
Commit 95d083e

fix(netpol): use the real production namespaces and label selectors
The previous version referred everywhere to 'rig-system' and related labels, but that namespace does not exist on odcn-production. The kustomize-sops CMP plugin only rewrites the top-level kustomization.yaml namespace to ARGOCD_APP_NAMESPACE (rig-prd-operations); label selectors inside NetworkPolicy ingress/egress rules, however, stay literally as written and therefore matched nothing, so the cross-tenant leak remained.

Four files revised:
- postgresql-networkpolicy.yaml: namespace rig-prd-operations, ingress rules on kubernetes.io/metadata.name=rig-prd-operations (platform: OPI + Keycloak + co-located) plus created-by=operations-manager (tenant namespaces; old pre-label-era tenants have been patched manually).
- default-deny-ingress.yaml: namespace rig-prd-operations.
- minio-networkpolicy.yaml: same label model; the ingress controller source is openshift-ingress (odcn) instead of ingress-nginx.
- vault-networkpolicy.yaml: ditto. Vault is only consumed by OPI in rig-prd-operations.

Tenant namespaces without the created-by label (rig-prd-amt, rig-prd-test) have been patched with kubectl label as a backfill. rig-prd-example was empty.
1 parent 3ada180 commit 95d083e

4 files changed

Lines changed: 58 additions & 88 deletions


infrastructure/bootstrap/infrastructure/minio/config/overlays/odcn/network-policies/minio-networkpolicy.yaml

Lines changed: 13 additions & 15 deletions
@@ -2,50 +2,48 @@ apiVersion: networking.k8s.io/v1
22
kind: NetworkPolicy
33
metadata:
44
name: allow-minio-access
5-
namespace: rig-system
5+
namespace: rig-prd-operations
66
spec:
77
podSelector:
88
matchLabels:
99
app.kubernetes.io/name: minio
1010

1111
ingress:
12-
# Allow S3 API access from within the rig-system namespace
12+
# Platform namespace itself (OPI co-located in rig-prd-operations).
1313
- from:
1414
- namespaceSelector:
1515
matchLabels:
16-
kubernetes.io/metadata.name: rig-system
16+
kubernetes.io/metadata.name: rig-prd-operations
1717
ports:
1818
- protocol: TCP
19-
port: 9000 # MinIO S3 API
19+
port: 9000 # S3 API
2020
- protocol: TCP
2121
port: 9001 # MinIO Console
2222

23-
# Allow S3 API access from tenant namespaces only.
24-
# Tenant namespaces are stamped with `created-by: operations-manager`
25-
# by OPI (see operations-manager/python/manifests/namespace.yaml.jinja);
26-
# infra namespaces do not carry this label. This replaces the previous
27-
# empty selector that exposed the S3 API to every namespace.
23+
# Tenant namespaces (OPI-generated, stamped with `created-by:
24+
# operations-manager`). Replaces the previous empty `namespaceSelector: {}`
25+
# that exposed the S3 API to every namespace on the cluster.
2826
- from:
2927
- namespaceSelector:
3028
matchLabels:
3129
created-by: operations-manager
3230
ports:
3331
- protocol: TCP
34-
port: 9000 # MinIO S3 API
32+
port: 9000
3533

36-
# Allow ingress controller access
34+
# OpenShift Router (ingress controller on odcn-production).
3735
- from:
3836
- namespaceSelector:
3937
matchLabels:
40-
kubernetes.io/metadata.name: ingress-nginx
38+
kubernetes.io/metadata.name: openshift-ingress
4139
ports:
4240
- protocol: TCP
4341
port: 9000
4442
- protocol: TCP
4543
port: 9001
4644

4745
egress:
48-
# Allow DNS resolution
46+
# DNS resolution.
4947
- to:
5048
- namespaceSelector: {}
5149
podSelector:
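Review bot: the tenant rule kept at unchanged lines 28-31 (namespaceSelector on `created-by: operations-manager`) makes a mutable namespace label the trust boundary for the S3 API, and the commit message says that label is applied by hand with `kubectl label` for pre-label-era tenants. Any principal allowed to patch namespace metadata can thereby extend MinIO access to a namespace, and a recreated namespace silently loses the manual backfill (it fails closed, which is the acceptable direction, but it is undocumented). Suggest adding to the comment that namespace label mutation must remain RBAC-restricted to OPI and cluster operators, and declaring the backfilled labels in the bootstrap manifests instead of leaving them as ad hoc patches.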
@@ -57,11 +55,11 @@ spec:
5755
- protocol: TCP
5856
port: 53
5957

60-
# Allow metrics export
58+
# Prometheus metrics scraping.
6159
- to:
6260
- namespaceSelector:
6361
matchLabels:
6462
kubernetes.io/metadata.name: monitoring
6563
ports:
6664
- protocol: TCP
67-
port: 9091 # Prometheus metrics
65+
port: 9091
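Review bot: the renamed comment `# Prometheus metrics scraping.` does not describe what this rule permits. It is an egress rule from the MinIO pods to the `monitoring` namespace on TCP 9091, i.e. MinIO initiating an outbound connection, whereas a Prometheus scrape is inbound to MinIO and would need an ingress rule on the MinIO metrics port. If the intent is a push target (pushgateway or remote write), say so in the comment; if the intent really is scraping, this egress is dead allowance and the missing piece is an ingress rule from `monitoring`, along the lines of allow-postgres-monitoring in the postgresql file.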

infrastructure/bootstrap/infrastructure/postgresql/database/overlays/odcn/network-policies/default-deny-ingress.yaml

Lines changed: 12 additions & 21 deletions
@@ -2,30 +2,21 @@ apiVersion: networking.k8s.io/v1
22
kind: NetworkPolicy
33
metadata:
44
name: default-deny-ingress-postgres
5-
namespace: rig-system
5+
namespace: rig-prd-operations
66
spec:
7-
# Deny-by-default backstop for the PostgreSQL datastore pods only.
7+
# Explicit deny-by-default backstop for the CNPG postgres pods. K8s
8+
# NetworkPolicy semantics already make pods deny-by-default once any
9+
# policy with policyTypes: [Ingress] selects them (the allow-postgres-*
10+
# policies above do that), so this is redundant for current state. Kept
11+
# as a self-documenting baseline: if a future change removes the allow
12+
# policies, the postgres pods stay closed instead of falling back to
13+
# cluster-default open.
814
#
9-
# IMPORTANT: rig-system is NOT a datastore-only namespace. In the odcn
10-
# production bundle (infrastructure/bootstrap/clusters/odcn) the following
11-
# also deploy into rig-system WITHOUT any NetworkPolicy:
12-
# - Keycloak (keycloak/controller + keycloak/config overlays)
13-
# - Redis (redis/controller overlay)
14-
# A cluster-wide `podSelector: {}` deny here would select those pods and,
15-
# since no allow policy exists for them, black-hole all their ingress:
16-
# OPI -> Keycloak / Redis, ingress-nginx -> Keycloak, tenant apps -> OIDC.
17-
# That is a platform-wide outage worse than the cross-tenant exposure this
18-
# PR closes. The selector is therefore scoped to the CNPG postgres pods.
15+
# Scoped to the CNPG postgres pods only via cnpg.io/cluster, so it cannot
16+
# accidentally black-hole co-located workloads in rig-prd-operations
17+
# (Keycloak, MinIO, Redis, OPI).
1918
#
20-
# For those pods this is redundant with allow-postgres-access /
21-
# allow-postgres-monitoring (which already select the same pods and make
22-
# them deny-by-default under Kubernetes NetworkPolicy semantics), but it
23-
# is kept as an explicit, self-documenting baseline: if a future change
24-
# removes the allow policies, the postgres pods stay closed instead of
25-
# falling back to open.
26-
#
27-
# Egress is intentionally left unmanaged so this policy cannot break
28-
# outbound traffic.
19+
# Egress intentionally left unmanaged.
2920
podSelector:
3021
matchLabels:
3122
cnpg.io/cluster: rig-db
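Review bot: the rewritten comment loses the operational fact the deleted one recorded, namely that Keycloak and Redis deploy into this namespace without any NetworkPolicy and so remain reachable from every namespace; the new text only says the deny is scoped so it "cannot accidentally black-hole co-located workloads". Keep one sentence stating that those co-located workloads are still unprotected and need their own allow policies before any broader deny is introduced, otherwise the next reader will assume the namespace is covered. Consider also stating `policyTypes: [Ingress]` explicitly (not visible in the hunk) so that "Egress intentionally left unmanaged" is enforced by the manifest rather than by the absence of an egress section.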

infrastructure/bootstrap/infrastructure/postgresql/database/overlays/odcn/network-policies/postgresql-networkpolicy.yaml

Lines changed: 21 additions & 35 deletions
@@ -2,29 +2,29 @@ apiVersion: networking.k8s.io/v1
22
kind: NetworkPolicy
33
metadata:
44
name: allow-postgres-access
5-
namespace: rig-system
5+
namespace: rig-prd-operations
66
spec:
77
podSelector:
88
matchLabels:
9-
# Match PostgreSQL cluster pods
109
cnpg.io/cluster: rig-db
1110

1211
ingress:
13-
# Allow PostgreSQL access from within the rig-system namespace
12+
# Platform namespace itself (OPI + Keycloak + co-located workloads in
13+
# rig-prd-operations all reach Postgres intra-namespace). This namespace
14+
# is bootstrap-created and intentionally does NOT carry the
15+
# `created-by: operations-manager` label; matched by name instead.
1416
- from:
1517
- namespaceSelector:
1618
matchLabels:
17-
kubernetes.io/metadata.name: rig-system
19+
kubernetes.io/metadata.name: rig-prd-operations
1820
ports:
1921
- protocol: TCP
2022
port: 5432
2123

22-
# Allow PostgreSQL access from tenant namespaces only.
23-
# Tenant namespaces are stamped with `created-by: operations-manager`
24-
# by OPI (see operations-manager/python/manifests/namespace.yaml.jinja).
25-
# Infra namespaces (rig-system, monitoring, ingress-nginx) do NOT carry
26-
# this label, so ingress is scoped to tenant workloads instead of the
27-
# previous empty selector that allowed every namespace in the cluster.
24+
# Tenant namespaces (OPI-generated, stamped with `created-by:
25+
# operations-manager` in operations-manager/python/manifests/
26+
# namespace.yaml.jinja). Pre-label-era namespaces have been backfilled
27+
# with this label so they continue to have access.
2828
- from:
2929
- namespaceSelector:
3030
matchLabels:
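Review bot: the new comment says pre-label-era namespaces "have been backfilled with this label so they continue to have access", but the backfill exists only as a one-off `kubectl label` on rig-prd-amt and rig-prd-test (commit message), not in the repository. Name the backfilled namespaces in the comment and, better, declare the label where those namespaces are created, so a cluster rebuild does not silently drop their database access; failing closed is the right failure mode here, but it should not be a surprise to the on-call engineer.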
@@ -33,23 +33,8 @@ spec:
3333
- protocol: TCP
3434
port: 5432
3535

36-
# Allow PostgreSQL access from the operations-manager namespace.
37-
# In odcn-production OPI runs in `rig-prd-operations` (see
38-
# bootstrap/rig-system/kustomize/operations-manager/overlays/odcn-production/
39-
# kustomization.yaml). That namespace is bootstrap-created and does not
40-
# carry the `created-by: operations-manager` label (OPI doesn't generate
41-
# its own namespace), so it needs an explicit name match. Without this
42-
# rule OPI cannot reach `rig-db-rw:5432` and refuses to start.
43-
- from:
44-
- namespaceSelector:
45-
matchLabels:
46-
kubernetes.io/metadata.name: rig-prd-operations
47-
ports:
48-
- protocol: TCP
49-
port: 5432
50-
5136
egress:
52-
# Allow DNS resolution (kube-dns / CoreDNS).
37+
# DNS resolution (kube-dns / CoreDNS).
5338
- to:
5439
- namespaceSelector: {}
5540
podSelector:
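Review bot: merging the rig-prd-operations rule into the first ingress rule is correct now that both name the same namespace, but the deleted comment carried the one fact needed when this policy breaks: without namespace-name access OPI cannot reach `rig-db-rw:5432` and refuses to start. Move that sentence into the comment of the surviving first rule so the dependency stays documented next to the selector that satisfies it.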
@@ -61,16 +46,17 @@ spec:
6146
- protocol: TCP
6247
port: 53
6348

64-
# Allow intra-cluster traffic within rig-system: CNPG instance-to-instance
65-
# replication / WAL streaming and the in-cluster MinIO S3 backup target.
49+
# Intra-namespace traffic: CNPG instance-to-instance replication / WAL
50+
# streaming, plus reach the co-located MinIO backup-destination pod for
51+
# in-cluster backup targets.
6652
- to:
6753
- namespaceSelector:
6854
matchLabels:
69-
kubernetes.io/metadata.name: rig-system
55+
kubernetes.io/metadata.name: rig-prd-operations
7056

71-
# Allow HTTPS egress for off-cluster backup / WAL archive targets
72-
# (object storage over TLS). Assumption: backups use an HTTPS S3
73-
# endpoint; narrow this further if an in-cluster-only target is used.
57+
# HTTPS egress for off-cluster backup / WAL archive targets if the
58+
# barmanObjectStore in cluster.yaml ever points off-cluster. Narrow to a
59+
# specific CIDR when a concrete target is known (see follow-up #82).
7460
- to:
7561
- ipBlock:
7662
cidr: 0.0.0.0/0
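Review bot: the `ipBlock: cidr: 0.0.0.0/0` egress (new lines 60-62) also covers every pod and service IP inside the cluster, tenant namespaces included, so while follow-up #82 is open the postgres pods may initiate outbound connections on the allowed port to any tenant workload, not only to an off-cluster archive. Add an `except:` list with the cluster pod and service CIDRs (and node and metadata ranges) to this ipBlock now, independent of #82, so that "off-cluster" in the comment is what the rule enforces. The ports for this rule are outside the hunk; confirm it is limited to 443.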
@@ -83,18 +69,18 @@ apiVersion: networking.k8s.io/v1
8369
kind: NetworkPolicy
8470
metadata:
8571
name: allow-postgres-monitoring
86-
namespace: rig-system
72+
namespace: rig-prd-operations
8773
spec:
8874
podSelector:
8975
matchLabels:
9076
cnpg.io/cluster: rig-db
9177

9278
ingress:
93-
# Allow metrics scraping from monitoring namespace
79+
# Prometheus exporter scrape from the monitoring namespace.
9480
- from:
9581
- namespaceSelector:
9682
matchLabels:
9783
kubernetes.io/metadata.name: monitoring
9884
ports:
9985
- protocol: TCP
100-
port: 9187 # PostgreSQL exporter port
86+
port: 9187 # postgres-exporter
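Review bot: the scrape rule admits the whole `monitoring` namespace to 9187 by name only. If that namespace also hosts Grafana, Alertmanager or other non-scraper pods, add a `podSelector` for the Prometheus pods inside the same `from` entry as the namespaceSelector (same list element, so the two selectors AND rather than OR) to keep the exporter reachable only from the scraper.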

infrastructure/bootstrap/infrastructure/vault/config/overlays/odcn/network-policies/vault-networkpolicy.yaml

Lines changed: 12 additions & 17 deletions
@@ -2,42 +2,37 @@ apiVersion: networking.k8s.io/v1
22
kind: NetworkPolicy
33
metadata:
44
name: allow-vault-access
5-
namespace: rig-system
5+
namespace: rig-prd-operations
66
spec:
77
podSelector:
88
matchLabels:
99
app.kubernetes.io/name: vault
1010

1111
ingress:
12-
# Allow API access from within the rig-system namespace
12+
# Platform namespace itself: Vault is consumed by OPI which co-locates in
13+
# rig-prd-operations. No tenant workload needs Vault — the previous
14+
# all-namespaces rule (`namespaceSelector: {}`) is intentionally removed.
1315
- from:
1416
- namespaceSelector:
1517
matchLabels:
16-
kubernetes.io/metadata.name: rig-system
18+
kubernetes.io/metadata.name: rig-prd-operations
1719
ports:
1820
- protocol: TCP
19-
port: 8200 # Vault API port
21+
port: 8200
2022
- protocol: TCP
21-
port: 8201 # Vault cluster port
22-
23-
# NOTE: the previous rule allowed Vault API access from ALL namespaces
24-
# (`namespaceSelector: {}`). Vault is only consumed by OPI in the
25-
# rig-system namespace; no tenant workload needs Vault. The
26-
# all-namespaces rule has been removed entirely so tenant pods can no
27-
# longer reach the Vault API. Access is now limited to rig-system
28-
# (rule above) and the ingress controller (rule below).
23+
port: 8201 # cluster port for HA
2924

30-
# Allow ingress controller access
25+
# OpenShift Router (ingress controller on odcn-production) for admin UI.
3126
- from:
3227
- namespaceSelector:
3328
matchLabels:
34-
kubernetes.io/metadata.name: ingress-nginx
29+
kubernetes.io/metadata.name: openshift-ingress
3530
ports:
3631
- protocol: TCP
3732
port: 8200
3833

3934
egress:
40-
# Allow intra-cluster communication for Vault HA
35+
# Intra-cluster Vault HA.
4136
- to:
4237
- podSelector:
4338
matchLabels:
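Review bot: keeping TCP 8201 in the namespace-wide rule (new line 23) lets every pod in rig-prd-operations (OPI, Keycloak, MinIO, Redis) reach the Vault cluster port, yet the comment says 8201 is the "cluster port for HA", i.e. Vault-to-Vault only. Split it into its own `from` entry that pairs the namespaceSelector with `podSelector: matchLabels: app.kubernetes.io/name: vault` (the same label this policy's own podSelector uses), mirroring the egress HA rule further down, so only Vault peers can speak to 8201 and the rest of the namespace is limited to the API port 8200.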
@@ -46,7 +41,7 @@ spec:
4641
- protocol: TCP
4742
port: 8201
4843

49-
# Allow DNS resolution
44+
# DNS resolution.
5045
- to:
5146
- namespaceSelector: {}
5247
podSelector:
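Review bot: the DNS egress rule keeps `namespaceSelector: {}` with the podSelector outside the hunk. Since this overlay now targets an OpenShift cluster (the ingress source above is `openshift-ingress`), verify that the podSelector matches the OpenShift DNS pods in `openshift-dns` rather than a `k8s-app: kube-dns` label carried over from the ingress-nginx era; if it does not, name resolution from Vault fails as soon as egress is enforced, which would surface as the HA and KMS rules below appearing broken.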
@@ -58,7 +53,7 @@ spec:
5853
- protocol: TCP
5954
port: 53
6055

61-
# Allow outbound access for auto-unseal, if using cloud KMS
56+
# Outbound for cloud KMS auto-unseal.
6257
- to:
6358
- ipBlock:
6459
cidr: 0.0.0.0/0
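Review bot: the `0.0.0.0/0` egress for cloud KMS auto-unseal is unconditional, but nothing in this commit says odcn-production uses a cloud KMS seal. If it does not, delete the rule from this overlay; if it does, restrict the ipBlock to the KMS endpoint ranges, or at least add an `except:` for the cluster pod and service CIDRs so the Vault pods cannot reach arbitrary in-cluster services on the allowed port. The ports for this rule are outside the hunk; confirm it is 443 only.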
