
feat: add UDS Operator and consolidate UDS Policies #66

Merged 111 commits, Jan 16, 2024

Conversation

jeff-mccoy (Member) commented Dec 15, 2023

Description

This PR consolidates all Pepr capabilities into the folder src/pepr. This PR also introduces the UDS Operator, which manages a new CRD, `packages`, under the group uds.dev/v1alpha1.

The UDS Operator manages the lifecycle of UDS Package CRs and their corresponding resources (e.g. NetworkPolicies, Istio VirtualServices, etc.). The operator uses Pepr to bind the watch operations to the enque and reconciler. The operator is responsible for:

  • enabling Istio sidecar injection in namespaces where the CR is deployed
  • establishing default-deny ingress/egress network policies
  • creating a layered allow-list based approach on top of the default deny network policies including some basic defaults such as Istio requirements and DNS egress
  • providing targeted remote endpoints network policies such as KubeAPI and CloudMetadata to make policies more DRY and provide dynamic bindings where a static definition is not possible
  • creating Istio Virtual Services & related ingress gateway network policies

Key Files and Folders

```
.
├── controllers          # Core business logic called by the reconciler
│   ├── istio            # Manages Istio VirtualServices and sidecar injection for UDS Packages/Namespace
│   └── network          # Manages default and generated NetworkPolicies for UDS Packages/Namespace
├── crd
│   ├── generated        # Type files generated by `uds run -f src/pepr/tasks.yaml gen-crds`
│   ├── sources          # CRD source files
│   ├── register.ts      # Registers the UDS Package CRD with the Kubernetes API
│   └── validator.ts     # Validates UDS Package CRs with Pepr
├── enque.ts             # Serializes UDS Package CRs for processing by the reconciler
├── index.ts             # Entrypoint for the UDS Operator
└── reconciler.ts        # Reconciles UDS Package CRs via the controllers
```

bburky (Member) commented Dec 18, 2023

What is the plan for the lifecycle of the CR? I see you set ownerReferences, which should clean up created resources in the namespace on deletion. But what about updates? K8s.apply() is SSA, so I think it will update whole resources on changes, right? (Will it update/replace every field on a second apply, or does it merge with the old changes?)

The scenario I'm most worried about is this doesn't handle deletion on CR change. If you change the network config (but don't delete the CR), some of the old NetworkPolicies will need to be deleted.

You could consider an approach like Flux's kustomize-controller: they store a list of all the created resources in .status. On each change compare the new list of resources to the old ones and delete any that no longer should exist (perhaps have things like networkPolicies() and virtualService() return the list of resources they created or updated as an array of strings). Listing created resources in .status is also really nice for debuggability by users.
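An added example (TypeScript, not uds-core's own code) of the status-tracked cleanup described in the comment above: the reconciler computes every resource the new spec should produce, compares it with the list saved in `.status` by the previous reconcile, and prunes what is no longer desired. The Package spec fields, the `Kind/namespace/name` identity strings and the naming scheme are assumptions chosen for the illustration.

```typescript
// Added example, not uds-core code: models the ".status resource list" approach
// from the review comment as pure functions so it runs offline with no cluster.

// Hypothetical, simplified Package CR shape; the real CRD lives under crd/sources.
type Direction = "Ingress" | "Egress";
interface PackageSpec {
  network?: { allow?: { name: string; direction: Direction }[] };
  expose?: { service: string; host: string }[];
}
interface UdsPackage {
  metadata: { name: string; namespace: string };
  spec: PackageSpec;
  status?: { resources?: string[] }; // "Kind/namespace/name" written back by the reconciler
}

// Every resource the operator should own for this spec. The naming scheme is assumed;
// the fixed entries model the default-deny plus the Istio and DNS-egress baseline.
function desiredResources(pkg: UdsPackage): string[] {
  const { name, namespace: ns } = pkg.metadata;
  const out = [
    `NetworkPolicy/${ns}/deny-${name}-default`,
    `NetworkPolicy/${ns}/allow-${name}-istio`,
    `NetworkPolicy/${ns}/allow-${name}-dns-egress`,
  ];
  for (const rule of pkg.spec.network?.allow ?? []) {
    out.push(`NetworkPolicy/${ns}/allow-${name}-${rule.direction.toLowerCase()}-${rule.name}`);
  }
  for (const e of pkg.spec.expose ?? []) {
    out.push(`VirtualService/${ns}/${name}-${e.service}`);
    out.push(`NetworkPolicy/${ns}/allow-${name}-ingress-gateway-${e.service}`);
  }
  return out;
}

interface ReconcilePlan { apply: string[]; prune: string[]; status: { resources: string[] } }

// Apply everything desired, delete whatever the previous status lists that the new spec
// no longer produces, and return the status to write back for the next reconcile.
function planReconcile(pkg: UdsPackage): ReconcilePlan {
  const apply = desiredResources(pkg);
  const keep = new Set(apply);
  const prune = (pkg.status?.resources ?? []).filter((r) => !keep.has(r));
  return { apply, prune, status: { resources: apply } };
}

// Constructed sample: the first reconcile has an egress allow rule, the second drops it.
const first: UdsPackage = {
  metadata: { name: "app", namespace: "apps" },
  spec: { network: { allow: [{ name: "postgres", direction: "Egress" }] }, expose: [{ service: "web", host: "app.example.com" }] },
};
const firstPlan = planReconcile(first);
const second: UdsPackage = { ...first, spec: { expose: first.spec.expose }, status: firstPlan.status };
const secondPlan = planReconcile(second);
console.log("stale resources to delete:", secondPlan.prune);
```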

@mjnagel mjnagel dismissed stale reviews from zachariahmiller and Noxsios January 16, 2024 18:07

feedback addressed

mjnagel (Contributor) previously approved these changes Jan 16, 2024

LGTM at this point. I did modify the loki policies and add a Package CR for prometheus-stack so might be good to get @mikevanhemert / @zachariahmiller to confirm those pieces at least as a validation I didn't mess things up too much.

@jeff-mccoy jeff-mccoy merged commit 395c1c4 into main Jan 16, 2024
10 checks passed
@jeff-mccoy jeff-mccoy deleted the uds-operator branch January 16, 2024 20:59
jeff-mccoy pushed a commit that referenced this pull request Jan 16, 2024
🤖 I have created a release *beep* *boop*
---
## [0.8.0](v0.7.4...v0.8.0) (2024-01-16)

### Features

* add UDS Operator and consolidate UDS Policies ([#66](#66)) ([395c1c4](395c1c4))

### Miscellaneous

* adding unit test for registerExemptions() ([#105](#105)) ([5e71fcf](5e71fcf))
* **deps:** update pepr to v0.22.2 ([#104](#104)) ([0555353](0555353))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
robmcelvenny pushed a commit to owen-grady/uds-core-slim-dev that referenced this pull request Jun 3, 2024