diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index a41ae896524f37d6832f098a6c5aa53ef03091b5..c85f75c0be67f03407a0cabb2caf3eee454ed90b 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -97,7 +97,25 @@ jobs:
       with:
         version: ${{ env.kind-version }}
         image: ${{ matrix.kind-image }}
-        wait: 300s
+        wait: 10s # Without default CNI, control-plane doesn't get ready until Cilium is installed
+        config: .github/workflows/kind/config.yml
+    - name: Setup Helm
+      uses: azure/setup-helm@v1
+    - name: Install Cilium
+      run: |
+        helm repo add cilium https://helm.cilium.io/
+        helm install cilium cilium/cilium --version 1.9.13 \
+        --namespace kube-system \
+        --set nodeinit.enabled=true \
+        --set kubeProxyReplacement=partial \
+        --set hostServices.enabled=false \
+        --set externalIPs.enabled=true \
+        --set nodePort.enabled=true \
+        --set hostPort.enabled=true \
+        --set bpf.masquerade=false \
+        --set image.pullPolicy=IfNotPresent \
+        --set ipam.mode=kubernetes \
+        --set operator.replicas=1
     - name: Wait for cluster to finish bootstraping
       run: kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s
     - name: Create kube-prometheus stack
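Review bot: `azure/setup-helm@v1` on the new Setup Helm step is a mutable tag, and with no `version` input the action appears to install whatever Helm release is current, so this job runs third-party code that can change without any commit here. Pin the action to a full commit SHA (`uses: azure/setup-helm@<commit-sha> # v1`) and add `with: version:` set to a fixed Helm release. The Cilium flag list is also repeated verbatim in developer-workspace/codespaces/prepare-kind.sh; moving it into one values file passed with `-f` would stop the CI cluster and the dev cluster from drifting apart.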
diff --git a/.github/workflows/kind/config.yml b/.github/workflows/kind/config.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e0ac61d536534f3bb994c336cc5f7a84baad239b
--- /dev/null
+++ b/.github/workflows/kind/config.yml
@@ -0,0 +1,6 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+networking:
+  disableDefaultCNI: true
+  podSubnet: "10.10.0.0/16"
+  serviceSubnet: "10.11.0.0/16"
diff --git a/.gitignore b/.gitignore
index cf9dc350f8ba9265fc482813d2b6ea9d1666da7f..cebe81d22dfacd61180351e439499b5b759c01a5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,4 +6,4 @@ vendor/
 crdschemas/
 
 developer-workspace/gitpod/_output
-kind
\ No newline at end of file
+developer-workspace/codespaces/kind 
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 97662e7a91a6054b2d26be91189cfedcdf99da43..7f39f92b12fa4d7a6c91582b49d8d44ab33ff705 100644
--- a/Makefile
+++ b/Makefile
@@ -17,7 +17,7 @@ JSONNETFMT_ARGS=-n 2 --max-blank-lines 2 --string-style s --comment-style s
 MDOX_VALIDATE_CONFIG?=.mdox.validate.yaml
 MD_FILES_TO_FORMAT=$(shell find docs developer-workspace examples experimental jsonnet manifests -name "*.md") $(shell ls *.md)
 
-KUBESCAPE_THRESHOLD=9
+KUBESCAPE_THRESHOLD=1
 
 all: generate fmt test docs
 
diff --git a/developer-workspace/codespaces/prepare-kind.sh b/developer-workspace/codespaces/prepare-kind.sh
index 21bbf5afc2cebea0a39c3efa1820ff67be81bc9b..5ee6f54732c9c6c7e0cfb357962b55db86931cf3 100755
--- a/developer-workspace/codespaces/prepare-kind.sh
+++ b/developer-workspace/codespaces/prepare-kind.sh
@@ -9,12 +9,27 @@ if [[ $? != 0 ]]; then
     | cut -d : -f 2,3 \
     | tr -d \" \
     | wget -qi -
-    mv kind-linux-amd64 kind && chmod +x kind
+    mv kind-linux-amd64 developer-workspace/codespaces/kind && chmod +x developer-workspace/codespaces/kind
+    export PATH=$PATH:$PWD/developer-workspace/codespaces
 fi
 
-cluster_created=$($PWD/kind get clusters 2>&1)
+cluster_created=$($PWD/developer-workspace/codespaces/kind get clusters 2>&1)
 if [[ "$cluster_created" == "No kind clusters found." ]]; then 
-    $PWD/kind create cluster
+    $PWD/developer-workspace/codespaces/kind create cluster --config $PWD/.github/workflows/kind/config.yml
 else
     echo "Cluster '$cluster_created' already present" 
-fi
\ No newline at end of file
+fi
+
+helm repo add --force-update cilium https://helm.cilium.io/ 
+helm install cilium cilium/cilium --version 1.9.13 \
+  --namespace kube-system \
+  --set nodeinit.enabled=true \
+  --set kubeProxyReplacement=partial \
+  --set hostServices.enabled=false \
+  --set externalIPs.enabled=true \
+  --set nodePort.enabled=true \
+  --set hostPort.enabled=true \
+  --set bpf.masquerade=false \
+  --set image.pullPolicy=IfNotPresent \
+  --set ipam.mode=kubernetes \
+  --set operator.replicas=1
\ No newline at end of file
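Review bot: The `helm install cilium …` block at the end runs on every invocation, including the `else` branch where the cluster already exists, and `helm install` fails when a release named `cilium` is already present, so a second run of the script ends in an error. `helm upgrade --install cilium cilium/cilium --version 1.9.13 \` makes the step repeatable. The new `$PWD/developer-workspace/codespaces/kind` paths and `export PATH=$PATH:$PWD/developer-workspace/codespaces` are unquoted and break if the workspace path contains a space. The export also sits inside the download branch, whose `if` opens above this hunk, so PATH is presumably not extended on runs where the binary was already in place.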
diff --git a/examples/networkpolicies-disabled.jsonnet b/examples/networkpolicies-disabled.jsonnet
new file mode 100644
index 0000000000000000000000000000000000000000..a90da5da02eff266e4b20bad4266a9ed4b75744c
--- /dev/null
+++ b/examples/networkpolicies-disabled.jsonnet
@@ -0,0 +1,25 @@
+local kp = (import 'kube-prometheus/main.libsonnet') +
+           (import 'kube-prometheus/addons/networkpolicies-disabled.libsonnet') + {
+  values+:: {
+    common+: {
+      namespace: 'monitoring',
+    },
+  },
+};
+
+{
+  ['setup/' + resource]: kp[component][resource]
+  for component in std.objectFields(kp)
+  for resource in std.filter(
+    function(resource)
+      kp[component][resource].kind == 'CustomResourceDefinition' || kp[component][resource].kind == 'Namespace', std.objectFields(kp[component])
+  )
+} +
+{
+  [component + '-' + resource]: kp[component][resource]
+  for component in std.objectFields(kp)
+  for resource in std.filter(
+    function(resource)
+      kp[component][resource].kind != 'CustomResourceDefinition' && kp[component][resource].kind != 'Namespace', std.objectFields(kp[component])
+  )
+}
diff --git a/jsonnet/kube-prometheus/addons/networkpolicies-disabled.libsonnet b/jsonnet/kube-prometheus/addons/networkpolicies-disabled.libsonnet
new file mode 100644
index 0000000000000000000000000000000000000000..7f2ae6032eeee7b6ce8369d2dd981fa442ec34cf
--- /dev/null
+++ b/jsonnet/kube-prometheus/addons/networkpolicies-disabled.libsonnet
@@ -0,0 +1,35 @@
+// Disables creation of NetworkPolicies
+
+{
+  blackboxExporter+: {
+    networkPolicies:: {},
+  },
+
+  kubeStateMetrics+: {
+    networkPolicies:: {},
+  },
+
+  nodeExporter+: {
+    networkPolicies:: {},
+  },
+
+  prometheusAdapter+: {
+    networkPolicies:: {},
+  },
+
+  alertmanager+: {
+    networkPolicies:: {},
+  },
+
+  grafana+: {
+    networkPolicies:: {},
+  },
+
+  prometheus+: {
+    networkPolicies:: {},
+  },
+
+  prometheusOperator+: {
+    networkPolicies:: {},
+  },
+}
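Review bot: The addon hides a field called `networkPolicies`, but every component changed in this commit defines `networkPolicy` (singular), and the generated files are named `*-networkPolicy.yaml`. As written, each `+:` merge only adds an unused hidden field, so all eight NetworkPolicy objects are still rendered and examples/networkpolicies-disabled.jsonnet does not do what its name says. Each entry should be `networkPolicy+:: {},`. A rendering test that asserts no object of kind NetworkPolicy is emitted with the addon applied would catch a regression here.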
diff --git a/jsonnet/kube-prometheus/components/alertmanager.libsonnet b/jsonnet/kube-prometheus/components/alertmanager.libsonnet
index a2f29e671d737fd8c1454fb93fb0bc059e51916f..364b1a35924996dab9bd7901f68c98b3d56d0912 100644
--- a/jsonnet/kube-prometheus/components/alertmanager.libsonnet
+++ b/jsonnet/kube-prometheus/components/alertmanager.libsonnet
@@ -103,6 +103,51 @@ function(params) {
     },
   },
 
+  networkPolicy: {
+    apiVersion: 'networking.k8s.io/v1',
+    kind: 'NetworkPolicy',
+    metadata: am.service.metadata,
+    spec: {
+      podSelector: {
+        matchLabels: am._config.selectorLabels,
+      },
+      policyTypes: ['Egress', 'Ingress'],
+      egress: [{}],
+      ingress: [
+        {
+          from: [{
+            podSelector: {
+              matchLabels: {
+                'app.kubernetes.io/name': 'prometheus',
+              },
+            },
+          }],
+          ports: std.map(function(o) {
+            port: o.port,
+            protocol: 'TCP',
+          }, am.service.spec.ports),
+        },
+        // Alertmanager cluster peer-to-peer communication
+        {
+          from: [{
+            podSelector: {
+              matchLabels: {
+                'app.kubernetes.io/name': 'alertmanager',
+              },
+            },
+          }],
+          ports: [{
+            port: 9094,
+            protocol: 'TCP',
+          }, {
+            port: 9094,
+            protocol: 'UDP',
+          }],
+        },
+      ],
+    },
+  },
+
   secret: {
     apiVersion: 'v1',
     kind: 'Secret',
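Review bot: `egress: [{}]` together with `'Egress'` in `policyTypes` is an allow-all rule, so this policy constrains ingress only. The same pair appears in the blackbox-exporter, grafana, kube-state-metrics, node-exporter, prometheus-adapter, prometheus-operator and prometheus hunks. For Alertmanager open egress is probably deliberate, since notification receivers can live anywhere, but that should be written down: `// Egress is left open on purpose: notification receivers are arbitrary endpoints.` For components with a narrow set of destinations, an explicit egress list would make the Egress policy type do real work. The bare `podSelector` under `from` only matches pods in the policy's own namespace, which is worth stating in a comment next to it.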
diff --git a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
index 162bd9a631028d20054aad1fac49127d07b2dc01..24deb175ebc992b20f7f45eac4f7b1e2209d136c 100644
--- a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
@@ -250,6 +250,32 @@ function(params) {
       },
     },
 
+  networkPolicy: {
+    apiVersion: 'networking.k8s.io/v1',
+    kind: 'NetworkPolicy',
+    metadata: bb.service.metadata,
+    spec: {
+      podSelector: {
+        matchLabels: bb._config.selectorLabels,
+      },
+      policyTypes: ['Egress', 'Ingress'],
+      egress: [{}],
+      ingress: [{
+        from: [{
+          podSelector: {
+            matchLabels: {
+              'app.kubernetes.io/name': 'prometheus',
+            },
+          },
+        }],
+        ports: std.map(function(o) {
+          port: o.port,
+          protocol: 'TCP',
+        }, bb.service.spec.ports),
+      }],
+    },
+  },
+
   service: {
     apiVersion: 'v1',
     kind: 'Service',
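Review bot: `ports` is built from the `port` field of `bb.service.spec.ports`, but a NetworkPolicy port is matched against the port on the selected pod, not the Service port. The two coincide only while every Service port equals its targetPort; the Service definition continues below this hunk, so that cannot be confirmed here. The alertmanager, grafana, kube-state-metrics, node-exporter, prometheus-operator and prometheus hunks use the same construction. Either derive the list from the container ports or add `// Relies on Service port == targetPort; NetworkPolicy matches the pod port.` above the `std.map` call.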
diff --git a/jsonnet/kube-prometheus/components/grafana.libsonnet b/jsonnet/kube-prometheus/components/grafana.libsonnet
index 6ea80dd4311c8972ff94ae894e07d3814b69b997..f6df20e0cdce6db7b23db3c222ad2886dcc12f2d 100644
--- a/jsonnet/kube-prometheus/components/grafana.libsonnet
+++ b/jsonnet/kube-prometheus/components/grafana.libsonnet
@@ -84,6 +84,32 @@ function(params)
       },
     },
 
+    networkPolicy: {
+      apiVersion: 'networking.k8s.io/v1',
+      kind: 'NetworkPolicy',
+      metadata: g.service.metadata,
+      spec: {
+        podSelector: {
+          matchLabels: g._config.selectorLabels,
+        },
+        policyTypes: ['Egress', 'Ingress'],
+        egress: [{}],
+        ingress: [{
+          from: [{
+            podSelector: {
+              matchLabels: {
+                'app.kubernetes.io/name': 'prometheus',
+              },
+            },
+          }],
+          ports: std.map(function(o) {
+            port: o.port,
+            protocol: 'TCP',
+          }, g.service.spec.ports),
+        }],
+      },
+    },
+
     // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
     // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
     // 'readOnlyRootFilesystem: true' and extra volumeMounts can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.
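Review bot: The only admitted source for Grafana's port is pods labelled `app.kubernetes.io/name: prometheus` in the same namespace, which looks carried over from the exporter policies. Prometheus scrapes Grafana, but the UI's actual clients (an ingress controller, an auth proxy, other in-cluster consumers) are dropped once a CNI enforces this. If that is meant as a locked-down default, say so above `ingress:` and show how to extend it, e.g. `// Only Prometheus may connect; add a 'from' entry for your ingress controller to expose the UI.`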
diff --git a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
index 5162141e07917c621eaea182572e64c9a093577f..5893588fd646092cba1e5ac0074cf0e597900ad4 100644
--- a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
@@ -124,6 +124,32 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
     image: ksm._config.kubeRbacProxyImage,
   }),
 
+  networkPolicy: {
+    apiVersion: 'networking.k8s.io/v1',
+    kind: 'NetworkPolicy',
+    metadata: ksm.service.metadata,
+    spec: {
+      podSelector: {
+        matchLabels: ksm._config.selectorLabels,
+      },
+      policyTypes: ['Egress', 'Ingress'],
+      egress: [{}],
+      ingress: [{
+        from: [{
+          podSelector: {
+            matchLabels: {
+              'app.kubernetes.io/name': 'prometheus',
+            },
+          },
+        }],
+        ports: std.map(function(o) {
+          port: o.port,
+          protocol: 'TCP',
+        }, ksm.service.spec.ports),
+      }],
+    },
+  },
+
   deployment+: {
     spec+: {
       template+: {
diff --git a/jsonnet/kube-prometheus/components/node-exporter.libsonnet b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
index 2d1deb960685b81531c887a1389462a240cfd778..8de79f1825e1f3aebe7a9b0dca4be3d798b13704 100644
--- a/jsonnet/kube-prometheus/components/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
@@ -160,6 +160,32 @@ function(params) {
     },
   },
 
+  networkPolicy: {
+    apiVersion: 'networking.k8s.io/v1',
+    kind: 'NetworkPolicy',
+    metadata: ne.service.metadata,
+    spec: {
+      podSelector: {
+        matchLabels: ne._config.selectorLabels,
+      },
+      policyTypes: ['Egress', 'Ingress'],
+      egress: [{}],
+      ingress: [{
+        from: [{
+          podSelector: {
+            matchLabels: {
+              'app.kubernetes.io/name': 'prometheus',
+            },
+          },
+        }],
+        ports: std.map(function(o) {
+          port: o.port,
+          protocol: 'TCP',
+        }, ne.service.spec.ports),
+      }],
+    },
+  },
+
   daemonset:
     local nodeExporter = {
       name: ne._config.name,
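Review bot: If the node-exporter DaemonSet runs with `hostNetwork: true`, this policy may never be enforced, because Kubernetes leaves NetworkPolicy behaviour for host-network pods undefined and many CNIs skip them. The DaemonSet definition starts on the last lines of this hunk and that setting is not visible here, so this needs confirming. A comment above `networkPolicy:` would keep readers from assuming the metrics port is protected: `// Only effective when node-exporter is not on the host network; otherwise restrict port 9100 at the node firewall.`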
diff --git a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
index 8ff8b3a53b177f41af36568b1ab4c740ab5346a1..41fadebffe492c7e44eb0ff197e5d637014c93ee 100644
--- a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
@@ -206,6 +206,21 @@ function(params) {
     },
   },
 
+  networkPolicy: {
+    apiVersion: 'networking.k8s.io/v1',
+    kind: 'NetworkPolicy',
+    metadata: pa.service.metadata,
+    spec: {
+      podSelector: {
+        matchLabels: pa._config.selectorLabels,
+      },
+      policyTypes: ['Egress', 'Ingress'],
+      egress: [{}],
+      // Prometheus-adapter needs ingress allowed so HPAs can request metrics from it.
+      ingress: [{}],
+    },
+  },
+
   deployment:
     local c = {
       name: pa._config.name,
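Review bot: With `ingress: [{}]` next to `egress: [{}]` this policy allows every source, destination and port, so it restricts nothing for the adapter pods. Metrics API callers reach the adapter through the kube-apiserver aggregation layer, which usually cannot be matched by a podSelector, so leaving `from` open is reasonable. The rule can still be limited to the adapter's serving port with a `ports:` entry; the port is defined outside this hunk. The comment would be more accurate as `// Ingress is open to any source because metrics API requests arrive via the kube-apiserver (e.g. for HPAs).`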
diff --git a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
index d95d854e5eaa7cd9d66e1ff2c2e6b3f8e4e7ff8d..7d4bc0a36ecfb7adf10ffb63a3a05ffc6e32ad17 100644
--- a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
@@ -72,6 +72,32 @@ function(params)
       },
     },
 
+    networkPolicy: {
+      apiVersion: 'networking.k8s.io/v1',
+      kind: 'NetworkPolicy',
+      metadata: po.service.metadata,
+      spec: {
+        podSelector: {
+          matchLabels: po._config.selectorLabels,
+        },
+        policyTypes: ['Egress', 'Ingress'],
+        egress: [{}],
+        ingress: [{
+          from: [{
+            podSelector: {
+              matchLabels: {
+                'app.kubernetes.io/name': 'prometheus',
+              },
+            },
+          }],
+          ports: std.map(function(o) {
+            port: o.port,
+            protocol: 'TCP',
+          }, po.service.spec.ports),
+        }],
+      },
+    },
+
     service+: {
       spec+: {
         ports: [
diff --git a/jsonnet/kube-prometheus/components/prometheus.libsonnet b/jsonnet/kube-prometheus/components/prometheus.libsonnet
index c21a65a92badf2b2f3c7d3230ad4ef4d2418b9c6..461a4253f0d5c44c75e25939655548f3abb70510 100644
--- a/jsonnet/kube-prometheus/components/prometheus.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus.libsonnet
@@ -94,6 +94,32 @@ function(params) {
     },
   },
 
+  networkPolicy: {
+    apiVersion: 'networking.k8s.io/v1',
+    kind: 'NetworkPolicy',
+    metadata: p.service.metadata,
+    spec: {
+      podSelector: {
+        matchLabels: p._config.selectorLabels,
+      },
+      policyTypes: ['Egress', 'Ingress'],
+      egress: [{}],
+      ingress: [{
+        from: [{
+          podSelector: {
+            matchLabels: {
+              'app.kubernetes.io/name': 'prometheus',
+            },
+          },
+        }],
+        ports: std.map(function(o) {
+          port: o.port,
+          protocol: 'TCP',
+        }, p.service.spec.ports),
+      }],
+    },
+  },
+
   serviceAccount: {
     apiVersion: 'v1',
     kind: 'ServiceAccount',
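Review bot: The single ingress rule admits only pods labelled `app.kubernetes.io/name: prometheus`, so under an enforcing CNI the other components of this stack that query Prometheus are cut off. Grafana's datasource and prometheus-adapter are the likely ones, though their configuration is not in this diff. A second rule for those clients on the web port keeps dashboards and the metrics API working while still denying everything else. The component's definition starts above and continues below this hunk.

```jsonnet
      ingress: [
        // … unchanged: rule admitting pods labelled app.kubernetes.io/name=prometheus …
        // In-stack clients that query Prometheus over its web port.
        {
          from: [
            { podSelector: { matchLabels: { 'app.kubernetes.io/name': 'grafana' } } },
            { podSelector: { matchLabels: { 'app.kubernetes.io/name': 'prometheus-adapter' } } },
          ],
          ports: [{ port: 9090, protocol: 'TCP' }],
        },
      ],
```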
diff --git a/kustomization.yaml b/kustomization.yaml
index 084af1b179aca34c513deb679d56a2faf3c14812..ffdf7b6843a36e705d6e27d3420d4d14d5e0e00e 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./manifests/alertmanager-alertmanager.yaml
+- ./manifests/alertmanager-networkPolicy.yaml
 - ./manifests/alertmanager-podDisruptionBudget.yaml
 - ./manifests/alertmanager-prometheusRule.yaml
 - ./manifests/alertmanager-secret.yaml
@@ -12,6 +13,7 @@ resources:
 - ./manifests/blackboxExporter-clusterRoleBinding.yaml
 - ./manifests/blackboxExporter-configuration.yaml
 - ./manifests/blackboxExporter-deployment.yaml
+- ./manifests/blackboxExporter-networkPolicy.yaml
 - ./manifests/blackboxExporter-service.yaml
 - ./manifests/blackboxExporter-serviceAccount.yaml
 - ./manifests/blackboxExporter-serviceMonitor.yaml
@@ -20,6 +22,7 @@ resources:
 - ./manifests/grafana-dashboardDefinitions.yaml
 - ./manifests/grafana-dashboardSources.yaml
 - ./manifests/grafana-deployment.yaml
+- ./manifests/grafana-networkPolicy.yaml
 - ./manifests/grafana-prometheusRule.yaml
 - ./manifests/grafana-service.yaml
 - ./manifests/grafana-serviceAccount.yaml
@@ -28,6 +31,7 @@ resources:
 - ./manifests/kubeStateMetrics-clusterRole.yaml
 - ./manifests/kubeStateMetrics-clusterRoleBinding.yaml
 - ./manifests/kubeStateMetrics-deployment.yaml
+- ./manifests/kubeStateMetrics-networkPolicy.yaml
 - ./manifests/kubeStateMetrics-prometheusRule.yaml
 - ./manifests/kubeStateMetrics-service.yaml
 - ./manifests/kubeStateMetrics-serviceAccount.yaml
@@ -41,12 +45,14 @@ resources:
 - ./manifests/nodeExporter-clusterRole.yaml
 - ./manifests/nodeExporter-clusterRoleBinding.yaml
 - ./manifests/nodeExporter-daemonset.yaml
+- ./manifests/nodeExporter-networkPolicy.yaml
 - ./manifests/nodeExporter-prometheusRule.yaml
 - ./manifests/nodeExporter-service.yaml
 - ./manifests/nodeExporter-serviceAccount.yaml
 - ./manifests/nodeExporter-serviceMonitor.yaml
 - ./manifests/prometheus-clusterRole.yaml
 - ./manifests/prometheus-clusterRoleBinding.yaml
+- ./manifests/prometheus-networkPolicy.yaml
 - ./manifests/prometheus-podDisruptionBudget.yaml
 - ./manifests/prometheus-prometheus.yaml
 - ./manifests/prometheus-prometheusRule.yaml
@@ -65,6 +71,7 @@ resources:
 - ./manifests/prometheusAdapter-clusterRoleServerResources.yaml
 - ./manifests/prometheusAdapter-configMap.yaml
 - ./manifests/prometheusAdapter-deployment.yaml
+- ./manifests/prometheusAdapter-networkPolicy.yaml
 - ./manifests/prometheusAdapter-podDisruptionBudget.yaml
 - ./manifests/prometheusAdapter-roleBindingAuthReader.yaml
 - ./manifests/prometheusAdapter-service.yaml
@@ -73,6 +80,7 @@ resources:
 - ./manifests/prometheusOperator-clusterRole.yaml
 - ./manifests/prometheusOperator-clusterRoleBinding.yaml
 - ./manifests/prometheusOperator-deployment.yaml
+- ./manifests/prometheusOperator-networkPolicy.yaml
 - ./manifests/prometheusOperator-prometheusRule.yaml
 - ./manifests/prometheusOperator-service.yaml
 - ./manifests/prometheusOperator-serviceAccount.yaml
diff --git a/manifests/alertmanager-networkPolicy.yaml b/manifests/alertmanager-networkPolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..11b1a992e713570f80d06c3d1916fe1df7deb4da
--- /dev/null
+++ b/manifests/alertmanager-networkPolicy.yaml
@@ -0,0 +1,42 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/component: alert-router
+    app.kubernetes.io/instance: main
+    app.kubernetes.io/name: alertmanager
+    app.kubernetes.io/part-of: kube-prometheus
+    app.kubernetes.io/version: 0.23.0
+  name: alertmanager-main
+  namespace: monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: prometheus
+    ports:
+    - port: 9093
+      protocol: TCP
+    - port: 8080
+      protocol: TCP
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: alertmanager
+    ports:
+    - port: 9094
+      protocol: TCP
+    - port: 9094
+      protocol: UDP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: alert-router
+      app.kubernetes.io/instance: main
+      app.kubernetes.io/name: alertmanager
+      app.kubernetes.io/part-of: kube-prometheus
+  policyTypes:
+  - Egress
+  - Ingress
diff --git a/manifests/blackboxExporter-networkPolicy.yaml b/manifests/blackboxExporter-networkPolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8a6873aaca44d3f387f5f2ce9800eaada9b73db6
--- /dev/null
+++ b/manifests/blackboxExporter-networkPolicy.yaml
@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/component: exporter
+    app.kubernetes.io/name: blackbox-exporter
+    app.kubernetes.io/part-of: kube-prometheus
+    app.kubernetes.io/version: 0.19.0
+  name: blackbox-exporter
+  namespace: monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: prometheus
+    ports:
+    - port: 9115
+      protocol: TCP
+    - port: 19115
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: exporter
+      app.kubernetes.io/name: blackbox-exporter
+      app.kubernetes.io/part-of: kube-prometheus
+  policyTypes:
+  - Egress
+  - Ingress
diff --git a/manifests/grafana-networkPolicy.yaml b/manifests/grafana-networkPolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a5dd2aef7249ada2934a16c1019a259304ce08da
--- /dev/null
+++ b/manifests/grafana-networkPolicy.yaml
@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/component: grafana
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/part-of: kube-prometheus
+    app.kubernetes.io/version: 8.4.3
+  name: grafana
+  namespace: monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: prometheus
+    ports:
+    - port: 3000
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: grafana
+      app.kubernetes.io/name: grafana
+      app.kubernetes.io/part-of: kube-prometheus
+  policyTypes:
+  - Egress
+  - Ingress
diff --git a/manifests/kubeStateMetrics-networkPolicy.yaml b/manifests/kubeStateMetrics-networkPolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..711077a2fd96af6cb020cf3c22bb070ba148e5c3
--- /dev/null
+++ b/manifests/kubeStateMetrics-networkPolicy.yaml
@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/component: exporter
+    app.kubernetes.io/name: kube-state-metrics
+    app.kubernetes.io/part-of: kube-prometheus
+    app.kubernetes.io/version: 2.4.1
+  name: kube-state-metrics
+  namespace: monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: prometheus
+    ports:
+    - port: 8443
+      protocol: TCP
+    - port: 9443
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: exporter
+      app.kubernetes.io/name: kube-state-metrics
+      app.kubernetes.io/part-of: kube-prometheus
+  policyTypes:
+  - Egress
+  - Ingress
diff --git a/manifests/nodeExporter-networkPolicy.yaml b/manifests/nodeExporter-networkPolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1d2291581793df78fbeb173930a83859434e80b4
--- /dev/null
+++ b/manifests/nodeExporter-networkPolicy.yaml
@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/component: exporter
+    app.kubernetes.io/name: node-exporter
+    app.kubernetes.io/part-of: kube-prometheus
+    app.kubernetes.io/version: 1.3.1
+  name: node-exporter
+  namespace: monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: prometheus
+    ports:
+    - port: 9100
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: exporter
+      app.kubernetes.io/name: node-exporter
+      app.kubernetes.io/part-of: kube-prometheus
+  policyTypes:
+  - Egress
+  - Ingress
diff --git a/manifests/prometheus-networkPolicy.yaml b/manifests/prometheus-networkPolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..eb2a4eb7b45817b1e001db1e5fc77ae68bf4c8ba
--- /dev/null
+++ b/manifests/prometheus-networkPolicy.yaml
@@ -0,0 +1,33 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/component: prometheus
+    app.kubernetes.io/instance: k8s
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/part-of: kube-prometheus
+    app.kubernetes.io/version: 2.33.4
+  name: prometheus-k8s
+  namespace: monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: prometheus
+    ports:
+    - port: 9090
+      protocol: TCP
+    - port: 8080
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: prometheus
+      app.kubernetes.io/instance: k8s
+      app.kubernetes.io/name: prometheus
+      app.kubernetes.io/part-of: kube-prometheus
+  policyTypes:
+  - Egress
+  - Ingress
diff --git a/manifests/prometheusAdapter-networkPolicy.yaml b/manifests/prometheusAdapter-networkPolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d4636dff3f00f155bbc6beec30ce9cdddc1aea71
--- /dev/null
+++ b/manifests/prometheusAdapter-networkPolicy.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/component: metrics-adapter
+    app.kubernetes.io/name: prometheus-adapter
+    app.kubernetes.io/part-of: kube-prometheus
+    app.kubernetes.io/version: 0.9.1
+  name: prometheus-adapter
+  namespace: monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - {}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: metrics-adapter
+      app.kubernetes.io/name: prometheus-adapter
+      app.kubernetes.io/part-of: kube-prometheus
+  policyTypes:
+  - Egress
+  - Ingress
diff --git a/manifests/prometheusOperator-networkPolicy.yaml b/manifests/prometheusOperator-networkPolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b7c0dba131ae191cfa58ed4a584517b4c405bc0a
--- /dev/null
+++ b/manifests/prometheusOperator-networkPolicy.yaml
@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/name: prometheus-operator
+    app.kubernetes.io/part-of: kube-prometheus
+    app.kubernetes.io/version: 0.54.1
+  name: prometheus-operator
+  namespace: monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: prometheus
+    ports:
+    - port: 8443
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/name: prometheus-operator
+      app.kubernetes.io/part-of: kube-prometheus
+  policyTypes:
+  - Egress
+  - Ingress