diff --git a/jupyterhub/templates/hub/configmap.yaml b/jupyterhub/templates/hub/configmap.yaml
index be922dd551..43fdb13abf 100644
--- a/jupyterhub/templates/hub/configmap.yaml
+++ b/jupyterhub/templates/hub/configmap.yaml
@@ -173,11 +173,10 @@ data:
 {{ if .Values.singleuser.cpu.guarantee -}}
 singleuser.cpu.guarantee: {{ .Values.singleuser.cpu.guarantee | quote}}
 {{- end }}
- {{ if .Values.singleuser.extraLabels -}}
 singleuser.extra-labels: |
- {{ range $key, $value := .Values.singleuser.extraLabels -}}
+ hub.jupyter.org/network-access-hub: "true"
+ {{ range $key, $value := .Values.singleuser.extraLabels -}}
 {{ $key | quote }}: {{ $value | quote }}
- {{- end }}
 {{- end }}
 {{ if .Values.singleuser.extraEnv -}}
 singleuser.extra-env: |
diff --git a/jupyterhub/templates/hub/deployment.yaml b/jupyterhub/templates/hub/deployment.yaml
index 29e070cbac..3e47184ef8 100644
--- a/jupyterhub/templates/hub/deployment.yaml
+++ b/jupyterhub/templates/hub/deployment.yaml
@@ -12,6 +12,9 @@ spec:
 component: hub
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
+ hub.jupyter.org/network-access-proxy-api: "true"
+ hub.jupyter.org/network-access-proxy-http: "true"
+ hub.jupyter.org/network-access-singleuser: "true"
 {{ if .Values.hub.labels -}}
 # Because toYaml + indent is super flaky
 {{ range $key, $value := .Values.proxy.labels -}}
diff --git a/jupyterhub/templates/hub/netpol-hub.yaml b/jupyterhub/templates/hub/netpol-hub.yaml
new file mode 100644
index 0000000000..4ede374e44
--- /dev/null
+++ b/jupyterhub/templates/hub/netpol-hub.yaml
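Review bot: In the configmap.yaml hunk, `hub.jupyter.org/network-access-hub: "true"` is now written unconditionally into the `singleuser.extra-labels` block scalar with no comment saying why, although the coupling matters to anyone who later edits `singleuser.extraLabels`. A template comment such as `# always set: netpol-hub.yaml admits ingress to hub:8081 only from pods carrying this label` would make the dependency visible. Because the user-supplied `extraLabels` are ranged after this line, a user key with the same name produces a duplicate key in the rendered block and which value wins depends on the loader that parses it; a short warning against overriding the key would help.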
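Review bot: In the hub/deployment.yaml hunk the three new `hub.jupyter.org/network-access-*` labels are what open the proxy's 8001 and 8000 rules and the singleuser 8888 rule to the hub pod, but nothing on the lines says so; a comment like `# Grants this pod ingress through the proxy and singleuser NetworkPolicies (netpol-*.yaml)` would help, and the same applies to the two labels added in the proxy/deployment.yaml hunk. `network-access-proxy-http` additionally admits the hub to proxy port 8000; if the hub only needs the proxy API on 8001, dropping that label keeps the grant minimal — worth confirming. Separately, the context lines directly below the insertion guard on `.Values.hub.labels` but range over `.Values.proxy.labels`; that mismatch predates this commit but deserves a follow-up.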
@@ -0,0 +1,32 @@
+{{- if and .Values.hub.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: hub-network-policy
+spec:
+ podSelector:
+ matchLabels:
+ name: hub
+ app: jupyterhub
+ component: hub
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ hub.jupyter.org/network-access-hub: "true"
+ ports:
+ - protocol: TCP
+ port: 8081
+ egress:
+ # The default is to allow all egress for hub
+ # If you want to restrict it the following egress is required
+ # proxy:8001
+ # singleuser:8888
+ # Kubernetes api-server
+{{ if .Values.hub.networkPolicy.egress }}
+{{ toYaml .Values.hub.networkPolicy.egress | indent 2 }}
+{{- end }}
+{{- end }}
diff --git a/jupyterhub/templates/hub/netpol-singleuser.yaml b/jupyterhub/templates/hub/netpol-singleuser.yaml
new file mode 100644
index 0000000000..f885c22323
--- /dev/null
+++ b/jupyterhub/templates/hub/netpol-singleuser.yaml
@@ -0,0 +1,35 @@
+{{- if and .Values.singleuser.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: singleuser-network-policy
+spec:
+ podSelector:
+ matchLabels:
+ app: jupyterhub
+ component: singleuser-server
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ hub.jupyter.org/network-access-singleuser: "true"
+ ports:
+ - protocol: TCP
+ port: 8888
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: hub
+ app: jupyterhub
+ component: hub
+ ports:
+ - protocol: TCP
+ port: 8081
+{{ if .Values.singleuser.networkPolicy.egress }}
+{{ toYaml .Values.singleuser.networkPolicy.egress | indent 2 }}
+{{- end }}
+{{- end }}
diff --git a/jupyterhub/templates/proxy/deployment.yaml b/jupyterhub/templates/proxy/deployment.yaml
index e23ad82e34..d011f8fb36 100644
--- a/jupyterhub/templates/proxy/deployment.yaml
+++ b/jupyterhub/templates/proxy/deployment.yaml
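Review bot: In netpol-hub.yaml the ingress `from` podSelector matches on `hub.jupyter.org/network-access-hub: "true"` alone and not on `release: {{ .Release.Name }}`, so where several releases of the chart share a namespace, every release's proxy and user pods can reach every hub on 8081; scoping the selector to the release (which also requires putting the release label on user pods, e.g. through `singleuser.extra-labels`) would keep the policies per-release, and the same applies to netpol-singleuser.yaml and netpol-proxy.yaml. The `podSelector` requires `name: hub`, which the hub/deployment.yaml hunk above does not show on the pod template; if that label is absent the policy selects no pods and enforces nothing, so it is worth verifying. The egress comment lists proxy:8001, singleuser:8888 and the API server but not kube-dns on port 53 (UDP and TCP), which any restricted egress list also needs; add `# kube-dns:53 (UDP and TCP)` here and in netpol-proxy.yaml. Style: `{{- if and .Values.hub.networkPolicy.enabled }}` applies `and` to a single operand, which is a no-op — `{{- if .Values.hub.networkPolicy.enabled }}` reads as intended (same in the other two netpol templates).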
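Review bot: In netpol-singleuser.yaml the `egress` section has no explanatory comment, unlike netpol-hub.yaml and netpol-proxy.yaml, so a reader cannot tell that hub:8081 is the only rule the template guarantees and that everything else — including kube-dns on port 53, without which user pods cannot resolve names — must come from `singleuser.networkPolicy.egress`; a comment such as `# hub:8081 is always allowed; DNS (kube-dns:53) and any other destination must be listed in singleuser.networkPolicy.egress` would close that gap. The `podSelector` relies on `app: jupyterhub` and `component: singleuser-server`, labels placed on user pods by the spawner rather than by this chart's templates; if its defaults differ, the policy silently selects nothing, so a confirming comment or test is worthwhile. The closing `{{ if .Values.singleuser.networkPolicy.egress }}` keeps the preceding newline while netpol-proxy.yaml uses `{{- if`, so the three templates render slightly differently; pick one form.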
@@ -25,6 +25,8 @@ spec:
 # required for kube-lego to work
 app: kube-lego
 {{- end }}
+ hub.jupyter.org/network-access-hub: "true"
+ hub.jupyter.org/network-access-singleuser: "true"
 spec:
 {{- if .Values.rbac.enabled }}
 serviceAccountName: proxy
diff --git a/jupyterhub/templates/proxy/netpol-proxy.yaml b/jupyterhub/templates/proxy/netpol-proxy.yaml
new file mode 100644
index 0000000000..518f3ad5ae
--- /dev/null
+++ b/jupyterhub/templates/proxy/netpol-proxy.yaml
@@ -0,0 +1,49 @@
+{{- if and .Values.proxy.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: proxy-network-policy
+spec:
+ podSelector:
+ matchLabels:
+ name: proxy
+ component: proxy
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 80
+ - protocol: TCP
+ port: 443
+ # kube-lego /healthz
+ - protocol: TCP
+ port: 8080
+ # nginx /healthz
+ - protocol: TCP
+ port: 10254
+ - from:
+ - podSelector:
+ matchLabels:
+ hub.jupyter.org/network-access-proxy-http: "true"
+ ports:
+ - protocol: TCP
+ port: 8000
+ - from:
+ - podSelector:
+ matchLabels:
+ hub.jupyter.org/network-access-proxy-api: "true"
+ ports:
+ - protocol: TCP
+ port: 8001
+ egress:
+ # The default is to allow all egress for proxy
+ # If you want to restrict it the following egress is required
+ # hub:8081
+ # singleuser:8888
+ # Kubernetes api-server
+{{- if .Values.proxy.networkPolicy.egress }}
+{{ toYaml .Values.proxy.networkPolicy.egress | indent 2 }}
+{{- end }}
+{{- end }}
diff --git a/jupyterhub/values.yaml b/jupyterhub/values.yaml
index dc94d2d8fe..2c9f786bb7 100644
--- a/jupyterhub/values.yaml
+++ b/jupyterhub/values.yaml
@@ -39,6 +39,12 @@ hub:
 imagePullPolicy: IfNotPresent
 pdb:
 enabled: true
+ networkPolicy:
+ enabled: false
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
 rbac:
 enabled: true
@@ -97,6 +103,12 @@ proxy:
 key:
 cert:
 hosts: []
+ networkPolicy:
+ enabled: false
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
 # Google OAuth secrets
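Review bot: In netpol-proxy.yaml the first ingress rule has `ports` but no `from`, so ports 80, 443, 8080 and 10254 accept traffic from any source — other pods in the cluster as well as the load balancer path — while only 8000 and 8001 are label-gated. An open rule is unavoidable for external traffic to 80/443, but it also exposes the kube-lego and nginx `/healthz` ports cluster-wide; a comment stating that the unrestricted rule is deliberate, plus a check whether anything other than the kubelet's probes needs 8080/10254, would help (and if kube-lego and nginx run in a different pod from the proxy, those two ports do not belong in this policy at all). The `podSelector` here is `name: proxy` plus `component: proxy` without the `app: jupyterhub` key netpol-hub.yaml uses; adding it keeps the two policies consistent and narrows which pods the policy attaches to.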
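Review bot: In the two values.yaml hunks (`hub.networkPolicy` and `proxy.networkPolicy`) the new keys carry no comments, so a reader sees `enabled: false` and an `ipBlock` of `0.0.0.0/0` without learning that the policies only take effect when the cluster's network plugin enforces NetworkPolicy, or that the default egress is deliberately wide open. Suggest `# NetworkPolicy objects have no effect unless the cluster network plugin enforces them` above `enabled:` and `# Allows all egress by default; narrow it to the real dependencies (see the egress comment in the matching netpol template)` above `egress:`. The Kubernetes documentation also positions `ipBlock` for cluster-external addresses, so whether a `0.0.0.0/0` rule matches pod-to-pod traffic (hub → proxy, hub → user pods) on every supported plugin is worth confirming; a podSelector-based default would be the more portable choice if it does not.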
@@ -122,6 +134,15 @@ singleuser:
 cloudMetadata:
 enabled: false
 ip: 169.254.169.254
+ networkPolicy:
+ enabled: false
+ egress:
+ # Required egress is handled by other rules so it's safe to modify this
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 169.254.169.254/32
 extraLabels: {}
 extraEnv: {}
 lifecycleHooks:
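Review bot: In the singleuser.networkPolicy hunk of values.yaml the comment `# Required egress is handled by other rules so it's safe to modify this` overstates what the template guarantees: netpol-singleuser.yaml only bakes in hub:8081, so replacing this list without keeping DNS (kube-dns:53) leaves user pods unable to resolve names. Suggest `# The template always allows hub:8081; anything else, including kube-dns:53, must stay listed here`. The `except: 169.254.169.254/32` entry repeats the value of `cloudMetadata.ip` three lines above with nothing tying them together; add `# Keep in sync with singleuser.cloudMetadata.ip` so a change to one is not missed on the other. Note that this exclusion only applies once `networkPolicy.enabled` is switched on, which the new default does not do.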