Network policies by jshiwamV · Pull Request #153 · MaterializeInc/materialize-terraform-self-managed

jshiwamV · 2026-02-26T18:18:01Z

Enabled Operator network policies to restrict access to operator and materialize instance pods
Added a ingress network policy from operator / mz_instance namespace to kube-system and monitoring namespace so that mz_instance can communicate system workloads.

Testing Details:

Connect from balancerd to other pods in materialize-environment

materialize@mz71qwyy52se-balancerd-765457cdfd-7l8tm:/$ curl -v mz71qwyy52se-environmentd-2:6875
* Host mz71qwyy52se-environmentd-2:6875 was resolved.
* IPv6: (none)
* IPv4: 10.0.3.214
*   Trying 10.0.3.214:6875...
* Established connection to mz71qwyy52se-environmentd-2 (10.0.3.214 port 6875) from 10.0.3.184 port 57670 
* using HTTP/1.x
> GET / HTTP/1.1
> Host: mz71qwyy52se-environmentd-2:6875
> User-Agent: curl/8.18.0
> Accept: */*
> 
* Request completely sent off
* Recv failure: Connection reset by peer
* closing connection #0
curl: (56) Recv failure: Connection reset by peer
materialize@mz71qwyy52se-balancerd-765457cdfd-7l8tm:/$ curl -v mz71qwyy52se-cluster-s2-replica-s1-gen-2^C875

materialize@mz71qwyy52se-balancerd-765457cdfd-7l8tm:/$ curl -v mz71qwyy52se-console-6d88ff6556-8lnc4:8080
* Could not resolve host: mz71qwyy52se-console-6d88ff6556-8lnc4
* Store negative name resolve for mz71qwyy52se-console-6d88ff6556-8lnc4:8080
* shutting down connection #0
curl: (6) Could not resolve host: mz71qwyy52se-console-6d88ff6556-8lnc4
materialize@mz71qwyy52se-balancerd-765457cdfd-7l8tm:/$ curl -v mz71qwyy52se-console:8080
* Host mz71qwyy52se-console:8080 was resolved.
* IPv6: (none)
* IPv4: 10.0.3.134, 10.0.3.177
*   Trying 10.0.3.134:8080...
* Established connection to mz71qwyy52se-console (10.0.3.134 port 8080) from 10.0.3.184 port 52744 
* using HTTP/1.x
> GET / HTTP/1.1
> Host: mz71qwyy52se-console:8080
> User-Agent: curl/8.18.0
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 400 Bad Request
< Server: nginx/1.29.5
< Date: Tue, 03 Mar 2026 10:45:17 GMT
< Content-Type: text/html
< Content-Length: 255
< Connection: close
< 
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.29.5</center>
</body>
</html>
* shutting down connection #0
materialize@mz71qwyy52se-balancerd-765457cdfd-7l8tm:/$ curl -v mz71qwyy52se-balancerd-765457cdfd-7l8tm:6875
* Host mz71qwyy52se-balancerd-765457cdfd-7l8tm:6875 was resolved.
* IPv6: (none)
* IPv4: 10.0.3.184
*   Trying 10.0.3.184:6875...
* Established connection to mz71qwyy52se-balancerd-765457cdfd-7l8tm (10.0.3.184 port 6875) from 10.0.3.184 port 35288 
* using HTTP/1.x
> GET / HTTP/1.1
> Host: mz71qwyy52se-balancerd-765457cdfd-7l8tm:6875
> User-Agent: curl/8.18.0
> Accept: */*
> 
* Request completely sent off
* Recv failure: Connection reset by peer
* closing connection #0
curl: (56) Recv failure: Connection reset by peer

Connect from PG Pod in default namespace to the materialize instance pod. It should be able to connect to balancerd and console since they have open ingress rule from 0.0.0.0/0 while it shouldn't be able to connect with environmentd pod

root@pg:/# curl -v mz71qwyy52se-console.materialize-environment:8080
* Host mz71qwyy52se-console.materialize-environment:8080 was resolved.
* IPv6: (none)
* IPv4: 10.0.3.177, 10.0.3.134
*   Trying 10.0.3.177:8080...
* Connected to mz71qwyy52se-console.materialize-environment (10.0.3.177) port 8080
* using HTTP/1.x
> GET / HTTP/1.1
> Host: mz71qwyy52se-console.materialize-environment:8080
> User-Agent: curl/8.14.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 400 Bad Request
< Server: nginx/1.29.5
< Date: Tue, 03 Mar 2026 10:45:53 GMT
< Content-Type: text/html
< Content-Length: 255
< Connection: close
< 
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.29.5</center>
</body>
</html>
* shutting down connection #0
root@pg:/# curl -v mz71qwyy52se-environmentd-2.materialize-environment:6875
* Host mz71qwyy52se-environmentd-2.materialize-environment:6875 was resolved.
* IPv6: (none)
* IPv4: 10.0.3.214
*   Trying 10.0.3.214:6875...
^C
root@pg:/# curl -v mz71qwyy52se-balancerd.materialize-environment:6875
* Host mz71qwyy52se-balancerd.materialize-environment:6875 was resolved.
* IPv6: (none)
* IPv4: 10.0.3.254, 10.0.3.184
*   Trying 10.0.3.254:6875...
* Connected to mz71qwyy52se-balancerd.materialize-environment (10.0.3.254) port 6875
* using HTTP/1.x
> GET / HTTP/1.1
> Host: mz71qwyy52se-balancerd.materialize-environment:6875
> User-Agent: curl/8.14.1
> Accept: */*
> 
* Request completely sent off
* Recv failure: Connection reset by peer
* closing connection #0
curl: (56) Recv failure: Connection reset by peer

Operator to Envd connection check

materialize@sj-manual-materialize-operator-865565d75d-h5b8n:/$ curl -v mz71qwyy52se-environmentd-2.materialize-environment:6878
* Host mz71qwyy52se-environmentd-2.materialize-environment:6878 was resolved.
* IPv6: (none)
* IPv4: 10.0.3.214
*   Trying 10.0.3.214:6878...
* Established connection to mz71qwyy52se-environmentd-2.materialize-environment (10.0.3.214 port 6878) from 10.0.2.131 port 43678 
* using HTTP/1.x
> GET / HTTP/1.1
> Host: mz71qwyy52se-environmentd-2.materialize-environment:6878
> User-Agent: curl/8.18.0
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 404 Not Found
< vary: origin, access-control-request-method, access-control-request-headers
< access-control-expose-headers: *
< content-length: 0
< date: Tue, 03 Mar 2026 14:40:58 GMT
< 
* Connection #0 to host mz71qwyy52se-environmentd-2.materialize-environment:6878 left intact

Monitoring Works after Network Policy Restriction

jshiwamV · 2026-03-11T03:16:43Z

I have resolved a merge conflict. I have enabled Merge When Ready on this, it will automatically merge once approved.

jubrad · 2026-03-11T05:09:27Z

I'm working on updating the required checks see:
#163

When that merges this may need to be rebased to pick up the new workflows, then will run the full tests against cloud infra only in merge queue.

The PR is approved and I can sheppard it through tomorrow, thanks!!

jshiwamV force-pushed the network-policies branch from d9916ed to 14b0fe4 Compare March 2, 2026 16:46

jshiwamV requested review from alex-hunt-materialize and bobbyiliev March 3, 2026 15:23

jshiwamV marked this pull request as ready for review March 3, 2026 15:24

jshiwamV requested a review from jubrad March 3, 2026 15:28

jshiwamV self-assigned this Mar 3, 2026

This was referenced Mar 3, 2026

Subtask 2.2.1: Define base network policies #41

Closed

Subtask 2.2.2: Apply and validate across all cloud clusters #42

Closed

jshiwamV force-pushed the network-policies branch from f590b58 to 6a27c2c Compare March 4, 2026 17:32

jshiwamV mentioned this pull request Mar 4, 2026

Metrics server #156

Open

alex-hunt-materialize reviewed Mar 5, 2026

View reviewed changes

Comment thread aws/modules/vpc-cni/variables.tf Outdated

Comment thread aws/examples/simple/main.tf

alex-hunt-materialize previously approved these changes Mar 9, 2026

View reviewed changes

jshiwamV dismissed alex-hunt-materialize’s stale review via a26e6ab March 11, 2026 03:15

jshiwamV enabled auto-merge March 11, 2026 03:16

jubrad previously approved these changes Mar 11, 2026

View reviewed changes

jshiwamV added 11 commits March 12, 2026 19:58

add vpc cni module and enable eBPF based filtering in gke

268bbce

remove unused variable

e045a27

enable network policies in operator by default

0642d54

add network policy module

0c1be42

allow critical system/monitoring ingress to operator/mz_instance ns

173e27a

cleanup

74fb01d

enable service account via helm chart

bf146d8

allow api server egress, and fix vpc cni issues

754a1aa

fix lints

0b912d2

cleanup

c774b49

enable network policy helm vals w.r.t flag

2c2a3b7

jubrad dismissed their stale review via 2c2a3b7 March 13, 2026 01:00

jubrad force-pushed the network-policies branch from a26e6ab to 2c2a3b7 Compare March 13, 2026 01:00

jubrad approved these changes Mar 13, 2026

View reviewed changes

jshiwamV added this pull request to the merge queue Mar 13, 2026

github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 13, 2026

jubrad added this pull request to the merge queue Mar 13, 2026

Merged via the queue into main with commit d690972 Mar 13, 2026
6 checks passed

jubrad deleted the network-policies branch March 13, 2026 05:54

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Network policies#153

Network policies#153
jubrad merged 11 commits intomainfrom
network-policies

jshiwamV commented Feb 26, 2026 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

jshiwamV commented Mar 11, 2026

Uh oh!

jubrad commented Mar 11, 2026

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

jshiwamV commented Feb 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Testing Details:

Monitoring Works after Network Policy Restriction

Uh oh!

Uh oh!

Uh oh!

jshiwamV commented Mar 11, 2026

Uh oh!

jubrad commented Mar 11, 2026

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

jshiwamV commented Feb 26, 2026 •

edited

Loading