Add bypass deny all egress flag

Author: kabicin

api/v1/runtimecomponent_types.go

@@ -320,24 +320,28 @@ type RuntimeComponentNetworkPolicy struct {
 	// +operator-sdk:csv:customresourcedefinitions:order=48,type=spec,displayName="Disable Egress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
 	DisableEgress *bool `json:"disableEgress,omitempty"`
 
+	// Bypasses deny all egress rules to allow API server and DNS access. Defaults to false.
+	// +operator-sdk:csv:customresourcedefinitions:order=49,type=spec,displayName="Bypass Deny All Egress",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	BypassDenyAllEgress *bool `json:"bypassDenyAllEgress,omitempty"`
+
 	// Deprecated. .spec.networkPolicy.fromNamespaceLabels should be used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels will override this.
-	// +operator-sdk:csv:customresourcedefinitions:order=49,type=spec,displayName="Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	// +operator-sdk:csv:customresourcedefinitions:order=50,type=spec,displayName="Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
 	NamespaceLabels *map[string]string `json:"namespaceLabels,omitempty"`
 
 	// Specify the labels of namespaces that incoming traffic is allowed from.
-	// +operator-sdk:csv:customresourcedefinitions:order=50,type=spec,displayName="From Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	// +operator-sdk:csv:customresourcedefinitions:order=51,type=spec,displayName="From Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
 	FromNamespaceLabels *map[string]string `json:"fromNamespaceLabels,omitempty"`
 
 	// Specify the labels of pod(s) that incoming traffic is allowed from.
-	// +operator-sdk:csv:customresourcedefinitions:order=51,type=spec,displayName="From Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	// +operator-sdk:csv:customresourcedefinitions:order=52,type=spec,displayName="From Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
 	FromLabels *map[string]string `json:"fromLabels,omitempty"`
 
 	// Specify the labels of namespaces that outgoing traffic is allowed to.
-	// +operator-sdk:csv:customresourcedefinitions:order=52,type=spec,displayName="To Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	// +operator-sdk:csv:customresourcedefinitions:order=53,type=spec,displayName="To Namespace Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
 	ToNamespaceLabels *map[string]string `json:"toNamespaceLabels,omitempty"`
 
 	// Specify the labels of pod(s) that outgoing traffic is allowed to.
-	// +operator-sdk:csv:customresourcedefinitions:order=53,type=spec,displayName="To Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
+	// +operator-sdk:csv:customresourcedefinitions:order=54,type=spec,displayName="To Labels",xDescriptors="urn:alm:descriptor:com.tectonic.ui:text"
 	ToLabels *map[string]string `json:"toLabels,omitempty"`
 }
 
@@ -940,6 +944,10 @@ func (np *RuntimeComponentNetworkPolicy) IsEgressDisabled() bool {
 	return np.DisableEgress != nil && *np.DisableEgress
 }
 
+func (np *RuntimeComponentNetworkPolicy) IsBypassingDenyAllEgress() bool {
+	return np.BypassDenyAllEgress != nil && *np.BypassDenyAllEgress
+}
+
 // GetLabels returns labels to be added on ServiceMonitor
 func (m *RuntimeComponentMonitoring) GetLabels() map[string]string {
 	return m.Labels

api/v1/zz_generated.deepcopy.go

@@ -3365,6 +3365,10 @@ spec:
               networkPolicy:
                 description: Defines the network policy
                 properties:
+                  bypassDenyAllEgress:
+                    description: Bypasses deny all egress rules to allow API server
+                      and DNS access. Defaults to false.
+                    type: boolean
                   disable:
                     description: Disable the creation of the network policy. Defaults
                       to false.

bundle/manifests/rc.app.stacks_runtimecomponents.yaml

@@ -143,6 +143,7 @@ type BaseComponentNetworkPolicy interface {
 	IsDisabled() bool
 	IsIngressDisabled() bool
 	IsEgressDisabled() bool
+	IsBypassingDenyAllEgress() bool
 	GetToNamespaceLabels() map[string]string
 	GetToLabels() map[string]string
 	GetFromNamespaceLabels() map[string]string

common/types.go

@@ -3361,6 +3361,10 @@ spec:
               networkPolicy:
                 description: Defines the network policy
                 properties:
+                  bypassDenyAllEgress:
+                    description: Bypasses deny all egress rules to allow API server
+                      and DNS access. Defaults to false.
+                    type: boolean
                   disable:
                     description: Disable the creation of the network policy. Defaults
                       to false.

config/crd/bases/rc.app.stacks_runtimecomponents.yaml

@@ -426,6 +426,12 @@ spec:
         path: networkPolicy.disableEgress
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - description: Bypasses deny all egress rules to allow API server and DNS access.
+          Defaults to false.
+        displayName: Bypass Deny All Egress
+        path: networkPolicy.bypassDenyAllEgress
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - description: Deprecated. .spec.networkPolicy.fromNamespaceLabels should be
           used instead. If both are specified, .spec.networkPolicy.fromNamespaceLabels
           will override this.

config/manifests/bases/runtime-component.clusterserviceversion.yaml

@@ -23,6 +23,7 @@ import (
 	"strings"
 
 	"github.com/application-stacks/runtime-component-operator/common"
+	"github.com/application-stacks/runtime-component-operator/utils"
 	"github.com/pkg/errors"
 
 	kcontroller "sigs.k8s.io/controller-runtime/pkg/controller"
@@ -351,7 +352,7 @@ func (r *RuntimeComponentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 	networkPolicy := &networkingv1.NetworkPolicy{ObjectMeta: defaultMeta}
 	if np := instance.Spec.NetworkPolicy; np == nil || np != nil && !np.IsDisabled() {
 		err = r.CreateOrUpdate(networkPolicy, instance, func() error {
-			appstacksutils.CustomizeNetworkPolicy(networkPolicy, r.IsOpenShift(), instance)
+			appstacksutils.CustomizeNetworkPolicy(networkPolicy, r.IsOpenShift(), r.getDNSEgressRule, r.getEndpoints, instance)
 			return nil
 		})
 		if err != nil {
@@ -560,6 +561,43 @@ func (r *RuntimeComponentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 	return r.ManageSuccess(common.StatusConditionTypeReconciled, instance)
 }
 
+func (r *RuntimeComponentReconciler) getEndpoints(serviceName string, namespace string) (*corev1.Endpoints, error) {
+	endpoints := &corev1.Endpoints{}
+	if err := r.GetClient().Get(context.TODO(), types.NamespacedName{Name: serviceName, Namespace: namespace}, endpoints); err != nil {
+		return nil, err
+	} else {
+		return endpoints, nil
+	}
+}
+
+func (r *RuntimeComponentReconciler) getDNSEgressRule(endpointsName string, endpointsNamespace string) (bool, networkingv1.NetworkPolicyEgressRule) {
+	dnsRule := networkingv1.NetworkPolicyEgressRule{}
+	if dnsEndpoints, err := r.getEndpoints(endpointsName, endpointsNamespace); err == nil {
+		if len(dnsEndpoints.Subsets) > 0 {
+			if endpointPort := utils.GetEndpointPortByName(&dnsEndpoints.Subsets[0].Ports, "dns"); endpointPort != nil {
+				dnsRule.Ports = append(dnsRule.Ports, utils.CreateNetworkPolicyPortFromEndpointPort(endpointPort))
+			}
+			if endpointPort := utils.GetEndpointPortByName(&dnsEndpoints.Subsets[0].Ports, "dns-tcp"); endpointPort != nil {
+				dnsRule.Ports = append(dnsRule.Ports, utils.CreateNetworkPolicyPortFromEndpointPort(endpointPort))
+			}
+		}
+		peer := networkingv1.NetworkPolicyPeer{}
+		peer.NamespaceSelector = &metav1.LabelSelector{
+			MatchLabels: map[string]string{
+				"kubernetes.io/metadata.name": endpointsNamespace,
+			},
+		}
+		dnsRule.To = append(dnsRule.To, peer)
+		// reqLogger.Info("Found endpoints for " + endpointsName + " service in the " + endpointsNamespace + " namespace")
+		return false, dnsRule
+	}
+	// use permissive rule
+	// egress:
+	//   - {}
+	// reqLogger.Info("Failed to retrieve endpoints for " + endpointsName + " service in the " + endpointsNamespace + "  namespace. Using more permissive rule.")
+	return true, dnsRule
+}
+
 // SetupWithManager initializes reconciler
 func (r *RuntimeComponentReconciler) SetupWithManager(mgr ctrl.Manager) error {
 

internal/controller/runtimecomponent_controller.go

@@ -3364,6 +3364,10 @@ spec:
               networkPolicy:
                 description: Defines the network policy
                 properties:
+                  bypassDenyAllEgress:
+                    description: Bypasses deny all egress rules to allow API server
+                      and DNS access. Defaults to false.
+                    type: boolean
                   disable:
                     description: Disable the creation of the network policy. Defaults
                       to false.

internal/deploy/kubectl/runtime-component-crd.yaml

@@ -3364,6 +3364,10 @@ spec:
               networkPolicy:
                 description: Defines the network policy
                 properties:
+                  bypassDenyAllEgress:
+                    description: Bypasses deny all egress rules to allow API server
+                      and DNS access. Defaults to false.
+                    type: boolean
                   disable:
                     description: Disable the creation of the network policy. Defaults
                       to false.

internal/deploy/kustomize/daily/base/runtime-component-crd.yaml

@@ -330,19 +330,73 @@ func customizeProbeDefaults(config *corev1.Probe, defaultProbe *corev1.Probe) *c
 	return probe
 }
 
+func createEgressBypass(ba common.BaseComponent, isOpenShift bool, getDNSEgressRule func(string, string) (bool, networkingv1.NetworkPolicyEgressRule), getEndpoints func(string, string) (*corev1.Endpoints, error)) (bool, []networkingv1.NetworkPolicyEgressRule) {
+	egressRules := []networkingv1.NetworkPolicyEgressRule{}
+
+	var dnsRule networkingv1.NetworkPolicyEgressRule
+	var usingPermissiveRule bool
+	// If allowed, add an Egress rule to access the OpenShift DNS or K8s CoreDNS. Otherwise, use a permissive cluster-wide Egress rule.
+	if isOpenShift {
+		usingPermissiveRule, dnsRule = getDNSEgressRule("dns-default", "openshift-dns")
+	} else {
+		usingPermissiveRule, dnsRule = getDNSEgressRule("kube-dns", "kube-system")
+	}
+	egressRules = append(egressRules, dnsRule)
+
+	// If the DNS rule is a specific Egress rule also check if another Egress rule can be created for the API server.
+	// Otherwise, fallback to a permissive cluster-wide Egress rule.
+	if !usingPermissiveRule {
+		if apiServerEndpoints, err := getEndpoints("kubernetes", "default"); err == nil {
+			rule := networkingv1.NetworkPolicyEgressRule{}
+			// Define the port
+			port := networkingv1.NetworkPolicyPort{}
+			port.Protocol = &apiServerEndpoints.Subsets[0].Ports[0].Protocol
+			var portNumber intstr.IntOrString = intstr.FromInt((int)(apiServerEndpoints.Subsets[0].Ports[0].Port))
+			port.Port = &portNumber
+			rule.Ports = append(rule.Ports, port)
+
+			// Add the endpoint address as ipBlock entries
+			for _, endpoint := range apiServerEndpoints.Subsets {
+				for _, address := range endpoint.Addresses {
+					peer := networkingv1.NetworkPolicyPeer{}
+					ipBlock := networkingv1.IPBlock{}
+					ipBlock.CIDR = address.IP + "/32"
+
+					peer.IPBlock = &ipBlock
+					rule.To = append(rule.To, peer)
+				}
+			}
+			egressRules = append(egressRules, rule)
+		} else {
+			// The operator couldn't create a rule for the K8s API server so add a permissive Egress rule
+			rule := networkingv1.NetworkPolicyEgressRule{}
+			egressRules = append(egressRules, rule)
+		}
+	}
+	return usingPermissiveRule, egressRules
+}
+
 // createNetworkPolicyEgressRules returns the network policy rules for outgoing traffic to other Pod(s)
-func createNetworkPolicyEgressRules(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, ba common.BaseComponent) []networkingv1.NetworkPolicyEgressRule {
+func createNetworkPolicyEgressRules(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, isBypassingDenyAllEgress bool, getDNSEgressRule func(string, string) (bool, networkingv1.NetworkPolicyEgressRule), getEndpoints func(string, string) (*corev1.Endpoints, error), ba common.BaseComponent) []networkingv1.NetworkPolicyEgressRule {
 	config := ba.GetNetworkPolicy()
+	egressRules := []networkingv1.NetworkPolicyEgressRule{}
+	if isBypassingDenyAllEgress {
+		usingPermissiveRule, bypassRules := createEgressBypass(ba, isOpenShift, getDNSEgressRule, getEndpoints)
+		egressRules = append(egressRules, bypassRules...)
+		if usingPermissiveRule {
+			return egressRules // exit early because permissive egress is set
+		}
+	}
+	// configure the main application egress rule
 	var rule networkingv1.NetworkPolicyEgressRule
-
 	if config == nil || ((config.GetToNamespaceLabels() != nil && len(config.GetToNamespaceLabels()) == 0) &&
 		(config.GetToLabels() != nil && len(config.GetToLabels()) == 0)) {
 		rule = createAllowAllNetworkPolicyEgressRule()
 	} else {
 		rule = createNetworkPolicyEgressRule(ba.GetApplicationName(), networkPolicy.Namespace, config)
 	}
-
-	return []networkingv1.NetworkPolicyEgressRule{rule}
+	egressRules = append(egressRules, rule)
+	return egressRules
 }
 
 func createNetworkPolicyEgressRule(appName string, namespace string, config common.BaseComponentNetworkPolicy) networkingv1.NetworkPolicyEgressRule {
@@ -364,7 +418,26 @@ func createAllowAllNetworkPolicyEgressRule() networkingv1.NetworkPolicyEgressRul
 	}
 }
 
-func CustomizeNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, ba common.BaseComponent) {
+func GetEndpointPortByName(endpointPorts *[]corev1.EndpointPort, name string) *corev1.EndpointPort {
+	if endpointPorts != nil {
+		for _, endpointPort := range *endpointPorts {
+			if endpointPort.Name == name {
+				return &endpointPort
+			}
+		}
+	}
+	return nil
+}
+
+func CreateNetworkPolicyPortFromEndpointPort(endpointPort *corev1.EndpointPort) networkingv1.NetworkPolicyPort {
+	port := networkingv1.NetworkPolicyPort{}
+	port.Protocol = &endpointPort.Protocol
+	var portNumber intstr.IntOrString = intstr.FromInt((int)(endpointPort.Port))
+	port.Port = &portNumber
+	return port
+}
+
+func CustomizeNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, isOpenShift bool, getDNSEgressRule func(string, string) (bool, networkingv1.NetworkPolicyEgressRule), getEndpoints func(string, string) (*corev1.Endpoints, error), ba common.BaseComponent) {
 	obj := ba.(metav1.Object)
 	networkPolicy.Labels = ba.GetLabels()
 	networkPolicy.Annotations = MergeMaps(networkPolicy.Annotations, ba.GetAnnotations())
@@ -402,7 +475,8 @@ func CustomizeNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, isOpenShi
 			if !hasEgressPolicy {
 				networkPolicy.Spec.PolicyTypes = append(networkPolicy.Spec.PolicyTypes, networkingv1.PolicyTypeEgress)
 			}
-			networkPolicy.Spec.Egress = createNetworkPolicyEgressRules(networkPolicy, isOpenShift, ba)
+			egressBypass := ba.GetNetworkPolicy() != nil && ba.GetNetworkPolicy().IsBypassingDenyAllEgress() // check if egress should bypass deny all policy to access the API server and DNS
+			networkPolicy.Spec.Egress = createNetworkPolicyEgressRules(networkPolicy, isOpenShift, egressBypass, getDNSEgressRule, getEndpoints, ba)
 		} else {
 			// if egress is not configured, consider the network policy disabled
 			if hasEgressPolicy {