OpenShift Over the Air: OTA-1609

Implement basic Network Policies for OSUS operands

    • Type: Story
    • Resolution: Unresolved
    • Priority: Major
    • Security & Compliance
    • 5
    • OTA 278

      Summary

      Implement basic NetworkPolicy resources that restrict network communication for the OSUS instances created by the OSUS Operator. For each UpdateService, the OSUS Operator should create NetworkPolicy resources that restrict networking for all workloads belonging to that OSUS instance. The policies should be created before the workloads so that they are effective for the whole workload lifecycle, and when an instance is removed the policies should be removed as well. This card covers shipping basic policies and deliberately avoids the complexity that stems from dynamic cluster / OSUS configuration; tightening the policies further will be done in separate cards focused on specific cases.

      OSUS Network Policy Requirements

      For each UpdateService, the OSUS Operator should create Network Policies enforcing the following rules:

      1. Default deny for both ingress and egress, with a selector that matches all instance workloads (deployment+graph-data-tag-digest)
      2. Allow egress to cluster-external addresses so the graph builder can scrape images from the registry. The scope of this card is to allow all egress; filtering to known ports or to cluster-internal locations is out of scope of this card.
      3. Allow egress to DNS: a pragmatic port filter suggested as sufficient for OCPSTRAT-819
      4. Allow ingress from the router on a known port so that external consumers can reach the policy engine through the Route

      Note: the deny policy from item 1 can eventually be removed once the operator ships the blanket deny policy (OTA-1608 will develop it but not ship it)
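      The following manifests are an added example sketching the four rules above for one hypothetical UpdateService named `sample` in a namespace `openshift-update-service`; they are not the OSUS Operator's own manifests, and everything specific in them is an assumption: the label the operator puts on instance workloads (`app.kubernetes.io/instance: sample`), the policy engine port (8081), the router namespace label (`policy-group.network.openshift.io/ingress`), and the DNS namespace and pod port. Because NetworkPolicy rules are additive, the deny object and the two allow objects can be created and deleted independently, which is what lets item 1 be dropped later without touching the allow rules.

```yaml
# Added example, not operator code. Labels, ports and names are assumptions.
---
# Rule 1: default deny. Selecting the instance pods and listing both policy
# types with no rules means this object alone allows nothing.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sample-default-deny
  namespace: openshift-update-service
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: sample   # assumed per-instance label
  policyTypes:
    - Ingress
    - Egress
---
# Rules 2 and 3: egress. The DNS rule is kept separate so it survives when
# the blanket rule below is narrowed in follow-up work.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sample-allow-egress
  namespace: openshift-update-service
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: sample
  policyTypes:
    - Egress
  egress:
    # DNS to the cluster resolver. The Service listens on 53; OpenShift's
    # CoreDNS pods listen on 5353 behind it, so both are listed (assumed).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
        - protocol: UDP
          port: 5353
        - protocol: TCP
          port: 5353
    # All other egress (this card's scope), so the graph builder can reach
    # the image registry wherever it lives.
    - {}
---
# Rule 4: ingress only from the router namespace on the policy engine port.
# Any other source, including in-cluster clients of the Service, is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sample-allow-ingress-from-router
  namespace: openshift-update-service
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: sample
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              policy-group.network.openshift.io/ingress: ""
      ports:
        - protocol: TCP
          port: 8081   # assumed policy-engine container port
```

      Two points worth checking when the operator emits objects like these: the `podSelector` must match only the instance's own pods, otherwise unrelated workloads in the namespace are affected (the last Testing bullet below), and giving each policy an owner reference to its UpdateService lets garbage collection remove the policies with the instance, while the operator still has to order creation so the policies exist before the first pod starts.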

      Definition of Done

      1. All workloads are labeled in a way that allows targeting them with a per-instance policy
      2. For each UpdateService, the operator creates a NetworkPolicy that enforces default deny of all traffic for every workload related to that OSUS instance
      3. For each UpdateService, the operator creates a NetworkPolicy that allows the networking specified above in OSUS Network Policy Requirements
      4. When an UpdateService is removed, all related NetworkPolicy resources are removed too, after the workloads are removed

      Testing

      • Expected NetworkPolicy resources are created for each UpdateService instance
      • OSUS must be able to work as normal, that is, scrape the image registry and serve content through the Route endpoint
      • OSUS should not be able to serve content cluster-internally through the service endpoint
      • Other unrelated workloads in the namespace should not be affected

      W. Trevor King (trking)
      Petr Muller (afri@afri.cz)
      Votes: 0
      Watchers: 3