From aaad3b3f47fc7bab4d3918982ac8f56734895c0a Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Thu, 6 Oct 2022 03:23:06 +0200
Subject: [PATCH] fix(loki): Drop egress policy to simplify setup

Using ingress and egress network policies has caused various issues in
the past few days. Dropping the egress policies entirely by moving the
network policies from the helm chart to manually crafted network
policies might make things more complicated to upgrade but easier to
maintain in general.
---
 infrastructure/loki/loki.yaml     | 78 ++++++++++++++++++++-----------
 infrastructure/loki/promtail.yaml | 24 ++++++----
 2 files changed, 67 insertions(+), 35 deletions(-)

diff --git a/infrastructure/loki/loki.yaml b/infrastructure/loki/loki.yaml
index 504e124bd..7e5523ebc 100644
--- a/infrastructure/loki/loki.yaml
+++ b/infrastructure/loki/loki.yaml
@@ -62,28 +62,7 @@ data:
         grafanaAgent:
           installOperator: false
     networkPolicy:
-      enabled: true
-      metrics:
-        namespaceSelector:
-          matchLabels:
-            monitoring.shivering-isles.com/network-access-required: "true"
-        podSelector:
-          matchLabels:
-            app.kubernetes.io/name: prometheus
-      ingress:
-        namespaceSelector:
-            matchLabels:
-              ingress.shivering-isles.com/network-access-required: "true"
-      alertmanager:
-        namespaceSelector:
-          matchLabels:
-            monitoring.shivering-isles.com/network-access-required: "true"
-        podSelector:
-          matchLabels:
-            app.kubernetes.io/name: alertmanager
-      externalStorage:
-        ports:
-          - 9000
+      enabled: false
     minio:
       enabled: true
       mode: standalone
@@ -118,15 +97,60 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-from-job
+  name: allow-ingress-to-loki
 spec:
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          ingress.shivering-isles.com/network-access-required: "true"
+    ports:
+    - port: http
+      protocol: TCP
+  podSelector:
+    matchExpressions:
+    - key: app.kubernetes.io/component
+      operator: In
+      values:
+      - gateway
+    matchLabels:
+      app.kubernetes.io/instance: loki
+      app.kubernetes.io/name: loki
   policyTypes:
-  - Egress
-  egress:
-  - {}
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-loki-metrics
+  namespace: loki-system
+spec:
+  ingress:
+  - ports:
+    - port: http-metrics
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: loki
+      app.kubernetes.io/name: loki
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-loki-minio
+  namespace: loki-system
+spec:
+  ingress:
+  - ports:
+    - port: 9000
+      protocol: TCP
   podSelector:
     matchLabels:
-      app: minio-job
+      release: loki
+  policyTypes:
+  - Ingress
 ---
 apiVersion: v1
 kind: ConfigMap
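Review bot: The `allow-loki-metrics` and `allow-loki-minio` policies give their `ingress` rule only a `ports` list and no `from`, so with the chart policy now disabled any pod in any namespace (and, depending on the CNI, external clients) can reach `http-metrics` and port 9000 on the selected pods; the chart values being removed in the first hunk limited metrics to `app.kubernetes.io/name: prometheus` pods in namespaces labelled `monitoring.shivering-isles.com/network-access-required: "true"`. The same open rule appears in `allow-from-monitoring-promtail` in promtail.yaml. Restoring the `from` selectors on the metrics rules, and for port 9000 limiting peers to the Loki pods themselves (assuming `release: loki` selects the MinIO pods — worth verifying), preserves the intent of the values this commit drops. Separately, `allow-ingress-to-loki` lacks the `namespace: loki-system` the other two policies set; harmless if the file is always applied with an explicit namespace, but inconsistent within the same file.
```yaml
  name: allow-loki-metrics
# … unchanged: namespace …
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          monitoring.shivering-isles.com/network-access-required: "true"
      podSelector:
        matchLabels:
          app.kubernetes.io/name: prometheus
    ports:
    - port: http-metrics
      protocol: TCP
# … unchanged: podSelector, policyTypes …
---
# … unchanged: allow-loki-minio header …
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: loki
    ports:
    - port: 9000
      protocol: TCP
# … unchanged: podSelector, policyTypes …
```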
diff --git a/infrastructure/loki/promtail.yaml b/infrastructure/loki/promtail.yaml
index dab6957a0..3e92aba12 100644
--- a/infrastructure/loki/promtail.yaml
+++ b/infrastructure/loki/promtail.yaml
@@ -41,14 +41,7 @@ data:
     serviceMonitor:
       enabled: true
     networkPolicy:
-      enabled: true
-      metrics:
-        namespaceSelector:
-          matchLabels:
-            monitoring.shivering-isles.com/network-access-required: "true"
-        podSelector:
-          matchLabels:
-            app.kubernetes.io/name: prometheus
+      enabled: false
     # Required for journald collection
     containerSecurityContext:
       privileged: true
@@ -95,3 +88,18 @@ data:
       - name: machine-id
         mountPath: /etc/machine-id
         readOnly: true
+---
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-monitoring-promtail
+spec:
+  ingress:
+  - ports:
+    - port: http-metrics
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: promtail
+      app.kubernetes.io/name: promtail
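Review bot: The two consecutive `---` lines at the start of the added block produce an empty YAML document between the Promtail values and the new NetworkPolicy; drop one of them. The new policy also omits the explicit `policyTypes:` / `- Ingress` that the three policies in loki.yaml carry; Kubernetes infers Ingress when only ingress rules are present, so behaviour is the same, but the explicit form keeps both files readable the same way. As with the Loki policies, this rule has no `from`, which is covered in the note on loki.yaml.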
-- 
GitLab