github.com/verrazzano/verrazzano@v1.7.0/platform-operator/internal/k8s/netpolicy/netpolicy.go (about) 1 // Copyright (c) 2021, 2022, Oracle and/or its affiliates. 2 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. 3 4 package netpolicy 5 6 import ( 7 "context" 8 "github.com/verrazzano/verrazzano/platform-operator/constants" 9 corev1 "k8s.io/api/core/v1" 10 netv1 "k8s.io/api/networking/v1" 11 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 12 "k8s.io/apimachinery/pkg/util/intstr" 13 "k8s.io/client-go/kubernetes" 14 "sigs.k8s.io/controller-runtime/pkg/client" 15 "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" 16 ) 17 18 const ( 19 networkPolicyAPIVersion = "networking.k8s.io/v1" 20 networkPolicyKind = "NetworkPolicy" 21 networkPolicyPodName = "verrazzano-platform-operator" 22 networkPolicyPodName2 = "verrazzano-platform-operator-webhook" 23 podAppLabel = "app" 24 verrazzanoNamespaceLabel = "verrazzano.io/namespace" 25 appNameLabel = "app.kubernetes.io/name" 26 apiServerEndpointName = "kubernetes" 27 ) 28 29 // CreateOrUpdateNetworkPolicies creates or updates network policies for the platform operator to 30 // limit network ingress. 
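// CreateOrUpdateNetworkPolicies creates or updates the NetworkPolicy objects that
// limit ingress to the platform operator and its webhook (see newNetworkPolicies).
//
// One controllerutil.CreateOrUpdate call is made per policy. Each call's
// OperationResult is appended to the returned slice in policy order, and any
// error is collected rather than aborting the loop, so a failure on one policy
// does not stop the remaining policies from being reconciled. The returned error
// slice is empty when every policy was applied successfully.
//
// clientset is not used by this function; it is kept for interface compatibility.
func CreateOrUpdateNetworkPolicies(clientset kubernetes.Interface, client client.Client) ([]controllerutil.OperationResult, []error) {
	var opResults []controllerutil.OperationResult
	var errs []error

	ctx := context.TODO()
	for _, netPolicy := range newNetworkPolicies() {
		// Only name and namespace are set on the key object; CreateOrUpdate loads
		// the live object (if one exists) into it before running the mutate func.
		target := &netv1.NetworkPolicy{ObjectMeta: metav1.ObjectMeta{
			Name:      netPolicy.Name,
			Namespace: netPolicy.Namespace,
		}}

		opResult, err := controllerutil.CreateOrUpdate(ctx, client, target, func() error {
			// Replace the live spec with the desired one. Metadata beyond
			// name/namespace (labels, annotations) is not set here.
			netPolicy.Spec.DeepCopyInto(&target.Spec)
			return nil
		})
		opResults = append(opResults, opResult)
		if err != nil {
			errs = append(errs, err)
		}
	}

	return opResults, errs
}

// newNetworkPolicies returns the two ingress-only NetworkPolicies applied by this
// operator, both in constants.VerrazzanoInstallNamespace:
//
//   - networkPolicyPodName selects the operator pod and admits only TCP on
//     metricsPort from the Prometheus pods in the monitoring namespace.
//   - networkPolicyPodName2 selects the webhook pod and admits TCP on
//     webhookPort from any source (the rule has no From peers) plus the same
//     Prometheus metrics rule.
//
// PolicyTypes lists only Ingress, so neither policy restricts egress.
func newNetworkPolicies() []*netv1.NetworkPolicy {
	tcpProtocol := corev1.ProtocolTCP
	webhookPort := intstr.FromInt(9443)
	metricsPort := intstr.FromInt(9100)

	operatorPolicy := newIngressPolicy(networkPolicyPodName, []netv1.NetworkPolicyIngressRule{
		prometheusScrapeRule(&tcpProtocol, &metricsPort),
	})

	webhookPolicy := newIngressPolicy(networkPolicyPodName2, []netv1.NetworkPolicyIngressRule{
		{
			// No From peers: TCP on webhookPort is admitted from any source,
			// including the kubernetes API server that invokes the webhook.
			// Presumably left open because the API server is not a pod that
			// namespace/pod selectors can match; an IPBlock peer could narrow
			// it if the API server's source addresses are known for the cluster.
			Ports: []netv1.NetworkPolicyPort{{Protocol: &tcpProtocol, Port: &webhookPort}},
		},
		prometheusScrapeRule(&tcpProtocol, &metricsPort),
	})

	return []*netv1.NetworkPolicy{operatorPolicy, webhookPolicy}
}

// newIngressPolicy builds an ingress-only NetworkPolicy in the install namespace.
// name is used both as the object name and as the podAppLabel value the policy
// selects; rules become the policy's ingress rules verbatim.
func newIngressPolicy(name string, rules []netv1.NetworkPolicyIngressRule) *netv1.NetworkPolicy {
	return &netv1.NetworkPolicy{
		TypeMeta: metav1.TypeMeta{
			APIVersion: networkPolicyAPIVersion,
			Kind:       networkPolicyKind,
		},
		ObjectMeta: metav1.ObjectMeta{
			Namespace: constants.VerrazzanoInstallNamespace,
			Name:      name,
		},
		Spec: netv1.NetworkPolicySpec{
			PodSelector: metav1.LabelSelector{
				MatchLabels: map[string]string{podAppLabel: name},
			},
			PolicyTypes: []netv1.PolicyType{netv1.PolicyTypeIngress},
			Ingress:     rules,
		},
	}
}

// prometheusScrapeRule returns an ingress rule admitting protocol/port traffic
// only from pods labelled appNameLabel=constants.PrometheusStorageLabelValue in
// the namespace labelled verrazzanoNamespaceLabel=constants.VerrazzanoMonitoringNamespace,
// i.e. the Prometheus server scraping metrics. Both selectors are set on one
// peer, so both must match.
func prometheusScrapeRule(protocol *corev1.Protocol, port *intstr.IntOrString) netv1.NetworkPolicyIngressRule {
	return netv1.NetworkPolicyIngressRule{
		From: []netv1.NetworkPolicyPeer{{
			NamespaceSelector: &metav1.LabelSelector{
				MatchLabels: map[string]string{verrazzanoNamespaceLabel: constants.VerrazzanoMonitoringNamespace},
			},
			PodSelector: &metav1.LabelSelector{
				MatchLabels: map[string]string{appNameLabel: constants.PrometheusStorageLabelValue},
			},
		}},
		Ports: []netv1.NetworkPolicyPort{{Protocol: protocol, Port: port}},
	}
}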