diff --git a/charts/sourcegraph/CHANGELOG.md b/charts/sourcegraph/CHANGELOG.md
index d67e9f8c..7181e681 100644
--- a/charts/sourcegraph/CHANGELOG.md
+++ b/charts/sourcegraph/CHANGELOG.md
@@ -8,6 +8,7 @@ Use `**BREAKING**:` to denote a breaking change
 ## Unreleased
+- Added optional NetworkPolicies to block Executor access to Sourcegraph backend pods
 - Added support for overriding `replicaCount` per dedicated `worker` replica via `worker.replicas[].replicaCount`, falling back to `worker.replicaCount` when unset
 - Added support for overriding the image repository on a per-service basis via `.image.repository`, falling back to the global `sourcegraph.image.repository` when unset
 - Added livenessProbe to zoekt-webserver in indexed-search to detect and restart hung pods
diff --git a/charts/sourcegraph/README.md b/charts/sourcegraph/README.md
index e0dcc76f..57d30301 100644
--- a/charts/sourcegraph/README.md
+++ b/charts/sourcegraph/README.md
@@ -200,6 +200,8 @@ In addition to the documented values, all services also support the following va
 | migrator.image.defaultTag | string | `"6.0.0@sha256:ec295eb0b743da6bf56777ca6524972267a5c442b0288095e2fe12fce38ebacc"` | Docker image tag for the `migrator` image |
 | migrator.image.name | string | `"migrator"` | Docker image name for the `migrator` image |
 | migrator.resources | object | `{"limits":{"cpu":"500m","memory":"100M"},"requests":{"cpu":"100m","memory":"50M"}}` | Resource requests & limits for the `migrator` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
+| networkPolicy.executor.allowOtherNamespacesToReachBackendPods | bool | `false` | Allow non-executor pods from other namespaces to reach Sourcegraph backend pods |
+| networkPolicy.executor.enabled | bool | `false` | Enable NetworkPolicies to block Executor access to Sourcegraph backend pods |
 | nodeExporter.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsUser":65534}` | Security context for the `node-exporter` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
 | nodeExporter.enabled | bool | `true` | Enable `node-exporter` |
 | nodeExporter.extraArgs | list | `[]` | |
diff --git a/charts/sourcegraph/templates/network-policy/executor.NetworkPolicy.yaml b/charts/sourcegraph/templates/network-policy/executor.NetworkPolicy.yaml
new file mode 100644
index 00000000..fdda24a7
--- /dev/null
+++ b/charts/sourcegraph/templates/network-policy/executor.NetworkPolicy.yaml
@@ -0,0 +1,60 @@
+{{- if .Values.networkPolicy.executor.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "sourcegraph.name" . }}-pods-block-executors
+ labels:
+ {{- include "sourcegraph.labels" . | nindent 4 }}
+ deploy: sourcegraph
+ app.kubernetes.io/component: network-policy
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "sourcegraph.selectorLabels" . | nindent 6 }}
+ matchExpressions:
+ - key: app.kubernetes.io/component
+ operator: NotIn
+ values:
+ - executor
+ - key: sourcegraph/job-id
+ operator: DoesNotExist
+ - key: sourcegraph/run-id
+ operator: DoesNotExist
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/component
+ operator: NotIn
+ values:
+ - executor
+ - key: sourcegraph/job-id
+ operator: DoesNotExist
+ - key: sourcegraph/run-id
+ operator: DoesNotExist
+ {{- if .Values.networkPolicy.executor.allowOtherNamespacesToReachBackendPods }}
+ namespaceSelector: {}
+ {{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "sourcegraph.name" . }}-frontend-allow-http-from-anywhere
+ labels:
+ {{- include "sourcegraph.labels" . | nindent 4 }}
+ deploy: sourcegraph
+ app.kubernetes.io/component: network-policy
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "sourcegraph.selectorLabels" . | nindent 6 }}
+ app: sourcegraph-frontend
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: http
+{{- end }}
diff --git a/charts/sourcegraph/tests/networkPolicy_test.yaml b/charts/sourcegraph/tests/networkPolicy_test.yaml
new file mode 100644
index 00000000..7eda31c8
--- /dev/null
+++ b/charts/sourcegraph/tests/networkPolicy_test.yaml
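Review bot: The `from` clause of the `-pods-block-executors` policy is a deny-by-label list (`NotIn executor`, `DoesNotExist sourcegraph/job-id`, `DoesNotExist sourcegraph/run-id`), so every pod that does not carry one of those labels is admitted to every backend pod on every port; the protection holds only as long as executor pods and the job pods they spawn actually carry those labels, and the template should say so. A comment above the `from` entry such as `# Deny-list by label: only pods labelled as executors or executor jobs are blocked; any pod without these labels is allowed on all ports.` makes that trust assumption visible to whoever changes the executor labels later. The same three `matchExpressions` are repeated verbatim in `spec.podSelector` and in the `from` `podSelector`; moving them into a `define`d named template and including it in both places would keep the target set and the allowed set from drifting apart. When `allowOtherNamespacesToReachBackendPods` is set, `namespaceSelector: {}` extends this allowance to unlabelled pods in every namespace, not only Sourcegraph's own, which is worth stating in the comment as well.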
@@ -0,0 +1,48 @@
+suite: networkPolicy
+templates:
+ - network-policy/executor.NetworkPolicy.yaml
+tests:
+ - it: should not render executor NetworkPolicies by default
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should render executor NetworkPolicies when enabled
+ set:
+ networkPolicy:
+ executor:
+ enabled: true
+ asserts:
+ - hasDocuments:
+ count: 2
+ - equal:
+ path: metadata.name
+ value: sourcegraph-pods-block-executors
+ documentIndex: 0
+ - equal:
+ path: metadata.name
+ value: sourcegraph-frontend-allow-http-from-anywhere
+ documentIndex: 1
+ - equal:
+ path: spec.policyTypes[0]
+ value: Ingress
+ documentIndex: 0
+ - equal:
+ path: spec.ingress[0].ports[0].port
+ value: http
+ documentIndex: 1
+ - notExists:
+ path: spec.ingress[0].from[0].namespaceSelector
+ documentIndex: 0
+
+ - it: should allow matching pods from every namespace when configured
+ set:
+ networkPolicy:
+ executor:
+ enabled: true
+ allowOtherNamespacesToReachBackendPods: true
+ asserts:
+ - equal:
+ path: spec.ingress[0].from[0].namespaceSelector
+ value: {}
+ documentIndex: 0
diff --git a/charts/sourcegraph/values.yaml b/charts/sourcegraph/values.yaml
index 55cebae9..25f25578 100644
--- a/charts/sourcegraph/values.yaml
+++ b/charts/sourcegraph/values.yaml
@@ -43,6 +43,13 @@ sourcegraph:
 # -- Disable the creation of Kubernetes secrets objects
 disableKubernetesSecrets: false
+networkPolicy:
+ executor:
+ # -- Enable NetworkPolicies to block Executor access to Sourcegraph backend pods
+ enabled: false
+ # -- Allow non-executor pods from other namespaces to reach Sourcegraph backend pods
+ allowOtherNamespacesToReachBackendPods: false
+
 # Generic application configuration options, used by most applications below
 # app: # Generally matches directory name
 # replicaCount: 1
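Review bot: None of the assertions in the "should render executor NetworkPolicies when enabled" test check the `matchExpressions` that do the actual blocking, neither on `spec.podSelector` nor on `spec.ingress[0].from[0].podSelector` of document 0, so a regression that drops the `sourcegraph/job-id` exclusion or changes `NotIn` to `In` would still pass. An `equal` assertion on `spec.ingress[0].from[0].podSelector.matchExpressions[0].values[0]` with `value: executor` and `documentIndex: 0`, plus one on `spec.podSelector.matchExpressions[1].operator` with `value: DoesNotExist`, would pin the security-relevant part of the policy. An assertion that `spec.ingress[0].from` has exactly one entry would also catch an accidental second `from` item, which in NetworkPolicy semantics is an additional allow rule rather than a tighter restriction.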
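Review bot: The comment on `enabled` should state that these NetworkPolicies are only enforced when the cluster's CNI implements the NetworkPolicy API; on a cluster without such a plugin the objects are accepted by the API server but have no effect, so `enabled: true` looks like protection without providing any. Suggested wording: `# -- Enable NetworkPolicies to block Executor access to Sourcegraph backend pods (requires a CNI that enforces NetworkPolicy; otherwise the objects are created but not enforced)`. The comment on `allowOtherNamespacesToReachBackendPods` could likewise note that, because the template identifies pods only by the executor labels and does not restrict the source `podSelector` to Sourcegraph's own selector labels, enabling it admits any pod in any namespace that lacks those labels, not just Sourcegraph pods.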