From 58702be3676ba6b8172f9767e2deb6f108cf85d5 Mon Sep 17 00:00:00 2001
From: BcGovNeal <47604552+BcGovNeal@users.noreply.github.com>
Date: Mon, 19 Apr 2021 14:29:05 -0700
Subject: [PATCH] Update k8s network policy (#833)

---
 .../network-policy.yaml | 108 ++++++++++
 .../network-security-policy-legacy.yaml | 197 ------------------
 .../network-security-policy-quickstart.yaml | 86 --------
 3 files changed, 108 insertions(+), 283 deletions(-)
 create mode 100644 tools/network-security-policies/network-policy.yaml
 delete mode 100644 tools/network-security-policies/network-security-policy-legacy.yaml
 delete mode 100644 tools/network-security-policies/network-security-policy-quickstart.yaml

diff --git a/tools/network-security-policies/network-policy.yaml b/tools/network-security-policies/network-policy.yaml
new file mode 100644
index 000000000..ae4be0bcc
--- /dev/null
+++ b/tools/network-security-policies/network-policy.yaml
@@ -0,0 +1,108 @@
+---
+apiVersion: template.openshift.io/v1
+kind: Template
+labels:
+  template: ${GROUP_NAME}-network-security-policy
+metadata:
+  name: ${GROUP_NAME}-network-security-policy
+objects:
+  - kind: NetworkPolicy
+    apiVersion: networking.k8s.io/v1
+    metadata:
+      name: ${GROUP_NAME}-deny-by-default
+      labels:
+        app: ${GROUP_NAME}
+    spec:
+      # The default posture for a security first namespace is to
+      # deny all traffic. If not added this rule will be added
+      # by Platform Services during environment cut-over.
+      podSelector: {}
+      ingress: []
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: ${GROUP_NAME}-allow-from-openshift-ingress
+      labels:
+        app: ${GROUP_NAME}
+    spec:
+      # This policy allows any pod with a route & service combination
+      # to accept traffic from the OpenShift router pods. This is
+      # required for things outside of OpenShift (like the Internet)
+      # to reach your pods.
+      ingress:
+        - from:
+            - namespaceSelector:
+                matchLabels:
+                  network.openshift.io/policy-group: ingress
+      podSelector: {}
+      policyTypes:
+        - Ingress
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: ${GROUP_NAME}-allow-services-to-database
+      labels:
+        app: ${GROUP_NAME}
+    spec:
+      # Allow services to connect to the database
+      podSelector:
+        matchLabels:
+          role: database
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  role: api
+            - podSelector:
+                matchLabels:
+                  role: backup
+            - podSelector:
+                matchLabels:
+                  role: metabase
+          ports:
+            - protocol: TCP
+              port: 27017
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: ${GROUP_NAME}-allow-frontend-to-api
+      labels:
+        app: ${GROUP_NAME}
+    spec:
+      # Allow frontends to connect to API
+      podSelector:
+        matchLabels:
+          role: api
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  role: frontend
+          ports:
+            - protocol: TCP
+              port: 3000
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: ${GROUP_NAME}-allow-proxy-to-frontend
+      labels:
+        app: ${GROUP_NAME}
+    spec:
+      # Allow proxy to connect to the frontend
+      podSelector:
+        matchLabels:
+          role: frontend
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  role: proxy
+          ports:
+            - protocol: TCP
+              port: 4000 # e-guides port
+parameters:
+  - description: A name used to group objects together to identify related objects for a set of deployments
+    displayName: Group name
+    name: GROUP_NAME
+    required: true
+    value: nrpti
\ No newline at end of file
diff --git a/tools/network-security-policies/network-security-policy-legacy.yaml b/tools/network-security-policies/network-security-policy-legacy.yaml
deleted file mode 100644
index 5c175099f..000000000
--- a/tools/network-security-policies/network-security-policy-legacy.yaml
+++ /dev/null
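Review bot: `${GROUP_NAME}-deny-by-default` omits `policyTypes`, so with only `ingress: []` present the API server infers `policyTypes: [Ingress]` and egress from the namespace stays unrestricted, which is narrower than the comment's "deny all traffic"; either reword the comment to say ingress, or add `policyTypes: [Ingress, Egress]` together with `egress: []` and then add the DNS and API-server egress allowances the workloads need. `${GROUP_NAME}-allow-from-openshift-ingress` pairs `podSelector: {}` with no `ports`, so at the policy level the router namespace may reach every pod in the namespace, including `role: database` on 27017; narrowing the selector to the roles that actually carry Routes (frontend, api and proxy, as far as this hunk shows) or adding a `ports` list would keep the database reachable only from the three internal roles. The three role-to-role allow policies also omit `policyTypes`; stating `policyTypes: [Ingress]` explicitly on each keeps them consistent with the ingress policy and makes the intent obvious to the next reader. The removed legacy template carried a cronjob-to-api rule that has no counterpart here; if a `role: cronjob` workload still exists, it will be cut off from the api pods once deny-by-default lands.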
@@ -1,197 +0,0 @@
-apiVersion: template.openshift.io/v1
-kind: Template
-objects:
-  - apiVersion: security.devops.gov.bc.ca/v1alpha1
-    kind: NetworkSecurityPolicy
-    metadata:
-      name: ${GROUP_NAME}-int-cluster-k8s-api-comms
-      labels:
-        app: ${GROUP_NAME}
-    spec:
-      description: Allow ${NAMESPACE} pods to talk to the internal K8S api
-      source:
-        - - $namespace=${NAMESPACE}
-      destination:
-        - - int:network=internal-cluster-api-endpoint
-  - apiVersion: security.devops.gov.bc.ca/v1alpha1
-    kind: NetworkSecurityPolicy
-    metadata:
-      name: ${GROUP_NAME}-frontend2api-permit
-      labels:
-        app: ${GROUP_NAME}
-    spec:
-      description: Allow the frontend pod(s) to communicate to the API pod(s).
-      source:
-        - - app=${GROUP_NAME}
-          - role=${FRONTEND_ROLE_NAME}
-      destination:
-        - - app=${GROUP_NAME}
-          - role=${API_ROLE_NAME}
-  - apiVersion: security.devops.gov.bc.ca/v1alpha1
-    kind: NetworkSecurityPolicy
-    metadata:
-      name: ${GROUP_NAME}-api2database-permit
-      labels:
-        app: ${GROUP_NAME}
-    spec:
-      description: Allow the api pod(s) to communicate to the database pod(s).
-      source:
-        - - app=${GROUP_NAME}
-          - role=${API_ROLE_NAME}
-      destination:
-        - - app=${GROUP_NAME}
-          - role=${DATABASE_ROLE_NAME}
-  - apiVersion: security.devops.gov.bc.ca/v1alpha1
-    kind: NetworkSecurityPolicy
-    metadata:
-      name: ${GROUP_NAME}-metabase2database-permit
-      labels:
-        app: ${GROUP_NAME}
-    spec:
-      description: Allow the metabase pod(s) to communicate to the database pod(s).
-      source:
-        - - app=${GROUP_NAME}
-          - role=${METABASE_ROLE_NAME}
-      destination:
-        - - app=${GROUP_NAME}
-          - role=${DATABASE_ROLE_NAME}
-  - apiVersion: security.devops.gov.bc.ca/v1alpha1
-    kind: NetworkSecurityPolicy
-    metadata:
-      name: ${GROUP_NAME}-backup2database-permit
-      labels:
-        app: ${GROUP_NAME}
-    spec:
-      description: Allow the backup pod(s) to communicate to the database pod(s).
-      source:
-        - - app=${GROUP_NAME}
-          - role=${BACKUP_ROLE_NAME}
-      destination:
-        - - app=${GROUP_NAME}
-          - role=${DATABASE_ROLE_NAME}
-  - kind: NetworkSecurityPolicy
-    apiVersion: security.devops.gov.bc.ca/v1alpha1
-    metadata:
-      name: ${GROUP_NAME}-frontend-external-ingress
-      labels:
-        app: ${GROUP_NAME}
-    spec:
-      description: Allow the frontend pods to receive connections from the Internet.
-      source:
-        - - ext:network=any
-      destination:
-        - - app=${GROUP_NAME}
-          - role=${FRONTEND_ROLE_NAME}
-  - kind: NetworkSecurityPolicy
-    apiVersion: security.devops.gov.bc.ca/v1alpha1
-    metadata:
-      name: ${GROUP_NAME}-api-external-ingress
-      labels:
-        app: ${GROUP_NAME}
-    spec:
-      description: Allow the api pods to receive connections from the Internet.
-      source:
-        - - ext:network=any
-      destination:
-        - - app=${GROUP_NAME}
-          - role=${API_ROLE_NAME}
-  - kind: NetworkSecurityPolicy
-    apiVersion: security.devops.gov.bc.ca/v1alpha1
-    metadata:
-      name: ${GROUP_NAME}-metabase-external-ingress
-      labels:
-        app: ${GROUP_NAME}
-    spec:
-      description: Allow the metabase pods to receive connections from the Internet.
-      source:
-        - - ext:network=any
-      destination:
-        - - app=${GROUP_NAME}
-          - role=${API_ROLE_NAME}
-  - kind: NetworkSecurityPolicy
-    apiVersion: security.devops.gov.bc.ca/v1alpha1
-    metadata:
-      name: ${GROUP_NAME}-api-internal-egress
-      labels:
-        app: ${GROUP_NAME}
-    spec:
-      description: Allow the api pods to open connections to the Internet.
-      source:
-        - - app=${GROUP_NAME}
-          - role=${API_ROLE_NAME}
-      destination:
-        - - ext:network=any
-  - kind: NetworkSecurityPolicy
-    apiVersion: security.devops.gov.bc.ca/v1alpha1
-    metadata:
-      name: ${GROUP_NAME}-backup-internal-egress
-      labels:
-        app: ${GROUP_NAME}
-    spec:
-      description: Allow the backup pods to open connections to the Internet (for webhooks).
-      source:
-        - - app=${GROUP_NAME}
-          - role=${BACKUP_ROLE_NAME}
-      destination:
-        - - ext:network=any
-  - apiVersion: security.devops.gov.bc.ca/v1alpha1
-    kind: NetworkSecurityPolicy
-    metadata:
-      name: ${GROUP_NAME}-cronjob2api-permit
-      labels:
-        app: ${GROUP_NAME}
-    spec:
-      description: Allow the cronjob pod(s) to communicate to the API pod(s).
-      source:
-        - - app=${GROUP_NAME}
-          - role=${CRONJOB_ROLE_NAME}
-      destination:
-        - - app=${GROUP_NAME}
-          - role=${API_ROLE_NAME}
-  - kind: NetworkSecurityPolicy
-    apiVersion: security.devops.gov.bc.ca/v1alpha1
-    metadata:
-      name: ${GROUP_NAME}-cronjob-internal-egress
-      labels:
-        app: ${GROUP_NAME}
-    spec:
-      description: Allow the cronjob pods to open connections to the Internet (for SSO).
-      source:
-        - - app=${GROUP_NAME}
-          - role=${CRONJOB_ROLE_NAME}
-      destination:
-        - - ext:network=any
-parameters:
-  - description: A name used to group objects together to identify related objects for a set of deployments
-    displayName: Group name
-    name: GROUP_NAME
-    required: true
-    value: nrpti
-  - displayName: NAMESPACE
-    name: NAMESPACE
-    required: true
-    value: f00029-dev
-  - displayName: API_ROLE_NAME
-    name: API_ROLE_NAME
-    required: true
-    value: api
-  - displayName: DATABASE_ROLE_NAME
-    name: DATABASE_ROLE_NAME
-    required: true
-    value: database
-  - displayName: METABASE_ROLE_NAME
-    name: METABASE_ROLE_NAME
-    required: true
-    value: metabase
-  - displayName: FRONTEND_ROLE_NAME
-    name: FRONTEND_ROLE_NAME
-    required: true
-    value: frontend
-  - displayName: BACKUP_ROLE_NAME
-    name: BACKUP_ROLE_NAME
-    required: true
-    value: backup
-  - displayName: CRONJOB_ROLE_NAME
-    name: CRONJOB_ROLE_NAME
-    required: true
-    value: cronjob
diff --git a/tools/network-security-policies/network-security-policy-quickstart.yaml b/tools/network-security-policies/network-security-policy-quickstart.yaml
deleted file mode 100644
index 605fde129..000000000
--- a/tools/network-security-policies/network-security-policy-quickstart.yaml
+++ /dev/null
@@ -1,86 +0,0 @@
----
-apiVersion: template.openshift.io/v1
-kind: Template
-labels:
-  template: quickstart-network-security-policy
-metadata:
-  name: quickstart-network-security-policy
-objects:
-  - kind: NetworkPolicy
-    apiVersion: networking.k8s.io/v1
-    metadata:
-      name: deny-by-default
-    spec:
-      # The default posture for a security first namespace is to
-      # deny all traffic. If not added this rule will be added
-      # by Platform Services during environment cut-over.
-      podSelector: {}
-      ingress: []
-  - apiVersion: networking.k8s.io/v1
-    kind: NetworkPolicy
-    metadata:
-      name: allow-from-openshift-ingress
-    spec:
-      # This policy allows any pod with a route & service combination
-      # to accept traffic from the OpenShift router pods. This is
-      # required for things outside of OpenShift (like the Internet)
-      # to reach your pods.
-      ingress:
-        - from:
-            - namespaceSelector:
-                matchLabels:
-                  network.openshift.io/policy-group: ingress
-      podSelector: {}
-      policyTypes:
-        - Ingress
-  - apiVersion: networking.k8s.io/v1
-    kind: NetworkPolicy
-    metadata:
-      name: allow-all-internal
-    spec:
-      # Allow all pods within the current namespace to communicate
-      # to one another.
-      ingress:
-        - from:
-            - namespaceSelector:
-                matchLabels:
-                  environment: ${ENVIRONMENT}
-                  name: ${NAMESPACE_PREFIX}
-      podSelector: {}
-      policyTypes:
-        - Ingress
-  - apiVersion: security.devops.gov.bc.ca/v1alpha1
-    kind: NetworkSecurityPolicy
-    metadata:
-      name: any-to-any
-    spec:
-      description: |
-        allow all pods to communicate
-      source:
-        - - "$namespace=${NAMESPACE_PREFIX}-${ENVIRONMENT}"
-      destination:
-        - - "$namespace=*"
-  - apiVersion: security.devops.gov.bc.ca/v1alpha1
-    kind: NetworkSecurityPolicy
-    metadata:
-      name: any-to-external
-    spec:
-      description: |
-        Allow all pods to talk to external systems
-      source:
-        - - "$namespace=${NAMESPACE_PREFIX}-${ENVIRONMENT}"
-      destination:
-        - - "ext:network=any"
-parameters:
-  - name: NAMESPACE_PREFIX
-    displayName: Namespace Prefix
-    description: |
-      The prefix (a.k.a license plate) of the namespace this policy
-      is being deployed to;
-    required: true
-  - name: ENVIRONMENT
-    displayName: Environment Name
-    description: |
-      The environment (i.e dev/test/prod/tools) this policy is
-      being deployed to.
-    required: true
\ No newline at end of file