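# Copyright (c) 2021, 2022, Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.

# NetworkPolicies for the OpenSearch (ES) and OpenSearch Dashboards (OSD) pods
# of the Verrazzano Monitoring Instance (VMI), rendered into the release namespace.
#
# Every policy below sets policyTypes to Ingress only: ingress to the selected
# pods is limited to the peers listed, while egress from those pods is
# deliberately left unrestricted. A peer given only as a podSelector (no
# namespaceSelector) is matched in the release namespace only.
#
# Keep `ports` inside the same ingress list item as its `from`: an ingress rule
# that lists ports but has no `from` admits traffic on those ports from every
# source (any pod, any namespace, any IP), which silently defeats the policy.
{{- if .Values.elasticSearch.enabled}}
{{- if .Values.elasticSearch.multiNodeCluster}}
# Network policies for the multi-node OpenSearch installation
# (separate master, data and ingest pods).

# Network policy for OpenSearch master
# Ingress: allow from ES master, data and ingest pods to transport port 9300
#          allow from Verrazzano Monitoring Operator to port 9200
#          allow from Prometheus to scrape port 9200 and Envoy stats on port 15090
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vmi-system-es-master
  namespace: "{{ .Release.Namespace }}"
spec:
  podSelector:
    matchLabels:
      opensearch.verrazzano.io/role-master: "true"
  policyTypes:
    - Ingress
  ingress:
    # Allow ingress from Verrazzano Monitoring Operator (release namespace only)
    - from:
        - podSelector:
            matchLabels:
              k8s-app: verrazzano-monitoring-operator
      ports:
        - port: 9200
          protocol: TCP
    # Allow ingress from the ES pods to the transport (cluster) port
    - from:
        - podSelector:
            matchLabels:
              opensearch.verrazzano.io/role-master: "true"
        - podSelector:
            matchLabels:
              opensearch.verrazzano.io/role-data: "true"
        - podSelector:
            matchLabels:
              opensearch.verrazzano.io/role-ingest: "true"
      ports:
        - protocol: TCP
          port: 9300
    # Allow ingress from Prometheus to collect metrics from the app and the
    # Istio sidecar. namespaceSelector and podSelector in one peer entry are
    # ANDed: only Prometheus pods in the monitoring namespace match.
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 9200
          protocol: TCP
        - port: 15090
          protocol: TCP
---
# Network policy for OpenSearch data
# Ingress: allow from ES master to transport port 9300
#          allow from ES data to transport port 9300
#          allow from ES ingest to ports 9200 and 9300
#          allow from OSD to port 9200
#          allow from Prometheus to scrape port 9200 and Envoy stats on port 15090
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vmi-system-es-data
  namespace: "{{ .Release.Namespace }}"
spec:
  podSelector:
    matchLabels:
      opensearch.verrazzano.io/role-data: "true"
  policyTypes:
    - Ingress
  ingress:
    # Allow ingress from ES master on the transport port
    - from:
        - podSelector:
            matchLabels:
              opensearch.verrazzano.io/role-master: "true"
      ports:
        - protocol: TCP
          port: 9300
    # Allow ingress from other ES data pods on the transport port
    - from:
        - podSelector:
            matchLabels:
              opensearch.verrazzano.io/role-data: "true"
      ports:
        - protocol: TCP
          port: 9300
    # Allow ingress from ES ingest on the REST and transport ports
    - from:
        - podSelector:
            matchLabels:
              opensearch.verrazzano.io/role-ingest: "true"
      ports:
        - protocol: TCP
          port: 9200
        - protocol: TCP
          port: 9300
    # Allow ingress from OSD on the REST port
    - from:
        - podSelector:
            matchLabels:
              app: system-osd
      ports:
        - protocol: TCP
          port: 9200
    # Allow ingress from Prometheus (monitoring namespace only)
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 9200
          protocol: TCP
        - port: 15090
          protocol: TCP
---
# Network policy for OpenSearch ingest
# Ingress: allow from the auth proxy to port 9200
#          allow from ES master and ES data to transport port 9300
#          allow from OSD to port 9200
#          allow from Prometheus to scrape port 9200 and Envoy stats on port 15090
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vmi-system-os-ingest
  namespace: "{{ .Release.Namespace }}"
spec:
  podSelector:
    matchLabels:
      opensearch.verrazzano.io/role-ingest: "true"
  policyTypes:
    - Ingress
  ingress:
    # Allow ingress from the Verrazzano auth proxy (verrazzano-system namespace
    # only); this is the externally reachable path into OpenSearch.
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-system
          podSelector:
            matchLabels:
              app: verrazzano-authproxy
      ports:
        - protocol: TCP
          port: 9200
    # Allow ingress from ES master and ES data on the transport port
    - from:
        - podSelector:
            matchLabels:
              opensearch.verrazzano.io/role-master: "true"
        - podSelector:
            matchLabels:
              opensearch.verrazzano.io/role-data: "true"
      ports:
        - protocol: TCP
          port: 9300
    # Allow ingress from OSD on the REST port
    - from:
        - podSelector:
            matchLabels:
              app: system-osd
      ports:
        - protocol: TCP
          port: 9200
    # Allow ingress from Prometheus (monitoring namespace only)
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 9200
          protocol: TCP
        - port: 15090
          protocol: TCP
{{- else }}
# Network policy for the single-pod OpenSearch installation (one master pod
# serving every role).
# Ingress: allow from Verrazzano Monitoring Operator to port 9200
#          allow from the auth proxy to port 9200
#          allow from OSD to port 9200
#          allow from the ES master pod to itself on port 9200
#          allow from Prometheus to scrape port 9200 and Envoy stats on port 15090
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vmi-system-es-master
  namespace: "{{ .Release.Namespace }}"
spec:
  podSelector:
    matchLabels:
      opensearch.verrazzano.io/role-master: "true"
  policyTypes:
    - Ingress
  ingress:
    # Allow ingress from Verrazzano Monitoring Operator (release namespace only)
    - from:
        - podSelector:
            matchLabels:
              k8s-app: verrazzano-monitoring-operator
      ports:
        - port: 9200
          protocol: TCP
    # Allow ingress from the Verrazzano auth proxy (verrazzano-system namespace
    # only); this is the externally reachable path into OpenSearch.
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-system
          podSelector:
            matchLabels:
              app: verrazzano-authproxy
      ports:
        - protocol: TCP
          port: 9200
    # Allow ingress from OSD on the REST port
    - from:
        - podSelector:
            matchLabels:
              app: system-osd
      ports:
        - protocol: TCP
          port: 9200
    # Allow ingress from the ES master pod to itself on the REST port.
    # `ports` is part of this rule on purpose: written as a separate list item
    # (`- ports:`) it would be a rule with no `from`, which allows port 9200
    # from every source and leaves the single-node cluster unprotected.
    - from:
        - podSelector:
            matchLabels:
              opensearch.verrazzano.io/role-master: "true"
      ports:
        - protocol: TCP
          port: 9200
    # Allow ingress from Prometheus (monitoring namespace only)
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 9200
          protocol: TCP
        - port: 15090
          protocol: TCP
# end else
{{- end }}
---
# Network policy for OSD (OpenSearch Dashboards)
# Ingress: allow from the auth proxy to port 5601
#          allow from Verrazzano Monitoring Operator to port 5601
#          allow from Prometheus to scrape Envoy stats on port 15090
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vmi-system-osd
  namespace: "{{ .Release.Namespace }}"
spec:
  podSelector:
    matchLabels:
      app: system-osd
  policyTypes:
    - Ingress
  ingress:
    # Allow ingress from Verrazzano Monitoring Operator (release namespace only)
    - from:
        - podSelector:
            matchLabels:
              k8s-app: verrazzano-monitoring-operator
      ports:
        - port: 5601
          protocol: TCP
    # Allow ingress from the Verrazzano auth proxy (verrazzano-system namespace
    # only); this is the externally reachable path into OSD.
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-system
          podSelector:
            matchLabels:
              app: verrazzano-authproxy
      ports:
        - protocol: TCP
          port: 5601
    # Allow ingress from Prometheus (monitoring namespace only) to scrape the
    # Istio sidecar; OSD itself exposes no metrics port here.
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 15090
          protocol: TCP
{{- end }}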