Restrict access to the kube-proxy to local pod connections only (#516)

* Restrict apex client network access to localhost. * Update image pull policy. * Update cert-persister to latest image. --------- Co-authored-by: Jooseppi Luna <jooseppi_luna@dell.com>
dell · Mar 4, 2024 · f269388 · f269388
1 parent 6e68350
commit f269388
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 40 deletions.
diff --git a/bundle/manifests/dell-csm-operator.clusterserviceversion.yaml b/bundle/manifests/dell-csm-operator.clusterserviceversion.yaml
@@ -36,7 +36,7 @@ metadata:
  "name": "kubernetes-proxy"
  },
  {
- "image": "dellemc/connectivity-cert-persister-k8s:0.7.0",
+ "image": "dellemc/connectivity-cert-persister-k8s:0.11.0",
  "imagePullPolicy": "IfNotPresent",
  "name": "cert-persister"
  }
@@ -3572,7 +3572,7 @@ spec:
  name: metadataretriever
  - image: docker.io/dellemc/connectivity-client-docker-k8s:1.2.3
  name: dell-connectivity-client
- - image: docker.io/dellemc/connectivity-cert-persister-k8s:0.7.0
+ - image: docker.io/dellemc/connectivity-cert-persister-k8s:0.11.0
  name: cert-persister
  skips:
  - dell-csm-operator.v1.4.2

diff --git a/config/samples/storage_v1_csm_connectivity_client.yaml b/config/samples/storage_v1_csm_connectivity_client.yaml
@@ -22,7 +22,7 @@ spec:
  image: bitnami/kubectl:1.28
  imagePullPolicy: IfNotPresent
  - name: cert-persister
- image: dellemc/connectivity-cert-persister-k8s:0.7.0
+ image: dellemc/connectivity-cert-persister-k8s:0.11.0
  imagePullPolicy: IfNotPresent
 ---
 apiVersion: v1

diff --git a/operatorconfig/clientconfig/apexconnectivityclient/v1.0.0/statefulset.yaml b/operatorconfig/clientconfig/apexconnectivityclient/v1.0.0/statefulset.yaml
@@ -126,7 +126,7 @@ spec:
  containers:
  - name: connectivity-client-docker-k8s
  image: "<CONNECTIVITY_CLIENT_IMAGE>"
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
  args:
  - "--aggregator"
  - <AGGREGATOR_URL>
@@ -208,26 +208,14 @@ spec:
  - ALL
  - name: kubernetes-proxy
  image: "<KUBERNETES_PROXY_IMAGE>"
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
  command: [ "kubectl" ]
  args:
  - "proxy"
  - "--port=8001"
- - "--address=0.0.0.0"
- - "--accept-hosts=^.*$"
+ - "--address=127.0.0.1"
+ - "--accept-hosts=^localhost$,^127.0.0.1$"
  - "--v=5"
- ports:
- - containerPort: 8001
- livenessProbe:
- httpGet:
- path: /api/v1
- port: 8001
- scheme: HTTP
- initialDelaySeconds: 5
- timeoutSeconds: 2
- periodSeconds: 30
- successThreshold: 1
- failureThreshold: 3
  securityContext:
  readOnlyRootFilesystem: false
  allowPrivilegeEscalation: false
@@ -238,7 +226,7 @@ spec:
  - ALL
  - name: cert-persister
  image: "<CERT_PERSISTER_IMAGE>"
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
  env:
  - name: DCM_IDENTITY_LOCATION
  valueFrom:
@@ -259,7 +247,7 @@ spec:
  initContainers:
  - name: connectivity-client-init
  image: "<ACC_INIT_CONTAINER_IMAGE>"
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
  env:
  - name: DCM_IDENTITY_LOCATION
  valueFrom:

diff --git a/samples/connectivity_client_v100.yaml b/samples/connectivity_client_v100.yaml
@@ -22,7 +22,7 @@ spec:
  image: bitnami/kubectl:1.28
  imagePullPolicy: IfNotPresent
  - name: cert-persister
- image: dellemc/connectivity-cert-persister-k8s:0.7.0
+ image: dellemc/connectivity-cert-persister-k8s:0.11.0
  imagePullPolicy: IfNotPresent
 ---
 apiVersion: v1

diff --git a/tests/config/clientconfig/apex/v1.0.0/statefulset.yaml b/tests/config/clientconfig/apex/v1.0.0/statefulset.yaml
@@ -125,7 +125,7 @@ spec:
  securityContext:
  {}
  image: "<CONNECTIVITY_CLIENT_IMAGE>"
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
  args:
  - "--aggregator"
  - <AGGREGATOR_URL>
@@ -199,29 +199,17 @@ spec:
  failureThreshold: 3
  - name: kubernetes-proxy
  image: "<KUBERNETES_PROXY_IMAGE>"
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
  command: [ "kubectl" ]
  args:
  - "proxy"
  - "--port=8001"
- - "--address=0.0.0.0"
- - "--accept-hosts=^.*$"
+ - "--address=127.0.0.1"
+ - "--accept-hosts=^localhost$,^127.0.0.1$"
  - "--v=5"
- ports:
- - containerPort: 8001
- livenessProbe:
- httpGet:
- path: /api/v1
- port: 8001
- scheme: HTTP
- initialDelaySeconds: 5
- timeoutSeconds: 2
- periodSeconds: 30
- successThreshold: 1
- failureThreshold: 3
  - name: cert-persister
  image: "<CERT_PERSISTER_IMAGE>"
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
  env:
  - name: DCM_IDENTITY_LOCATION
  valueFrom:
@@ -234,7 +222,7 @@ spec:
  initContainers:
  - name: connectivity-client-init
  image: "<ACC_INIT_CONTAINER_IMAGE>"
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
  env:
  - name: DCM_IDENTITY_LOCATION
  valueFrom: