
Network policies #153

Merged
jubrad merged 11 commits into main from network-policies
Mar 13, 2026
Conversation

jshiwamV (Contributor) commented Feb 26, 2026

  • Enabled Operator network policies to restrict access to operator and materialize instance pods
  • Added an ingress network policy from the operator / mz_instance namespace to the kube-system and monitoring namespaces so that mz_instance can communicate with system workloads.

Testing Details:

Connect from balancerd to other pods in materialize-environment

materialize@mz71qwyy52se-balancerd-765457cdfd-7l8tm:/$ curl -v mz71qwyy52se-environmentd-2:6875
* Host mz71qwyy52se-environmentd-2:6875 was resolved.
* IPv6: (none)
* IPv4: 10.0.3.214
*   Trying 10.0.3.214:6875...
* Established connection to mz71qwyy52se-environmentd-2 (10.0.3.214 port 6875) from 10.0.3.184 port 57670 
* using HTTP/1.x
> GET / HTTP/1.1
> Host: mz71qwyy52se-environmentd-2:6875
> User-Agent: curl/8.18.0
> Accept: */*
> 
* Request completely sent off
* Recv failure: Connection reset by peer
* closing connection #0
curl: (56) Recv failure: Connection reset by peer
materialize@mz71qwyy52se-balancerd-765457cdfd-7l8tm:/$ curl -v mz71qwyy52se-cluster-s2-replica-s1-gen-2^C875

materialize@mz71qwyy52se-balancerd-765457cdfd-7l8tm:/$ curl -v mz71qwyy52se-console-6d88ff6556-8lnc4:8080
* Could not resolve host: mz71qwyy52se-console-6d88ff6556-8lnc4
* Store negative name resolve for mz71qwyy52se-console-6d88ff6556-8lnc4:8080
* shutting down connection #0
curl: (6) Could not resolve host: mz71qwyy52se-console-6d88ff6556-8lnc4
materialize@mz71qwyy52se-balancerd-765457cdfd-7l8tm:/$ curl -v mz71qwyy52se-console:8080
* Host mz71qwyy52se-console:8080 was resolved.
* IPv6: (none)
* IPv4: 10.0.3.134, 10.0.3.177
*   Trying 10.0.3.134:8080...
* Established connection to mz71qwyy52se-console (10.0.3.134 port 8080) from 10.0.3.184 port 52744 
* using HTTP/1.x
> GET / HTTP/1.1
> Host: mz71qwyy52se-console:8080
> User-Agent: curl/8.18.0
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 400 Bad Request
< Server: nginx/1.29.5
< Date: Tue, 03 Mar 2026 10:45:17 GMT
< Content-Type: text/html
< Content-Length: 255
< Connection: close
< 
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.29.5</center>
</body>
</html>
* shutting down connection #0
materialize@mz71qwyy52se-balancerd-765457cdfd-7l8tm:/$ curl -v mz71qwyy52se-balancerd-765457cdfd-7l8tm:6875
* Host mz71qwyy52se-balancerd-765457cdfd-7l8tm:6875 was resolved.
* IPv6: (none)
* IPv4: 10.0.3.184
*   Trying 10.0.3.184:6875...
* Established connection to mz71qwyy52se-balancerd-765457cdfd-7l8tm (10.0.3.184 port 6875) from 10.0.3.184 port 35288 
* using HTTP/1.x
> GET / HTTP/1.1
> Host: mz71qwyy52se-balancerd-765457cdfd-7l8tm:6875
> User-Agent: curl/8.18.0
> Accept: */*
> 
* Request completely sent off
* Recv failure: Connection reset by peer
* closing connection #0
curl: (56) Recv failure: Connection reset by peer

Connect from the PG pod in the default namespace to the materialize instance pods. It should be able to connect to balancerd and console, since they have an open ingress rule from 0.0.0.0/0, while it shouldn't be able to connect to the environmentd pod.

root@pg:/# curl -v mz71qwyy52se-console.materialize-environment:8080
* Host mz71qwyy52se-console.materialize-environment:8080 was resolved.
* IPv6: (none)
* IPv4: 10.0.3.177, 10.0.3.134
*   Trying 10.0.3.177:8080...
* Connected to mz71qwyy52se-console.materialize-environment (10.0.3.177) port 8080
* using HTTP/1.x
> GET / HTTP/1.1
> Host: mz71qwyy52se-console.materialize-environment:8080
> User-Agent: curl/8.14.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 400 Bad Request
< Server: nginx/1.29.5
< Date: Tue, 03 Mar 2026 10:45:53 GMT
< Content-Type: text/html
< Content-Length: 255
< Connection: close
< 
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.29.5</center>
</body>
</html>
* shutting down connection #0
root@pg:/# curl -v mz71qwyy52se-environmentd-2.materialize-environment:6875
* Host mz71qwyy52se-environmentd-2.materialize-environment:6875 was resolved.
* IPv6: (none)
* IPv4: 10.0.3.214
*   Trying 10.0.3.214:6875...
^C
root@pg:/# curl -v mz71qwyy52se-balancerd.materialize-environment:6875
* Host mz71qwyy52se-balancerd.materialize-environment:6875 was resolved.
* IPv6: (none)
* IPv4: 10.0.3.254, 10.0.3.184
*   Trying 10.0.3.254:6875...
* Connected to mz71qwyy52se-balancerd.materialize-environment (10.0.3.254) port 6875
* using HTTP/1.x
> GET / HTTP/1.1
> Host: mz71qwyy52se-balancerd.materialize-environment:6875
> User-Agent: curl/8.14.1
> Accept: */*
> 
* Request completely sent off
* Recv failure: Connection reset by peer
* closing connection #0
curl: (56) Recv failure: Connection reset by peer

Operator to Envd connection check

materialize@sj-manual-materialize-operator-865565d75d-h5b8n:/$ curl -v mz71qwyy52se-environmentd-2.materialize-environment:6878
* Host mz71qwyy52se-environmentd-2.materialize-environment:6878 was resolved.
* IPv6: (none)
* IPv4: 10.0.3.214
*   Trying 10.0.3.214:6878...
* Established connection to mz71qwyy52se-environmentd-2.materialize-environment (10.0.3.214 port 6878) from 10.0.2.131 port 43678 
* using HTTP/1.x
> GET / HTTP/1.1
> Host: mz71qwyy52se-environmentd-2.materialize-environment:6878
> User-Agent: curl/8.18.0
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 404 Not Found
< vary: origin, access-control-request-method, access-control-request-headers
< access-control-expose-headers: *
< content-length: 0
< date: Tue, 03 Mar 2026 14:40:58 GMT
< 
* Connection #0 to host mz71qwyy52se-environmentd-2.materialize-environment:6878 left intact

Monitoring Works after Network Policy Restriction

[Two screenshots taken 2026-03-03 at 9:00 PM showing the monitoring dashboards; images not included]

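The connectivity matrix in the transcripts above follows from how Kubernetes evaluates ingress NetworkPolicies: a pod selected by no policy accepts everything, and once any policy selects it, some ingress rule must match the source and port. The following evaluator is an added example, not code from this PR or the operator; its pod labels, namespace names, the pg pod IP and the policy definitions are constructed assumptions chosen to reproduce the observed results.

```python
import ipaddress

# Constructed cluster model: pod name -> (namespace, labels, pod IP). The Materialize
# pod IPs are the ones in the curl transcripts; labels, names and the pg IP are assumed.
PODS = {
    "environmentd": ("materialize-environment", {"app": "environmentd"}, "10.0.3.214"),
    "balancerd":    ("materialize-environment", {"app": "balancerd"},    "10.0.3.184"),
    "console":      ("materialize-environment", {"app": "console"},      "10.0.3.134"),
    "operator":     ("materialize", {"app": "materialize-operator"},     "10.0.2.131"),
    "pg":           ("default", {"app": "pg"},                           "10.0.1.5"),
}
NS_LABELS = {ns: {"kubernetes.io/metadata.name": ns}
             for ns in ("materialize", "materialize-environment", "default")}

# Constructed policies mirroring the PR description: environmentd accepts only
# same-namespace pods and the operator namespace; balancerd/console are open.
POLICIES = [
    {"ns": "materialize-environment", "podSelector": {"app": "environmentd"}, "ingress": [
        {"from": [{"podSelector": {}}]},                              # same namespace, any port
        {"from": [{"namespaceSelector": NS_LABELS["materialize"]}], "ports": [6878]}]},
    {"ns": "materialize-environment", "podSelector": {"app": "balancerd"},
     "ingress": [{"from": [{"ipBlock": "0.0.0.0/0"}], "ports": [6875]}]},
    {"ns": "materialize-environment", "podSelector": {"app": "console"},
     "ingress": [{"from": [{"ipBlock": "0.0.0.0/0"}], "ports": [8080]}]},
]

def _matches(selector, labels):
    # An empty selector matches everything, as in Kubernetes.
    return all(labels.get(k) == v for k, v in selector.items())

def _peer_matches(peer, policy_ns, src_ns, src_labels, src_ip):
    if "ipBlock" in peer:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(peer["ipBlock"])
    if "namespaceSelector" in peer:
        if not _matches(peer["namespaceSelector"], NS_LABELS[src_ns]):
            return False
    elif src_ns != policy_ns:   # a bare podSelector is scoped to the policy's own namespace
        return False
    return _matches(peer.get("podSelector", {}), src_labels)

def allowed(src, dst, port):
    """True if src -> dst:port is admitted: a pod selected by no policy accepts all
    traffic; once selected, some ingress rule of some selecting policy must match."""
    s_ns, s_labels, s_ip = PODS[src]
    d_ns, d_labels, _ = PODS[dst]
    selecting = [p for p in POLICIES if p["ns"] == d_ns and _matches(p["podSelector"], d_labels)]
    if not selecting:
        return True
    return any(
        (not rule.get("ports") or port in rule["ports"])
        and (not rule.get("from") or any(_peer_matches(pe, p["ns"], s_ns, s_labels, s_ip) for pe in rule["from"]))
        for p in selecting for rule in p["ingress"])
```

Run against the pairs exercised above, the evaluator admits balancerd -> environmentd:6875 and operator -> environmentd:6878 but denies pg -> environmentd:6875, matching the reset-versus-hang behaviour in the transcripts.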
@jshiwamV jshiwamV marked this pull request as ready for review March 3, 2026 15:24
@jshiwamV jshiwamV requested a review from jubrad March 3, 2026 15:28
@jshiwamV jshiwamV self-assigned this Mar 3, 2026
@jshiwamV jshiwamV mentioned this pull request Mar 4, 2026
Comment thread aws/modules/vpc-cni/variables.tf Outdated
Comment thread aws/examples/simple/main.tf
jshiwamV (Contributor, Author) commented:

I have resolved a merge conflict. I have enabled Merge When Ready on this, it will automatically merge once approved.

@jshiwamV jshiwamV enabled auto-merge March 11, 2026 03:16
jubrad previously approved these changes Mar 11, 2026

jubrad (Collaborator) commented Mar 11, 2026

I'm working on updating the required checks, see: #163

When that merges, this may need to be rebased to pick up the new workflows; then it will run the full tests against cloud infra only in the merge queue.

The PR is approved and I can shepherd it through tomorrow, thanks!!

@jshiwamV jshiwamV added this pull request to the merge queue Mar 13, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 13, 2026
@jubrad jubrad added this pull request to the merge queue Mar 13, 2026
Merged via the queue into main with commit d690972 Mar 13, 2026
6 checks passed
@jubrad jubrad deleted the network-policies branch March 13, 2026 05:54