chore (ChaosCenter): Adding Network-Policies for control-plane & agent-plane components (#3523)

* Added network policies

Signed-off-by: Jonsy13 <vedant.shrotria@chaosnative.com>

* Added some changes in NP

Signed-off-by: Jonsy13 <vedant.shrotria@chaosnative.com>

* Added Minor changes for Network-policies

Signed-off-by: Jonsy13 <vedant.shrotria@chaosnative.com>
Vedant Shrotria 2022-05-30 12:23:00 +05:30 committed by GitHub
parent 14ad433ce6
commit a4add75ea0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 263 additions and 0 deletions


@ -0,0 +1,90 @@
## Policy for Self-agent Subscriber
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: subscriber-network-policy
spec:
podSelector:
matchLabels:
app: subscriber
policyTypes:
- Ingress
- Egress
ingress:
- from:
# gql-server --> self-agent, Accepting workflow requests from gql-server
- podSelector:
matchLabels:
component: litmusportal-server
# external-agent --> gql-server connection, please commentout & update as per requirements
# - ipBlock:
# cidr: 10.0.0.0/24
egress:
# Needs access to kube-api-server for applying the workflows & for sending events/requests to gql-server
- {}
---
#Policy for event-tracker
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: event-tracker-network-policy
spec:
podSelector:
matchLabels:
app: event-tracker
policyTypes:
- Egress
# Needs access to kube-api-server for reconcilation on workflows & target-applications annoted for gitOps
egress:
- {}
---
#Policy for workflow-controller
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: workflow-controller-network-policy
spec:
podSelector:
matchLabels:
app: workflow-controller
policyTypes:
- Egress
egress:
# Needs access to kube-api-server for reconcilation & running the scheduled workflows on the cluster
- {}
---
#Policy for chaos-operator
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: chaos-operator-network-policy
spec:
podSelector:
matchLabels:
app.kubernetes.io/component: operator
policyTypes:
- Egress
egress:
# Needs access to kube-api-server for reconcilation & running the chaos-injection
- {}
---
#Policy for chaos-exporter
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: chaos-exporter-network-policy
spec:
podSelector:
matchLabels:
app: chaos-exporter
policyTypes:
- Egress
- Ingress
ingress:
# Prometheus needs access for fetching metrics. PORT - 8080
- {}
egress:
# Needs access to kube-api-server for metrics
- {}
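Review bot: The chaos-exporter ingress rule `- {}` admits every source on every port, even though the comment above it says only Prometheus on port 8080 needs access; an empty rule is allow-all, so the comment documents an intent the rule does not enforce. Replace it with a ports-only rule — `- ports:` / `- protocol: TCP` / `port: 8080` — which still lets any Prometheus scrape the pod while closing the other ports, and optionally add a `from` selector once the monitoring namespace is known. Note also that every `egress: - {}` in this file is allow-all, so these policies constrain nothing on the egress side despite the "needs access to kube-api-server" comments; actually restricting them would require an `ipBlock`/port rule for the API server endpoint plus a DNS rule to kube-dns, which is cluster-specific and so best left as a commented placeholder like the external-agent `ipBlock` examples above.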


@ -0,0 +1,173 @@
---
# Policy for Mongo Database
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: db-network-policy
spec:
podSelector:
matchLabels:
component: database
policyTypes:
- Ingress
- Egress
# No outbound connection allowed for DB
egress: []
ingress:
- from:
# Accepts connections from gql-server pod
- podSelector:
matchLabels:
component: litmusportal-server
# Accepts connections from authg-server pod
- podSelector:
matchLabels:
component: litmusportal-auth-server
ports:
- protocol: TCP
port: 27017
---
# Policy for Gql-Server (Needs Egress access to subscriber)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: server-network-policy
spec:
podSelector:
matchLabels:
component: litmusportal-server
policyTypes:
- Ingress
- Egress
ingress:
# Normal Query/Mutations/Subscriptions ---
- from:
# frontend --> gql-server connection
- podSelector:
matchLabels:
component: litmusportal-frontend
# self-agent --> gql-server, websocket connections
- podSelector:
matchLabels:
app: subscriber
#External Agent rules, please commentout & update as per requirements
# - from:
# - ipBlock:
# cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 8080
# GRPC connections -------
- from:
# auth-server --> gql-server, grpc connection
- podSelector:
matchLabels:
app: litmusportal-auth-server
ports:
- protocol: TCP
port: 8000
egress:
- to:
# gql-server --> auth-server, grpc connection
- podSelector:
matchLabels:
app: litmusportal-auth-server
# Server -> database connection
- podSelector:
matchLabels:
component: database
# Server --> Self-agent, workflow CRUD Ops
- podSelector:
matchLabels:
app: subscriber
# Server --> External Agent connection, please commentout & update as per requirements
# - ipBlock:
# cidr: 10.0.0.0/24
# Needs access to kube-api-server as well for Ingress related operations
---
# Policy for Auth-Server (Needs Egress access to subscriber)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: auth-server-network-policy
spec:
podSelector:
matchLabels:
component: litmusportal-auth-server
policyTypes:
- Ingress
- Egress
ingress:
#normal connections
- from:
# Frontend --> auth-Server connection
- podSelector:
matchLabels:
component: litmusportal-frontend
ports:
- protocol: TCP
port: 3000
# GRPC connections
- from:
# gql-server --> auth-server, grpc connection
- podSelector:
matchLabels:
app: litmusportal-server
ports:
- protocol: TCP
port: 3030
egress:
- to:
# Auth-Server -> database connection
- podSelector:
matchLabels:
component: database
# auth-server --> gql-server, grpc connection
- podSelector:
matchLabels:
app: litmusportal-server
---
#Policy for Frontend pod (Allows External/Internal Traffic & egress only to server pod)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: frontend-network-policy
spec:
podSelector:
matchLabels:
component: litmusportal-frontend
# Allowed all Ingress connections, customize according to requirements
ingress:
- {}
egress:
- to:
# frontend --> gql-server connection
- podSelector:
matchLabels:
component: litmusportal-server
# frontend --> auth-server connection
- podSelector:
matchLabels:
component: litmusportal-auth-server
policyTypes:
- Ingress
- Egress
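Review bot: The gql-server, auth-server and frontend policies restrict egress to a handful of `podSelector` targets but none allows DNS, so once `policyTypes: [Egress]` is in force these pods cannot resolve the service names (database, auth-server, subscriber) they are supposed to reach; the same applies to the kube-apiserver access the comment under the server egress says is needed but no rule grants. Add a DNS egress rule to each restricted-egress policy (shown below for the server; the `k8s-app: kube-dns` label is the upstream default and may differ on some distributions), and a cluster-specific `ipBlock`/port placeholder for the API server in the server policy, in the same commented style as the external-agent rules. Separately, the gRPC `from`/`to` selectors use `app: litmusportal-auth-server` and `app: litmusportal-server` while the policies' own `podSelector`s and the database rule use `component: ...`; unless the pods carry both labels, the gRPC path is silently denied, so these should be made consistent, e.g. `component: litmusportal-auth-server` on the server's gRPC ingress/egress and `component: litmusportal-server` on the auth-server's.
```yaml
  egress:
    - to:
        # gql-server --> auth-server, grpc connection
        - podSelector:
            matchLabels:
              component: litmusportal-auth-server
        # … unchanged: database and subscriber selectors …
    # DNS resolution for the service names above; required by every policy
    # in this file that restricts egress (kube-dns label may differ per distribution)
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```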