feat: Add support for ingress network policies at vcluster creation time

Author: cbalan

chart/templates/networkpolicy.yaml

@@ -105,4 +105,179 @@ spec:
     {{- end }}
   policyTypes:
     - Egress
-  {{- end }}
+{{- end }}
+{{- if .Values.policies.networkPolicy.ingress.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: vc-cp-{{ .Release.Name }}-ingress
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: vcluster
+    chart: "{{ include "vcluster.version.label"  $ }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+{{- if .Values.policies.networkPolicy.labels }}
+{{ toYaml .Values.policies.networkPolicy.labels | indent 4 }}
+{{- end }}
+{{- $annotations := merge dict .Values.controlPlane.advanced.globalMetadata.annotations .Values.policies.networkPolicy.annotations }}
+{{- if $annotations }}
+  annotations:
+{{ toYaml $annotations | indent 4 }}
+{{- end }}
+spec:
+  podSelector:
+    matchLabels:
+      release: {{ .Release.Name }}
+  policyTypes:
+    - Ingress
+  ingress:
+    - ports:
+        - port: 8443
+          protocol: TCP
+      from:
+        # Allow for vcluster workloads traffic
+        - podSelector:
+            matchLabels:
+              vcluster.loft.sh/managed-by: {{ .Release.Name }}
+{{- if .Values.policies.networkPolicy.ingress.platform }}
+        # Allow ingress access from the loft platform.
+        - podSelector:
+            matchLabels:
+              app: loft
+          namespaceSelector: {}
+{{- end }}
+
+{{- if .Values.policies.networkPolicy.ingress.controlPlaneRules }}
+{{ toYaml .Values.policies.networkPolicy.ingress.controlPlaneRules | indent 4 }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: vc-kube-dns-{{ .Release.Name }}-ingress
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: vcluster
+    chart: "{{ include "vcluster.version.label"  $ }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+{{- if .Values.policies.networkPolicy.labels }}
+{{ toYaml .Values.policies.networkPolicy.labels | indent 4 }}
+{{- end }}
+{{- $annotations := merge dict .Values.controlPlane.advanced.globalMetadata.annotations .Values.policies.networkPolicy.annotations }}
+{{- if $annotations }}
+  annotations:
+{{ toYaml $annotations | indent 4 }}
+{{- end }}
+spec:
+  podSelector:
+    matchLabels:
+      k8s-app: vcluster-kube-dns
+      vcluster.loft.sh/managed-by: {{ .Release.Name }}
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allows incoming connections to DNS server
+    - ports:
+        - port: 1053
+          protocol: TCP
+        - port: 1053
+          protocol: UDP
+      from:
+       - podSelector:
+           matchLabels:
+             vcluster.loft.sh/managed-by: {{ .Release.Name }}
+
+{{- if .Values.policies.networkPolicy.ingress.kubeDnsRules }}
+{{ toYaml .Values.policies.networkPolicy.ingress.kubeDnsRules | indent 4 }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: vc-work-{{ .Release.Name }}-ingress
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: vcluster
+    chart: "{{ include "vcluster.version.label"  $ }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+{{- if .Values.policies.networkPolicy.labels }}
+{{ toYaml .Values.policies.networkPolicy.labels | indent 4 }}
+{{- end }}
+{{- $annotations := merge dict .Values.controlPlane.advanced.globalMetadata.annotations .Values.policies.networkPolicy.annotations }}
+{{- if $annotations }}
+  annotations:
+{{ toYaml $annotations | indent 4 }}
+{{- end }}
+spec:
+  podSelector:
+    matchLabels:
+      vcluster.loft.sh/managed-by: {{ .Release.Name }}
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        # Allow incoming connections from other vcluster workloads
+        - podSelector:
+            matchLabels:
+              vcluster.loft.sh/managed-by: {{ .Release.Name }}
+{{- if .Values.policies.networkPolicy.ingress.workloadRules }}
+{{ toYaml .Values.policies.networkPolicy.ingress.workloadRules | indent 4 }}
+{{- end }}
+{{- if and .Values.controlPlane.backingStore.etcd.deploy.enabled .Values.controlPlane.backingStore.etcd.deploy.statefulSet.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: vc-etcd-{{ .Release.Name }}-ingress
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: vcluster
+    chart: "{{ include "vcluster.version.label"  $ }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+{{- if .Values.policies.networkPolicy.labels }}
+{{ toYaml .Values.policies.networkPolicy.labels | indent 4 }}
+{{- end }}
+{{- $annotations := merge dict .Values.controlPlane.advanced.globalMetadata.annotations .Values.policies.networkPolicy.annotations }}
+{{- if $annotations }}
+  annotations:
+{{ toYaml $annotations | indent 4 }}
+{{- end }}
+spec:
+  podSelector:
+    matchLabels:
+      app: vcluster-etcd
+      release: {{ .Release.Name }}
+  policyTypes:
+    - Ingress
+  ingress:
+    - ports:
+        - port: 2380
+          protocol: TCP
+      from:
+        # Allow for vc-etcd peer traffic
+        - podSelector:
+            matchLabels:
+              app: vcluster-etcd
+              release: {{ .Release.Name }}
+    - ports:
+        - port: 2379
+          protocol: TCP
+      from:
+        # Allow for vc-cp traffic
+        - podSelector:
+            matchLabels:
+              app: vcluster
+              release: {{ .Release.Name }}
+
+        # Allow for vc-etcd peer traffic
+        - podSelector:
+            matchLabels:
+              app: vcluster-etcd
+              release: {{ .Release.Name }}
+{{- end }}
+{{- end }}

chart/tests/networkpolicy_test.yaml

@@ -121,3 +121,56 @@ tests:
         equal:
           path: spec.egress[3].ports[2].port
           value: 6443
+
+  - it: check ingress defaults
+    release:
+      name: my-release
+      namespace: my-namespace
+    set:
+      policies:
+        networkPolicy:
+          ingress:
+            enabled: true
+    asserts:
+      - hasDocuments:
+          count: 3
+      - documentIndex: 0
+        equal:
+          path: metadata.name
+          value: vc-cp-my-release-ingress
+      - documentIndex: 0
+        equal:
+          path: spec.policyTypes
+          value: ["Ingress"]
+      - documentIndex: 0
+        lengthEqual:
+          path: spec.ingress
+          count: 1
+      - documentIndex: 0
+        lengthEqual:
+          path: spec.ingress[0].from
+          count: 2
+      - documentIndex: 1
+        equal:
+          path: metadata.name
+          value: vc-kube-dns-my-release-ingress
+      - documentIndex: 1
+        equal:
+          path: spec.policyTypes
+          value: ["Ingress"]
+      - documentIndex: 1
+        lengthEqual:
+          path: spec.ingress
+          count: 1
+      - documentIndex: 2
+        equal:
+          path: metadata.name
+          value: vc-work-my-release-ingress
+      - documentIndex: 2
+        equal:
+          path: spec.policyTypes
+          value: ["Ingress"]
+      - documentIndex: 2
+        lengthEqual:
+          path: spec.ingress
+          count: 1

chart/values.schema.json

@@ -2930,6 +2930,10 @@
           "type": "array",
           "description": "ExtraWorkloadRules are extra allowed rules for the vCluster workloads."
         },
+        "ingress": {
+          "$ref": "#/$defs/NetworkPolicyIngress",
+          "description": "Ingress rules"
+        },
         "annotations": {
           "additionalProperties": {
             "type": "string"
@@ -2948,6 +2952,41 @@
       "additionalProperties": false,
       "type": "object"
     },
+    "NetworkPolicyIngress": {
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "description": "Enabled defines if the network policy should be deployed by vCluster."
+        },
+        "platform": {
+          "type": "boolean",
+          "description": "Platform enables ingress access from the loft platform"
+        },
+        "controlPlaneRules": {
+          "items": {
+            "type": "object"
+          },
+          "type": "array",
+          "description": "ControlPlaneRules are allowed rules for the vCluster control plane."
+        },
+        "kubeDnsRules": {
+          "items": {
+            "type": "object"
+          },
+          "type": "array",
+          "description": "KubeDNSRules are allowed rules for the vCluster workloads."
+        },
+        "workloadRules": {
+          "items": {
+            "type": "object"
+          },
+          "type": "array",
+          "description": "WorkloadRules are allowed rules for the vCluster workloads."
+        }
+      },
+      "additionalProperties": false,
+      "type": "object"
+    },
     "NetworkProxyKubelets": {
       "properties": {
         "byHostname": {

chart/values.yaml

@@ -1146,6 +1146,18 @@ policies:
           - 10.0.0.0/8
           - 172.16.0.0/12
           - 192.168.0.0/16
+    # Ingress rules
+    ingress:
+      # Enabled defines if the network policy should be deployed by vCluster.
+      enabled: false
+      # Platform enables ingress access from the loft platform
+      platform: true
+      # ControlPlaneRules are allowed rules for the vCluster control plane.
+      controlPlaneRules: []
+      # KubeDNSRules are allowed rules for the vCluster workloads.
+      kubeDnsRules: []
+      # WorkloadRules are allowed rules for the vCluster workloads.
+      workloadRules: []
 
   # CentralAdmission defines what validating or mutating webhooks should be enforced within the virtual cluster.
   centralAdmission:

config/config.go

@@ -2681,9 +2681,29 @@ type NetworkPolicy struct {
 	// ExtraWorkloadRules are extra allowed rules for the vCluster workloads.
 	ExtraWorkloadRules []map[string]interface{} `json:"extraWorkloadRules,omitempty"`
 
+	// Ingress rules
+	Ingress NetworkPolicyIngress `json:"ingress,omitempty"`
+
 	LabelsAndAnnotations `json:",inline"`
 }
 
+type NetworkPolicyIngress struct {
+	// Enabled defines if the network policy should be deployed by vCluster.
+	Enabled bool `json:"enabled,omitempty"`
+
+	// Platform enables ingress access from the loft platform
+	Platform bool `json:"platform,omitempty"`
+
+	// ControlPlaneRules are allowed rules for the vCluster control plane.
+	ControlPlaneRules []map[string]interface{} `json:"controlPlaneRules,omitempty"`
+
+	// KubeDNSRules are allowed rules for the vCluster workloads.
+	KubeDNSRules []map[string]interface{} `json:"kubeDnsRules,omitempty"`
+
+	// WorkloadRules are allowed rules for the vCluster workloads.
+	WorkloadRules []map[string]interface{} `json:"workloadRules,omitempty"`
+}
+
 type OutgoingConnections struct {
 	// IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed
 	// to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs

config/values.yaml

@@ -621,6 +621,12 @@ policies:
           - 10.0.0.0/8
           - 172.16.0.0/12
           - 192.168.0.0/16
+    ingress:
+      enabled: false
+      platform: true
+      controlPlaneRules: []
+      kubeDnsRules: []
+      workloadRules: []
 
   centralAdmission:
     validatingWebhooks: []