[kube-prometheus-stack] Add NetworkPolicy support for Alertmanager (#5318)

Co-authored-by: jkroepke
Co-authored-by: Jan-Otto Kröpke <github@jkroepke.de>

Author: samuelarogbonlo

charts/kube-prometheus-stack/Chart.yaml

@@ -31,7 +31,7 @@ name: kube-prometheus-stack
 sources:
   - https://github.com/prometheus-community/helm-charts
   - https://github.com/prometheus-operator/kube-prometheus
-version: 69.3.3
+version: 69.4.0
 appVersion: v0.80.0
 kubeVersion: ">=1.19.0-0"
 home: https://github.com/prometheus-operator/kube-prometheus

charts/kube-prometheus-stack/templates/alertmanager/networkpolicy.yaml

@@ -0,0 +1,82 @@
+{{- if and .Values.alertmanager.enabled .Values.alertmanager.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "kube-prometheus-stack.fullname" . }}-alertmanager
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels:
+    app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
+    {{- include "kube-prometheus-stack.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: alertmanager
+  policyTypes:
+    {{- toYaml .Values.alertmanager.networkPolicy.policyTypes | nindent 4 }}
+  ingress:
+    # Allow ingress from gateway
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Values.alertmanager.networkPolicy.gateway.namespace }}
+          {{- if and .Values.alertmanager.networkPolicy.gateway.podLabels (not (empty .Values.alertmanager.networkPolicy.gateway.podLabels)) }}
+          podSelector:
+            matchLabels:
+              {{- toYaml .Values.alertmanager.networkPolicy.gateway.podLabels | nindent 14 }}
+          {{- end }}
+      ports:
+        - port: {{ .Values.alertmanager.service.port }}
+          protocol: TCP
+        - port: {{ .Values.alertmanager.service.clusterPort }}
+          protocol: TCP
+    {{- if .Values.alertmanager.networkPolicy.monitoringRules.prometheus }}
+    # Allow ingress from Prometheus
+    - from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: prometheus
+      ports:
+        - port: {{ .Values.alertmanager.service.port }}
+          protocol: TCP
+    {{- end }}
+    {{- if .Values.alertmanager.networkPolicy.monitoringRules.loki }}
+    # Allow ingress from Loki
+    - from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: loki
+      ports:
+        - port: {{ .Values.alertmanager.service.port }}
+          protocol: TCP
+    {{- end }}
+    {{- if .Values.alertmanager.networkPolicy.enableClusterRules }}
+    # Allow ingress from other Alertmanager pods (for clustering)
+    - from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: alertmanager
+      ports:
+        - port: {{ .Values.alertmanager.service.clusterPort }}
+          protocol: TCP
+    {{- end }}
+    {{- if .Values.alertmanager.networkPolicy.monitoringRules.configReloader }}
+    # Allow ingress for config reloader metrics
+    - from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: alertmanager
+              component: config-reloader
+      ports:
+        - port: 8080
+          protocol: TCP
+    {{- end }}
+    {{- with .Values.alertmanager.networkPolicy.additionalIngress }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- if .Values.alertmanager.networkPolicy.egress.enabled }}
+  egress:
+    {{- with .Values.alertmanager.networkPolicy.egress.rules }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end }}

charts/kube-prometheus-stack/unittests/alertmanager/networkpolicy_test.yaml

@@ -0,0 +1,150 @@
+suite: test networkpolicy
+templates:
+  - alertmanager/networkpolicy.yaml
+tests:
+  - it: should be empty if alertmanager is not enabled
+    set:
+      alertmanager.enabled: false
+      alertmanager.networkPolicy.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should be empty if networkpolicy is not enabled
+    set:
+      alertmanager.enabled: true
+      alertmanager.networkPolicy.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should have correct API version and kind
+    set:
+      alertmanager.enabled: true
+      alertmanager.networkPolicy.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: NetworkPolicy
+      - isAPIVersion:
+          of: networking.k8s.io/v1
+
+  - it: should configure gateway namespace correctly
+    set:
+      alertmanager.enabled: true
+      alertmanager.networkPolicy.enabled: true
+      alertmanager.networkPolicy.gateway.namespace: custom-gateway
+    asserts:
+      - equal:
+          path: spec.ingress[0].from[0].namespaceSelector.matchLabels["kubernetes.io/metadata.name"]
+          value: custom-gateway
+
+  - it: should configure gateway pod labels correctly
+    set:
+      alertmanager.enabled: true
+      alertmanager.networkPolicy.enabled: true
+      alertmanager.networkPolicy.gateway.podLabels:
+        app.kubernetes.io/name: custom-gateway
+    asserts:
+      - equal:
+          path: spec.ingress[0].from[0].podSelector.matchLabels
+          value:
+            app.kubernetes.io/name: custom-gateway
+
+  - it: should include Prometheus rules when enabled
+    set:
+      alertmanager.enabled: true
+      alertmanager.networkPolicy.enabled: true
+      alertmanager.networkPolicy.monitoringRules.prometheus: true
+      alertmanager.service.port: 9093
+    asserts:
+      - matchRegex:
+          path: spec.ingress[1].from[0].podSelector.matchLabels["app.kubernetes.io/name"]
+          pattern: prometheus
+
+  - it: should include Loki rules when enabled
+    set:
+      alertmanager.enabled: true
+      alertmanager.networkPolicy.enabled: true
+      alertmanager.networkPolicy.monitoringRules.loki: true
+      alertmanager.service.port: 9093
+    asserts:
+      - matchRegex:
+          path: spec.ingress[2].from[0].podSelector.matchLabels["app.kubernetes.io/name"]
+          pattern: loki
+
+  - it: should include cluster rules when enabled
+    set:
+      alertmanager.enabled: true
+      alertmanager.networkPolicy.enabled: true
+      alertmanager.networkPolicy.enableClusterRules: true
+      alertmanager.service.clusterPort: 9094
+    asserts:
+      - matchRegex:
+          path: spec.ingress[3].from[0].podSelector.matchLabels["app.kubernetes.io/name"]
+          pattern: alertmanager
+
+  - it: should add additional ingress rules when specified
+    set:
+      alertmanager.enabled: true
+      alertmanager.networkPolicy.enabled: true
+      alertmanager.networkPolicy.additionalIngress:
+        - from:
+            - namespaceSelector:
+                matchLabels:
+                  name: custom-namespace
+    asserts:
+      - equal:
+          path: spec.ingress[-1].from[0].namespaceSelector.matchLabels.name
+          value: custom-namespace
+
+  - it: should include egress rules when enabled
+    set:
+      alertmanager.enabled: true
+      alertmanager.networkPolicy.enabled: true
+      alertmanager.networkPolicy.egress:
+        enabled: true
+        rules:
+          - to:
+              - podSelector:
+                  matchLabels:
+                    name: smtp-relay
+    asserts:
+      - equal:
+          path: spec.egress[0].to[0].podSelector.matchLabels.name
+          value: smtp-relay
+
+  - it: should use specified policy types
+    set:
+      alertmanager.enabled: true
+      alertmanager.networkPolicy.enabled: true
+      alertmanager.networkPolicy.policyTypes:
+        - Ingress
+        - Egress
+    asserts:
+      - equal:
+          path: spec.policyTypes
+          value:
+            - Ingress
+            - Egress
+
+  - it: should handle empty gateway pod labels
+    set:
+      alertmanager.enabled: true
+      alertmanager.networkPolicy.enabled: true
+      alertmanager.networkPolicy.gateway.namespace: custom-gateway
+      alertmanager.networkPolicy.gateway.podLabels: null
+      alertmanager.networkPolicy.policyTypes[0]: Ingress
+      alertmanager.service.port: 9093
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: NetworkPolicy
+      - equal:
+          path: spec.ingress[0].from[0].namespaceSelector.matchLabels["kubernetes.io/metadata.name"]
+          value: custom-gateway
+      - equal:
+          path: spec.ingress[0].ports[0].port
+          value: 9093

charts/kube-prometheus-stack/values.yaml

@@ -408,6 +408,75 @@ alertmanager:
   ##
   forceDeployDashboards: false
 
+  ## Network Policy configuration
+  ##
+  networkPolicy:
+    # -- Enable network policy for Alertmanager
+    enabled: false
+
+    # -- Define policy types. If egress is enabled, both Ingress and Egress will be used
+    # Valid values are ["Ingress"] or ["Ingress", "Egress"]
+    ##
+    policyTypes:
+      - Ingress
+
+    # -- Gateway (formerly ingress controller) configuration
+    ##
+    gateway:
+      # -- Gateway namespace
+      ##
+      namespace: "ingress-nginx"
+      # -- Gateway pod labels
+      ##
+      podLabels:
+        app.kubernetes.io/name: ingress-nginx
+
+    # -- Additional custom ingress rules
+    ##
+    additionalIngress: []
+    # - from:
+    #   - namespaceSelector:
+    #       matchLabels:
+    #         name: another-namespace
+    #     podSelector:
+    #       matchLabels:
+    #         app: another-app
+
+    # -- Configure egress rules
+    ##
+    egress:
+      # -- Enable egress rules. When enabled, policyTypes will include Egress
+      ##
+      enabled: false
+      # -- Custom egress rules
+      ##
+      rules: []
+      # - to:
+      #   - namespaceSelector: {}
+      #     podSelector:
+      #       matchLabels:
+      #         name: smtp-relay
+      #   ports:
+      #   - port: 25
+      #     protocol: TCP
+
+    # -- Enable rules for alertmanager cluster traffic
+    ##
+    enableClusterRules: true
+
+    # -- Configure monitoring component rules
+    ##
+    monitoringRules:
+      # -- Enable ingress from Prometheus
+      ##
+      prometheus: true
+      # -- Enable ingress from Loki
+      ##
+      loki: true
+      # -- Enable ingress for config reloader metrics
+      ##
+      configReloader: true
+
   ## Service account for Alertmanager to use.
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
   ##