Add network policies to CDI #3938
Conversation
/cc @akalenyu
/test pull-containerized-data-importer-e2e-nfs

`np.kubevirt.io/allow-access-cluster-services` is a pod label to be set by CDI components to indicate that they require access to cluster services otherwise blocked by the strict network policy (NP). This label will be applied to the following CDI pods:
- cdi-operator
- cdi-deployment
- cdi-apiserver
- cdi-uploadproxy
- poller (DataImportCron poller pods that run in the CDI namespace)
This label is then used as pod selector to create a NP to give the pods access to cluster services (apiserver/dns).
Signed-off-by: Adi Aloni <[email protected]>
Co-authored-by: fossedihelm <[email protected]>
/test pull-containerized-data-importer-e2e-istio
One minor comment, we can do it in another PR if we care enough.
The DIC poller, which is used to sample the digest of a container image from a remote registry, currently lacks an identifier label which can be used by NetworkPolicies to control its traffic patterns; this commit adds one.
Signed-off-by: Adi Aloni <[email protected]>

This commit adds an additional factory function that isn't included as part of the standard create all resources to generate the network policies required by CDI to function properly. This new function will be used in following commits to generate network policies as part of manifest-generator and csv-gen.
Signed-off-by: Adi Aloni <[email protected]>

A new environment variable CDI_DEPLOY_NP has been added with the options of true and false (defaults to false) to control the deployment of CDI's network policies. The network policies deployed when CDI_DEPLOY_NP is set to true are the ones generated by the createNetworkPolicies factory function as well as static ones for denying all traffic in the namespace and allowing traffic to kube-apiserver and DNS for pods labeled with `np.kubevirt.io/allow-access-cluster-services`.
Signed-off-by: Adi Aloni <[email protected]>

This commit adds the -dump-network-policies optional flag to the csv-generator tool in order to allow dumping CDI's required network policies in case of a restrictive environment.
Signed-off-by: Adi Aloni <[email protected]>
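The two static policies the commit messages above describe (deny all traffic in the CDI namespace, then allow kube-apiserver and DNS egress only for pods carrying the `np.kubevirt.io/allow-access-cluster-services` label), written out as an added example and not CDI's actual generated manifests. The namespace name `cdi`, the label value `"true"`, the `k8s-app: kube-dns` selector and the API server ports 6443/443 are assumptions, not values from this PR.

```yaml
# Added example, not CDI's own manifests. Namespace "cdi", label value "true",
# the kube-dns selector and the API server ports are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cdi-deny-all
  namespace: cdi
spec:
  podSelector: {}                  # every pod in the namespace
  policyTypes: [Ingress, Egress]   # no rules listed, so all traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cdi-allow-access-cluster-services
  namespace: cdi
spec:
  podSelector:
    matchLabels:
      np.kubevirt.io/allow-access-cluster-services: "true"
  policyTypes: [Egress]
  egress:
  # DNS: kube-dns pods in kube-system, UDP and TCP port 53
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # kube-apiserver: NetworkPolicy cannot select the "kubernetes" service by
  # name, so allow the API server ports to any destination (assumption);
  # replace with an ipBlock of the API server endpoint(s) where known
  - ports:
    - protocol: TCP
      port: 6443
    - protocol: TCP
      port: 443
```

With both policies applied, a pod in the namespace that lacks the label can no longer resolve names or reach the API server, which is the quickest way to confirm the deny-all policy is in effect before labeling the CDI components.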
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: awels. The full list of commands accepted by this bot can be found here. The pull request process is described here.
👍
| @@ -0,0 +1,17 @@ | |||
| apiVersion: networking.k8s.io/v1 | |||
Do we want to ship this to external entities running our func test suite, similarly to the SCC? Totally not a must for this PR, just something to consider.
| ingress: | ||
| - {} | ||
| egress: | ||
| - {} |
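Review bot: `- {}` under both `ingress:` and `egress:` is an empty rule, which matches every peer on every port, so whatever pods this policy's `podSelector` matches get unrestricted traffic in both directions. Since the PR description scopes this allow-all policy to CDI testing pods created only when the sync runs with test-infra, make sure the selector cannot match non-test pods in the namespace, and list both `Ingress` and `Egress` explicitly under `policyTypes` so the allow-all intent is unambiguous.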
Just curious, what's this mostly about? http/registry test servers?
/test pull-cdi-goveralls looks like timeouts
What this PR does / why we need it:
This PR extends CDI to allow an optional generation and deployment of network policies that generally allow only the traffic patterns required by CDI's internal components, those being:
It introduces a new environment variable `CDI_DEPLOY_NP` which allows controlling the deployment of said network policies during cluster-sync. A separate static network policy that allows all traffic patterns for CDI testing pods is created if the sync is run with `test-infra`.
Which issue(s) this PR fixes (optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged):
Fixes #
Special notes for your reviewer:
Release note: