/velero/chart/templates/uds-package.yaml +++ b/src/velero/chart/templates/uds-package.yaml @@ -6,11 +6,19 @@ metadata: spec: network: allow: - # Todo: wide open for now for pushing to s3 + # Egress for S3 connections - direction: Egress selector: app.kubernetes.io/name: velero + description: Storage + {{- if .Values.storage.internal.enabled }} + remoteSelector: {{ .Values.storage.internal.remoteSelector }} + remoteNamespace: {{ .Values.storage.internal.remoteNamespace }} + {{- else if .Values.storage.egressCidr }} + remoteCidr: {{ .Values.storage.egressCidr }} + {{- else }} remoteGenerated: Anywhere + {{- end }} - direction: Egress selector: diff --git a/src/velero/chart/values.yaml b/src/velero/chart/values.yaml index e69de29bb..fbb557b5a 100644 --- a/src/velero/chart/values.yaml 
+++ b/src/velero/chart/values.yaml @@ -0,0 +1,6 @@ +storage: + internal: + enabled: false + remoteSelector: {} + remoteNamespace: "" + egressCidr: ""