From d6879913dd1d391ba27a3cb634a757f91f081deb Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Tue, 20 Feb 2024 10:44:30 -0700
Subject: [PATCH 1/2] wip: netpol/pa for webhooks

---
 .../peerauthentication/metrics-api.yaml | 1 +
 .../neuvector-controller-pa.yaml | 5 ++++-
 src/neuvector/chart/templates/uds-package.yaml | 8 ++++++++
 .../prometheus-operator-pa.yaml | 17 +++++++++++++++++
 .../chart/templates/uds-package.yaml | 8 ++++++++
 5 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml

diff --git a/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml b/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml
index f6c3a3bc0..18c5fdcbf 100644
--- a/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml
+++ b/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml
@@ -11,6 +11,7 @@ spec:
 matchLabels:
 app.kubernetes.io/name: metrics-server
 portLevelMtls:
+ # Allow api service calls to operate permissive since ingress originates from the nodes
 "10250":
 mode: PERMISSIVE
 {{- end }}
diff --git a/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml b/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml
index 71c2deb73..6e881bf73 100644
--- a/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml
+++ b/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml
@@ -13,4 +13,7 @@ spec:
 portLevelMtls:
 "18300":
 mode: PERMISSIVE
-{{- end }}
\ No newline at end of file
+ # Allow webhooks to operate permissive since ingress originates from the nodes
+ "30443":
+ mode: PERMISSIVE
+{{- end }}
diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml
index 631410e45..c097ce346 100644
--- a/src/neuvector/chart/templates/uds-package.yaml
+++ b/src/neuvector/chart/templates/uds-package.yaml
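Review bot: The new comment justifies the PERMISSIVE exception on "10250" by saying ingress "originates from the nodes", but for an APIService the caller is the kube-apiserver aggregation layer, which is only the same thing as "the nodes" on distributions where the control plane runs as node-local processes — presumably the case here, but the comment should say so rather than leave it to the reader. It should also state what the exception gives up: PERMISSIVE means the sidecar accepts plaintext as well as mTLS on that port, so authentication of the aggregated call rests on metrics-server's own serving TLS and client-certificate checks, not on Istio. Suggested wording: `# kube-apiserver (aggregation layer) has no sidecar and calls the APIService on 10250; this port accepts non-mTLS, so authn relies on metrics-server's own TLS/client-cert validation`. The PeerAuthentication's header, selector and top-level mtls mode sit above this hunk.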
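Review bot: Adding "30443" as PERMISSIVE means the controller's webhook port accepts plaintext from any peer the NetworkPolicy admits, and the second patch in this series admits `remoteGenerated: Anywhere` to that same port, so the combined effect is a path to 30443 that Istio does not authenticate at all. That is the usual trade-off for admission webhooks (the API server has no sidecar and must speak its own TLS to the webhook), but the comment should say that the remaining control is the controller's webhook TLS rather than repeat the "from the nodes" rationale, e.g. `# kube-apiserver calls the admission webhook without a sidecar; 30443 accepts non-mTLS and relies on the controller's own webhook TLS`. With this hunk "18300" and "30443" are the only non-STRICT ports on the controller; any further entry under portLevelMtls should carry the same kind of justification. The PeerAuthentication's header and selector are above this hunk.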
@@ -31,6 +31,14 @@ spec:
 selector:
 app: neuvector-updater-pod
+ # - direction: Ingress
+ # # todo: evaluate a "KubeAPI" _ingress_ generated rule for webhook calls
+ # remoteGenerated: Anywhere
+ # selector:
+ # app: neuvector-controller-pod
+ # port: 30443
+ # description: "Webhook"
+
 - direction: Ingress
 remoteNamespace: monitoring
 remoteSelector:
diff --git a/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml b/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml
new file mode 100644
index 000000000..eb1c14d0e
--- /dev/null
+++ b/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml
@@ -0,0 +1,17 @@
+{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }}
+apiVersion: "security.istio.io/v1beta1"
+kind: PeerAuthentication
+metadata:
+ name: prometheus-operator-webhook
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ matchLabels:
+ app: kube-prometheus-stack-operator
+ mtls:
+ mode: STRICT
+ portLevelMtls:
+ # Allow webhooks to operate permissive since ingress originates from the nodes
+ "10250":
+ mode: PERMISSIVE
+{{- end }}
diff --git a/src/prometheus-stack/chart/templates/uds-package.yaml b/src/prometheus-stack/chart/templates/uds-package.yaml
index f021ddf01..d4acd62eb 100644
--- a/src/prometheus-stack/chart/templates/uds-package.yaml
+++ b/src/prometheus-stack/chart/templates/uds-package.yaml
@@ -33,6 +33,14 @@ spec:
 selector:
 app: kube-prometheus-stack-admission-patch
+ # - direction: Ingress
+ # # todo: evaluate a "KubeAPI" _ingress_ generated rule for webhook calls
+ # remoteGenerated: Anywhere
+ # selector:
+ # app: kube-prometheus-stack-operator
+ # port: 10250
+ # description: "Webhook"
+
 # todo: lockdown egress to scrape targets
 - direction: Egress
 remoteNamespace: ""
From 0f11ffa393657610b88d23ad74e3e7e4bbd24bcb Mon Sep 17 00:00:00 2001
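Review bot: The new PeerAuthentication correctly defaults the operator to STRICT, but the "10250" PERMISSIVE exemption carries only the "originates from the nodes" rationale, and the reader needs to know that this port now accepts plaintext and that the admission webhook's own TLS (provisioned, judging by the `kube-prometheus-stack-admission-patch` selector in the next hunk, by the chart's admission jobs — confirm) is the control that remains. Suggested comment in place of the current one: `# kube-apiserver calls the admission webhook without a sidecar; 10250 accepts non-mTLS and relies on the webhook's own TLS`. Separately, a PeerAuthentication whose `matchLabels` match no pod is a silent no-op rather than an error, so the `app: kube-prometheus-stack-operator` selector should be checked against the operator Deployment's actual pod labels (the value is not visible in this diff), ideally with a comment naming the workload it is meant to match.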
From: Micah Nagel
Date: Tue, 20 Feb 2024 12:09:11 -0700
Subject: [PATCH 2/2] fix: webhook ingress/mtls

---
 src/neuvector/chart/templates/uds-package.yaml | 14 +++++++-------
 .../chart/templates/uds-package.yaml | 14 +++++++-------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml
index c097ce346..b44a25f73 100644
--- a/src/neuvector/chart/templates/uds-package.yaml
+++ b/src/neuvector/chart/templates/uds-package.yaml
@@ -31,13 +31,13 @@ spec:
 selector:
 app: neuvector-updater-pod
- # - direction: Ingress
- # # todo: evaluate a "KubeAPI" _ingress_ generated rule for webhook calls
- # remoteGenerated: Anywhere
- # selector:
- # app: neuvector-controller-pod
- # port: 30443
- # description: "Webhook"
+ - direction: Ingress
+ # todo: evaluate a "KubeAPI" _ingress_ generated rule for webhook calls
+ remoteGenerated: Anywhere
+ selector:
+ app: neuvector-controller-pod
+ port: 30443
+ description: "Webhook"
 - direction: Ingress
 remoteNamespace: monitoring
diff --git a/src/prometheus-stack/chart/templates/uds-package.yaml b/src/prometheus-stack/chart/templates/uds-package.yaml
index d4acd62eb..5574573bc 100644
--- a/src/prometheus-stack/chart/templates/uds-package.yaml
+++ b/src/prometheus-stack/chart/templates/uds-package.yaml
@@ -33,13 +33,13 @@ spec:
 selector:
 app: kube-prometheus-stack-admission-patch
- # - direction: Ingress
- # # todo: evaluate a "KubeAPI" _ingress_ generated rule for webhook calls
- # remoteGenerated: Anywhere
- # selector:
- # app: kube-prometheus-stack-operator
- # port: 10250
- # description: "Webhook"
+ - direction: Ingress
+ # todo: evaluate a "KubeAPI" _ingress_ generated rule for webhook calls
+ remoteGenerated: Anywhere
+ selector:
+ app: kube-prometheus-stack-operator
+ port: 10250
+ description: "Webhook"
 # todo: lockdown egress to scrape targets
 - direction: Egress
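Review bot: The uncommented rule admits ingress to the controller's port 30443 from `remoteGenerated: Anywhere`, and the PeerAuthentication in the first patch of this series makes that port PERMISSIVE, so together they let any source the policy engine treats as "Anywhere" — at minimum every pod in the cluster, and possibly off-cluster sources depending on how UDS renders that value (confirm) — reach the webhook without mTLS. The inline `# todo` already names the right fix (a generated KubeAPI ingress rule); until it lands, the rule's `description` should carry the justification and the residual exposure so a policy audit does not read "Webhook" as intentionally open access, e.g. `description: "Admission webhook; kube-apiserver has no sidecar, so open beyond KubeAPI until a generated ingress rule exists"`. Note that this is a Helm template, so the `# todo` comment is stripped from the rendered Package and is invisible to anyone reviewing live policy — the description is the only place the rationale survives.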
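Review bot: The new ingress rule and the PeerAuthentication added for the operator in the first patch must agree on both the selector (`app: kube-prometheus-stack-operator`) and the port (10250), and nothing ties the two files together, so a later change to one will silently leave the other stale — a PeerAuthentication exemption on a port the NetworkPolicy no longer opens is harmless, but the reverse opens a port with no mTLS exemption and breaks the webhook. A one-line cross-reference on the rule, `# keep selector/port in sync with peerauthentication/prometheus-operator-pa.yaml`, is enough to make that coupling visible. The `description: "Webhook"` is also too terse for a policy audit; `description: "Admission webhook ingress (kube-apiserver, no sidecar)"` says who the peer is and why the rule exists. The surrounding `# todo: lockdown egress` rule below this hunk is unchanged by the commit.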