fix(monitoring): Add missing/broken NetworkPolicy
This patch fixes the current issue with the network policy regarding host network containers, Calico and Kubernetes NetworkPolicies. The problem originates from the selected bind port to reach containers on the Calico overlay network, which is using the WireGuard endpoint, instead of the host external IP. Since these also always change, and are part of the Pod-CIDR, it's not really possible to select them using an ipBlock without opening things up for all pods. The reason why the Kubernetes NetworkPolicies don't work is that they are not applied to host network pods, therefore the control-plane can't really be selected here. Therefore Calico network policies with automatic host endpoints are a requirement.