From b441d40a927147052c247784203c59464b1e5cf2 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Tue, 7 Feb 2023 02:37:56 +0100
Subject: [PATCH] fix(monitoring): Add missing/broken NetworkPolicy

This patch fixes the current issue with the network policy regarding
host network containers, calico and Kubernetes NetworkPolicies.

The problem originates from the selected bind port to reach containers
on the calico overlay network, which is using the wireguard endpoint,
instead of the host external IP. Since these also always change, and are
part of the Pod-CIDR, it's not really possible to select them using an
ipBlock without opening things up for all pods.

The reason why the Kubernetes NetworkPolicies don't work is that they
are not applied to host network pods, therefore the control-plane
can't really be selected here. Therefore calico network policies with
automatic host endpoints are a requirement.
---
 infrastructure/monitoring/networkpolicy.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/infrastructure/monitoring/networkpolicy.yaml b/infrastructure/monitoring/networkpolicy.yaml
index 460c09edf..a89cc85a0 100644
--- a/infrastructure/monitoring/networkpolicy.yaml
+++ b/infrastructure/monitoring/networkpolicy.yaml
@@ -12,3 +12,19 @@ spec:
           - alertmanager
           - grafana
           - prometheus
+---
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: allow-controlplane
+spec:
+  selector: app.kubernetes.io/instance == 'kube-prometheus-stack'
+  ingress:
+  - action: Allow
+    protocol: TCP
+    source:
+      selector: has(node-role.kubernetes.io/control-plane)
+      namespaceSelector: global()
+    destination:
+      ports:
+      - 10250
\ No newline at end of file
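Review bot: the source selector `has(node-role.kubernetes.io/control-plane)` combined with `namespaceSelector: global()` only matches Calico HostEndpoints, which exist for the control-plane nodes solely when automatic host endpoint creation is enabled in the KubeControllersConfiguration (`spec.controllers.node.hostEndpoint.autoCreate: Enabled`); if that setting is missing, the rule matches no endpoints and control-plane traffic to port 10250 stays blocked without any error. The commit message names this requirement, but the manifest itself does not; add a YAML comment above `source:` recording the dependency so the next reader does not have to rediscover it, and verify it on the cluster with `calicoctl get hostendpoints` before merging. Two smaller points: `spec.selector: app.kubernetes.io/instance == 'kube-prometheus-stack'` opens port 10250 on every pod of the release rather than only the one that serves that port, so narrowing it to the serving component would keep the allow list minimal; and the file ends without a trailing newline (`\ No newline at end of file`), which should be added.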
-- 
GitLab