diff --git a/charts/litmus/templates/auth-server-network-policy.yaml b/charts/litmus/templates/auth-server-network-policy.yaml
new file mode 100644
index 00000000..65c43ee5
--- /dev/null
+++ b/charts/litmus/templates/auth-server-network-policy.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.networkPolicy.enabled -}}
+{{ $fullName := include "litmus-portal.fullname" . }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "litmus-portal.fullname" . }}-auth-server-network-policy
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-auth-server
+ {{- include "litmus-portal.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-auth-server
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ #normal connections
+ - from:
+ # Frontend --> auth-Server connection
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-frontend
+
+ ports:
+ - protocol: TCP
+ port: {{ .Values.portal.server.service.authRpcServer.targetPort }}
+
+ # GRPC connections
+ - from:
+ # gql-server --> auth-server, grpc connection
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-server
+ ports:
+ - protocol: TCP
+ port: {{ .Values.portal.server.service.authServer.targetPort }}
+
+ egress:
+ - to:
+ # Auth-Server -> database connection
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-database
+
+ # auth-server --> gql-server, grpc connection
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-server
+{{- end }}
\ No newline at end of file
diff --git a/charts/litmus/templates/chaos-exporter-network-policy.yaml b/charts/litmus/templates/chaos-exporter-network-policy.yaml
new file mode 100644
index 00000000..96fdccec
--- /dev/null
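Review bot: The `egress:` rule at the end of this file allows traffic only to pods labelled `-database` and `-server`, so once `networkPolicy.enabled` is set the auth-server can no longer reach the cluster DNS pods in `kube-system` and cannot resolve the service names it uses to reach those very pods; the same gap exists in frontend-network-policy.yaml and server-network-policy.yaml, whose egress is likewise limited to in-namespace pod selectors. An additional egress entry to the DNS pods on port 53 (UDP and TCP) is needed, as sketched below for clusters whose DNS pods carry the usual `k8s-app: kube-dns` label and whose namespaces carry `kubernetes.io/metadata.name`. Separately, the two ingress rules look as if their ports are crossed relative to their comments: the rule commented `Frontend --> auth-Server` allows `authRpcServer.targetPort` while the rule commented `grpc connection` allows `authServer.targetPort`, which is worth confirming against the auth-server service definition. The egress entries also carry no `ports:`, so every port of the database and server pods is reachable from the auth-server; reusing the `targetPort` values already used on the ingress side would tighten them.
```yaml
 egress:
   # DNS: the pod selectors below do not cover the DNS pods in kube-system,
   # so without this entry the database and gql-server service names
   # cannot be resolved once the policy is enabled
   - to:
       - namespaceSelector:
           matchLabels:
             kubernetes.io/metadata.name: kube-system
         podSelector:
           matchLabels:
             k8s-app: kube-dns
     ports:
       - protocol: UDP
         port: 53
       - protocol: TCP
         port: 53
   # … unchanged: existing rule to the database and gql-server pods …
```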
+++ b/charts/litmus/templates/chaos-exporter-network-policy.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.networkPolicy.enabled -}}
+{{ $fullName := include "litmus-portal.fullname" . }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "litmus-portal.fullname" . }}-chaos-exporter-network-policy
+spec:
+ podSelector:
+ matchLabels:
+ app: chaos-exporter
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ # Prometheus needs access for fetching metrics. PORT - 8080
+ - {}
+ egress:
+ # Needs access to kube-api-server for metrics
+ - {}
+{{- end }}
\ No newline at end of file
diff --git a/charts/litmus/templates/chaos-operator-network-policy.yaml b/charts/litmus/templates/chaos-operator-network-policy.yaml
new file mode 100644
index 00000000..4e0d88f0
--- /dev/null
+++ b/charts/litmus/templates/chaos-operator-network-policy.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.networkPolicy.enabled -}}
+{{ $fullName := include "litmus-portal.fullname" . }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "litmus-portal.fullname" . }}-chaos-operator-network-policy
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: operator
+ policyTypes:
+ - Egress
+ # Needs access to kube-api-server for reconcilation & running the chaos-injection
+ egress:
+ - {}
+{{- end }}
\ No newline at end of file
diff --git a/charts/litmus/templates/event-tracker-network-policy.yaml b/charts/litmus/templates/event-tracker-network-policy.yaml
new file mode 100644
index 00000000..9fc9ec60
--- /dev/null
+++ b/charts/litmus/templates/event-tracker-network-policy.yaml
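Review bot: Both `ingress: - {}` and `egress: - {}` match every peer on every port, so with `policyTypes` listing both directions this policy permits all traffic and restricts nothing. The comment above the ingress rule already names the scrape port (`PORT - 8080`), which is enough to narrow ingress to a port-only rule, `- ports:` / `- protocol: TCP` / `port: 8080`, while leaving the source open for Prometheus. The `podSelector` matches `app: chaos-exporter` rather than the `app.kubernetes.io/component` label the control-plane templates use; that only works if the exporter deployment really carries that label, which this hunk does not show. `$fullName` is assigned on the second line and never read, here and in every other template of this commit.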
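Review bot: With `policyTypes: - Egress` and `egress: - {}` this policy permits all egress and, since `Ingress` is not listed, leaves ingress untouched as well, so it is a no-op that only documents intent; event-tracker-network-policy.yaml and workflow-controller-network-policy.yaml have the identical shape, and subscriber-network-policy.yaml uses the same `- {}` for its egress. If the only requirement is the kube-apiserver, as the comment states, the rule can be narrowed to `ports:` for the API server port (443 or 6443 depending on the cluster) together with an `ipBlock` for its endpoint taken from a chart value; if the policy is meant as a placeholder, a comment above `egress:` saying so would stop readers from assuming the operator is confined. The comment also misspells `reconcilation` (reconciliation), here and in the event-tracker and workflow-controller templates.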
@@ -0,0 +1,16 @@
+{{- if .Values.networkPolicy.enabled -}}
+{{ $fullName := include "litmus-portal.fullname" . }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "litmus-portal.fullname" . }}-event-tracker-network-policy
+spec:
+ podSelector:
+ matchLabels:
+ app: event-tracker
+ policyTypes:
+ - Egress
+ # Needs access to kube-api-server for reconcilation on workflows & target-applications annoted for gitOps
+ egress:
+ - {}
+{{- end }}
\ No newline at end of file
diff --git a/charts/litmus/templates/frontend-network-policy.yaml b/charts/litmus/templates/frontend-network-policy.yaml
new file mode 100644
index 00000000..e0663bb4
--- /dev/null
+++ b/charts/litmus/templates/frontend-network-policy.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.networkPolicy.enabled -}}
+{{ $fullName := include "litmus-portal.fullname" . }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "litmus-portal.fullname" . }}-frontend-network-policy
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-frontend
+ {{- include "litmus-portal.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-frontend
+ ingress:
+ - {}
+ egress:
+ - to:
+ # frontend --> gql-server connection
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-server
+
+ # frontend --> auth-server connection
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-auth-server
+ policyTypes:
+ - Ingress
+ - Egress
+{{- end }}
\ No newline at end of file
diff --git a/charts/litmus/templates/mongo-network-policy.yaml b/charts/litmus/templates/mongo-network-policy.yaml
new file mode 100644
index 00000000..cbf1fd4b
--- /dev/null
+++ b/charts/litmus/templates/mongo-network-policy.yaml
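Review bot: `ingress: - {}` admits any source on any port of the frontend pod; that is the intended public entry point, but restricting it with a `ports:` entry for the frontend container port (its value is not visible in this hunk) keeps the policy meaningful if the pod ever exposes a second port. The egress `to:` list selects the server and auth-server pods without `ports:`, so adding the `targetPort` values that server-network-policy.yaml and auth-server-network-policy.yaml use on their ingress side would make the two sides symmetric. `policyTypes` is placed after `egress:` here while every other template in the commit places it before `ingress:`; the order has no semantic effect, but consistent placement makes the policies easier to diff against each other.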
@@ -0,0 +1,35 @@
+{{- if .Values.networkPolicy.enabled -}}
+{{ $fullName := include "litmus-portal.fullname" . }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "litmus-portal.fullname" . }}-database-network-policy
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-database
+ {{- include "litmus-portal.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-database
+ policyTypes:
+ - Ingress
+ - Egress
+ # No outbound connection allowed for DB
+ egress: []
+ ingress:
+ - from:
+ # Accepts connections from gql-server pod
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-server
+
+ # Accepts connections from authg-server pod
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-auth-server
+
+ ports:
+ - protocol: TCP
+ port: {{ .Values.mongo.service.targetPort }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/litmus/templates/server-network-policy.yaml b/charts/litmus/templates/server-network-policy.yaml
new file mode 100644
index 00000000..5ba7003f
--- /dev/null
+++ b/charts/litmus/templates/server-network-policy.yaml
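Review bot: `egress: []` together with `Egress` in `policyTypes` is a deny-all for outbound traffic, which is the right default for a standalone database but also blocks DNS and any peer traffic, so it would break the database if the chart's mongo were ever run as a replica set; extending the existing comment to `# No outbound connection allowed for DB (standalone only; a replica set would need member-to-member egress)` records that assumption for the next maintainer. The comment `# Accepts connections from authg-server pod` misspells auth-server. Both `from:` entries are bare `podSelector`s and therefore match only pods in the policy's own namespace, which is correct here because the rest of the chart renders the control-plane components into `.Release.Namespace`.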
@@ -0,0 +1,73 @@
+{{- if .Values.networkPolicy.enabled -}}
+{{ $fullName := include "litmus-portal.fullname" . }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "litmus-portal.fullname" . }}-server-network-policy
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-server
+ {{- include "litmus-portal.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-server
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ # Normal Query/Mutations/Subscriptions ---
+ - from:
+ # frontend --> gql-server connection
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-frontend
+
+ # self-agent --> gql-server, websocket connections
+ - podSelector:
+ matchLabels:
+ app: subscriber
+
+ #External Agent rules, please commentout & update as per requirements
+ # - from:
+ # - ipBlock:
+ # cidr: 10.0.0.0/24
+
+ ports:
+ - protocol: TCP
+ port: {{ .Values.portal.server.service.graphqlServer.targetPort }}
+
+ # GRPC connections -------
+ - from:
+ # auth-server --> gql-server, grpc connection
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-auth-server
+
+ ports:
+ - protocol: TCP
+ port: {{ .Values.portal.server.service.graphqlRpcServer.targetPort }}
+
+ egress:
+ - to:
+ # gql-server --> auth-server, grpc connection
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-auth-server
+
+ # Server -> database connection
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-database
+
+ # Server --> Self-agent, workflow CRUD Ops
+ - podSelector:
+ matchLabels:
+ app: subscriber
+
+ # Server --> External Agent connection, please commentout & update as per requirements
+ # - ipBlock:
+ # cidr: 10.0.0.0/24
+
+ # Needs access to kube-api-server as well for Ingress related operations
+{{- end }}
\ No newline at end of file
diff --git a/charts/litmus/templates/subscriber-network-policy.yaml b/charts/litmus/templates/subscriber-network-policy.yaml
new file mode 100644
index 00000000..3f4fc653
--- /dev/null
+++ b/charts/litmus/templates/subscriber-network-policy.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.networkPolicy.enabled -}}
+{{ $fullName := include "litmus-portal.fullname" . }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "litmus-portal.fullname" . }}-subscriber-network-policy
+spec:
+ podSelector:
+ matchLabels:
+ app: subscriber
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ # gql-server --> self-agent, Accepting workflow requests from gql-server
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: {{ include "litmus-portal.name" . }}-server
+
+ # external-agent --> gql-server connection, please commentout & update as per requirements
+ # - ipBlock:
+ # cidr: 10.0.0.0/24
+
+ egress:
+ # Needs access to kube-api-server for applying the workflows & for sending events/requests to gql-server
+ - {}
+{{- end }}
\ No newline at end of file
diff --git a/charts/litmus/templates/workflow-controller-network-policy.yaml b/charts/litmus/templates/workflow-controller-network-policy.yaml
new file mode 100644
index 00000000..52c2584a
--- /dev/null
+++ b/charts/litmus/templates/workflow-controller-network-policy.yaml
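Review bot: The trailing comment `# Needs access to kube-api-server as well for Ingress related operations` describes a requirement the policy does not grant: with `Egress` in `policyTypes` and `to:` limited to three in-namespace pod selectors, the gql-server's API-server calls (and its DNS lookups) are denied as soon as `networkPolicy.enabled` is true. An explicit egress rule for the API server is needed; its endpoint and port are cluster-specific, so the sketch below uses labelled placeholders that the chart should fill from values rather than hard-code. The commented-out external-agent block under the first ingress rule starts with `# - from:` at the indentation of the `- podSelector:` entries, so uncommenting it as written would nest a `from` inside the existing `from` list instead of adding a second rule; dropping the `- from:` line and keeping only the `- ipBlock:` entry, as the egress section of this same file already does, makes the template usable as intended. The phrase `please commentout & update` in both comments reads as the opposite of what is meant; `uncomment and update` is clearer.
```yaml
 egress:
   # … unchanged: rules to the auth-server, database and subscriber pods …
   # kube-apiserver, for the Ingress operations noted at the end of the file.
   # <API_SERVER_CIDR> and <API_SERVER_PORT> are placeholders: the endpoint
   # is cluster-specific and should come from a chart value.
   - to:
       - ipBlock:
           cidr: <API_SERVER_CIDR>
     ports:
       - protocol: TCP
         port: <API_SERVER_PORT>   # commonly 443 or 6443
```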
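Review bot: The ingress `from:` entry selects the gql-server with a bare `podSelector`, and server-network-policy.yaml selects `app: subscriber` the same way, so the two policies only let the server and the subscriber talk when the self-agent runs in `.Release.Namespace`; the values.yaml hunk files the subscriber under an execution-plane section marked `# only for self-agent`, so an agent installed into another namespace would be cut off. If a separate agent namespace is a supported layout, each of those entries needs a `namespaceSelector` next to its `podSelector`; otherwise a comment above `ingress:` stating the single-namespace assumption would save the next reader the analysis. The comment `# external-agent --> gql-server connection` on the commented-out `ipBlock` describes traffic towards the gql-server, yet this is the subscriber's ingress rule, so it should read `external-agent --> subscriber` or be removed from this file.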
@@ -0,0 +1,16 @@
+{{- if .Values.networkPolicy.enabled -}}
+{{ $fullName := include "litmus-portal.fullname" . }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "litmus-portal.fullname" . }}-workflow-controller-network-policy
+spec:
+ podSelector:
+ matchLabels:
+ app: workflow-controller
+ policyTypes:
+ - Egress
+ # Needs access to kube-api-server for reconcilation & running the scheduled workflows on the cluster
+ egress:
+ - {}
+{{- end }}
\ No newline at end of file
diff --git a/charts/litmus/values.yaml b/charts/litmus/values.yaml
index 23085cea..794baa3e 100644
--- a/charts/litmus/values.yaml
+++ b/charts/litmus/values.yaml
@@ -330,6 +330,22 @@ mongo:
 tolerations: []
 affinity: {}
 
+networkPolicy:
+ enabled: false
+ control-plane:
+ frontend:
+ server:
+ auth-server:
+ mongodb:
+
+ # only for self-agent
+ execution-plane:
+ subscriber:
+ event-tracker:
+ chaos-operator:
+ chaos-exporter:
+ workflow-controller:
+
 # OpenShift specific configuration
 openshift:
 # If service should be exposed using an OpenShift route
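Review bot: The per-component keys under `control-plane:` and `execution-plane:` (`frontend:`, `server:`, … `workflow-controller:`) are bare, so they parse as `null`, and none of the templates in this commit read them — every template gates only on `.Values.networkPolicy.enabled` — so they promise per-component control that does not exist. Either wire each template to its own flag, e.g. `{{- if and .Values.networkPolicy.enabled .Values.networkPolicy.<component>.enabled }}` with `enabled: true` under each component (`<component>` being a placeholder for the key), or drop the keys until they are used. The hyphenated group names are also awkward to consume from Go templates, since `.Values.networkPolicy.control-plane` does not parse as a field access and needs `index`; `controlPlane`/`executionPlane`, matching the camelCase of `networkPolicy` itself, avoids that. `enabled: false` as the default is sensible while the templates still lack DNS and API-server egress, but a comment above `enabled:` saying that the policies are opt-in and what they currently do not allow would help operators decide.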