Hardened k3s network policy #2868

Merged
merged 2 commits into from
Sep 11, 2023
Binary file modified assets/rancher-monitoring/rancher-monitoring-103.0.0+up40.1.2.tgz
Expand Up @@ -125,4 +125,24 @@ spec:
- Ingress
- Egress
{{- end }}
{{- end }}
---
{{- if .Values.hardened.k3s.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: monitoring-coredns-network-policy
namespace: kube-system
spec:
ingress:
- ports:
- port: 9153
protocol: TCP
- port: 9153
protocol: UDP
podSelector:
matchLabels:
k8s-app: kube-dns
policyTypes:
- Ingress
{{- end }}
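Review bot: the single ingress rule in this NetworkPolicy has `ports` but no `from`, so once applied it lets any source in any namespace reach the `k8s-app: kube-dns` pods on 9153; the only intended consumer is the Prometheus scrape, so consider adding a `from:` entry with a `namespaceSelector` for the namespace the chart is installed in (and a `podSelector` for the Prometheus pods if the labels allow it). The `protocol: UDP` entry for 9153 can be dropped, since CoreDNS serves its metrics endpoint over HTTP, i.e. TCP only. Also note that NetworkPolicies are additive: this policy allows only 9153 and says nothing about port 53, so DNS on a hardened k3s cluster still relies on the cluster's existing DNS policy for the kube-dns pods; that dependency deserves a comment in the template.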
5 changes: 5 additions & 0 deletions charts/rancher-monitoring/103.0.0+up40.1.2/values.yaml
Expand Up @@ -171,6 +171,11 @@ k3sServer:
- sourceLabels: [__metrics_path__]
targetLabel: metrics_path

hardened:
k3s:
networkPolicy:
enabled: true

## KubeADM PushProx Monitoring
## ref: https://github.com/rancher/charts/tree/dev-v2.5-source/packages/rancher-pushprox
##
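Review bot: `enabled: true` by default means the kube-system NetworkPolicy is rendered on every install of this chart, including clusters that are not k3s or not hardened, and the new block carries no comment explaining what it does or when to turn it off; suggest either defaulting it to `false` and documenting the value in the k3s hardening docs, or at least adding a `##` comment above `hardened:` in the style of the surrounding keys, e.g. `## Creates a NetworkPolicy in kube-system that lets Prometheus scrape CoreDNS metrics on 9153 on hardened k3s clusters`.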
4 changes: 2 additions & 2 deletions index.yaml
Expand Up @@ -11126,7 +11126,7 @@ entries:
catalog.cattle.io/upstream-version: 19.0.3
apiVersion: v2
appVersion: 0.59.1
created: "2023-09-05T15:59:46.046773-07:00"
created: "2023-09-11T10:56:06.005436-07:00"
dependencies:
- condition: grafana.enabled
name: grafana
Expand Down Expand Up @@ -11197,7 +11197,7 @@ entries:
description: Collects several related Helm charts, Grafana dashboards, and Prometheus
rules combined with documentation and scripts to provide easy to operate end-to-end
Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.
digest: a0e7f34b7406f2b416a67087f6775061f38949cb65492d05940437c9a89bde74
digest: 02f8a1df4177f27bf1632dcce427ed30ece3117c6806096ec5e2674c46e749c5
home: https://github.com/prometheus-operator/kube-prometheus
icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png
keywords:
Expand Up @@ -125,4 +125,24 @@ spec:
- Ingress
- Egress
{{- end }}
{{- end }}
---
{{- if .Values.hardened.k3s.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: monitoring-coredns-network-policy
namespace: kube-system
spec:
ingress:
- ports:
- port: 9153
protocol: TCP
- port: 9153
protocol: UDP
podSelector:
matchLabels:
k8s-app: kube-dns
policyTypes:
- Ingress
{{- end }}
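Review bot: this second copy of the template (the page shows no file name for either copy) hard-codes `namespace: kube-system` in `metadata`, so Helm creates and owns a resource outside the release namespace; that is permitted, but `helm uninstall` will remove it, and a pre-existing policy named `monitoring-coredns-network-policy` in kube-system would make the install fail Helm's ownership check, so keep the name distinct from the policies the k3s hardening guide applies. The two copies must stay byte-identical (they do here); the `{{- if .Values.hardened.k3s.networkPolicy.enabled }}` guard is the same in both.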
@@ -1,6 +1,6 @@
--- charts-original/values.yaml
+++ charts/values.yaml
@@ -2,13 +2,630 @@
@@ -2,13 +2,635 @@
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

Expand Down Expand Up @@ -173,6 +173,11 @@
+ - sourceLabels: [__metrics_path__]
+ targetLabel: metrics_path
+
+hardened:
+ k3s:
+ networkPolicy:
+ enabled: true
+
+## KubeADM PushProx Monitoring
+## ref: https://github.com/rancher/charts/tree/dev-v2.5-source/packages/rancher-pushprox
+##
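Review bot: the hunk headers in this generated patch (`+2,630` to `+2,635`, `+721` to `+726`, and so on through the file) are all shifted by exactly the five lines added here, which is consistent; since this patch is derived from the charts/ copy of values.yaml, it should be regenerated by the chart tooling rather than edited by hand so the two never drift.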
Expand Down Expand Up @@ -633,7 +638,7 @@

## Provide a k8s version to auto dashboard import script example: kubeTargetVersionOverride: 1.16.6
##
@@ -104,13 +721,36 @@
@@ -104,13 +726,36 @@

##
global:
Expand Down Expand Up @@ -674,7 +679,7 @@
pspAnnotations: {}
## Specify pod annotations
## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
@@ -225,25 +865,77 @@
@@ -225,25 +870,77 @@
## ref: https://prometheus.io/docs/alerting/notifications/
## https://prometheus.io/docs/alerting/notification_examples/
##
Expand Down Expand Up @@ -771,7 +776,7 @@

ingress:
enabled: false
@@ -452,7 +1144,7 @@
@@ -452,7 +1149,7 @@
## Image of Alertmanager
##
image:
Expand All @@ -780,7 +785,7 @@
tag: v0.24.0
sha: ""

@@ -575,9 +1267,13 @@
@@ -575,9 +1272,13 @@
## Define resources requests and limits for single Pods.
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
##
Expand All @@ -797,7 +802,7 @@

## Pod anti-affinity can prevent the scheduler from placing Prometheus replicas on the same node.
## The default value "soft" means that the scheduler should *prefer* to not schedule two replica pods onto the same node but no guarantee is provided.
@@ -707,6 +1403,30 @@
@@ -707,6 +1408,30 @@
enabled: true
namespaceOverride: ""

Expand Down Expand Up @@ -828,7 +833,7 @@
## ForceDeployDatasources Create datasource configmap even if grafana deployment has been disabled
##
forceDeployDatasources: false
@@ -719,6 +1439,18 @@
@@ -719,6 +1444,18 @@
##
defaultDashboardsEnabled: true

Expand All @@ -847,7 +852,7 @@
## Timezone for the default dashboards
## Other options are: browser or a specific timezone, i.e. Europe/Luxembourg
##
@@ -726,11 +1458,6 @@
@@ -726,11 +1463,6 @@

adminPassword: prom-operator

Expand All @@ -859,15 +864,15 @@
ingress:
## If true, Grafana Ingress will be created
##
@@ -773,6 +1500,7 @@
@@ -773,6 +1505,7 @@
dashboards:
enabled: true
label: grafana_dashboard
+ searchNamespace: cattle-dashboards
labelValue: "1"

## Annotations for Grafana dashboard configmaps
@@ -845,8 +1573,63 @@
@@ -845,8 +1578,63 @@
## Passed to grafana subchart and used by servicemonitor below
##
service:
Expand Down Expand Up @@ -932,7 +937,7 @@
serviceMonitor:
# If true, a ServiceMonitor CRD is created for a prometheus operator
# https://github.com/coreos/prometheus-operator
@@ -880,6 +1663,17 @@
@@ -880,6 +1668,17 @@
# replacement: $1
# action: replace

Expand All @@ -950,7 +955,7 @@
## Component scraping the kube api server
##
kubeApiServer:
@@ -1099,7 +1893,7 @@
@@ -1099,7 +1898,7 @@
## Component scraping the kube controller manager
##
kubeControllerManager:
Expand All @@ -959,7 +964,7 @@

## If your kube controller manager is not deployed as a pod, specify IPs it can be found on
##
@@ -1276,7 +2070,7 @@
@@ -1276,7 +2075,7 @@
## Component scraping etcd
##
kubeEtcd:
Expand All @@ -968,7 +973,7 @@

## If your etcd is not deployed as a pod, specify IPs it can be found on
##
@@ -1347,7 +2141,7 @@
@@ -1347,7 +2146,7 @@
## Component scraping kube scheduler
##
kubeScheduler:
Expand All @@ -977,7 +982,7 @@

## If your kube scheduler is not deployed as a pod, specify IPs it can be found on
##
@@ -1415,7 +2209,7 @@
@@ -1415,7 +2214,7 @@
## Component scraping kube proxy
##
kubeProxy:
Expand All @@ -986,7 +991,7 @@

## If your kube proxy is not deployed as a pod, specify IPs it can be found on
##
@@ -1578,10 +2372,6 @@
@@ -1578,10 +2377,6 @@
# targetLabel: nodename
# replacement: $1
# action: replace
Expand All @@ -997,7 +1002,7 @@

## Manages Prometheus and Alertmanager components
##
@@ -1594,8 +2384,8 @@
@@ -1594,8 +2389,8 @@
enabled: true
# Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants
tlsMinVersion: VersionTLS13
Expand All @@ -1008,7 +1013,7 @@

## Admission webhook support for PrometheusRules resources added in Prometheus Operator 0.30 can be enabled to prevent incorrectly formatted
## rules from making their way into prometheus and potentially preventing the container from starting
@@ -1614,7 +2404,7 @@
@@ -1614,7 +2409,7 @@
patch:
enabled: true
image:
Expand All @@ -1017,7 +1022,7 @@
tag: v1.3.0
sha: ""
pullPolicy: IfNotPresent
@@ -1787,13 +2577,13 @@
@@ -1787,13 +2582,13 @@

## Resource limits & requests
##
Expand All @@ -1038,7 +1043,7 @@

# Required for use in managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico),
# because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working
@@ -1853,7 +2643,7 @@
@@ -1853,7 +2648,7 @@
## Prometheus-operator image
##
image:
Expand All @@ -1047,7 +1052,7 @@
tag: v0.59.1
sha: ""
pullPolicy: IfNotPresent
@@ -1870,7 +2660,7 @@
@@ -1870,7 +2665,7 @@
##
prometheusConfigReloader:
image:
Expand All @@ -1056,7 +1061,7 @@
tag: v0.59.1
sha: ""

@@ -1886,7 +2676,7 @@
@@ -1886,7 +2681,7 @@
## Thanos side-car image when configured
##
thanosImage:
Expand All @@ -1065,7 +1070,7 @@
tag: v0.28.0
sha: ""

@@ -2014,7 +2804,7 @@
@@ -2014,7 +2809,7 @@
port: 9090

## To be used with a proxy extraContainer port
Expand All @@ -1074,7 +1079,7 @@

## List of IP addresses at which the Prometheus server service is available
## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
@@ -2319,7 +3109,7 @@
@@ -2319,7 +3114,7 @@
## Image of Prometheus.
##
image:
Expand All @@ -1083,7 +1088,7 @@
tag: v2.38.0
sha: ""

@@ -2418,7 +3208,7 @@
@@ -2418,7 +3213,7 @@
## prometheus resource to be created with selectors based on values in the helm deployment,
## which will also match the PrometheusRule resources created
##
Expand All @@ -1092,7 +1097,7 @@

## PrometheusRules to be selected for target discovery.
## If {}, select all PrometheusRules
@@ -2443,7 +3233,7 @@
@@ -2443,7 +3238,7 @@
## prometheus resource to be created with selectors based on values in the helm deployment,
## which will also match the servicemonitors created
##
Expand All @@ -1101,7 +1106,7 @@

## ServiceMonitors to be selected for target discovery.
## If {}, select all ServiceMonitors
@@ -2466,7 +3256,7 @@
@@ -2466,7 +3261,7 @@
## prometheus resource to be created with selectors based on values in the helm deployment,
## which will also match the podmonitors created
##
Expand All @@ -1110,7 +1115,7 @@

## PodMonitors to be selected for target discovery.
## If {}, select all PodMonitors
@@ -2597,9 +3387,13 @@
@@ -2597,9 +3392,13 @@

## Resource limits & requests
##
Expand All @@ -1127,7 +1132,7 @@

## Prometheus StorageSpec for persistent data
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/storage.md
@@ -2622,7 +3416,13 @@
@@ -2622,7 +3421,13 @@
# medium: Memory

# Additional volumes on the output StatefulSet definition.
Expand All @@ -1142,7 +1147,7 @@

# Additional VolumeMounts on the output StatefulSet definition.
volumeMounts: []
@@ -2768,21 +3568,34 @@
@@ -2768,21 +3573,34 @@
# fileName: "objstore.yaml"
# objectStorageConfigFile: /var/secrets/object-store.yaml

Expand Down Expand Up @@ -1190,7 +1195,7 @@

## InitContainers allows injecting additional initContainers. This is meant to allow doing some changes
## (permissions, dir tree) on mounted volumes before starting prometheus
@@ -3154,7 +3967,7 @@
@@ -3154,7 +3972,7 @@
## Image of ThanosRuler
##
image: