diff --git a/charts/sourcegraph/CHANGELOG.md b/charts/sourcegraph/CHANGELOG.md index a9470df5..afbb0970 100644 --- a/charts/sourcegraph/CHANGELOG.md +++ b/charts/sourcegraph/CHANGELOG.md @@ -8,6 +8,7 @@ Use `**BREAKING**:` to denote a breaking change ## Unreleased +- Added optional NetworkPolicies to block Executor access to Sourcegraph backend pods - Added livenessProbe to zoekt-webserver in indexed-search to detect and restart hung pods - Fix Pod Disruption Budget for sourcegraph-frontend - Added a startup probe to the gitserver statefulset to give it time to run the on-disk migration from repo names to repo IDs diff --git a/charts/sourcegraph/README.md b/charts/sourcegraph/README.md index 6d7cc78a..565afb5b 100644 --- a/charts/sourcegraph/README.md +++ b/charts/sourcegraph/README.md 
@@ -199,6 +199,8 @@ In addition to the documented values, all services also support the following va
 | migrator.image.defaultTag | string | `"6.0.0@sha256:ec295eb0b743da6bf56777ca6524972267a5c442b0288095e2fe12fce38ebacc"` | Docker image tag for the `migrator` image |
 | migrator.image.name | string | `"migrator"` | Docker image name for the `migrator` image |
 | migrator.resources | object | `{"limits":{"cpu":"500m","memory":"100M"},"requests":{"cpu":"100m","memory":"50M"}}` | Resource requests & limits for the `migrator` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
+| networkPolicy.executor.allowOtherNamespacesToReachBackendPods | bool | `false` | Allow non-executor pods from other namespaces to reach Sourcegraph backend pods |
+| networkPolicy.executor.enabled | bool | `false` | Enable NetworkPolicies to block Executor access to Sourcegraph backend pods |
 | nodeExporter.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsUser":65534}` | Security context for the `node-exporter` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
 | nodeExporter.enabled | bool | `true` | Enable `node-exporter` |
 | nodeExporter.extraArgs | list | `[]` | |
diff --git a/charts/sourcegraph/templates/network-policy/executor.NetworkPolicy.yaml b/charts/sourcegraph/templates/network-policy/executor.NetworkPolicy.yaml
new file mode 100644
index 00000000..fdda24a7
--- /dev/null
+++ b/charts/sourcegraph/templates/network-policy/executor.NetworkPolicy.yaml
@@ -0,0 +1,60 @@ +{{- if .Values.networkPolicy.executor.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "sourcegraph.name" . }}-pods-block-executors + labels: + {{- include "sourcegraph.labels" . | nindent 4 }} + deploy: sourcegraph + app.kubernetes.io/component: network-policy +spec: + podSelector: + matchLabels: + {{- include "sourcegraph.selectorLabels" . | nindent 6 }} + matchExpressions: + - key: app.kubernetes.io/component + operator: NotIn + values: + - executor + - key: sourcegraph/job-id + operator: DoesNotExist + - key: sourcegraph/run-id + operator: DoesNotExist + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: NotIn + values: + - executor + - key: sourcegraph/job-id + operator: DoesNotExist + - key: sourcegraph/run-id + operator: DoesNotExist + {{- if .Values.networkPolicy.executor.allowOtherNamespacesToReachBackendPods }} + namespaceSelector: {} + {{- end }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "sourcegraph.name" . }}-frontend-allow-http-from-anywhere + labels: + {{- include "sourcegraph.labels" . | nindent 4 }} + deploy: sourcegraph + app.kubernetes.io/component: network-policy +spec: + podSelector: + matchLabels: + {{- include "sourcegraph.selectorLabels" . | nindent 6 }} + app: sourcegraph-frontend + policyTypes: + - Ingress + ingress: + - ports: + - protocol: TCP + port: http +{{- end }} diff --git a/charts/sourcegraph/tests/networkPolicy_test.yaml b/charts/sourcegraph/tests/networkPolicy_test.yaml new file mode 100644 index 00000000..7eda31c8 --- /dev/null +++ b/charts/sourcegraph/tests/networkPolicy_test.yaml 
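Review bot: The `-pods-block-executors` policy in the first document is deny-by-exclusion, so it only cuts off peers that actually carry `app.kubernetes.io/component=executor` or a `sourcegraph/job-id`/`sourcegraph/run-id` label; a job pod an executor launches without those labels, or any unrelated pod in the namespace, still reaches the selected backend pods on every port (the `from` rule has no `ports`), and on a CNI that does not implement NetworkPolicy the object is a silent no-op. That trust assumption belongs in the template, e.g. a header comment above the first `apiVersion`: `# Deny-by-exclusion: only peers labelled app.kubernetes.io/component=executor or carrying sourcegraph/job-id / sourcegraph/run-id are blocked; unlabelled pods in the namespace are still allowed. Enforced only where the CNI implements NetworkPolicy.` A positive allow-list keyed on the chart's own component labels, plus a matching Egress policy on executor pods, would make the boundary hold regardless of how job pods get labelled. Also worth documenting: with `allowOtherNamespacesToReachBackendPods` at its default `false` the `from` entry has no `namespaceSelector`, so all cross-namespace ingress to the backend pods is dropped, not just executor traffic, the frontend `http` port in the second document being the only exception.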
@@ -0,0 +1,48 @@ +suite: networkPolicy +templates: + - network-policy/executor.NetworkPolicy.yaml +tests: + - it: should not render executor NetworkPolicies by default + asserts: + - hasDocuments: + count: 0 + + - it: should render executor NetworkPolicies when enabled + set: + networkPolicy: + executor: + enabled: true + asserts: + - hasDocuments: + count: 2 + - equal: + path: metadata.name + value: sourcegraph-pods-block-executors + documentIndex: 0 + - equal: + path: metadata.name + value: sourcegraph-frontend-allow-http-from-anywhere + documentIndex: 1 + - equal: + path: spec.policyTypes[0] + value: Ingress + documentIndex: 0 + - equal: + path: spec.ingress[0].ports[0].port + value: http + documentIndex: 1 + - notExists: + path: spec.ingress[0].from[0].namespaceSelector + documentIndex: 0 + + - it: should allow matching pods from every namespace when configured + set: + networkPolicy: + executor: + enabled: true + allowOtherNamespacesToReachBackendPods: true + asserts: + - equal: + path: spec.ingress[0].from[0].namespaceSelector + value: {} + documentIndex: 0 diff --git a/charts/sourcegraph/values.yaml b/charts/sourcegraph/values.yaml index aa3a04c4..cb3959cc 100644 --- a/charts/sourcegraph/values.yaml +++ b/charts/sourcegraph/values.yaml @@ -43,6 +43,13 @@ sourcegraph: # -- Disable the creation of Kubernetes secrets objects disableKubernetesSecrets: false +networkPolicy: + executor: + # -- Enable NetworkPolicies to block Executor access to Sourcegraph backend pods + enabled: false + # -- Allow non-executor pods from other namespaces to reach Sourcegraph backend pods + allowOtherNamespacesToReachBackendPods: false + # Generic application configuration options, used by most applications below # app: # Generally matches directory name # replicaCount: 1
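Review bot: The `should render executor NetworkPolicies when enabled` case never asserts the selectors that carry the security property — neither `spec.podSelector.matchExpressions` nor `spec.ingress[0].from[0].podSelector.matchExpressions` of document 0 is checked, so a regression that drops the `executor` exclusion or either `DoesNotExist` entry would still pass. Add asserts such as `- equal: {path: spec.ingress[0].from[0].podSelector.matchExpressions[0].values[0], value: executor}` with `documentIndex: 0`, and `- lengthEqual: {path: spec.ingress[0].from[0].podSelector.matchExpressions, count: 3}` (if the helm-unittest in use supports `lengthEqual`), mirrored for `spec.podSelector.matchExpressions`. For document 1 it would also help to assert that `spec.ingress[0].from` does not exist, pinning the intended "from anywhere" semantics of the frontend rule rather than only its port name.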
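Review bot: The helm-docs comment on `networkPolicy.executor.enabled` reads as if switching it on guarantees isolation, but the policies it gates are enforced only on clusters whose CNI implements NetworkPolicy and, judging by the template this value enables, only against pods that carry the executor/job labels. Suggest: `# -- Enable NetworkPolicies to block Executor access to Sourcegraph backend pods. Only enforced where the CNI implements NetworkPolicy; blocks pods labelled as executors or executor jobs, not arbitrary pods in the namespace.` The comment on `allowOtherNamespacesToReachBackendPods` should likewise say that at `false` all cross-namespace ingress to the backend pods is dropped (not only executor traffic), since that is what operators running monitoring or an ingress controller in another namespace will hit.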