NE-1476: Added network policies for DNS #458
rfredette wants to merge 3 commits into openshift:master from
@rfredette: This pull request references NE-1476 which is a valid jira issue.
[APPROVALNOTIFIER] This PR is NOT APPROVED.
Force-pushed from 3964cc9 to d30b60b.
/retest
Force-pushed from 470923d to 14ce844.
Tested with cluster bot. Changes are visible in the cluster, hence marking as verified.
@melvinjoseph86: This PR has been marked as verified by
Force-pushed from 14ce844 to 66e8615.
@rfredette: The following tests failed, say
/cc
| - Egress | ||
| - Ingress | ||
| egress: | ||
| - ports: |
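Review bot: `policyTypes` names both Egress and Ingress, but this excerpt shows only an `egress:` section; with `- Ingress` listed and no `ingress:` rules, every pod the policy selects gets deny-all ingress from this policy alone. If that is the intent for the operator namespace (the description says a separate deny-all policy already does this), a one-line comment beside `- Ingress` would make it explicit; otherwise drop it so the policy only expresses the egress allow it is meant to carry.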
@rfredette this rule seems a bit weird, so let me echo what you tried to do here:
- DNS must be able to speak with pods on namespace "openshift-apiserver" on port 6443
- DNS must be able to speak with anything on port 53 TCP and UDP
If so, what you need are two egress rules (right now what your rule is saying: allow any egress to port 6443, 53 TCP and UDP, and also allow any egress to any pod with label apiserver=true on namespace openshift-apiserver).
I guess the network policy you were expecting is something like this:
egress:
- to:
  - ipBlock:
      cidr: 0.0.0.0/0
  ports:
  - port: 53
    protocol: TCP
  - port: 53
    protocol: UDP
- to:
  - namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: openshift-apiserver
    podSelector:
      matchLabels:
        apiserver: "true"
  ports:
  - port: 6443
| - protocol: TCP | ||
| port: 8181 | ||
| from: | ||
| - namespaceSelector: |
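Review bot: the `from:` item under `port: 8181` carries a bare `namespaceSelector`, which admits every pod in a matching namespace rather than only the operator's pod. If only the dns-operator scrapes metrics, add a `podSelector` in the same list item (the two selectors in one item are AND-ed), e.g. `- namespaceSelector: {...}` followed by `podSelector: {...}` at the same indentation, and use one list item per namespace rather than repeating the `kubernetes.io/metadata.name` key inside a single `matchLabels` map, where only one value can survive.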
I think this will fail; the namespaceSelector.matchLabels is an AND operator. You are saying here you want traffic just from pods that are on a namespace that contains the labels metadata.name=openshift-dns-operator AND metadata.name=openshift-dns.
Instead, you could do something like:
from:
- namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: openshift-dns-operator
- namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: openshift-dns
Though, I am wondering why workloads running on openshift-dns would need to be able to reach metrics from other workloads on the same namespace. Would it make sense to limit it to just "from: openshift-dns-operator"?
Ah, btw, this is also conflicting: matchLabels is a map[string]string, so you are setting the same key twice. Probably worth removing "openshift-dns" from here and leaving just openshift-dns-operator.
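To make the two selector points in this thread concrete, here is an added example (not code from this PR or from the dns-operator) that evaluates NetworkPolicy peer and port matching over constructed sample rules: the single combined egress rule versus the two-rule form proposed for the 53/6443 case, and a one-item versus a two-item `from` list for the 8181 metrics port. The peer addresses, pod labels and the `name: dns-operator` label are assumptions made up for the example; matchExpressions and endPort are not modelled, and whether a given YAML loader rejects or collapses a repeated map key is not asserted, the dict simply keeps the last value.

```python
"""Added example, not code from the PR or the dns-operator: a small evaluator
for NetworkPolicy peer and port matching, used to show the two points raised
in the review. Semantics modelled from the NetworkPolicy API:
  * the items of a `to`/`from` list are OR-ed;
  * inside one item, namespaceSelector AND podSelector must both match;
  * a bare namespaceSelector admits every pod in a matching namespace;
  * `ports` and `to`/`from` of one rule are independent: every listed port
    is allowed to every listed peer.
All peers, labels and addresses below are constructed sample data."""
import ipaddress


def _labels_match(selector, labels):
    """matchLabels is an AND over its keys (matchExpressions not modelled)."""
    want = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())


def peer_matches(item, peer):
    """One `to`/`from` list item against a peer given as
    {"ip": str, "ns_labels": dict, "pod_labels": dict}."""
    if "ipBlock" in item:
        net = ipaddress.ip_network(item["ipBlock"]["cidr"])
        return ipaddress.ip_address(peer["ip"]) in net
    ns_ok = ("namespaceSelector" not in item
             or _labels_match(item["namespaceSelector"], peer["ns_labels"]))
    pod_ok = ("podSelector" not in item
              or _labels_match(item["podSelector"], peer["pod_labels"]))
    return ns_ok and pod_ok


def rule_allows(rule, peer, port, proto):
    """Some peer item must match AND some port item must match; a missing
    `ports` key means any port, a missing peer list means any peer."""
    peers = rule.get("to", rule.get("from"))
    peer_ok = not peers or any(peer_matches(i, peer) for i in peers)
    ports = rule.get("ports")
    port_ok = not ports or any(
        p["port"] == port and p.get("protocol", "TCP") == proto for p in ports)
    return peer_ok and port_ok


def allowed(rules, peer, port, proto):
    """The rules of one policy are OR-ed."""
    return any(rule_allows(r, peer, port, proto) for r in rules)


# Constructed peers (addresses and labels are assumptions for the example).
NS = "kubernetes.io/metadata.name"
APISERVER_POD = {"ip": "10.128.0.10", "ns_labels": {NS: "openshift-apiserver"},
                 "pod_labels": {"apiserver": "true"}}
OPERATOR_POD = {"ip": "10.128.0.20", "ns_labels": {NS: "openshift-dns-operator"},
                "pod_labels": {"name": "dns-operator"}}
OUTSIDE_HOST = {"ip": "203.0.113.7", "ns_labels": {}, "pod_labels": {}}  # RFC 5737 range

APISERVER_ITEM = {"namespaceSelector": {"matchLabels": {NS: "openshift-apiserver"}},
                  "podSelector": {"matchLabels": {"apiserver": "true"}}}
ANY_IP = {"ipBlock": {"cidr": "0.0.0.0/0"}}
DNS_PORTS = [{"port": 53, "protocol": "TCP"}, {"port": 53, "protocol": "UDP"}]
API_PORT = [{"port": 6443, "protocol": "TCP"}]

# Point 1: one rule with both peers and all ports, versus the two-rule form.
EGRESS_COMBINED = [{"to": [ANY_IP, APISERVER_ITEM], "ports": DNS_PORTS + API_PORT}]
EGRESS_SPLIT = [{"to": [ANY_IP], "ports": DNS_PORTS},
                {"to": [APISERVER_ITEM], "ports": API_PORT}]


def egress_6443_to_outside(rules):
    """Does this egress rule set let the pod open 6443/TCP to any host?"""
    return allowed(rules, OUTSIDE_HOST, 6443, "TCP")


# Point 2: the `from` list for the 8181 metrics port. A Python dict, like a
# YAML map whose loader keeps the last value, cannot hold the same key twice,
# so the single item collapses to "openshift-dns" and the operator namespace
# drops out; two list items are OR-ed and admit both namespaces.
FROM_SINGLE_ITEM = [{"namespaceSelector": {"matchLabels": {
    NS: "openshift-dns-operator", NS: "openshift-dns"}}}]  # duplicate key: last wins
FROM_TWO_ITEMS = [{"namespaceSelector": {"matchLabels": {NS: "openshift-dns-operator"}}},
                  {"namespaceSelector": {"matchLabels": {NS: "openshift-dns"}}}]


def operator_can_scrape(from_items):
    """Can the dns-operator pod reach the metrics port under this `from` list?"""
    metrics_rule = {"from": from_items, "ports": [{"port": 8181, "protocol": "TCP"}]}
    return allowed([metrics_rule], OPERATOR_POD, 8181, "TCP")


if __name__ == "__main__":
    print("combined rule, 6443 to any host:", egress_6443_to_outside(EGRESS_COMBINED))   # True
    print("split rules, 6443 to any host:  ", egress_6443_to_outside(EGRESS_SPLIT))      # False
    print("split rules, 6443 to apiserver: ", allowed(EGRESS_SPLIT, APISERVER_POD, 6443, "TCP"))  # True
    print("single from item, operator scrape:", operator_can_scrape(FROM_SINGLE_ITEM))  # False
    print("two from items, operator scrape:  ", operator_can_scrape(FROM_TWO_ITEMS))    # True
```

The combined rule is the one the review describes: because `ports` and `to` are independent within a rule, 6443/TCP becomes reachable at any IP, not just at the apiserver pod; the split form keeps 6443 bound to the apiserver selector while leaving 53 open to any upstream, which is what the configurable upstream setting requires.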
| verbs: | ||
| - "*" | ||
|
|
||
| - apiGroups: |
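Review bot: `verbs: - "*"` grants every verb on the resources of this `apiGroups` entry; list the verbs the operator actually issues for NetworkPolicy objects instead of `*` so the Role stays least-privilege, and confirm the Role entry is needed at all, since the `openshift-dns-operator` ClusterRoleBinding quoted in this thread already binds the `dns-operator` ServiceAccount to the `openshift-dns-operator` ClusterRole.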
do we really need this to be added to the Role? I can see the following ClusterRoleBinding on the cluster:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: openshift-dns-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openshift-dns-operator
subjects:
- kind: ServiceAccount
  name: dns-operator
  namespace: openshift-dns-operator
Which means the Pod from the operator (who will be creating the Network Policies) already has its permissions. I am not sure why the dns-operator role exists and why it would need to be able to add Network Policies as well.
Taking over from #443 from @knobunc. Original description:
Added the framework for network policies for DNS for the operator and the dns pods.
The operator has a deny-all network policy for the openshift-dns-operator namespace and an allow policy for egress to the apiserver and dns ports at any IP.
The operator installs a deny-all network policy for the openshift-dns namespace.
Then for each dns that it manages, it installs an allow policy for ingress for dns traffic and metrics.
It has to allow ingress from the dns pods to any IP because we allow configuration to set the upstream server and port, so any valid IP and port needs to be allowed.
It also needs access to the api server, but that is covered by the wildcard allow policy.
https://issues.redhat.com/browse/NE-1476