Add network policies

charts/sourcegraph/CHANGELOG.md

@@ -8,6 +8,7 @@ Use `**BREAKING**:` to denote a breaking change
 
 ## Unreleased
 
+- Added optional NetworkPolicies to block Executor access to Sourcegraph backend pods
 - Added livenessProbe to zoekt-webserver in indexed-search to detect and restart hung pods
 - Fix Pod Disruption Budget for sourcegraph-frontend
 - Added a startup probe to the gitserver statefulset to give it time to run the on-disk migration from repo names to repo IDs

charts/sourcegraph/README.md

@@ -199,6 +199,8 @@ In addition to the documented values, all services also support the following va
 | migrator.image.defaultTag | string | `"6.0.0@sha256:ec295eb0b743da6bf56777ca6524972267a5c442b0288095e2fe12fce38ebacc"` | Docker image tag for the `migrator` image |
 | migrator.image.name | string | `"migrator"` | Docker image name for the `migrator` image |
 | migrator.resources | object | `{"limits":{"cpu":"500m","memory":"100M"},"requests":{"cpu":"100m","memory":"50M"}}` | Resource requests & limits for the `migrator` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
+| networkPolicy.executor.allowOtherNamespacesToReachBackendPods | bool | `false` | Allow non-executor pods from other namespaces to reach Sourcegraph backend pods |
+| networkPolicy.executor.enabled | bool | `false` | Enable NetworkPolicies to block Executor access to Sourcegraph backend pods |
 | nodeExporter.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsUser":65534}` | Security context for the `node-exporter` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
 | nodeExporter.enabled | bool | `true` | Enable `node-exporter` |
 | nodeExporter.extraArgs | list | `[]` |  |

charts/sourcegraph/templates/network-policy/executor.NetworkPolicy.yaml

@@ -0,0 +1,60 @@
+{{- if .Values.networkPolicy.executor.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "sourcegraph.name" . }}-pods-block-executors
+  labels:
+    {{- include "sourcegraph.labels" . | nindent 4 }}
+    deploy: sourcegraph
+    app.kubernetes.io/component: network-policy
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "sourcegraph.selectorLabels" . | nindent 6 }}
+    matchExpressions:
+      - key: app.kubernetes.io/component
+        operator: NotIn
+        values:
+          - executor
+      - key: sourcegraph/job-id
+        operator: DoesNotExist
+      - key: sourcegraph/run-id
+        operator: DoesNotExist
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchExpressions:
+              - key: app.kubernetes.io/component
+                operator: NotIn
+                values:
+                  - executor
+              - key: sourcegraph/job-id
+                operator: DoesNotExist
+              - key: sourcegraph/run-id
+                operator: DoesNotExist
+          {{- if .Values.networkPolicy.executor.allowOtherNamespacesToReachBackendPods }}
+          namespaceSelector: {}
+          {{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "sourcegraph.name" . }}-frontend-allow-http-from-anywhere
+  labels:
+    {{- include "sourcegraph.labels" . | nindent 4 }}
+    deploy: sourcegraph
+    app.kubernetes.io/component: network-policy
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "sourcegraph.selectorLabels" . | nindent 6 }}
+      app: sourcegraph-frontend
+  policyTypes:
+    - Ingress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: http
+{{- end }}

charts/sourcegraph/tests/networkPolicy_test.yaml

@@ -0,0 +1,48 @@
+suite: networkPolicy
+templates:
+  - network-policy/executor.NetworkPolicy.yaml
+tests:
+  - it: should not render executor NetworkPolicies by default
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should render executor NetworkPolicies when enabled
+    set:
+      networkPolicy:
+        executor:
+          enabled: true
+    asserts:
+      - hasDocuments:
+          count: 2
+      - equal:
+          path: metadata.name
+          value: sourcegraph-pods-block-executors
+        documentIndex: 0
+      - equal:
+          path: metadata.name
+          value: sourcegraph-frontend-allow-http-from-anywhere
+        documentIndex: 1
+      - equal:
+          path: spec.policyTypes[0]
+          value: Ingress
+        documentIndex: 0
+      - equal:
+          path: spec.ingress[0].ports[0].port
+          value: http
+        documentIndex: 1
+      - notExists:
+          path: spec.ingress[0].from[0].namespaceSelector
+        documentIndex: 0
+
+  - it: should allow matching pods from every namespace when configured
+    set:
+      networkPolicy:
+        executor:
+          enabled: true
+          allowOtherNamespacesToReachBackendPods: true
+    asserts:
+      - equal:
+          path: spec.ingress[0].from[0].namespaceSelector
+          value: {}
+        documentIndex: 0

charts/sourcegraph/values.yaml

@@ -43,6 +43,13 @@ sourcegraph:
   # -- Disable the creation of Kubernetes secrets objects
   disableKubernetesSecrets: false
 
+networkPolicy:
+  executor:
+    # -- Enable NetworkPolicies to block Executor access to Sourcegraph backend pods
+    enabled: false
+    # -- Allow non-executor pods from other namespaces to reach Sourcegraph backend pods
+    allowOtherNamespacesToReachBackendPods: false
+
 # Generic application configuration options, used by most applications below
 # app: # Generally matches directory name
 #   replicaCount: 1