Add network policies to enforce tenant isolation (#228)

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-01-27 18:18:41 +00:00 · 2024-07-22 23:32:54 +02:00
parent 5b39ced0a1
commit ceefae03e9
19 changed files with 165 additions and 18 deletions
--- a/packages/apps/kubernetes/Chart.yaml
+++ b/packages/apps/kubernetes/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.7.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml
+++ b/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml
@@ -14,6 +14,7 @@ spec:
    metadata:
      labels:
        app: {{ .Release.Name }}-cluster-autoscaler
+        policy.cozystack.io/allow-to-apiserver: "true"
    spec:
      tolerations:
        - key: CriticalAddonsOnly
--- a/packages/apps/kubernetes/templates/cluster.yaml
+++ b/packages/apps/kubernetes/templates/cluster.yaml
@@ -52,8 +52,6 @@ spec:
            emptyDisk:
              capacity: 20Gi
 {{- end }}
-
-
 ---
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: Cluster
@@ -108,6 +106,9 @@ spec:
      hostname: {{ .Values.host | default (printf "%s.%s" .Release.Name $host) }}:443
      className: "{{ $ingress }}"
  deployment:
+    podAdditionalMetadata:
+      labels:
+        policy.cozystack.io/allow-to-etcd: "true"
  replicas: 2
  version: 1.30.1
 ---
--- a/packages/apps/kubernetes/templates/csi/deploy.yaml
+++ b/packages/apps/kubernetes/templates/csi/deploy.yaml
@@ -13,6 +13,7 @@ spec:
    metadata:
      labels:
        app: {{ .Release.Name }}-kcsi-driver
+        policy.cozystack.io/allow-to-apiserver: "true"
    spec:
      serviceAccountName: {{ .Release.Name }}-kcsi
      priorityClassName: system-cluster-critical
--- a/packages/apps/kubernetes/templates/kccm/manager.yaml
+++ b/packages/apps/kubernetes/templates/kccm/manager.yaml
@@ -13,6 +13,7 @@ spec:
    metadata:
      labels:
        k8s-app: {{ .Release.Name }}-kccm
+        policy.cozystack.io/allow-to-apiserver: "true"
    spec:
      tolerations:
        - key: CriticalAddonsOnly
--- a/packages/apps/tenant/Chart.yaml
+++ b/packages/apps/tenant/Chart.yaml
@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg

 type: application
-version: 1.2.0
+version: 1.3.0
--- a/packages/apps/tenant/README.md
+++ b/packages/apps/tenant/README.md
@@ -56,3 +56,4 @@ tenant-u1
 | `etcd`       | Deploy own Etcd cluster                                                                                                     | `false` |
 | `monitoring` | Deploy own Monitoring Stack                                                                                                 | `false` |
 | `ingress`    | Deploy own Ingress Controller                                                                                               | `false` |
+| `isolated`   | Enforce tenant namespace with network policies                                                                              | `false` |
--- a/packages/apps/tenant/templates/networkpolicy.yaml
+++ b/packages/apps/tenant/templates/networkpolicy.yaml
@@ -0,0 +1,124 @@
+{{- if .Values.isolated }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-internal-communication
+  namespace: {{ include "tenant.name" . }}
+spec:
+  endpointSelector: {}
+  ingress:
+  - fromEndpoints:
+    - {}
+  egress:
+  - toEndpoints:
+    - {}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-external-communication
+  namespace: {{ include "tenant.name" . }}
+spec:
+  endpointSelector: {}
+  ingress:
+  - fromEntities:
+      - world
+  egress:
+  - toEntities:
+      - world
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-from-system
+  namespace: {{ include "tenant.name" . }}
+spec:
+  endpointSelector: {}
+  ingress:
+  - fromEntities:
+    - cluster
+---
+{{- if ne (include "tenant.name" .) "tenant-root" }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-from-upper-tenants
+  namespace: {{ include "tenant.name" . }}
+spec:
+  endpointSelector: {}
+  ingress:
+  - fromEndpoints:
+    - matchLabels:
+        "kubernetes.io/metadata.name": "tenant-root"
+    {{- if hasPrefix "tenant-" .Release.Namespace }}
+    {{- $parts := splitList "-" .Release.Namespace }}
+    {{- range $i, $v := $parts }}
+    {{- if ne $i 0 }}
+    - matchLabels:
+        "kubernetes.io/metadata.name": {{ join "-" (slice $parts 0 (add $i 1)) }}
+    {{- end }}
+    {{- end }}
+    {{- end }}
+{{- end }}
+---
+{{- if not .Values.etcd }}
+{{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-to-etcd
+  namespace: {{ include "tenant.name" . }}
+spec:
+  endpointSelector:
+    matchLabels:
+      policy.cozystack.io/allow-to-etcd: "true"
+  egress:
+  - toEndpoints:
+    - matchLabels:
+        io.kubernetes.pod.namespace: "{{ index $existingNS.metadata.annotations "namespace.cozystack.io/etcd" }}"
+        cozystack.io/service: etcd
+{{- end }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-to-apiserver
+  namespace: {{ include "tenant.name" . }}
+spec:
+  endpointSelector:
+    matchLabels:
+      policy.cozystack.io/allow-to-apiserver: "true"
+  egress:
+  - toEntities:
+    - kube-apiserver
+  - toPorts:
+    - ports:
+      - port: "6443"
+        protocol: TCP
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-to-dns
+  namespace: {{ include "tenant.name" . }}
+spec:
+  endpointSelector: {}
+  egress:
+  - toEndpoints:
+    - matchLabels:
+        io.kubernetes.pod.namespace: kube-system
+        k8s-app: kube-dns
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-to-ingress
+  namespace: {{ include "tenant.name" . }}
+spec:
+  endpointSelector: {}
+  egress:
+  - toEndpoints:
+    - matchLabels:
+        cozystack.io/service: ingress
+{{- end }}
--- a/packages/apps/tenant/values.schema.json
+++ b/packages/apps/tenant/values.schema.json
@@ -21,6 +21,11 @@
            "type": "boolean",
            "description": "Deploy own Ingress Controller",
            "default": false
+        },
+        "isolated": {
+            "type": "boolean",
+            "description": "Enforce tenant namespace with network policies",
+            "default": false
        }
    }
 }
--- a/packages/apps/tenant/values.yaml
+++ b/packages/apps/tenant/values.yaml
@@ -4,7 +4,9 @@
 ## @param etcd Deploy own Etcd cluster
 ## @param monitoring Deploy own Monitoring Stack
 ## @param ingress Deploy own Ingress Controller
+## @param isolated Enforce tenant namespace with network policies
 host: ""
 etcd: false
 monitoring: false
 ingress: false
+isolated: false
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -12,7 +12,8 @@ kubernetes 0.2.0 7cd7de73
 kubernetes 0.3.0 7caccec1
 kubernetes 0.4.0 6cae6ce8
 kubernetes 0.5.0 6bd2d455
-kubernetes 0.6.0 HEAD
+kubernetes 0.6.0 4cbc8a2c
+kubernetes 0.7.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 HEAD
@@ -33,7 +34,8 @@ tenant 0.1.4 d200480
 tenant 0.1.5 e3ab858
 tenant 1.0.0 7cd7de7
 tenant 1.1.0 4da8ac3b
-tenant 1.2.0 HEAD
+tenant 1.2.0 15478a88
+tenant 1.3.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 HEAD
--- a/packages/core/installer/images/cozystack.json
+++ b/packages/core/installer/images/cozystack.json
@@ -1,10 +1,10 @@
 {
-  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/ta5cc9q3mqtwjyuvg8fviqhe6",
+  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/kmszyuycqizad8cn86dl2ji9k",
  "containerimage.descriptor": {
    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
-    "digest": "sha256:bcaef325861d91b955f536bdd57ae3a6099d8657f081054a6dee3c027cfce97f",
+    "digest": "sha256:e46f725b379d363cce488c7c3ffc7b3de62af4c841c15f48cf035cc0b2007470",
    "size": 685
  },
-  "containerimage.digest": "sha256:bcaef325861d91b955f536bdd57ae3a6099d8657f081054a6dee3c027cfce97f",
-  "image.name": "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0"
+  "containerimage.digest": "sha256:e46f725b379d363cce488c7c3ffc7b3de62af4c841c15f48cf035cc0b2007470",
+  "image.name": "ghcr.io/aenix-io/cozystack/cozystack:latest"
 }
--- a/packages/core/installer/images/cozystack.tag
+++ b/packages/core/installer/images/cozystack.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:v0.9.0
+ghcr.io/aenix-io/cozystack/cozystack:latest
--- a/packages/core/platform/templates/namespaces.yaml
+++ b/packages/core/platform/templates/namespaces.yaml
@@ -15,6 +15,7 @@
 {{- end }}

 {{/* Add extra namespaces */}}
+{{- $_ := set $namespaces "cozy-system" true }}
 {{- $_ := set $namespaces "cozy-public" false }}

 {{- range $namespace, $privileged := $namespaces }}
@@ -24,9 +25,10 @@ kind: Namespace
 metadata:
  annotations:
    "helm.sh/resource-policy": keep
-  {{- if $privileged }}
  labels:
+    cozystack.io/system: "true"
+    {{- if $privileged }}
    pod-security.kubernetes.io/enforce: privileged
-  {{- end }}
+    {{- end }}
  name: {{ $namespace }}
 {{- end }}
--- a/packages/extra/etcd/Chart.yaml
+++ b/packages/extra/etcd/Chart.yaml
@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: /logos/etcd.svg
 type: application
-version: 2.1.0
+version: 2.2.0
--- a/packages/extra/etcd/templates/etcd-cluster.yaml
+++ b/packages/extra/etcd/templates/etcd-cluster.yaml
@@ -33,6 +33,9 @@ spec:
      clientTrustedCASecret: etcd-ca-tls
      clientSecret: etcd-client-tls
  podTemplate:
+    metadata:
+      labels:
+        cozystack.io/service: etcd
    spec:
      topologySpreadConstraints:
      - maxSkew: 1
@@ -41,6 +44,7 @@ spec:
        labelSelector:
          matchLabels:
            app.kubernetes.io/instance: etcd
+  podDisruptionBudgetTemplate: {}
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
--- a/packages/extra/ingress/Chart.yaml
+++ b/packages/extra/ingress/Chart.yaml
@@ -3,4 +3,4 @@ name: ingress
 description: NGINX Ingress Controller
 icon: /logos/ingress-nginx.svg
 type: application
-version: 1.3.0
+version: 1.2.0
--- a/packages/extra/ingress/templates/nginx-ingress.yaml
+++ b/packages/extra/ingress/templates/nginx-ingress.yaml
@@ -23,6 +23,9 @@ spec:
        ingressClassResource:
          name: {{ .Release.Namespace }}
          controllerValue: k8s.io/ingress-nginx-{{ .Release.Namespace }}
+        podLabels:
+          cozystack.io/service: ingress
+          policy.cozystack.io/allow-to-apiserver: "true"
        {{- if not (eq .Release.Namespace "tenant-root") }}
        admissionWebhooks:
          enabled: false
--- a/packages/extra/versions_map
+++ b/packages/extra/versions_map
@@ -1,11 +1,11 @@
 etcd 1.0.0 f7eaab0
 etcd 2.0.0 a6d0f7cf
 etcd 2.0.1 6fc1cc7d
-etcd 2.1.0 HEAD
+etcd 2.1.0 2b00fcf8
+etcd 2.2.0 HEAD
 ingress 1.0.0 f642698
 ingress 1.1.0 838bee5d
-ingress 1.2.0 07d666c0
-ingress 1.3.0 HEAD
+ingress 1.2.0 HEAD
 monitoring 1.0.0 f642698
 monitoring 1.1.0 15478a88
 monitoring 1.2.0 HEAD