NETOBSERV-1377: Add controller to deploy netobserv network policy #690
Conversation
OlivierCazade
force-pushed
the
network-policy
branch
2 times, most recently
from
bbc161d to
ea0cfec
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #690 +/- ##
==========================================
- Coverage 66.60% 65.98% -0.62%
==========================================
Files 70 74 +4
Lines 8115 8541 +426
==========================================
+ Hits 5405 5636 +231
- Misses 2315 2503 +188
- Partials 395 402 +7
Flags with carried forward coverage won't be shown. Click here to find out more.
|
OlivierCazade
force-pushed
the
network-policy
branch
from
ea0cfec to
1ce7586
Compare
| NetworkPolicy NetworkPolycy `json:"networkPolicy,omitempty"` | ||
| } | ||
|
|
||
| type NetworkPolycy struct { |
| } | ||
|
|
||
| type NetworkPolycy struct { | ||
| // Set `deploy` to `false` to disable network policy deployment. It is enabled by default. |
There was a problem hiding this comment.
We could add more information about what this policy does, such as:
This network policy better isolates the NetObserv components to prevent undesired connections to them. It is recommended to install it.
(or something in that vein)
Also, shouldn't we name that Enable, like we do generally for anything that can be turned on/off ?
| // +optional | ||
| Deploy *bool `json:"deploy,omitempty"` | ||
|
|
||
| // `additionalNamespaces` contains the interface names from where flows are collected. If empty, the agent |
There was a problem hiding this comment.
hmm I guess it's not the good text here :-)
There was a problem hiding this comment.
We should mention here in particular what users need to care about:
- If they use Kafka and installed it in a separate namespace, they must add it here
- Same for any exporter
We can expect users misconfigurations here... Probably something that we'll have to worry about in docs & troubleshooting
There was a problem hiding this comment.
Noted as something to add to docs :)
There was a problem hiding this comment.
I think in @Amoghrd's testing having Loki and Kafka in separate NS didn't turn out to be a problem since this was an Ingress policy and only affecting inbound connections.
| return ctrl.NewControllerManagedBy(mgr). | ||
| For(&flowslatest.FlowCollector{}, reconcilers.IgnoreStatusChange). | ||
| Named("networkPolicy"). | ||
| Owns(&corev1.Namespace{}). |
There was a problem hiding this comment.
I don't think Namespace is required here?
| client.Client | ||
| mgr *manager.Manager | ||
| status status.Instance | ||
| currentNamespace string |
There was a problem hiding this comment.
looking at the code it doesn't seem that currentNamespace is useful here
| Advanced: &flowslatest.AdvancedProcessorConfig{ | ||
| Env: map[string]string{ | ||
| "GOGC": "200", | ||
| }, | ||
| ConversationHeartbeatInterval: &metav1.Duration{ | ||
| Duration: conntrackHeartbeatInterval, | ||
| }, | ||
| ConversationEndTimeout: &metav1.Duration{ | ||
| Duration: conntrackEndTimeout, | ||
| }, | ||
| ConversationTerminatingTimeout: &metav1.Duration{ | ||
| Duration: conntrackTerminatingTimeout, | ||
| }, | ||
| }, |
There was a problem hiding this comment.
I don't think conn-track settings has any use here, right? I guess you can remove them
OlivierCazade
force-pushed
the
network-policy
branch
from
1ce7586 to
f8d5c37
Compare
OlivierCazade
force-pushed
the
network-policy
branch
from
f8d5c37 to
73bf6b9
Compare
|
/ok-to-test |
openshift-ci
bot
added
the
ok-to-test
|
New images:
They will expire after two weeks. To deploy this build: # Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:8afb9c0 make deploy
# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-8afb9c0Or as a Catalog Source: apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: netobserv-dev
namespace: openshift-marketplace
spec:
sourceType: grpc
image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-8afb9c0
displayName: NetObserv development catalog
publisher: Me
updateStrategy:
registryPoll:
interval: 1m |
|
@OlivierCazade networkPolicy seems to be disabled by default |
pkg/manager/manager.go
Outdated
| @@ -30,6 +30,7 @@ import ( | |||
| //+kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors;prometheusrules,verbs=get;create;delete;update;patch;list;watch | |||
| //+kubebuilder:rbac:groups=config.openshift.io,resources=clusterversions;networks,verbs=get;list;watch | |||
| //+kubebuilder:rbac:groups=loki.grafana.com,resources=network,resourceNames=logs,verbs=get;create | |||
| //+kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=get;list;watch;create;update | |||
There was a problem hiding this comment.
delete is missing here; and I'd also add patch, just in case (we never know exactly what the controller-runtime client does under the cover)
| //+kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=get;list;watch;create;update | |
| //+kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=get;list;watch;create;update;patch;delete |
- Add DELETE and PATCH roles to operator - Make additionalNamespaces only affect the main namespace - Add allowed namespaces based on context knowledge (is openshift? is console enabled? etc.) - Add port restriction for console access
github-actions
bot
removed
the
ok-to-test
|
hey @Amoghrd I think this is ok to test |
jotak
changed the title
|
@OlivierCazade: This pull request references NETOBSERV-1377 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.17.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/ok-to-test |
openshift-ci
bot
added
the
ok-to-test
|
New images:
They will expire after two weeks. To deploy this build: # Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:e618cc3 make deploy
# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-e618cc3Or as a Catalog Source: apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: netobserv-dev
namespace: openshift-marketplace
spec:
sourceType: grpc
image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-e618cc3
displayName: NetObserv development catalog
publisher: Me
updateStrategy:
registryPoll:
interval: 1m |
|
/label qe-approved |
|
@OlivierCazade: This pull request references NETOBSERV-1377 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.17.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
github-actions
bot
removed
the
ok-to-test
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jotak The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jotak The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Description
Add controller to deploy netobserv network policy
Dependencies
n/a
Checklist
If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.