
Commit ed15c1d

authored
Merge pull request #546 from domdom82/cilium-deny-all-nwpol
Cilium deny all netpol prepare
2 parents 2a1f471 + 2e5a0d8 commit ed15c1d


12 files changed

+135
-5
lines changed


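--- a/Makefile
+++ b/Makefile
@@ -16,6 +16,7 @@ EFFECTIVE_VERSION := $(VERSION)-$(shell git rev-parse HEAD)
 LD_FLAGS := "-w $(shell bash $(GARDENER_HACK_DIR)/get-build-ld-flags.sh "" $(REPO_ROOT)/VERSION "$(EXTENSION_PREFIX)")"
 LEADER_ELECTION := false
 IGNORE_OPERATION_ANNOTATION := true
+ARCH ?= amd64
 
 ifneq ($(strip $(shell git status --porcelain 2>/dev/null)),)
 EFFECTIVE_VERSION := $(EFFECTIVE_VERSION)-dirty
@@ -66,8 +67,8 @@ docker-login:
 
 .PHONY: docker-images
 docker-images:
-@docker build --build-arg EFFECTIVE_VERSION=$(EFFECTIVE_VERSION) -t $(IMAGE_PREFIX)/$(NAME):$(VERSION) -t $(IMAGE_PREFIX)/$(NAME):latest -f Dockerfile -m 6g --target $(EXTENSION_PREFIX)-$(NAME) .
-@docker build --build-arg EFFECTIVE_VERSION=$(EFFECTIVE_VERSION) -t $(IMAGE_PREFIX)/$(ADMISSION_NAME):$(VERSION) -t $(IMAGE_PREFIX)/$(ADMISSION_NAME):latest -f Dockerfile -m 6g --target $(EXTENSION_PREFIX)-$(ADMISSION_NAME) .
+@docker build --platform=linux/$(ARCH) --build-arg EFFECTIVE_VERSION=$(EFFECTIVE_VERSION) -t $(IMAGE_PREFIX)/$(NAME):$(VERSION) -t $(IMAGE_PREFIX)/$(NAME):latest -f Dockerfile -m 6g --target $(EXTENSION_PREFIX)-$(NAME) .
+@docker build --platform=linux/$(ARCH) --build-arg EFFECTIVE_VERSION=$(EFFECTIVE_VERSION) -t $(IMAGE_PREFIX)/$(ADMISSION_NAME):$(VERSION) -t $(IMAGE_PREFIX)/$(ADMISSION_NAME):latest -f Dockerfile -m 6g --target $(EXTENSION_PREFIX)-$(ADMISSION_NAME) .
 
 #####################################################################
 # Rules for verification, formatting, linting, testing and cleaning #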
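Review bot: `ARCH ?= amd64` at line 19 is undocumented, and the `--platform=linux/$(ARCH)` it feeds at lines 70–71 now forces an amd64 image even when the developer's host is arm64, where the build only succeeds with emulation set up. A one-line comment above the variable would make the intent visible, e.g. `# ARCH: target CPU architecture for docker-images (linux/$(ARCH)); override with ARCH=arm64 for a native image on arm hosts`. Consider whether the default should follow the host instead (`ARCH ?= $(shell go env GOARCH)`), so local builds stay native while CI can still pin amd64 explicitly.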

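--- a/charts/internal/cilium/charts/agent/templates/daemonset.yaml
+++ b/charts/internal/cilium/charts/agent/templates/daemonset.yaml
@@ -34,6 +34,9 @@ spec:
 k8s-app: cilium
 app.kubernetes.io/name: cilium-agent
 app.kubernetes.io/part-of: cilium
+networking.gardener.cloud/to-public-networks: allowed
+networking.gardener.cloud/to-apiserver: allowed
+networking.gardener.cloud/to-dns: allowed
 spec:
 containers:
 {{- if .Values.global.sleepAfterInit }}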
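Review bot: The three `networking.gardener.cloud/*: allowed` labels added at lines 37–39 are the broadest grant available once the deny-all policies this PR prepares for are active, and the identical block is repeated in envoy/templates/daemonset.yaml, hubble-relay/templates/deployment.yaml, hubble-ui/templates/deployment.yaml and operator/templates/deployment.yaml without any per-component justification. As far as the policies on this page show, hubble-relay only talks to hubble-ui and to in-cluster peers on `peerPort`, and hubble-ui only talks to hubble-relay, so `to-public-networks: allowed` looks unnecessary for those two and should be dropped unless they have an external dependency that is not visible here. For cilium-agent and cilium-envoy the daemonset presumably runs in the host network namespace (not visible in this hunk), in which case pod-level labels would not govern their traffic at all; a short comment above the block naming which label is actually load-bearing for which component would prevent the set from being cargo-culted onto future workloads.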

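--- a/charts/internal/cilium/charts/envoy/templates/daemonset.yaml
+++ b/charts/internal/cilium/charts/envoy/templates/daemonset.yaml
@@ -29,6 +29,9 @@ spec:
 k8s-app: cilium-envoy
 app.kubernetes.io/name: cilium-envoy
 app.kubernetes.io/part-of: cilium
+networking.gardener.cloud/to-public-networks: allowed
+networking.gardener.cloud/to-apiserver: allowed
+networking.gardener.cloud/to-dns: allowed
 spec:
 containers:
 - name: cilium-envoy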

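--- a/charts/internal/cilium/charts/hubble-relay/templates/deployment.yaml
+++ b/charts/internal/cilium/charts/hubble-relay/templates/deployment.yaml
@@ -18,6 +18,9 @@ spec:
 k8s-app: {{ .Chart.Name }}
 app.kubernetes.io/name: {{ .Chart.Name }}
 app.kubernetes.io/part-of: cilium
+networking.gardener.cloud/to-public-networks: allowed
+networking.gardener.cloud/to-apiserver: allowed
+networking.gardener.cloud/to-dns: allowed
 spec:
 securityContext:
 fsGroup: 65532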
Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
1+
apiVersion: cilium.io/v2
2+
kind: CiliumNetworkPolicy
3+
metadata:
4+
name: gardener.cloud--allow-hubble-relay-from-hubble-ui
5+
namespace: {{ .Release.Namespace }}
6+
spec:
7+
endpointSelector:
8+
matchLabels:
9+
k8s-app: hubble-relay
10+
ingress:
11+
- fromEndpoints:
12+
- matchLabels:
13+
k8s-app: hubble-ui
14+
toPorts:
15+
- ports:
16+
- port: "4245"
17+
protocol: TCP
18+
---
19+
apiVersion: cilium.io/v2
20+
kind: CiliumNetworkPolicy
21+
metadata:
22+
name: gardener.cloud--allow-hubble-ui-to-hubble-relay
23+
namespace: {{ .Release.Namespace }}
24+
spec:
25+
endpointSelector:
26+
matchLabels:
27+
k8s-app: hubble-ui
28+
egress:
29+
- toEndpoints:
30+
- matchLabels:
31+
k8s-app: hubble-relay
32+
toPorts:
33+
- ports:
34+
- port: "4245"
35+
protocol: TCP
36+
---
37+
apiVersion: cilium.io/v2
38+
kind: CiliumNetworkPolicy
39+
metadata:
40+
name: gardener.cloud--allow-hubble-relay-to-peers
41+
namespace: {{ .Release.Namespace }}
42+
spec:
43+
endpointSelector:
44+
matchLabels:
45+
k8s-app: hubble-relay
46+
egress:
47+
- toEntities:
48+
- cluster
49+
toPorts:
50+
- ports:
51+
- port: "{{ .Values.global.hubble.peerPort }}"
52+
protocol: TCP

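--- a/charts/internal/cilium/charts/hubble-ui/templates/deployment.yaml
+++ b/charts/internal/cilium/charts/hubble-ui/templates/deployment.yaml
@@ -23,6 +23,9 @@ spec:
 k8s-app: {{ .Chart.Name }}
 app.kubernetes.io/name: {{ .Chart.Name }}
 app.kubernetes.io/part-of: cilium
+networking.gardener.cloud/to-public-networks: allowed
+networking.gardener.cloud/to-apiserver: allowed
+networking.gardener.cloud/to-dns: allowed
 spec:
 securityContext:
 fsGroup: 1001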

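--- a/charts/internal/cilium/charts/network-policy/templates/nodelocaldns.yaml
+++ b/charts/internal/cilium/charts/network-policy/templates/nodelocaldns.yaml
@@ -20,4 +20,27 @@ spec:
 - port: "53"
 name: dns-tcp
 protocol: TCP
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+name: "nodelocaldns"
+spec:
+endpointSelector:
+matchLabels:
+k8s:io.kubernetes.pod.namespace: kube-system
+k8s-app: node-local-dns
+ingress:
+- fromEndpoints:
+- {}
+toPorts:
+- ports:
+- port: "53"
+protocol: TCP
+- port: "53"
+protocol: UDP
+- port: "9253"
+protocol: TCP
+- port: "9353"
+protocol: TCP
 {{- end }}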
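Review bot: The new `nodelocaldns` CiliumClusterwideNetworkPolicy at lines 23–45 selects the cache pods by label via `endpointSelector`, but upstream node-local-dns runs with `hostNetwork: true`, and Cilium treats host-networked pods as part of the host endpoint rather than as pod endpoints, so if that is the case in this chart (not visible here) the rule selects nothing and DNS to the node-local cache is still unprotected once deny-all lands; a host policy keyed on `nodeSelector` would be the matching construct, and the chart should state which mode it targets. The `fromEndpoints: [{}]` rule admits every cluster endpoint to all four ports, which is reasonable for 53/TCP and 53/UDP but the metrics ports 9253 and 9353 could be narrowed to the scraping component. The quoted name `"nodelocaldns"` also departs from the `gardener.cloud--` prefix the hubble policies in this PR use. The enclosing `{{- if }}` block opens outside the hunk.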

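--- a/charts/internal/cilium/charts/operator/templates/deployment.yaml
+++ b/charts/internal/cilium/charts/operator/templates/deployment.yaml
@@ -37,6 +37,9 @@ spec:
 name: cilium-operator
 app.kubernetes.io/part-of: cilium
 app.kubernetes.io/name: cilium-operator
+networking.gardener.cloud/to-public-networks: allowed
+networking.gardener.cloud/to-apiserver: allowed
+networking.gardener.cloud/to-dns: allowed
 spec:
 # In HA mode, cilium-operator pods must not be scheduled on the same
 # node as they will clash with each other.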

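--- a/test/e2e/common_test.go
+++ b/test/e2e/common_test.go
@@ -51,10 +51,12 @@ func defaultShoot(generateName string) *gardencorev1beta1.Shoot {
 Spec: gardencorev1beta1.ShootSpec{
 Region: "local",
 SecretBindingName: ptr.To("local"),
-CloudProfileName: ptr.To("local"),
+CloudProfile: &gardencorev1beta1.CloudProfileReference{
+Name: "local",
+Kind: "CloudProfile",
+},
 Kubernetes: gardencorev1beta1.Kubernetes{
-Version: "1.30.0",
-EnableStaticTokenKubeconfig: ptr.To(false),
+Version: "1.30.0",
 Kubelet: &gardencorev1beta1.KubeletConfig{
 SerializeImagePulls: ptr.To(false),
 RegistryPullQPS: ptr.To(int32(10)),
@@ -84,6 +86,11 @@ func defaultShoot(generateName string) *gardencorev1beta1.Shoot {
 Maximum: 2,
 }},
 },
+SystemComponents: &gardencorev1beta1.SystemComponents{
+NodeLocalDNS: &gardencorev1beta1.NodeLocalDNS{
+Enabled: true,
+},
+},
 },
 }
 }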
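Review bot: Enabling NodeLocalDNS for every e2e shoot at lines 89–93 carries no comment, so the next reader cannot tell whether the default shoot deliberately differs from a plain one or whether it was left over from debugging; presumably it exists so the run exercises the new nodelocaldns Cilium policy. Add `// NodeLocalDNS is enabled so the e2e run covers the nodelocaldns network policy under deny-all.` above the `SystemComponents` field. The opening of defaultShoot lies outside this hunk.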

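--- a/test/e2e/network_connectivity_test.go
+++ b/test/e2e/network_connectivity_test.go
@@ -11,6 +11,7 @@ import (
 
 batchv1 "k8s.io/api/batch/v1"
 corev1 "k8s.io/api/core/v1"
+networkingv1 "k8s.io/api/networking/v1"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/utils/ptr"
@@ -34,6 +35,19 @@ var _ = Describe("Network Extension Tests", Label("Network"), func() {
 Expect(f.CreateShootAndWaitForCreation(ctx, false)).To(Succeed())
 f.Verify()
 
+By("Create Deny-All Network Policy")
+denyAllPolicy := &networkingv1.NetworkPolicy{
+ObjectMeta: v1.ObjectMeta{Name: "deny-all", Namespace: templates.NetworkConnectivityTestNamespace},
+Spec: networkingv1.NetworkPolicySpec{
+PodSelector: v1.LabelSelector{},
+PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress},
+Ingress: []networkingv1.NetworkPolicyIngressRule{},
+Egress: []networkingv1.NetworkPolicyEgressRule{},
+},
+}
+err := f.ShootFramework.ShootClient.Client().Create(ctx, denyAllPolicy)
+Expect(err).NotTo(HaveOccurred())
+
 By("Test Networking")
 ctx, cancel = context.WithTimeout(parentCtx, defaultTimeout)
 defer cancel()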
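Review bot: The deny-all NetworkPolicy created at line 48 is never removed in this hunk and nothing asserts that it is actually enforced, so a CNI that silently ignores the object would pass "Test Networking" exactly as a correctly enforcing one does, which makes the new step unable to catch the regression it is presumably meant to guard. Register the teardown right after the successful create, e.g. `DeferCleanup(func() { Expect(f.ShootFramework.ShootClient.Client().Delete(parentCtx, denyAllPolicy)).To(Succeed()) })` (Ginkgo v2), and add a negative probe from a pod without the allow labels that is expected to time out. The `Create` also runs on the `ctx` from before line 52, so it is bounded by whichever timeout that earlier context carries rather than `defaultTimeout`; the enclosing `Describe` body starts and ends outside the hunk.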
