
generate network policy per operand #1246


Draft: wants to merge 2 commits into base: main


frzifus (Collaborator) commented Jul 22, 2025

Downside of this approach is that we need to manually align the mapping when we change e.g. a service. But we could generate services based on this too. wdyt?

NAME                                      TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                                     AGE
tempo-simplest-compactor                  ClusterIP   10.96.115.23    <none>        7946/TCP,3200/TCP                                                           2m8s
tempo-simplest-distributor                ClusterIP   10.96.122.122   <none>        4318/TCP,4317/TCP,3200/TCP,14268/TCP,6831/UDP,6832/UDP,14250/TCP,9411/TCP   2m8s
tempo-simplest-gossip-ring                ClusterIP   None            <none>        7946/TCP                                                                    2m8s
tempo-simplest-ingester                   ClusterIP   10.96.76.66     <none>        3200/TCP,9095/TCP                                                           2m8s
tempo-simplest-querier                    ClusterIP   10.96.206.87    <none>        7946/TCP,3200/TCP,9095/TCP                                                  2m8s
tempo-simplest-query-frontend             ClusterIP   10.96.117.99    <none>        3200/TCP,9095/TCP,16685/TCP,16686/TCP,16687/TCP                             2m8s
tempo-simplest-query-frontend-discovery   ClusterIP   None            <none>        3200/TCP,9095/TCP,9096/TCP,16685/TCP,16686/TCP,16687/TCP                    2m8s


NAME                         POD-SELECTOR                                                                                                                                           AGE
tempo-simplest-distributor   app.kubernetes.io/component=distributor,app.kubernetes.io/instance=simplest,app.kubernetes.io/managed-by=tempo-operator,app.kubernetes.io/name=tempo   17s
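
The alignment problem raised in the description can be checked mechanically. The following is an added example, not code from this PR or from tempo-operator: `policyPorts` is a hypothetical mapping, and `servicePorts` copies two PORT(S) values from the Service listing above.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// policyPorts is a hypothetical per-component ingress mapping (not the PR's own table).
var policyPorts = map[string][]string{
	"ingester":    {"9095/TCP"},
	"distributor": {"4317/TCP", "4318/TCP", "3200/TCP"},
}

// servicePorts holds the PORT(S) column for two Services from the listing in the PR description.
var servicePorts = map[string]string{
	"ingester":    "3200/TCP,9095/TCP",
	"distributor": "4318/TCP,4317/TCP,3200/TCP,14268/TCP,6831/UDP,6832/UDP,14250/TCP,9411/TCP",
}

// Drift returns ports a Service exposes that the policy does not allow (missing)
// and ports the policy allows that the Service does not expose (stale).
func Drift(policy []string, svcColumn string) (missing, stale []string) {
	exposed := map[string]bool{}
	for _, p := range strings.Split(svcColumn, ",") {
		if p = strings.TrimSpace(p); p != "" {
			exposed[p] = true
		}
	}
	allowed := map[string]bool{}
	for _, p := range policy {
		allowed[p] = true
		if !exposed[p] {
			stale = append(stale, p)
		}
	}
	for p := range exposed {
		if !allowed[p] {
			missing = append(missing, p)
		}
	}
	sort.Strings(missing)
	sort.Strings(stale)
	return missing, stale
}

func main() {
	for name, col := range servicePorts {
		m, s := Drift(policyPorts[name], col)
		fmt.Printf("%s: not allowed by policy=%v stale in policy=%v\n", name, m, s)
	}
}
```

A port reported as missing is not necessarily a defect, since a policy may be deliberately tighter than the Service; a stale port means the mapping no longer matches any exposed port.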

frzifus added 2 commits July 23, 2025 11:16
Signed-off-by: Benedikt Bongartz <[email protected]>
Signed-off-by: Benedikt Bongartz <[email protected]>
@@ -52,6 +53,7 @@ func BuildAll(params manifestutils.Params) ([]client.Object, error) {
}

var manifests []client.Object
manifests = append(manifests, networking.GenerateOperandPolicies(params.Tempo)...)
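
Review bot: The append of networking.GenerateOperandPolicies(params.Tempo) in BuildAll is unconditional in the lines shown, so every reconciled instance gets policies with no way to opt out. Consider guarding the append with a condition and passing the full params rather than only params.Tempo, since the generator as called cannot see anything outside the Tempo resource. The call also returns no error, so a component without an entry in the mapping cannot be reported from here; either return an error or document what happens in that case.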
Collaborator Author

That should only be done on OpenShift 4.20+.

manifestutils.IngesterComponentName: {
tempoGrpcConn,
},
netPolicyOtelTargets: {
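
Review bot: The ingester entry allows only tempoGrpcConn, while the Service listing in the PR description shows tempo-simplest-ingester exposing 3200/TCP and 9095/TCP. If the other port is left out on purpose, say so in a comment next to the entry; otherwise add it. netPolicyOtelTargets appears as a key next to manifestutils.IngesterComponentName but is not named like a component, so a short comment on what that key selects would help.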
Collaborator

depending on how tight we want to make the policy, the distributor should only be reachable from the gateway if the gateway is enabled

andreasgerstmayr (Collaborator) left a comment

can you add unit tests with the generated policy? ideally in yaml format (to be less verbose than Golang), like here: https://github.com/grafana/tempo-operator/blob/main/internal/manifests/config/build_test.go#L23-L26

frzifus (Collaborator, Author) commented Jul 23, 2025

y, I will do once it's working.
I will pause this until #1248 is complete.
