From ea158da23f4cbe6f34bd75ebe1a2f8251c9dcd13 Mon Sep 17 00:00:00 2001
From: Arthur Silva Sens <arthursens2005@gmail.com>
Date: Thu, 17 Feb 2022 08:24:45 +0000
Subject: [PATCH] Add networkPolicies for alertmanager, grafana, prometheus-operator and prometheus
Signed-off-by: GitHub <noreply@github.com>
(cherry picked from commit 86e16b539cc57710b50f4692848cab5645e3d2bc)
---
 .../components/alertmanager.libsonnet | 26 +++++++++++++++
 .../components/grafana.libsonnet | 26 +++++++++++++++
 .../components/prometheus-operator.libsonnet | 26 +++++++++++++++
 .../components/prometheus.libsonnet | 26 +++++++++++++++
 kustomization.yaml | 4 +++
 manifests/alertmanager-networkPolicy.yaml | 33 +++++++++++++++++++
 manifests/grafana-networkPolicy.yaml | 29 ++++++++++++++++
 manifests/kubeStateMetrics-networkPolicy.yaml | 31 +++++++++++++++++
 manifests/nodeExporter-networkPolicy.yaml | 29 ++++++++++++++++
 manifests/prometheus-networkPolicy.yaml | 33 +++++++++++++++++++
 .../prometheusOperator-networkPolicy.yaml | 29 ++++++++++++++++
 11 files changed, 292 insertions(+)
 create mode 100644 manifests/alertmanager-networkPolicy.yaml
 create mode 100644 manifests/grafana-networkPolicy.yaml
 create mode 100644 manifests/kubeStateMetrics-networkPolicy.yaml
 create mode 100644 manifests/nodeExporter-networkPolicy.yaml
 create mode 100644 manifests/prometheus-networkPolicy.yaml
 create mode 100644 manifests/prometheusOperator-networkPolicy.yaml
diff --git a/jsonnet/kube-prometheus/components/alertmanager.libsonnet b/jsonnet/kube-prometheus/components/alertmanager.libsonnet
index a2f29e67..7dc43b3b 100644
--- a/jsonnet/kube-prometheus/components/alertmanager.libsonnet
+++ b/jsonnet/kube-prometheus/components/alertmanager.libsonnet
@@ -103,6 +103,32 @@ function(params) {
 },
 },
+ networkPolicy: {
+ apiVersion: 'networking.k8s.io/v1',
+ kind: 'NetworkPolicy',
+ metadata: am.service.metadata,
+ spec: {
+ podSelector: {
+ matchLabels: am._config.selectorLabels,
+ },
+ policyTypes: ['Egress', 'Ingress'],
+ egress: [{}],
+ ingress: [{
+ from: [{
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'prometheus',
+ },
+ },
+ }],
+ ports: std.map(function(o) {
+ port: o.port,
+ protocol: 'TCP',
+ }, am.service.spec.ports),
+ }],
+ },
+ },
+
 secret: {
 apiVersion: 'v1',
 kind: 'Secret',
diff --git a/jsonnet/kube-prometheus/components/grafana.libsonnet b/jsonnet/kube-prometheus/components/grafana.libsonnet
index 6ea80dd4..f6df20e0 100644
--- a/jsonnet/kube-prometheus/components/grafana.libsonnet
+++ b/jsonnet/kube-prometheus/components/grafana.libsonnet
@@ -84,6 +84,32 @@ function(params)
 },
 },
+ networkPolicy: {
+ apiVersion: 'networking.k8s.io/v1',
+ kind: 'NetworkPolicy',
+ metadata: g.service.metadata,
+ spec: {
+ podSelector: {
+ matchLabels: g._config.selectorLabels,
+ },
+ policyTypes: ['Egress', 'Ingress'],
+ egress: [{}],
+ ingress: [{
+ from: [{
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'prometheus',
+ },
+ },
+ }],
+ ports: std.map(function(o) {
+ port: o.port,
+ protocol: 'TCP',
+ }, g.service.spec.ports),
+ }],
+ },
+ },
+
 // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
 // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
 // 'readOnlyRootFilesystem: true' and extra volumeMounts can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.
diff --git a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
index d95d854e..7d4bc0a3 100644
--- a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
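Review bot: The single ingress rule built from `am.service.spec.ports` admits only Prometheus on the Service ports (9093 and 8080 in the generated manifest), so if `alertmanager-main` runs with more than one replica (the replica count is not visible here) the peer gossip on Alertmanager's cluster listen port (9094 by default, TCP and UDP) is denied and the replicas cannot form a cluster. A second rule selecting the Alertmanager pods themselves closes that gap, e.g. `{ from: [{ podSelector: { matchLabels: am._config.selectorLabels } }], ports: [{ port: 9094, protocol: 'TCP' }, { port: 9094, protocol: 'UDP' }] }`. The `from` entry has no `namespaceSelector`, so only pods in the policy's own namespace ever match; worth a comment since it is what makes the label-based trust here safe.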
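Review bot: The only ingress source for Grafana is pods labeled `app.kubernetes.io/name: prometheus`, which mirrors the other components but does not fit Grafana's traffic: Prometheus has no need to reach port 3000, while the clients that do (an ingress controller or load balancer, typically in another namespace) are denied because the rule has neither a matching `podSelector` nor a `namespaceSelector`. If a closed-by-default posture is intended, say so on the field, e.g. `// Ingress is closed by default; override ingress to admit the component that serves Grafana's UI.`; otherwise replace the `from` selector with the consumer that actually needs port 3000.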
+++ b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
@@ -72,6 +72,32 @@ function(params)
 },
 },
+ networkPolicy: {
+ apiVersion: 'networking.k8s.io/v1',
+ kind: 'NetworkPolicy',
+ metadata: po.service.metadata,
+ spec: {
+ podSelector: {
+ matchLabels: po._config.selectorLabels,
+ },
+ policyTypes: ['Egress', 'Ingress'],
+ egress: [{}],
+ ingress: [{
+ from: [{
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'prometheus',
+ },
+ },
+ }],
+ ports: std.map(function(o) {
+ port: o.port,
+ protocol: 'TCP',
+ }, po.service.spec.ports),
+ }],
+ },
+ },
+
 service+: {
 spec+: {
 ports: [
diff --git a/jsonnet/kube-prometheus/components/prometheus.libsonnet b/jsonnet/kube-prometheus/components/prometheus.libsonnet
index c21a65a9..461a4253 100644
--- a/jsonnet/kube-prometheus/components/prometheus.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus.libsonnet
@@ -94,6 +94,32 @@ function(params) {
 },
 },
+ networkPolicy: {
+ apiVersion: 'networking.k8s.io/v1',
+ kind: 'NetworkPolicy',
+ metadata: p.service.metadata,
+ spec: {
+ podSelector: {
+ matchLabels: p._config.selectorLabels,
+ },
+ policyTypes: ['Egress', 'Ingress'],
+ egress: [{}],
+ ingress: [{
+ from: [{
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'prometheus',
+ },
+ },
+ }],
+ ports: std.map(function(o) {
+ port: o.port,
+ protocol: 'TCP',
+ }, p.service.spec.ports),
+ }],
+ },
+ },
+
 serviceAccount: {
 apiVersion: 'v1',
 kind: 'ServiceAccount',
diff --git a/kustomization.yaml b/kustomization.yaml
index 084af1b1..c79bca6b 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./manifests/alertmanager-alertmanager.yaml
+- ./manifests/alertmanager-networkPolicy.yaml
 - ./manifests/alertmanager-podDisruptionBudget.yaml
 - ./manifests/alertmanager-prometheusRule.yaml
 - ./manifests/alertmanager-secret.yaml
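Review bot: `port: o.port` copies the Service port, but NetworkPolicy `ports` are matched against the pod's container port; this only works while each Service's `port` equals its `targetPort`, and the same coupling is in the alertmanager, grafana and prometheus hunks. Deriving the value from `o.targetPort` (a named or numeric port is accepted there) or at least adding `// NOTE: assumes service port == container port; NetworkPolicy matches the pod side` would stop the two from drifting apart silently. `egress: [{}]` together with `policyTypes: ['Egress', 'Ingress']` is an explicit allow-all for outbound traffic; a one-line comment saying so, e.g. `egress: [{}],  // allow all egress for now`, keeps a reader from assuming egress is restricted because the type is listed.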
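Review bot: The only ingress rule for the Prometheus pods admits pods labeled `app.kubernetes.io/name: prometheus`, so Grafana (labeled `app.kubernetes.io/name: grafana` in manifests/grafana-networkPolicy.yaml) is denied on 9090 and its Prometheus datasource queries presumably stop working once the policy is applied; the same would apply to prometheus-adapter if it is deployed in this namespace (not shown here). A second rule fixes the Grafana case, e.g. `{ from: [{ podSelector: { matchLabels: { 'app.kubernetes.io/name': 'grafana' } } }], ports: [{ port: 9090, protocol: 'TCP' }] }`, and a third with the adapter's labels if needed. The rule list is otherwise fine as the self-rule (Prometheus scraping its own 9090/8080) since the `from` selector also matches the policy's own pods.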
@@ -20,6 +21,7 @@ resources:
 - ./manifests/grafana-dashboardDefinitions.yaml
 - ./manifests/grafana-dashboardSources.yaml
 - ./manifests/grafana-deployment.yaml
+- ./manifests/grafana-networkPolicy.yaml
 - ./manifests/grafana-prometheusRule.yaml
 - ./manifests/grafana-service.yaml
 - ./manifests/grafana-serviceAccount.yaml
@@ -47,6 +49,7 @@ resources:
 - ./manifests/nodeExporter-serviceMonitor.yaml
 - ./manifests/prometheus-clusterRole.yaml
 - ./manifests/prometheus-clusterRoleBinding.yaml
+- ./manifests/prometheus-networkPolicy.yaml
 - ./manifests/prometheus-podDisruptionBudget.yaml
 - ./manifests/prometheus-prometheus.yaml
 - ./manifests/prometheus-prometheusRule.yaml
@@ -73,6 +76,7 @@ resources:
 - ./manifests/prometheusOperator-clusterRole.yaml
 - ./manifests/prometheusOperator-clusterRoleBinding.yaml
 - ./manifests/prometheusOperator-deployment.yaml
+- ./manifests/prometheusOperator-networkPolicy.yaml
 - ./manifests/prometheusOperator-prometheusRule.yaml
 - ./manifests/prometheusOperator-service.yaml
 - ./manifests/prometheusOperator-serviceAccount.yaml
diff --git a/manifests/alertmanager-networkPolicy.yaml b/manifests/alertmanager-networkPolicy.yaml
new file mode 100644
index 00000000..d9f01424
--- /dev/null
+++ b/manifests/alertmanager-networkPolicy.yaml
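Review bot: The four added entries register only the alertmanager, grafana, prometheus and prometheusOperator policies, while the commit also creates manifests/kubeStateMetrics-networkPolicy.yaml and manifests/nodeExporter-networkPolicy.yaml (see the diffstat), so those two policies are never applied through this Kustomization. Add `- ./manifests/kubeStateMetrics-networkPolicy.yaml` and `- ./manifests/nodeExporter-networkPolicy.yaml` in their alphabetical positions; the hunk at -47 is the nearest one for the nodeExporter entry. If kustomization.yaml is produced by the build script rather than edited by hand, the generator is what needs to pick them up.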
@@ -0,0 +1,33 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/component: alert-router
+ app.kubernetes.io/instance: main
+ app.kubernetes.io/name: alertmanager
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 0.23.0
+ name: alertmanager-main
+ namespace: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 9093
+ protocol: TCP
+ - port: 8080
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: alert-router
+ app.kubernetes.io/instance: main
+ app.kubernetes.io/name: alertmanager
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
diff --git a/manifests/grafana-networkPolicy.yaml b/manifests/grafana-networkPolicy.yaml
new file mode 100644
index 00000000..d842725e
--- /dev/null
+++ b/manifests/grafana-networkPolicy.yaml
@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/component: grafana
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 8.3.6
+ name: grafana
+ namespace: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 3000
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: grafana
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
diff --git a/manifests/kubeStateMetrics-networkPolicy.yaml b/manifests/kubeStateMetrics-networkPolicy.yaml
new file mode 100644
index 00000000..e295e722
--- /dev/null
+++ b/manifests/kubeStateMetrics-networkPolicy.yaml
@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 2.3.0
+ name: kube-state-metrics
+ namespace: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 8443
+ protocol: TCP
+ - port: 9443
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
diff --git a/manifests/nodeExporter-networkPolicy.yaml b/manifests/nodeExporter-networkPolicy.yaml
new file mode 100644
index 00000000..1d229158
--- /dev/null
+++ b/manifests/nodeExporter-networkPolicy.yaml
@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: node-exporter
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 1.3.1
+ name: node-exporter
+ namespace: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 9100
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: node-exporter
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
diff --git a/manifests/prometheus-networkPolicy.yaml b/manifests/prometheus-networkPolicy.yaml
new file mode 100644
index 00000000..189c0529
--- /dev/null
+++ b/manifests/prometheus-networkPolicy.yaml
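Review bot: This policy selects the node-exporter pods, but if that DaemonSet runs with `hostNetwork: true` (not visible in this diff) most CNIs do not enforce NetworkPolicy on host-networked pods at all, so the 9100 restriction here may be documentation rather than enforcement and should not be counted as coverage in a review of the deployment. A comment in the source the manifest is generated from, e.g. `# NOTE: not enforced by most CNIs when node-exporter uses hostNetwork`, would make that limit explicit. Neither this file nor manifests/kubeStateMetrics-networkPolicy.yaml has a corresponding jsonnet change in this commit, so check that the next regeneration of manifests/ does not drop them.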
@@ -0,0 +1,33 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/component: prometheus
+ app.kubernetes.io/instance: k8s
+ app.kubernetes.io/name: prometheus
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 2.33.3
+ name: prometheus-k8s
+ namespace: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 9090
+ protocol: TCP
+ - port: 8080
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: prometheus
+ app.kubernetes.io/instance: k8s
+ app.kubernetes.io/name: prometheus
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
diff --git a/manifests/prometheusOperator-networkPolicy.yaml b/manifests/prometheusOperator-networkPolicy.yaml
new file mode 100644
index 00000000..d9244c6a
--- /dev/null
+++ b/manifests/prometheusOperator-networkPolicy.yaml
@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/name: prometheus-operator
+ app.kubernetes.io/part-of: kube-prometheus
+ app.kubernetes.io/version: 0.54.0
+ name: prometheus-operator
+ namespace: monitoring
+spec:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: 8443
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/name: prometheus-operator
+ app.kubernetes.io/part-of: kube-prometheus
+ policyTypes:
+ - Egress
+ - Ingress
--
GitLab