From ab0c60ec57c83b0d2bf10fe3803012d65d2b0e8a Mon Sep 17 00:00:00 2001
From: Iain Sproat <68657+iainsproat@users.noreply.github.com>
Date: Thu, 25 Aug 2022 15:08:25 +0100
Subject: [PATCH] Helm Chart: Network Policies allow server egress to apollo (#965)

* fix(helm chart): allow egress in server Network Policies to Apollo

The Cilium and Kubernetes network policies currently do not allow egress from the server to Apollo for graphql monitoring. Kubernetes Network Policies don't allow domain names. We have an open support ticket with Apollo Studio to request which CIDR to limit egress to. Until then, we will need to open egress to everywhere if a Kubernetes Network Policy is used.
---
 .../templates/frontend/networkpolicy.cilium.yml | 2 +-
 .../templates/server/networkpolicy.cilium.yml | 14 +++++++++++++-
 .../templates/server/networkpolicy.kubernetes.yml | 10 ++++++++++
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/utils/helm/speckle-server/templates/frontend/networkpolicy.cilium.yml b/utils/helm/speckle-server/templates/frontend/networkpolicy.cilium.yml
index 6051dc31c..f6ec58cfc 100644
--- a/utils/helm/speckle-server/templates/frontend/networkpolicy.cilium.yml
+++ b/utils/helm/speckle-server/templates/frontend/networkpolicy.cilium.yml
@@ -14,7 +14,7 @@ spec:
 - fromEndpoints:
 - matchLabels:
 io.kubernetes.pod.namespace: {{ .Values.ingress.namespace }}
-{{ include "speckle.ingress.selector.pod" $ | indent 12 }}
+{{ include "speckle.ingress.selector.pod" $ | indent 12 }}
 toPorts:
 - ports:
 - port: "www"
diff --git a/utils/helm/speckle-server/templates/server/networkpolicy.cilium.yml b/utils/helm/speckle-server/templates/server/networkpolicy.cilium.yml
index 7a6d4d258..96e6eca73 100644
--- a/utils/helm/speckle-server/templates/server/networkpolicy.cilium.yml
+++ b/utils/helm/speckle-server/templates/server/networkpolicy.cilium.yml
@@ -49,6 +49,9 @@ spec:
 dns:
 # TODO: remove egress to domain once https://github.com/specklesystems/speckle-server/issues/959 is fixed
 - matchName: {{ .Values.domain }}
+{{- if .Values.server.monitoring.apollo.enabled }}
+ - matchPattern: "*.api.apollographql.com"
+{{- end }}
 {{- if .Values.server.sentry_dns }}
 # DNS lookup for sentry
 - matchPattern: "*.ingest.sentry.io"
@@ -56,6 +59,14 @@ spec:
 {{ include "speckle.networkpolicy.dns.postgres.cilium" $ | indent 14 }}
 {{ include "speckle.networkpolicy.dns.redis.cilium" $ | indent 14 }}
 {{ include "speckle.networkpolicy.dns.blob_storage.cilium" $ | indent 14 }}
+{{- if .Values.server.monitoring.apollo.enabled }}
+ - toFQDNs:
+ - matchPattern: "*.api.apollographql.com"
+ toPorts:
+ - ports:
+ - port: "443"
+ protocol: TCP
+{{- end }}
 {{- if .Values.server.sentry_dns }}
 # egress to sentry
 - toCIDRSet:
@@ -63,6 +74,7 @@ spec:
 toPorts:
 - ports:
 - port: "443"
+ protocol: TCP
 {{- end }}
 # postgres
 {{ include "speckle.networkpolicy.egress.postgres.cilium" $ | indent 4 }}
@@ -73,7 +85,7 @@ spec:
 # allow egress to the ingress for speckle-server, so it can call itself
 # TODO: remove egress to domain once https://github.com/specklesystems/speckle-server/issues/959 is fixed
 - toFQDNs:
- - matchPattern: {{ .Values.domain }}
+ - matchName: {{ .Values.domain }}
 toPorts:
 - ports:
 - port: "443"
diff --git a/utils/helm/speckle-server/templates/server/networkpolicy.kubernetes.yml b/utils/helm/speckle-server/templates/server/networkpolicy.kubernetes.yml
index d372a410f..3c0107c09 100644
--- a/utils/helm/speckle-server/templates/server/networkpolicy.kubernetes.yml
+++ b/utils/helm/speckle-server/templates/server/networkpolicy.kubernetes.yml
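Review bot: The new Apollo entry in the `dns:` rule block is the only entry without an explanatory comment, while the neighbouring sentry entry carries `# DNS lookup for sentry`; I would add `# DNS lookup for Apollo Studio usage reporting` above the new `matchPattern`, and likewise `# egress to Apollo Studio usage reporting` above the new `toFQDNs` block in the following hunk (`@@ -56,6 +59,14 @@`) next to `# egress to sentry`. The host the Apollo plugin actually reports to is not visible in this diff; as far as I recall Cilium's `*` in a matchPattern does not span label boundaries, so `*.api.apollographql.com` only admits a single label in front of `api.apollographql.com`, and naming the expected host in the comment lets the pattern be checked against it. The enclosing `egress:` list starts above this hunk.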
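Review bot: The new `- matchName: {{ .Values.domain }}` in `@@ -73,7 +85,7 @@` leaves the templated value unquoted, so an empty or unset `domain` renders as a null `matchName` rather than failing the render; the literal patterns in this file are quoted, and I would write `- matchName: {{ .Values.domain | quote }}` here and for the identical line in the `dns:` rule at `@@ -49,6 +49,9 @@`. Whether Cilium rejects or silently ignores a null matchName I have not verified, which is exactly why a render-time failure is preferable. The enclosing `egress:` list starts above this hunk.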
@@ -23,6 +23,16 @@ spec:
 ports:
 - port: 53
 protocol: UDP
+{{- if .Values.server.monitoring.apollo.enabled }}
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ # except to kubernetes pods or services
+ except:
+ - 10.0.0.0/8
+ ports:
+ - port: 443
+{{- end }}
 {{- if .Values.server.sentry_dns }}
 # sentry.io https://docs.sentry.io/product/security/ip-ranges/#event-ingestion
 - to:
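Review bot: The `except: - 10.0.0.0/8` under `cidr: 0.0.0.0/0` only lives up to the comment `# except to kubernetes pods or services` on clusters whose pod and service CIDRs happen to sit in 10.0.0.0/8; on clusters using 172.16.0.0/12 or 192.168.0.0/16, and for any other private or on-prem network reachable from the nodes, this rule still permits HTTPS egress from the server pod to those addresses. I would at least add `- 172.16.0.0/12` and `- 192.168.0.0/16` under `except` and reword the comment to `# TODO: temporary - allows HTTPS to any public address until Apollo's CIDR is known` so the broad allow is visible to whoever reads the rendered policy. The CIDRs the cluster actually uses are not visible here, so exposing this except list through values would let operators tighten it per cluster. An explicit `protocol: TCP` on the new port entry would match the explicit `protocol: UDP` above and the Cilium counterpart; the API default is TCP, so that is documentation only. The enclosing `egress:` list starts above this hunk.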