Chart: Rework NetworkPolicies.

[Gacko]

What this PR does / why we need it:

This PR reworks the existing controller network policy which was added for the admission webhook to restrict access on all known ports instead of allowing any and adds a network policy for the default backend.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• CVE Report (Scanner found CVE and adding report)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation only

Which issue/s this PR fixes

How Has This Been Tested?

Checklist:

• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I've read the CONTRIBUTION guide
• I have added unit and/or e2e tests to cover my changes.
• All new and existing tests passed.
• Added Release Notes.

Does my pull request need a release note?

Any user-visible or operator-visible change qualifies for a release note. This could be a:

• CLI change
• API change
• UI change
• configuration schema change
• behavioral change
• change in non-functional attributes such as efficiency or availability, availability of a new platform
• a warning about a deprecation
• fix of a previous Known Issue
• fix of a vulnerability (CVE)

No release notes are required for changes to the following:

• Tests
• Build infrastructure
• Fixes for unreleased bugs

For more tips on writing good release notes, check out the Release Notes Handbook

Chart: Rework `NetworkPolicies`.

[k8s-ci-robot]

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

Hi @Gacko. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Gacko]

@strongjz @rikatz: Would you mind reviewing and eventually merging this? :)

[tao12345666333]

/assign

[tao12345666333]

Can you provide more explanation for why this change is necessary, given that it is a disruptive modification? Thanks

[Gacko]

Sure!

Right now there's a NetworkPolicy called {{ include "ingress-nginx.fullname" . }}-webhooks-allow and only created if the admission webhook (controller.admissionWebhooks.enabled) and its network policy (controller.admissionWebhooks.networkPolicyEnabled) are enabled. This would make sense if it would only allow access to the actual webhook ports, but actually it allows access to any port of the controller.

I first of all just renamed the manifest and made it what it's actually doing plus not binding it to the admission webhook configuration but to the controller configuration and limit access to the ports really in use. One can still disable the access to the admission webhook port by simply disabling controller.admissionWebhooks.enabled:

https://github.com/kubernetes/ingress-nginx/pull/9634/files#diff-07a869fb92716cdbb5321f9be8e26f65ade88f5ab6ed5bf073b690cf00548d3cR31

So yeah, you're right: This is breaking because I removed controller.admissionWebhooks.networkPolicyEnabled or at least replaced it by controller.networkPolicy.enabled (kind of).

Additionally I created a similar network policy for the default backend, which did not exist before, and reworked the existing network policy for the webhook patch jobs to align it to the other webhook patch job resources.

If one requires NetworkPolicies in his/hers environment, they enabled controller.admissionWebhooks.networkPolicyEnabled before and will now also enable the newly introduced and in the release notes mentioned controller.networkPolicy.enabled to make the whole ingress-nginx work in their setup, which in the end results in the same.

So from my point of view: Yeah, it's breaking, but right now in environments which require NetworkPolicies to make ingress-nginx work, it only works when you enable controller.admissionWebhooks.networkPolicyEnabled - which is way more confusing - or add a NetworkPolicy on your own. The latter is introduced in this PR. So I'm just making things work straight forward and clearer.

btw: This all is totally useless and non-breaking in environments not using restrictive / deny-by-default NetworkPolices aka it only applies to those restrictive environments and users of the latter have way more problems right now than without my change.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Gacko
Once this PR has been reviewed and has the lgtm label, please ask for approval from tao12345666333. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• charts/ingress-nginx/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[netlify]

✅ Deploy Preview for kubernetes-ingress-nginx ready!

Name	Link
🔨 Latest commit	862a217
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-ingress-nginx/deploys/64bbecf054a392000819932b
😎 Deploy Preview	https://deploy-preview-9634--kubernetes-ingress-nginx.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[tao12345666333]

Thank you for continuously updating this PR. I need to do some verification on it. You don't need to update it anymore before I come back. I will leave comments when I finish the review.

[Gacko]

Hey @tao12345666333! Have you been able to review this PR? Is there anything I can do to get it merged soon?

[Gacko]

@tao12345666333: I opened #10238 in favor of this PR since the base repository changed.