Merge pull request #546 from manics/network-policy

Initial network Policies for hub proxy singleuser
jupyterhub · Mar 19, 2018 · cf8d9a8 · cf8d9a8
2 parents e8cd4ac + 85e8fff
commit cf8d9a8
Show file tree

Hide file tree

Showing 7 changed files with 144 additions and 3 deletions.
diff --git a/jupyterhub/templates/hub/configmap.yaml b/jupyterhub/templates/hub/configmap.yaml
@@ -173,11 +173,10 @@ data:
   {{ if .Values.singleuser.cpu.guarantee -}}
   singleuser.cpu.guarantee: {{ .Values.singleuser.cpu.guarantee | quote}}
   {{- end }}
-  {{ if .Values.singleuser.extraLabels -}}
   singleuser.extra-labels: |
-    {{ range $key, $value := .Values.singleuser.extraLabels -}}
+    hub.jupyter.org/network-access-hub: "true"
+  {{ range $key, $value := .Values.singleuser.extraLabels -}}
     {{ $key | quote }}: {{ $value | quote }}
-    {{- end }}
   {{- end }}
   {{ if .Values.singleuser.extraEnv -}}
   singleuser.extra-env: |

diff --git a/jupyterhub/templates/hub/deployment.yaml b/jupyterhub/templates/hub/deployment.yaml
@@ -12,6 +12,9 @@ spec:
         component: hub
         release: {{ .Release.Name }}
         heritage: {{ .Release.Service }}
+        hub.jupyter.org/network-access-proxy-api: "true"
+        hub.jupyter.org/network-access-proxy-http: "true"
+        hub.jupyter.org/network-access-singleuser: "true"
         {{ if .Values.hub.labels -}}
         # Because toYaml + indent is super flaky
         {{ range $key, $value := .Values.proxy.labels -}}

diff --git a/jupyterhub/templates/hub/netpol-hub.yaml b/jupyterhub/templates/hub/netpol-hub.yaml
@@ -0,0 +1,32 @@
+{{- if and .Values.hub.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: hub-network-policy
+spec:
+  podSelector:
+    matchLabels:
+      name: hub
+      app: jupyterhub
+      component: hub
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          hub.jupyter.org/network-access-hub: "true"
+    ports:
+    - protocol: TCP
+      port: 8081
+  egress:
+  # The default is to allow all egress for hub
+  # If you want to restrict it the following egress is required
+  # proxy:8001
+  # singleuser:8888
+  # Kubernetes api-server
+{{ if .Values.hub.networkPolicy.egress }}
+{{ toYaml .Values.hub.networkPolicy.egress | indent 2 }}
+{{- end }}
+{{- end }}
diff --git a/jupyterhub/templates/hub/netpol-singleuser.yaml b/jupyterhub/templates/hub/netpol-singleuser.yaml
@@ -0,0 +1,35 @@
+{{- if and .Values.singleuser.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: singleuser-network-policy
+spec:
+  podSelector:
+    matchLabels:
+      app: jupyterhub
+      component: singleuser-server
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          hub.jupyter.org/network-access-singleuser: "true"
+    ports:
+    - protocol: TCP
+      port: 8888
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          name: hub
+          app: jupyterhub
+          component: hub
+    ports:
+    - protocol: TCP
+      port: 8081
+{{ if .Values.singleuser.networkPolicy.egress }}
+{{ toYaml .Values.singleuser.networkPolicy.egress | indent 2 }}
+{{- end }}
+{{- end }}
diff --git a/jupyterhub/templates/proxy/deployment.yaml b/jupyterhub/templates/proxy/deployment.yaml
@@ -25,6 +25,8 @@ spec:
         # required for kube-lego to work
         app: kube-lego
         {{- end }}
+        hub.jupyter.org/network-access-hub: "true"
+        hub.jupyter.org/network-access-singleuser: "true"
     spec:
       {{- if .Values.rbac.enabled }}
       serviceAccountName: proxy

diff --git a/jupyterhub/templates/proxy/netpol-proxy.yaml b/jupyterhub/templates/proxy/netpol-proxy.yaml
@@ -0,0 +1,49 @@
+{{- if and .Values.proxy.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: proxy-network-policy
+spec:
+  podSelector:
+    matchLabels:
+      name: proxy
+      component: proxy
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: 80
+    - protocol: TCP
+      port: 443
+    # kube-lego /healthz
+    - protocol: TCP
+      port: 8080
+    # nginx /healthz
+    - protocol: TCP
+      port: 10254
+  - from:
+    - podSelector:
+        matchLabels:
+          hub.jupyter.org/network-access-proxy-http: "true"
+    ports:
+      - protocol: TCP
+        port: 8000
+  - from:
+    - podSelector:
+        matchLabels:
+          hub.jupyter.org/network-access-proxy-api: "true"
+    ports:
+      - protocol: TCP
+        port: 8001
+  egress:
+  # The default is to allow all egress for proxy
+  # If you want to restrict it the following egress is required
+  # hub:8081
+  # singleuser:8888
+  # Kubernetes api-server
+{{- if .Values.proxy.networkPolicy.egress }}
+{{ toYaml .Values.proxy.networkPolicy.egress | indent 2 }}
+{{- end }}
+{{- end }}
diff --git a/jupyterhub/values.yaml b/jupyterhub/values.yaml
@@ -39,6 +39,12 @@ hub:
   imagePullPolicy: IfNotPresent
   pdb:
     enabled: true
+  networkPolicy:
+    enabled: false
+    egress:
+      - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
 
 rbac:
   enabled: true
@@ -97,6 +103,12 @@ proxy:
       key:
       cert:
     hosts: []
+  networkPolicy:
+    enabled: false
+    egress:
+      - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
 
 
 # Google OAuth secrets
@@ -122,6 +134,15 @@ singleuser:
   cloudMetadata:
     enabled: false
     ip: 169.254.169.254
+  networkPolicy:
+    enabled: false
+    egress:
+    # Required egress is handled by other rules so it's safe to modify this
+      - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+            except:
+              - 169.254.169.254/32
   extraLabels: {}
   extraEnv: {}
   lifecycleHooks: