From 0bf3674539f63ccded123540b26a68eb195297a7 Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Sun, 16 Dec 2018 04:21:46 +0000
Subject: [PATCH] Revert "Add Egress Helm-toolkit function & enforce the nework policy at OSH-INFRA"

This reverts commit 8d33a2911cda0c9e88406b9eeacbd8dfa70286f2.

Change-Id: Ic861b9bf9b337449b47a3558da8355e7a5bcacee
---
 ceph-rgw/templates/network_policy.yaml | 21 -----
 ceph-rgw/values.yaml | 13 ---
 elasticsearch/values.yaml | 23 -----
 fluent-logging/values.yaml | 37 --------
 grafana/values.yaml | 20 -----
 .../templates/manifests/_network_policy.tpl | 89 +------------------
 ingress/values.yaml | 17 ----
 kibana/values.yaml | 19 ----
 ldap/values.yaml | 17 ----
 libvirt/values.yaml | 15 ----
 mariadb/values.yaml | 15 ----
 memcached/values.yaml | 15 ----
 nagios/values.yaml | 15 ----
 openvswitch/values.yaml | 13 ---
 postgresql/values.yaml | 22 -----
 prometheus/values.yaml | 15 ----
 rabbitmq/values.yaml | 15 ----
 tools/deployment/network-policy/040-ldap.sh | 45 +++++-----
 .../deployment/network-policy/045-mariadb.sh | 5 --
 .../network-policy/120-elasticsearch.sh | 7 +-
 .../network-policy/130-fluent-logging.sh | 21 ++++-
 21 files changed, 52 insertions(+), 407 deletions(-)
 delete mode 100644 ceph-rgw/templates/network_policy.yaml

diff --git a/ceph-rgw/templates/network_policy.yaml b/ceph-rgw/templates/network_policy.yaml
deleted file mode 100644
index bfc0b4def..000000000
--- a/ceph-rgw/templates/network_policy.yaml
+++ /dev/null
@@ -1,21 +0,0 @@ -{{/* -Copyright 2017-2018 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} -{{- if .Values.manifests.network_policy -}} -{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ceph-rgw" -}} -{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} -{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ceph" }} -{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} -{{- end -}} diff --git a/ceph-rgw/values.yaml b/ceph-rgw/values.yaml index fe459ff43..3e32fb1b5 100644 --- a/ceph-rgw/values.yaml +++ b/ceph-rgw/values.yaml @@ -474,18 +474,6 @@ endpoints: mon: default: 6789 -network_policy: - ceph-rgw: - ingress: - - {} - egress: - - {} - ceph: - ingress: - - {} - egress: - - {} - manifests: configmap_ceph_templates: true @@ -495,7 +483,6 @@ manifests: configmap_etc: true deployment_rgw: true ingress_rgw: true - network_policy: false job_ceph_rgw_storage_init: true job_image_repo_sync: true job_ks_endpoints: true diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml index 7e61523e9..6a36e6adc 100644 --- a/elasticsearch/values.yaml +++ b/elasticsearch/values.yaml 
@@ -586,21 +586,6 @@ endpoints: api: default: 8088 public: 80 - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. - # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - http: - default: 80 - default: - namespace: default - kube_system: - namespace: kube-system - kube_public: - namespace: kube-public monitoring: prometheus: @@ -621,13 +606,6 @@ network: enabled: false port: 30920 -network_policy: - elasticsearch: - ingress: - - {} - egress: - - {} - storage: enabled: true pvc: @@ -645,7 +623,6 @@ manifests: deployment_client: true deployment_master: true ingress: true - network_policy: false job_image_repo_sync: true job_snapshot_repository: true job_s3_user: true diff --git a/fluent-logging/values.yaml b/fluent-logging/values.yaml index 7c43e4f64..7b8212a70 100644 --- a/fluent-logging/values.yaml +++ b/fluent-logging/values.yaml @@ -481,43 +481,6 @@ endpoints: port: metrics: default: 9309 - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. - # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - http: - default: 80 - default: - namespace: default - kube_system: - namespace: kube-system - kube_public: - namespace: kube-public - -network_policy: - fluentbit: - ingress: - - {} - egress: - - {} - fluentd: - ingress: - - {} - egress: - - {} - fluent: - ingress: - - {} - egress: - - {} - fluent-logging: - ingress: - - {} - egress: - - {} monitoring: prometheus: diff --git a/grafana/values.yaml b/grafana/values.yaml index 8f837074b..47775ca7e 100644 --- a/grafana/values.yaml +++ b/grafana/values.yaml 
@@ -232,26 +232,6 @@ endpoints:
 port:
 ldap:
 default: 389
- #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
- # They are using to enable the Egress K8s network policy.
- k8s:
- port:
- api:
- default: 6443
- internal: 5000
- http:
- default: 80
- default:
- namespace: default
- kube_system:
- namespace: kube-system
- kube_public:
- namespace: kube-public
-
-network_policy:
- grafana:
- egress:
- - {}
 dependencies:
 dynamic:
diff --git a/helm-toolkit/templates/manifests/_network_policy.tpl b/helm-toolkit/templates/manifests/_network_policy.tpl
index 75e2608c6..3d412892a 100644
--- a/helm-toolkit/templates/manifests/_network_policy.tpl
+++ b/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -11,28 +11,12 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
+
 {{/*
 abstract: |
 Creates a network policy manifest for services.
 values: |
-endpoints:
- kube_dns:
- namespace: kube-system
- name: kubernetes-dns
- hosts:
- default: kube-dns
- host_fqdn_override:
- default: null
- path:
- default: null
- scheme: http
- port:
- dns_tcp:
- default: 53
- dns:
- default: 53
- protocol: UDP
-network_policy:
+ network_policy:
 myLabel:
 ingress:
 - from:
@@ -42,14 +26,6 @@ network_policy:
 ports:
 - protocol: TCP
 port: 80
- egress:
- - to:
- - namespaceSelector:
- matchLabels:
- name: default
- - namespaceSelector:
- matchLabels:
- name: kube-public
 usage: |
 {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
 return: |
@@ -75,25 +51,7 @@ return: |
 - protocol: TCP
 port: 80
 egress:
- - to:
- - podSelector:
- matchLabels:
- application: kube-dns
- - namespaceSelector:
- matchLabels:
- name: kube-system
- ports:
- - protocol: TCP
- port: 53
- - protocol: UDP
- port: 53
- - to:
- - namespaceSelector:
- matchLabels:
- name: kube-public
- - namespaceSelector:
- matchLabels:
- name: default
+ - {}
 */}}

 {{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
@@ -118,47 +76,8 @@ spec:
 matchLabels:
 {{ $name }}: {{ $label }}
 egress:
-{{- range $key, $value := $envAll.Values.endpoints }}
-{{- if kindIs "map" $value }}
- - to:
-{{- if index $value "namespace" }}
- - namespaceSelector:
- matchLabels:
- name: {{ index $value "namespace" }}
-{{- else if index $value "hosts" }}
-{{- $defaultValue := index $value "hosts" "internal" }}
-{{- if hasKey (index $value "hosts") "internal" }}
-{{- $a := split "-" $defaultValue }}
- - podSelector:
- matchLabels:
- application: {{ printf "%s" (index $a._0) | default $defaultValue }}
-{{- else }}
-{{- $defaultValue := index $value "hosts" "default" }}
-{{- $a := split "-" $defaultValue }}
- - podSelector:
- matchLabels:
- application: {{ printf "%s" (index $a._0) | default $defaultValue }}
-{{- end }}
-{{- end }}
- ports:
-{{- if index $value "port" }}
-{{- range $k, $v := index $value "port" }}
-{{- if $k }}
-{{- range $pk, $pv := $v }}
-{{- if (ne $pk "protocol") }}
- - port: {{ $pv }}
- protocol: {{ $v.protocol | default "TCP" }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
+ - {}
 {{- if hasKey (index $envAll.Values "network_policy") $label }}
-{{- if index $envAll.Values.network_policy $label "egress" }}
-{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
-{{- end }}
 {{- if index $envAll.Values.network_policy $label "ingress" }}
 ingress:
 {{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
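Review bot: The `egress:` block in the define now emits an unconditional `- {}` rule, which is an allow-all egress rule, while the `network_policy.<label>.egress` lookup just below it is removed, so any chart that still sets an `egress:` list under `network_policy` will have it silently ignored rather than rendered or rejected (the mariadb, memcached, rabbitmq and openvswitch `network_policy:` stanzas in this patch are cut off before their remaining keys, so whether any still carries one cannot be confirmed from here). If allow-all egress is the intended post-revert behaviour, record it next to the emitted rule so the values key is not assumed to be honoured, e.g. `{{/* egress is unconditionally allow-all; network_policy.<label>.egress is not consulted */}}` placed above `egress:`. The `return:` example in the preceding hunk (`@@ -75,25 +51,7 @@`) documents the same `- {}`, so the doc block and the code agree. The define's header and the rest of the rendered spec, including whether Egress is listed under policyTypes, lie outside the hunk.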
diff --git a/ingress/values.yaml b/ingress/values.yaml index 9d33894d6..6b7df26ab 100644 --- a/ingress/values.yaml +++ b/ingress/values.yaml @@ -198,28 +198,11 @@ endpoints: dns: default: 53 protocol: UDP - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. - # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - http: - default: 80 - default: - namespace: default - kube_system: - namespace: kube-system - kube_public: - namespace: kube-public network_policy: ingress: ingress: - {} - egress: - - {} conf: controller: diff --git a/kibana/values.yaml b/kibana/values.yaml index 61cc916f7..9721ff707 100644 --- a/kibana/values.yaml +++ b/kibana/values.yaml @@ -294,26 +294,7 @@ endpoints: port: ldap: default: 389 - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. - # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - http: - default: 80 - default: - namespace: default - kube_system: - namespace: kube-system - kube_public: - namespace: kube-public -network_policy: - kibana: - egress: - - {} network: kibana: ingress: diff --git a/ldap/values.yaml b/ldap/values.yaml index 2bf3ee80d..716b31852 100644 --- a/ldap/values.yaml +++ b/ldap/values.yaml @@ -146,28 +146,11 @@ endpoints: port: ldap: default: 389 - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. - # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - http: - default: 80 - default: - namespace: default - kube_system: - namespace: kube-system - kube_public: - namespace: kube-public network_policy: ldap: ingress: - {} - egress: - - {} data: sample: | diff --git a/libvirt/values.yaml b/libvirt/values.yaml index ac368b101..b2551d86a 100644 --- a/libvirt/values.yaml +++ b/libvirt/values.yaml 
@@ -57,26 +57,11 @@ endpoints: port: registry: node: 5000 - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. - # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - default: - namespace: default - kube_system: - namespace: kube-system - kube_public: - namespace: kube-public network_policy: libvirt: ingress: - {} - egress: - - {} ceph_client: configmap: ceph-etc diff --git a/mariadb/values.yaml b/mariadb/values.yaml index 846b4aa01..62051ca68 100644 --- a/mariadb/values.yaml +++ b/mariadb/values.yaml @@ -275,21 +275,6 @@ endpoints: dns: default: 53 protocol: UDP - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. - # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - http: - default: 80 - default: - namespace: default - kube_system: - namespace: kube-system - kube_public: - namespace: kube-public network_policy: mariadb: diff --git a/memcached/values.yaml b/memcached/values.yaml index 8f099cb08..9ca41237b 100644 --- a/memcached/values.yaml +++ b/memcached/values.yaml @@ -98,21 +98,6 @@ endpoints: dns: default: 53 protocol: UDP - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. - # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - http: - default: 80 - default: - namespace: default - kube_system: - namespace: kube-system - kube_public: - namespace: kube-public network_policy: memcached: diff --git a/nagios/values.yaml b/nagios/values.yaml index 64dca29da..a11df1d58 100644 --- a/nagios/values.yaml +++ b/nagios/values.yaml 
@@ -168,21 +168,6 @@ endpoints: default: 9283 scheme: default: http - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. - # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - http: - default: 80 - default: - namespace: default - kube_system: - namespace: kube-system - kube_public: - namespace: kube-public network: nagios: diff --git a/openvswitch/values.yaml b/openvswitch/values.yaml index c01c820f7..3804ed6a5 100644 --- a/openvswitch/values.yaml +++ b/openvswitch/values.yaml @@ -90,19 +90,6 @@ endpoints: port: registry: node: 5000 - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. - # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - default: - namespace: default - kube_system: - namespace: kube-system - kube_public: - namespace: kube-public network_policy: openvswitch: diff --git a/postgresql/values.yaml b/postgresql/values.yaml index 0203a6e37..2a52b0571 100644 --- a/postgresql/values.yaml +++ b/postgresql/values.yaml @@ -198,32 +198,10 @@ endpoints: port: metrics: default: 9187 - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. - # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - http: - default: 80 - default: - namespace: default - kube_system: - namespace: kube-system - kube_public: - namespace: kube-public - -network_policy: - postgresql: - ingress: - - {} - manifests: configmap_bin: true job_image_repo_sync: true - network_policy: false secret_admin: true service: true statefulset: true diff --git a/prometheus/values.yaml b/prometheus/values.yaml index 1d4e489a5..28ed48700 100644 --- a/prometheus/values.yaml +++ b/prometheus/values.yaml 
@@ -167,21 +167,6 @@ endpoints: port: ldap: default: 389 - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. - # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - http: - default: 80 - default: - namespace: default - kube_system: - namespace: kube-system - kube_public: - namespace: kube-public dependencies: dynamic: diff --git a/rabbitmq/values.yaml b/rabbitmq/values.yaml index 872bca1d0..d1cad04c2 100644 --- a/rabbitmq/values.yaml +++ b/rabbitmq/values.yaml @@ -265,21 +265,6 @@ endpoints: dns: default: 53 protocol: UDP - #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access. - # They are using to enable the Egress K8s network policy. - k8s: - port: - api: - default: 6443 - internal: 5000 - http: - default: 80 - default: - namespace: default - kube_system: - namespace: kube-system - kube_public: - namespace: kube-public network_policy: rabbitmq: diff --git a/tools/deployment/network-policy/040-ldap.sh b/tools/deployment/network-policy/040-ldap.sh index 66efc6aaf..259222d5f 100755 --- a/tools/deployment/network-policy/040-ldap.sh +++ b/tools/deployment/network-policy/040-ldap.sh @@ -23,29 +23,28 @@ tee /tmp/ldap.yaml <