Initial network Policies for hub proxy singleuser #546

Merged (6 commits), Mar 19, 2018
5 changes: 2 additions & 3 deletions jupyterhub/templates/hub/configmap.yaml
@@ -170,11 +170,10 @@ data:
{{ if .Values.singleuser.cpu.guarantee -}}
singleuser.cpu.guarantee: {{ .Values.singleuser.cpu.guarantee | quote}}
{{- end }}
{{ if .Values.singleuser.extraLabels -}}
singleuser.extra-labels: |
{{ range $key, $value := .Values.singleuser.extraLabels -}}
hub.jupyter.org/network-access-hub: "true"
{{ range $key, $value := .Values.singleuser.extraLabels -}}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{ if .Values.singleuser.extraEnv -}}
singleuser.extra-env: |
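Review bot: the new `hub.jupyter.org/network-access-hub: "true"` label sits inside the `{{ if .Values.singleuser.extraLabels -}}` guard, so with the chart default `extraLabels: {}` (see the values.yaml hunk below) the whole `singleuser.extra-labels` key is skipped and single-user pods never get the label; once `hub.networkPolicy.enabled` is turned on, netpol-hub.yaml then drops their traffic to the hub on 8081. Emit `singleuser.extra-labels: |` and the fixed label unconditionally, and only wrap the `range` over `extraLabels` in the conditional.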
3 changes: 3 additions & 0 deletions jupyterhub/templates/hub/deployment.yaml
@@ -25,6 +25,9 @@ spec:
component: hub
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
hub.jupyter.org/network-access-proxy-api: "true"
hub.jupyter.org/network-access-proxy-http: "true"
hub.jupyter.org/network-access-singleuser: "true"
{{ if .Values.hub.labels -}}
# Because toYaml + indent is super flaky
{{ range $key, $value := .Values.proxy.labels -}}
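Review bot: the hub's own egress in netpol-hub.yaml only opens proxy port 8001, so `hub.jupyter.org/network-access-proxy-http: "true"` here grants the hub proxy-side ingress on 8000 that it can never use; drop it so the label set and the egress rules say the same thing. While editing this block, the unchanged context `{{ if .Values.hub.labels -}}` guarding `range ... .Values.proxy.labels` looks like a copy-paste mismatch in the hub template and is worth a fix in the same PR.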
49 changes: 49 additions & 0 deletions jupyterhub/templates/hub/netpol-hub.yaml
@@ -0,0 +1,49 @@
{{- if and .Values.hub.networkPolicy.enabled }}
Member (inline comment on the line above):
Spot-checking this PR from the fuuuture.

What does {{- if and <XXX> }} accomplish? To the untrained eye it seems like this is a typo, or is there a particular use for "if and" in the context of jinja?

Member (reply):
(nb. these aren't jinja templates but go templates)

Collaborator (reply):
Pretty sure it's a typo that's Mostly Harmless(tm).

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: hub-network-policy
spec:
podSelector:
matchLabels:
name: hub
app: jupyterhub
component: hub
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
hub.jupyter.org/network-access-hub: "true"
ports:
- protocol: TCP
port: 8081
egress:
- to:
- podSelector:
matchLabels:
name: proxy
component: proxy
ports:
- protocol: TCP
port: 8001
- to:
- podSelector:
matchLabels:
app: jupyterhub
component: singleuser-server
ports:
- protocol: TCP
port: 8888
- ports:
# Kubernetes api-server
- protocol: TCP
port: 443
- protocol: TCP
port: 6443
{{ if .Values.hub.networkPolicy.egress }}
{{ toYaml .Values.hub.networkPolicy.egress | indent 2 }}
{{- end }}
{{- end }}
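Review bot: with `Egress` in `policyTypes` and no rule for port 53, the hub loses DNS the moment this policy is enabled; the egress rules select the proxy and single-user pods by label, but the hub connects to them through their Services, which needs a lookup against the cluster DNS pods first, so add an egress entry for UDP/TCP 53 (or document that `hub.networkPolicy.egress` must carry it). The final rule commented `# Kubernetes api-server` has no `to:` and therefore allows TCP 443 and 6443 to any destination, far wider than the comment says; either narrow it with an `ipBlock` for the API server or reword the comment. Line 1's `{{- if and .Values.hub.networkPolicy.enabled }}` is the single-argument `and` raised in the thread above and behaves like a plain `if`; remove the `and`.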
45 changes: 45 additions & 0 deletions jupyterhub/templates/hub/netpol-singleuser.yaml
@@ -0,0 +1,45 @@
{{- if and .Values.singleuser.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: singleuser-network-policy
spec:
podSelector:
matchLabels:
app: jupyterhub
component: singleuser-server
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
hub.jupyter.org/network-access-singleuser: "true"
ports:
- protocol: TCP
port: 8888
egress:
- to:
- podSelector:
matchLabels:
name: hub
app: jupyterhub
component: hub
ports:
- protocol: TCP
port: 8081
- to:
- podSelector:
matchLabels:
name: proxy
Member (inline comment on the line above):
Single-user servers do not need egress to the proxy, I think, since all connections will be initiated by the proxy.

component: proxy
ports:
- protocol: TCP
port: 8000
- protocol: TCP
port: 8001
{{ if .Values.singleuser.networkPolicy.egress }}
{{ toYaml .Values.singleuser.networkPolicy.egress | indent 2 }}
{{- end }}
{{- end }}
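Review bot: the egress rule to the proxy on 8000/8001 should be removed, as the inline comment above says: the proxy initiates every connection to a user server, and netpol-proxy.yaml only admits 8001 from pods labelled `hub.jupyter.org/network-access-proxy-api`, which user pods do not carry, so the rule is unneeded and half-dead while still reading as if user servers may talk to the proxy's configuration API. The same DNS gap as netpol-hub.yaml applies here: `policyTypes` includes `Egress` and nothing permits port 53, so a user server cannot resolve the hub Service to use the 8081 rule unless `singleuser.networkPolicy.egress` happens to cover it. Line 1 repeats the `if and` typo.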
2 changes: 2 additions & 0 deletions jupyterhub/templates/proxy/deployment.yaml
@@ -31,6 +31,8 @@ spec:
# required for kube-lego to work
app: kube-lego
{{- end }}
hub.jupyter.org/network-access-hub: "true"
hub.jupyter.org/network-access-singleuser: "true"
spec:
{{- if .Values.rbac.enabled }}
serviceAccountName: proxy
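Review bot: the label scheme this PR introduces (`hub.jupyter.org/network-access-hub`, `-singleuser`, `-proxy-http`, `-proxy-api`) is not documented anywhere in the diff; an operator who runs an extra pod that must reach the hub or the proxy, for example a custom service, has to read the templates to find out which label to set, so add a comment in values.yaml or a docs entry before these policies default to enabled. The two labels added here match the proxy egress in netpol-proxy.yaml (hub 8081, single-user 8888), so no change is needed to the labels themselves.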
67 changes: 67 additions & 0 deletions jupyterhub/templates/proxy/netpol-proxy.yaml
@@ -0,0 +1,67 @@
{{- if and .Values.proxy.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: proxy-network-policy
spec:
podSelector:
matchLabels:
name: proxy
component: proxy
policyTypes:
- Ingress
- Egress
ingress:
- ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
# kube-lego /healthz
- protocol: TCP
port: 8080
# nginx /healthz
- protocol: TCP
port: 10254
- from:
- podSelector:
matchLabels:
hub.jupyter.org/network-access-proxy-http: "true"
ports:
- protocol: TCP
port: 8000
- from:
- podSelector:
matchLabels:
hub.jupyter.org/network-access-proxy-api: "true"
ports:
- protocol: TCP
port: 8001
egress:
- to:
- podSelector:
matchLabels:
name: hub
app: jupyterhub
component: hub
ports:
- protocol: TCP
port: 8081
- to:
- podSelector:
matchLabels:
app: jupyterhub
component: singleuser-server
ports:
- protocol: TCP
port: 8888
- ports:
# Kubernetes api-server
- protocol: TCP
port: 443
- protocol: TCP
port: 6443
{{- if .Values.proxy.networkPolicy.egress }}
{{ toYaml .Values.proxy.networkPolicy.egress | indent 2 }}
{{- end }}
{{- end }}
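Review bot: the first ingress rule has no `from:`, so besides the intended public 80/443 it also exposes the kube-lego and nginx `/healthz` ports 8080 and 10254 to every pod and every external source; if those only need to be reachable by the kubelet or the ingress controller, split them into a rule with a source restriction. As in netpol-hub.yaml, the `# Kubernetes api-server` egress has no `to:` and permits TCP 443/6443 anywhere, and there is no port 53 rule even though the proxy must resolve the hub Service. Minor: this file uses `{{- if .Values.proxy.networkPolicy.egress }}` where the other two netpol templates use `{{ if`, which trims the preceding newline differently; pick one form for all three.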
25 changes: 25 additions & 0 deletions jupyterhub/values.yaml
@@ -39,6 +39,13 @@ hub:
imagePullPolicy: IfNotPresent
pdb:
enabled: true
networkPolicy:
enabled: false
egress:
# The following can be removed unless external auth is used
- to:
- ipBlock:
cidr: 0.0.0.0/0

rbac:
enabled: true
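Review bot: the default `hub.networkPolicy.egress` entry with `cidr: 0.0.0.0/0` allows egress to every address, so enabling the hub policy restricts nothing on the egress side until the operator edits this list; since the comment says it is only needed for external auth, either ship the list empty and document the rule an external authenticator needs, or at least add `except: [169.254.169.254/32]` as the singleuser default below does so the hub cannot reach the cloud metadata endpoint.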
@@ -97,6 +104,15 @@ proxy:
key:
cert:
hosts: []
networkPolicy:
enabled: false
egress:
# May be required for lets-encrypt? Otherwise should be safe to disable
- ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443


# Google OAuth secrets
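Review bot: the question in `# May be required for lets-encrypt? Otherwise should be safe to disable` should be settled before this default ships; netpol-proxy.yaml already allows TCP 443 to anywhere, so this entry only adds port 80, and the comment should name the component that actually needs it so operators know whether they may remove it.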
@@ -122,6 +138,15 @@ singleuser:
cloudMetadata:
enabled: false
ip: 169.254.169.254
networkPolicy:
enabled: false
egress:
# Required egress is handled by other rules so it's safe to modify this
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 169.254.169.254/32
extraLabels: {}
extraEnv: {}
lifecycleHooks:
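Review bot: `except: - 169.254.169.254/32` duplicates `cloudMetadata.ip` a few lines above and the two will drift if one is changed; either render the exception from that value in the template or state in the comment that they must match. Also, `0.0.0.0/0` as the default means user servers get unrestricted internet egress (minus the metadata endpoint) as soon as the policy is enabled, which is a fair starting point, but the comment `Required egress is handled by other rules` should say it means the hub rule in netpol-singleuser.yaml, so an operator replacing this list with an allow-list knows what stays covered.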