Merge pull request #445 from kubescape/netpol
add missing network policies
matthyx authored Jun 20, 2024
2 parents d1c59c4 + 4e2fa67 commit 9aaacd7
Showing 24 changed files with 1,212 additions and 212 deletions.
16 changes: 16 additions & 0 deletions charts/kubescape-operator/assets/api-server-egress-rules.yaml
@@ -0,0 +1,16 @@
- ports:
- port: {{ .Values.global.networkPolicy.apiServerPort }}
protocol: TCP
to:
{{- if .Values.global.networkPolicy.apiServerIP }}
- ipBlock:
cidr: {{ .Values.global.networkPolicy.apiServerIP }}/32
{{- else }}
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: default
podSelector:
matchLabels:
component: apiserver
provider: kubernetes
{{- end -}}
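Review bot: The ipBlock branch appends a fixed `/32` to the configured address (`cidr: {{ .Values.global.networkPolicy.apiServerIP }}/32`), which produces an invalid CIDR when `apiServerIP` is an IPv6 address; either accept a full CIDR in the value (`cidr: {{ .Values.global.networkPolicy.apiServerIP }}`, with the expected form documented in values.yaml) or derive `/32` vs `/128` from the address family. The fallback branch selects pods in the `default` namespace labelled `component: apiserver` / `provider: kubernetes`, which look like the labels of the `kubernetes` Service rather than of any pod — verify this on a real cluster, because on managed control planes the API server is not a pod at all, and then this rule matches nothing and API-server egress is silently denied once `createEgressRules` is on. A header comment stating that this file is rendered through `tpl` and spliced under `egress:` with `indent 4`, and that `apiServerIP` should be set when the selector cannot match, would tell operators how to use it.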
25 changes: 25 additions & 0 deletions charts/kubescape-operator/assets/common-egress-rules.yaml
@@ -0,0 +1,25 @@
- ports:
- port: 53
protocol: UDP
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
- ports:
- port: 4317
protocol: TCP
to:
- podSelector:
matchLabels:
app: otel-collector
{{- if ne .Values.global.httpsProxy "" }}
- ports:
- port: {{ .Values.global.networkPolicy.httpsProxyPort }}
protocol: TCP
to:
- ipBlock:
cidr: {{ .Values.global.networkPolicy.httpsProxyIP }}/32
{{- end }}
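Review bot: The DNS rule allows only UDP 53 to kube-dns; resolvers fall back to TCP 53 for truncated responses and some client libraries use TCP directly, so add a second entry `- port: 53` / `protocol: TCP` under the same `ports:` list, otherwise name resolution will fail intermittently once egress rules are enforced. The proxy rule is guarded by `ne .Values.global.httpsProxy ""` but renders `cidr: {{ .Values.global.networkPolicy.httpsProxyIP }}/32`; if `httpsProxy` is set without `httpsProxyIP` the output is `cidr: /32`, which the API server rejects at apply time, so guard on `httpsProxyIP` as well (or wrap it in `required`). The `/32` suffix also assumes IPv4, as noted for api-server-egress-rules.yaml, and the `k8s-app: kube-dns` selector may not match distributions that label their DNS pods differently, which a comment above the rule should call out.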
3 changes: 2 additions & 1 deletion charts/kubescape-operator/templates/_helpers.tpl
Expand Up @@ -78,5 +78,6 @@ clamAV:
enabled: {{ eq .Values.capabilities.malwareDetection "enable" }}
customCaCertificates:
name: custom-ca-certificates

autoUpdater:
enabled: {{ eq .Values.capabilities.autoUpgrading "enable" }}
{{- end -}}
3 changes: 2 additions & 1 deletion charts/kubescape-operator/templates/autoupdater/cronjob.yaml
@@ -1,4 +1,5 @@
{{- if eq .Values.capabilities.autoUpgrading "enable" }}
{{- $components := fromYaml (include "components" .) }}
{{- if $components.autoUpdater.enabled }}
apiVersion: batch/v1
kind: CronJob
metadata:
22 changes: 22 additions & 0 deletions charts/kubescape-operator/templates/autoupdater/networkpolicy.yaml
@@ -0,0 +1,22 @@
{{- $components := fromYaml (include "components" .) }}
{{- if and .Values.global.networkPolicy.enabled .Values.global.networkPolicy.createEgressRules $components.autoUpdater.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Values.helmReleaseUpgrader.name }}
namespace: {{ .Values.ksNamespace }}
labels:
app: {{ .Values.helmReleaseUpgrader.name }}
tier: {{ .Values.global.namespaceTier }}
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Values.helmReleaseUpgrader.name }}
tier: {{ .Values.global.namespaceTier }}
policyTypes:
- Egress
egress:
{{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }}
{{- end }}
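Review bot: This policy sets `policyTypes: [Egress]` for the helm-release-upgrader pods but its only egress rules are the shared ones (DNS, otel-collector, optional proxy); nothing here allows the upgrader to reach the Kubernetes API server or to fetch charts and images over TCP/443 unless all of that traffic goes through `httpsProxy`. If the job runs helm against the cluster it needs the `assets/api-server-egress-rules.yaml` include that kubescape/networkpolicy.yaml uses, plus a 443 rule for the chart repository; otherwise enabling `createEgressRules` breaks auto-updates rather than hardening them. The same gap appears to exist in the new kubescapeScheduler, kubevulnScheduler and nodeAgent policies in this commit, each of which only includes common-egress-rules.yaml although each component presumably calls an in-cluster service or the API server, so verify the required destinations per component and document them in a comment above `egress:`.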
3 changes: 2 additions & 1 deletion charts/kubescape-operator/templates/autoupdater/rbac.yaml
@@ -1,4 +1,5 @@
{{- if eq .Values.capabilities.autoUpgrading "enable" }}
{{- $components := fromYaml (include "components" .) }}
{{- if $components.autoUpdater.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -1,4 +1,5 @@
{{- if eq .Values.capabilities.autoUpgrading "enable" }}
{{- $components := fromYaml (include "components" .) }}
{{- if $components.autoUpdater.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
13 changes: 7 additions & 6 deletions charts/kubescape-operator/templates/gateway/networkpolicy.yaml
Expand Up @@ -12,8 +12,8 @@ metadata:
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ .Values.gateway.name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Values.gateway.name }}
tier: {{ .Values.global.namespaceTier }}
policyTypes:
- Ingress
Expand All @@ -22,16 +22,17 @@ spec:
egress:
# gatewayUrl (wss://{{ .Values.gatewayUrl }}/v1)
- ports:
- port: 443
protocol: TCP
- port: 443
protocol: TCP
{{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }}
{{- end }}
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/instance: kubescape
app.kubernetes.io/name: operator
tier: ks-control-plane
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Values.operator.name }}
tier: {{ .Values.global.namespaceTier }}
ports:
- port: websocket
protocol: TCP
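Review bot: The TCP/443 egress rule re-indented in the second hunk still has no `to:` selector, so once `createEgressRules` is enabled the gateway may open 443 to any destination, other cluster pods included, while the comment above it names only the gateway URL as the intended peer. Because that peer is DNS-resolved an ipBlock is not always practical, but a comment stating that the rule is deliberately unrestricted, plus an optional values hook for an `ipBlock` in the style of `apiServerIP` / `httpsProxyIP`, would make the trade-off explicit and let hardened deployments pin it. The kubescape and kubevuln network policies in this commit carry the same unrestricted 443 rule. The `{{- if ... }}` that the `{{- end }}` after the include closes starts above the hunk.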
Expand Up @@ -10,16 +10,16 @@ metadata:
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ .Values.grypeOfflineDB.name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Values.grypeOfflineDB.name }}
tier: {{ .Values.global.namespaceTier }}
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/instance: {{ .Values.ksNamespace }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Values.kubevuln.name }}
tier: {{ .Values.global.namespaceTier }}
ports:
Expand Up @@ -8,11 +8,12 @@ metadata:
labels:
app: {{ .Values.kollector.name }}
tier: {{ .Values.global.namespaceTier }}
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ .Values.kollector.name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Values.kollector.name }}
tier: {{ .Values.global.namespaceTier }}
policyTypes:
- Egress
Expand All @@ -28,4 +29,5 @@ spec:
to:
- ipBlock:
cidr: 169.254.169.254/32
{{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }}
{{- end }}
Expand Up @@ -39,6 +39,9 @@ spec:
tier: {{ .Values.global.namespaceTier }}
app: {{ .Values.kollector.name }}
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
{{- if $components.otelCollector.enabled }}
otel: enabled
{{- end }}
spec:
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
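Review bot: The new `otel: enabled` pod label is rendered from `$components.otelCollector.enabled`, so this template must define `$components` above the hunk (`{{- $components := fromYaml (include "components" .) }}`) as the other templates touched in this commit do; if it does not, rendering fails on an undefined variable. The label is presumably the selector used by an otel-collector ingress policy — confirm — and a one-line comment above the condition, such as `# selected by the otel-collector network policy`, would explain why a pod label is conditional. The enclosing `metadata` block and the rest of the pod template lie outside the hunk.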
@@ -0,0 +1,22 @@
{{- $components := fromYaml (include "components" .) }}
{{- if and .Values.global.networkPolicy.enabled .Values.global.networkPolicy.createEgressRules $components.kubescapeScheduler.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Values.kubescapeScheduler.name }}
namespace: {{ .Values.ksNamespace }}
labels:
app: {{ .Values.kubescapeScheduler.name }}
tier: {{ .Values.global.namespaceTier }}
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Values.kubescapeScheduler.name }}
tier: {{ .Values.global.namespaceTier }}
policyTypes:
- Egress
egress:
{{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }}
{{- end }}
21 changes: 15 additions & 6 deletions charts/kubescape-operator/templates/kubescape/networkpolicy.yaml
Expand Up @@ -12,8 +12,8 @@ metadata:
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ .Values.kubescape.name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Values.kubescape.name }}
tier: {{ .Values.global.namespaceTier }}
policyTypes:
- Ingress
Expand All @@ -23,16 +23,25 @@ spec:
# - backend api server
# - GitRegoStore (https://github.com/kubescape/regolibrary/releases/)
- ports:
- port: 443
protocol: TCP
- port: 443
protocol: TCP
# Cloud Vendor detection (Instance Metadata Services)
- ports:
- port: 80
protocol: TCP
to:
- ipBlock:
cidr: 169.254.169.254/32
{{ tpl (.Files.Get "assets/api-server-egress-rules.yaml") . | indent 4 }}
{{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }}
{{- end }}
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/instance: kubescape
app.kubernetes.io/name: operator
tier: ks-control-plane
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Values.operator.name }}
tier: {{ .Values.global.namespaceTier }}
ports:
- port: http
protocol: TCP
@@ -0,0 +1,22 @@
{{- $components := fromYaml (include "components" .) }}
{{- if and .Values.global.networkPolicy.enabled .Values.global.networkPolicy.createEgressRules $components.kubevulnScheduler.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Values.kubevulnScheduler.name }}
namespace: {{ .Values.ksNamespace }}
labels:
app: {{ .Values.kubevulnScheduler.name }}
tier: {{ .Values.global.namespaceTier }}
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Values.kubevulnScheduler.name }}
tier: {{ .Values.global.namespaceTier }}
policyTypes:
- Egress
egress:
{{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }}
{{- end }}
10 changes: 6 additions & 4 deletions charts/kubescape-operator/templates/kubevuln/networkpolicy.yaml
Expand Up @@ -8,11 +8,12 @@ metadata:
labels:
app: {{ .Values.kubevuln.name }}
tier: {{ .Values.global.namespaceTier }}
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ .Values.kubevuln.name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Values.kubevuln.name }}
tier: {{ .Values.global.namespaceTier }}
policyTypes:
- Ingress
Expand All @@ -25,14 +26,15 @@ spec:
- ports:
- port: 443
protocol: TCP
{{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }}
{{- end }}
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/instance: kubescape
app.kubernetes.io/name: operator
tier: ks-control-plane
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Values.operator.name }}
tier: {{ .Values.global.namespaceTier }}
ports:
- port: {{ .Values.kubevuln.service.port }}
protocol: TCP
22 changes: 22 additions & 0 deletions charts/kubescape-operator/templates/node-agent/networkpolicy.yaml
@@ -0,0 +1,22 @@
{{- $components := fromYaml (include "components" .) }}
{{- if and .Values.global.networkPolicy.enabled .Values.global.networkPolicy.createEgressRules $components.nodeAgent.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Values.nodeAgent.name }}
namespace: {{ .Values.ksNamespace }}
labels:
app: {{ .Values.nodeAgent.name }}
tier: {{ .Values.global.namespaceTier }}
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Values.nodeAgent.name }}
tier: {{ .Values.global.namespaceTier }}
policyTypes:
- Egress
egress:
{{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }}
{{- end }}
31 changes: 30 additions & 1 deletion charts/kubescape-operator/templates/operator/networkpolicy.yaml
Expand Up @@ -8,11 +8,12 @@ metadata:
labels:
app: {{ .Values.operator.name }}
tier: {{ .Values.global.namespaceTier }}
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ .Values.operator.name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Values.operator.name }}
tier: {{ .Values.global.namespaceTier }}
policyTypes:
- Ingress
Expand All @@ -30,6 +31,34 @@ spec:
to:
- ipBlock:
cidr: 169.254.169.254/32
- ports:
- protocol: TCP
port: 8080
to:
- podSelector:
matchLabels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Values.kubescape.name }}
tier: {{ .Values.global.namespaceTier }}
- ports:
- protocol: TCP
port: 8001
to:
- podSelector:
matchLabels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Values.gateway.name }}
tier: {{ .Values.global.namespaceTier }}
- ports:
- protocol: TCP
port: 8080
to:
- podSelector:
matchLabels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Values.kubevuln.name }}
tier: {{ .Values.global.namespaceTier }}
{{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }}
{{- end }}
ingress:
- from:
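Review bot: The new egress rule to kubevuln hard-codes `port: 8080`, while kubevuln's own ingress policy in this commit allows `port: {{ .Values.kubevuln.service.port }}`; if that value is ever changed the two rules diverge and operator-to-kubevuln calls are dropped with no error in the chart. Use the same source of truth here, `port: {{ .Values.kubevuln.service.port }}`, bearing in mind that NetworkPolicy ports are matched against the destination pod's port, so if the Service's `port` differs from its `targetPort` both policies must use the latter. The gateway rule uses the numeric `8001` where the gateway ingress policy uses the named port `websocket`; using the named port in both places, or a comment `# gateway websocket port — keep in sync with the gateway containerPort`, keeps them aligned. The rest of the egress list and the ingress section continue outside the hunk.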