diff --git a/apis/installer/v1/types.go b/apis/installer/v1/types.go
index c775cae2af..fa6efc34b5 100644
--- a/apis/installer/v1/types.go
+++ b/apis/installer/v1/types.go
@@ -111,6 +111,19 @@ type PSPSpec struct {
 Enabled bool `json:"enabled"`
 }
+// NetworkPolicyFlavor selects which API flavor is used when network policies
+// are emitted. Defaults to "kubernetes".
+// +kubebuilder:validation:Enum=kubernetes;cilium
+type NetworkPolicyFlavor string
+
+const (
+ NetworkPolicyFlavorKubernetes NetworkPolicyFlavor = "kubernetes"
+ NetworkPolicyFlavorCilium NetworkPolicyFlavor = "cilium"
+)
+
 type NetworkPolicySpec struct {
 Enabled bool `json:"enabled"`
+ // +optional
+ // +kubebuilder:default=kubernetes
+ Flavor NetworkPolicyFlavor `json:"flavor,omitempty"`
 }
diff --git a/charts/kubedb-certified/templates/_helpers.tpl b/charts/kubedb-certified/templates/_helpers.tpl
index 503261a00d..2191ebf666 100644
--- a/charts/kubedb-certified/templates/_helpers.tpl
+++ b/charts/kubedb-certified/templates/_helpers.tpl
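Review bot: The new `Flavor` field carries only kubebuilder markers and no doc comment, while the type declared just above it is documented; add `// Flavor selects the network policy API the charts emit: "kubernetes" (networking.k8s.io/v1, the default) or "cilium" (cilium.io/v2). An empty value is treated as "kubernetes".` above the `+optional` marker. The `+kubebuilder:default=kubernetes` marker also does not surface in the regenerated values.openapiv3_schema.yaml hunks further down, which carry only the enum — if those files are generated from this type, either the generator drops defaults or they were regenerated before the marker was added, so it is worth re-running generation and confirming the schema agrees with the `default "kubernetes"` fallbacks in the chart helpers.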
@@ -178,6 +178,35 @@ Returns whether the NetworkPolicy should be enabled
 {{- or .Values.global.networkPolicy.enabled (and .Values.networkPolicy .Values.networkPolicy.enabled) -}}
 {{- end }}
+{{/*
+Returns the configured NetworkPolicy flavor.
+"cilium" emits cilium.io/v2 CiliumNetworkPolicy; anything else emits the
+default networking.k8s.io/v1 NetworkPolicy.
+Local chart-scoped networkPolicy.flavor wins over the global value.
+*/}}
+{{- define "security.networkPolicyFlavor" -}}
+{{- $local := "" -}}
+{{- if and .Values.networkPolicy .Values.networkPolicy.flavor -}}
+{{- $local = .Values.networkPolicy.flavor -}}
+{{- end -}}
+{{- default (default "kubernetes" .Values.global.networkPolicy.flavor) $local -}}
+{{- end }}
+
+{{/*
+Returns "true" when CiliumNetworkPolicy resources should be emitted.
+*/}}
+{{- define "security.useCiliumNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (eq "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
+{{/*
+Returns "true" when the built-in networking.k8s.io/v1 NetworkPolicy resources
+should be emitted (the default flavor).
+*/}}
+{{- define "security.useKubernetesNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (ne "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
 {{/*
+Returns whether the OpenShift distribution is used
 */}}
diff --git a/charts/kubedb-certified/templates/cilium-network-policy.yaml b/charts/kubedb-certified/templates/cilium-network-policy.yaml
new file mode 100644
index 0000000000..909968d64d
--- /dev/null
+++ b/charts/kubedb-certified/templates/cilium-network-policy.yaml
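Review bot: `security.networkPolicyFlavor` maps every value other than `cilium` to the networking.k8s.io/v1 policy, so a typo such as `Cilium` or `cillium` in `networkPolicy.flavor` silently installs the other flavor instead of failing, and the enum added to values.openapiv3_schema.yaml only helps where that schema is actually enforced at install time. Consider capturing the result and rejecting anything outside the two documented values: `{{- $flavor := default (default "kubernetes" .Values.global.networkPolicy.flavor) $local -}}`, then `{{- if not (has $flavor (list "kubernetes" "cilium")) }}{{ fail (printf "unsupported networkPolicy.flavor %q" $flavor) }}{{ end }}`, then `{{- $flavor -}}`. The same helper is duplicated verbatim in the kubedb-opscenter and kubedb `_helpers.tpl` hunks below, so the change belongs in all of them. The kubedb-webhook-server copy additionally guards against `.Values.global` being unset, which the three other copies do not; they dereference `.Values.global.networkPolicy.flavor` unconditionally, consistent with the existing `security.enableNetworkPolicy` in those charts, so that is a pre-existing assumption rather than a new one.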
@@ -0,0 +1,53 @@
+{{- if eq "true" ( include "security.useCiliumNetworkPolicy" . ) }}
+# Allow every pod in the operator namespace to reach the Kubernetes API server.
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ .Release.Name }}-egress-kubernetes-api
+ namespace: {{ .Release.Namespace }}
+spec:
+ endpointSelector: {}
+ egress:
+ - toEntities:
+ - remote-node
+ - host
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+---
+# Allow the operator pods to reach the database pods (any kubedb-managed
+# namespace, on the standard DB ports).
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ .Release.Name }}-egress-to-databases
+ namespace: {{ .Release.Namespace }}
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ app.kubernetes.io/component: database
+ app.kubernetes.io/managed-by: kubedb.com
+ toPorts:
+ - ports:
+ - port: "5432"
+ protocol: TCP
+ - port: "27017"
+ protocol: TCP
+ - port: "3306"
+ protocol: TCP
+ - port: "6379"
+ protocol: TCP
+ - port: "9200"
+ protocol: TCP
+ - port: "9092"
+ protocol: TCP
+ - port: "9000"
+ protocol: TCP
+ - port: "9042"
+ protocol: TCP
+{{- end }}
diff --git a/charts/kubedb-certified/templates/network-policy.yaml b/charts/kubedb-certified/templates/network-policy.yaml
index fe207e56ca..8110401a15 100644
--- a/charts/kubedb-certified/templates/network-policy.yaml
+++ b/charts/kubedb-certified/templates/network-policy.yaml
@@ -1,4 +1,4 @@
-{{- if eq "true" ( include "security.enableNetworkPolicy" . ) }}
+{{- if eq "true" ( include "security.useKubernetesNetworkPolicy" . ) }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
diff --git a/charts/kubedb-certified/values.openapiv3_schema.yaml b/charts/kubedb-certified/values.openapiv3_schema.yaml
index 89990fb0dd..01c3cb8b51 100644
--- a/charts/kubedb-certified/values.openapiv3_schema.yaml
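Review bot: The first policy's `endpointSelector: {}` selects every pod in the release namespace, and since a CiliumNetworkPolicy with an `egress` section puts each selected endpoint into default-deny for all egress it does not list, every pod in that namespace — not only the operator — is left with nothing but host/remote-node on 6443; in particular no DNS egress to kube-dns is allowed by either policy, and the same `{}` selector and missing DNS rule appear in the kubedb chart's copy of this file and (DNS only) in the kubedb-opscenter policy further down. Narrow the selector to the operator pods, as the second policy and the opscenter chart already do, and add an explicit DNS rule. In the second policy, `toEndpoints` in a namespaced CiliumNetworkPolicy matches endpoints in the policy's own namespace unless the selector carries the `k8s:io.kubernetes.pod.namespace` label, so — unless I am misreading Cilium's scoping rules — the comment "any kubedb-managed namespace" does not hold and databases in other namespaces remain unreachable. The `host`/`remote-node` entities with a hard-coded 6443 also assume the API server runs on a cluster node; on managed control planes the apiserver sits outside the node set and is often on 443, so exposing the entity list and port through values, or using Cilium's `kube-apiserver` entity where the installed version supports it, would be safer than a fixed pair.
```yaml
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/instance: {{ .Release.Name }}
  egress:
  # … unchanged: toEntities host/remote-node on 6443/TCP …
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns   # constructed example: adjust to the cluster's DNS pod labels
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
# … unchanged: second policy header, metadata and endpointSelector …
  - toEndpoints:
    - matchLabels:
        app.kubernetes.io/component: database
        app.kubernetes.io/managed-by: kubedb.com
      matchExpressions:
      - key: k8s:io.kubernetes.pod.namespace
        operator: Exists
```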
+++ b/charts/kubedb-certified/values.openapiv3_schema.yaml
@@ -2683,6 +2683,11 @@ properties:
 properties:
 enabled:
 type: boolean
+ flavor:
+ enum:
+ - kubernetes
+ - cilium
+ type: string
 required:
 - enabled
 type: object
@@ -21330,6 +21335,11 @@ properties:
 properties:
 enabled:
 type: boolean
+ flavor:
+ enum:
+ - kubernetes
+ - cilium
+ type: string
 required:
 - enabled
 type: object
diff --git a/charts/kubedb-certified/values.yaml b/charts/kubedb-certified/values.yaml
index 266d1412da..c5b5451d82 100644
--- a/charts/kubedb-certified/values.yaml
+++ b/charts/kubedb-certified/values.yaml
@@ -104,6 +104,9 @@ global:
 # Controls the network policy creation
 networkPolicy:
 enabled: false
+ # flavor selects which network policy API is used.
+ # Accepted values: "kubernetes" (default) or "cilium".
+ flavor: kubernetes
 distro:
 openshift: false
diff --git a/charts/kubedb-opscenter/templates/_helpers.tpl b/charts/kubedb-opscenter/templates/_helpers.tpl
index 6f910199a4..9ce5a59c4c 100644
--- a/charts/kubedb-opscenter/templates/_helpers.tpl
+++ b/charts/kubedb-opscenter/templates/_helpers.tpl
@@ -122,6 +122,35 @@ Returns whether the NetworkPolicy should be enabled
 {{- or .Values.global.networkPolicy.enabled (and .Values.networkPolicy .Values.networkPolicy.enabled) -}}
 {{- end }}
+{{/*
+Returns the configured NetworkPolicy flavor.
+"cilium" emits cilium.io/v2 CiliumNetworkPolicy; anything else emits the
+default networking.k8s.io/v1 NetworkPolicy.
+Local chart-scoped networkPolicy.flavor wins over the global value.
+*/}}
+{{- define "security.networkPolicyFlavor" -}}
+{{- $local := "" -}}
+{{- if and .Values.networkPolicy .Values.networkPolicy.flavor -}}
+{{- $local = .Values.networkPolicy.flavor -}}
+{{- end -}}
+{{- default (default "kubernetes" .Values.global.networkPolicy.flavor) $local -}}
+{{- end }}
+
+{{/*
+Returns "true" when CiliumNetworkPolicy resources should be emitted.
+*/}}
+{{- define "security.useCiliumNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (eq "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
+{{/*
+Returns "true" when the built-in networking.k8s.io/v1 NetworkPolicy resources
+should be emitted (the default flavor).
+*/}}
+{{- define "security.useKubernetesNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (ne "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
 {{/*
+Returns whether the OpenShift distribution is used
 */}}
diff --git a/charts/kubedb-opscenter/templates/cilium-network-policy.yaml b/charts/kubedb-opscenter/templates/cilium-network-policy.yaml
new file mode 100644
index 0000000000..9c479d7914
--- /dev/null
+++ b/charts/kubedb-opscenter/templates/cilium-network-policy.yaml
@@ -0,0 +1,20 @@
+{{- if eq "true" ( include "security.useCiliumNetworkPolicy" . ) }}
+# Allow the opscenter pods to reach the Kubernetes API server.
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ .Release.Name }}-egress-kubernetes-api
+ namespace: {{ .Release.Namespace }}
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ egress:
+ - toEntities:
+ - remote-node
+ - host
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+{{- end }}
diff --git a/charts/kubedb-opscenter/templates/network-policy.yaml b/charts/kubedb-opscenter/templates/network-policy.yaml
index af702f82db..f5edd66e18 100644
--- a/charts/kubedb-opscenter/templates/network-policy.yaml
+++ b/charts/kubedb-opscenter/templates/network-policy.yaml
@@ -1,4 +1,4 @@
-{{- if eq "true" ( include "security.enableNetworkPolicy" . ) }}
+{{- if eq "true" ( include "security.useKubernetesNetworkPolicy" . ) }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
diff --git a/charts/kubedb-opscenter/values.yaml b/charts/kubedb-opscenter/values.yaml
index a51cc592aa..67ee5011d7 100644
--- a/charts/kubedb-opscenter/values.yaml
+++ b/charts/kubedb-opscenter/values.yaml
@@ -77,6 +77,9 @@ global:
 # Controls the network policy creation
 networkPolicy:
 enabled: false
+ # flavor selects which network policy API is used.
+ # Accepted values: "kubernetes" (default) or "cilium".
+ flavor: kubernetes
 distro:
 openshift: false
diff --git a/charts/kubedb-provisioner/templates/statefulset.yaml b/charts/kubedb-provisioner/templates/statefulset.yaml
index f198f940ea..0c60e6ac4f 100644
--- a/charts/kubedb-provisioner/templates/statefulset.yaml
+++ b/charts/kubedb-provisioner/templates/statefulset.yaml
@@ -101,6 +101,7 @@ spec:
 {{- end }}
 {{- if and .Values.global .Values.global.networkPolicy.enabled }}
 - --enable-network-policy=true
+ - --network-policy-flavor={{ default "kubernetes" .Values.global.networkPolicy.flavor }}
 {{- end }}
 {{- with .Values.envFrom }}
 envFrom:
diff --git a/charts/kubedb-webhook-server/templates/_helpers.tpl b/charts/kubedb-webhook-server/templates/_helpers.tpl
index ca8ab4172c..71bf5b531e 100644
--- a/charts/kubedb-webhook-server/templates/_helpers.tpl
+++ b/charts/kubedb-webhook-server/templates/_helpers.tpl
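Review bot: The new `--network-policy-flavor` argument is derived from `.Values.global.networkPolicy.flavor` alone, whereas the `security.networkPolicyFlavor` helper added to the other charts lets a chart-local `networkPolicy.flavor` override the global value; if a user sets the two differently, the policies the operator generates and the policies the charts render will use different APIs on the same cluster. Either resolve the flag with the same precedence (local over global) or state in the values.yaml comment that the operator honours only the global setting. Whether the provisioner binary already accepts `--network-policy-flavor` is not visible in this diff; a template comment next to the line naming the minimum operator version that understands the flag would make chart/operator version skew easier to diagnose, since an unknown flag would stop the pod from starting.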
@@ -113,6 +113,39 @@ Returns whether the NetworkPolicy should be enabled
 {{- ternary "true" "false" .Values.networkPolicy.enabled -}}
 {{- end }}
+{{/*
+Returns the configured NetworkPolicy flavor.
+"cilium" emits cilium.io/v2 CiliumNetworkPolicy; anything else emits the
+default networking.k8s.io/v1 NetworkPolicy. The local chart's
+networkPolicy.flavor wins over the global value.
+*/}}
+{{- define "security.networkPolicyFlavor" -}}
+{{- $globalFlavor := "" -}}
+{{- if and .Values.global .Values.global.networkPolicy -}}
+{{- $globalFlavor = .Values.global.networkPolicy.flavor -}}
+{{- end -}}
+{{- $localFlavor := "" -}}
+{{- if and .Values.networkPolicy .Values.networkPolicy.flavor -}}
+{{- $localFlavor = .Values.networkPolicy.flavor -}}
+{{- end -}}
+{{- default (default "kubernetes" $globalFlavor) $localFlavor -}}
+{{- end }}
+
+{{/*
+Returns "true" when CiliumNetworkPolicy resources should be emitted.
+*/}}
+{{- define "security.useCiliumNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (eq "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
+{{/*
+Returns "true" when the built-in networking.k8s.io/v1 NetworkPolicy resources
+should be emitted (the default flavor).
+*/}}
+{{- define "security.useKubernetesNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (ne "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
 {{/*
+Returns whether the OpenShift distribution is used
 */}}
diff --git a/charts/kubedb-webhook-server/templates/cilium-network-policy.yaml b/charts/kubedb-webhook-server/templates/cilium-network-policy.yaml
new file mode 100644
index 0000000000..9dcd52ee7d
--- /dev/null
+++ b/charts/kubedb-webhook-server/templates/cilium-network-policy.yaml
@@ -0,0 +1,23 @@
+{{- if eq "true" ( include "security.useCiliumNetworkPolicy" . ) }}
+# Allow the kube-apiserver (via host / remote-node identities in Cilium) to
+# reach the webhook server's mutating, validating, and conversion endpoints.
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "kubedb-webhook-server.fullname" . }}-ingress-from-apiserver
+ namespace: {{ .Release.Namespace }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "kubedb-webhook-server.selectorLabels" . | nindent 6 }}
+ ingress:
+ - fromEntities:
+ - remote-node
+ - host
+ toPorts:
+ - ports:
+ - port: "8443"
+ protocol: TCP
+ - port: "9443"
+ protocol: TCP
+{{- end }}
diff --git a/charts/kubedb-webhook-server/templates/network-policy.yaml b/charts/kubedb-webhook-server/templates/network-policy.yaml
index 4bec0f699f..3fb3d6fa7b 100644
--- a/charts/kubedb-webhook-server/templates/network-policy.yaml
+++ b/charts/kubedb-webhook-server/templates/network-policy.yaml
@@ -1,4 +1,4 @@
-{{- if eq "true" ( include "security.enableNetworkPolicy" . ) }}
+{{- if eq "true" ( include "security.useKubernetesNetworkPolicy" . ) }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
diff --git a/charts/kubedb-webhook-server/values.openapiv3_schema.yaml b/charts/kubedb-webhook-server/values.openapiv3_schema.yaml
index 1ddc932a1d..edcdae75d0 100644
--- a/charts/kubedb-webhook-server/values.openapiv3_schema.yaml
+++ b/charts/kubedb-webhook-server/values.openapiv3_schema.yaml
@@ -1402,6 +1402,11 @@ properties:
 properties:
 enabled:
 type: boolean
+ flavor:
+ enum:
+ - kubernetes
+ - cilium
+ type: string
 required:
 - enabled
 type: object
diff --git a/charts/kubedb-webhook-server/values.yaml b/charts/kubedb-webhook-server/values.yaml
index c816cebf56..f2072a111c 100644
--- a/charts/kubedb-webhook-server/values.yaml
+++ b/charts/kubedb-webhook-server/values.yaml
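Review bot: `fromEntities: [remote-node, host]` only matches admission calls that originate from a node in the Cilium cluster, and because this policy carries an `ingress` section it also puts the webhook pods into default-deny for every other ingress; on managed control planes where the kube-apiserver runs outside the node set, its calls arrive under a different identity and would be dropped, with the blast radius set by each webhook's failurePolicy (conversion webhooks have no soft-fail). Cilium's `kube-apiserver` entity, where the installed version supports it, or a values-driven override for the entity list would cover that case; at minimum the header comment should state the on-node assumption it relies on. The same default-deny effect applies to liveness/readiness probes and metrics scraping on any port other than 8443/9443, which is only fine if the deployment's probes target those ports — that template is not in this diff, so worth checking.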
@@ -161,6 +161,9 @@ hostNetwork: false
 networkPolicy:
 enabled: false
+ # flavor selects which network policy API is used.
+ # Accepted values: "kubernetes" (default) or "cilium".
+ flavor: kubernetes
 defaultSeccompProfileType: ""
diff --git a/charts/kubedb/templates/_helpers.tpl b/charts/kubedb/templates/_helpers.tpl
index 503261a00d..2191ebf666 100644
--- a/charts/kubedb/templates/_helpers.tpl
+++ b/charts/kubedb/templates/_helpers.tpl
@@ -178,6 +178,35 @@ Returns whether the NetworkPolicy should be enabled
 {{- or .Values.global.networkPolicy.enabled (and .Values.networkPolicy .Values.networkPolicy.enabled) -}}
 {{- end }}
+{{/*
+Returns the configured NetworkPolicy flavor.
+"cilium" emits cilium.io/v2 CiliumNetworkPolicy; anything else emits the
+default networking.k8s.io/v1 NetworkPolicy.
+Local chart-scoped networkPolicy.flavor wins over the global value.
+*/}}
+{{- define "security.networkPolicyFlavor" -}}
+{{- $local := "" -}}
+{{- if and .Values.networkPolicy .Values.networkPolicy.flavor -}}
+{{- $local = .Values.networkPolicy.flavor -}}
+{{- end -}}
+{{- default (default "kubernetes" .Values.global.networkPolicy.flavor) $local -}}
+{{- end }}
+
+{{/*
+Returns "true" when CiliumNetworkPolicy resources should be emitted.
+*/}}
+{{- define "security.useCiliumNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (eq "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
+{{/*
+Returns "true" when the built-in networking.k8s.io/v1 NetworkPolicy resources
+should be emitted (the default flavor).
+*/}}
+{{- define "security.useKubernetesNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (ne "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
 {{/*
+Returns whether the OpenShift distribution is used
 */}}
diff --git a/charts/kubedb/templates/cilium-network-policy.yaml b/charts/kubedb/templates/cilium-network-policy.yaml
new file mode 100644
index 0000000000..c99cd760a8
--- /dev/null
+++ b/charts/kubedb/templates/cilium-network-policy.yaml
@@ -0,0 +1,63 @@
+{{- if eq "true" ( include "security.useCiliumNetworkPolicy" . ) }}
+# Allow every pod in the operator namespace to reach the Kubernetes API server.
+# Required when the operator runs with >1 replica (leader election against
+# kube-apiserver) or when DBs are reconciled across namespaces.
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ .Release.Name }}-egress-kubernetes-api
+ namespace: {{ .Release.Namespace }}
+spec:
+ endpointSelector: {}
+ egress:
+ - toEntities:
+ - remote-node
+ - host
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+---
+# Allow the operator pods to reach the database pods (any kubedb-managed
+# namespace, on the standard DB ports).
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ .Release.Name }}-egress-to-databases
+ namespace: {{ .Release.Namespace }}
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ app.kubernetes.io/component: database
+ app.kubernetes.io/managed-by: kubedb.com
+ toPorts:
+ - ports:
+ # PostgreSQL
+ - port: "5432"
+ protocol: TCP
+ # MongoDB
+ - port: "27017"
+ protocol: TCP
+ # MySQL / MariaDB
+ - port: "3306"
+ protocol: TCP
+ # Redis
+ - port: "6379"
+ protocol: TCP
+ # Elasticsearch / OpenSearch
+ - port: "9200"
+ protocol: TCP
+ # Kafka
+ - port: "9092"
+ protocol: TCP
+ # ClickHouse
+ - port: "9000"
+ protocol: TCP
+ # Cassandra
+ - port: "9042"
+ protocol: TCP
+{{- end }}
diff --git a/charts/kubedb/templates/network-policy.yaml b/charts/kubedb/templates/network-policy.yaml
index fe207e56ca..8110401a15 100644
--- a/charts/kubedb/templates/network-policy.yaml
+++ b/charts/kubedb/templates/network-policy.yaml
@@ -1,4 +1,4 @@
-{{- if eq "true" ( include "security.enableNetworkPolicy" . ) }}
+{{- if eq "true" ( include "security.useKubernetesNetworkPolicy" . ) }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
diff --git a/charts/kubedb/values.openapiv3_schema.yaml b/charts/kubedb/values.openapiv3_schema.yaml
index 89990fb0dd..01c3cb8b51 100644
--- a/charts/kubedb/values.openapiv3_schema.yaml
+++ b/charts/kubedb/values.openapiv3_schema.yaml
@@ -2683,6 +2683,11 @@ properties:
 properties:
 enabled:
 type: boolean
+ flavor:
+ enum:
+ - kubernetes
+ - cilium
+ type: string
 required:
 - enabled
 type: object
@@ -21330,6 +21335,11 @@ properties:
 properties:
 enabled:
 type: boolean
+ flavor:
+ enum:
+ - kubernetes
+ - cilium
+ type: string
 required:
 - enabled
 type: object
diff --git a/charts/kubedb/values.yaml b/charts/kubedb/values.yaml
index 266d1412da..c5b5451d82 100644
--- a/charts/kubedb/values.yaml
+++ b/charts/kubedb/values.yaml
@@ -104,6 +104,9 @@ global:
 # Controls the network policy creation
 networkPolicy:
 enabled: false
+ # flavor selects which network policy API is used.
+ # Accepted values: "kubernetes" (default) or "cilium".
+ flavor: kubernetes
 distro:
 openshift: false