
Commit 7f2ae42

Create kyverno policy to block access to signing server in staging
Create a policy that generates an EgressFirewall in every namespace except internal-services, preventing communication with the signing server from any namespace other than internal-services. KFLUXINFRA-2676 Signed-off-by: Hugo Arès <hares@redhat.com>
1 parent 75f5365 commit 7f2ae42

10 files changed

Lines changed: 240 additions & 0 deletions


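--- a/argo-cd-apps/base/internal/kustomization.yaml
+++ b/argo-cd-apps/base/internal/kustomization.yaml
@@ -9,3 +9,4 @@ resources:
 - cert-manager
 - konflux-support-ops
 - konflux-devlake
+- policies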
Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
apiVersion: argoproj.io/v1alpha1
2+
kind: ApplicationSet
3+
metadata:
4+
name: policies
5+
spec:
6+
generators:
7+
- clusters:
8+
values:
9+
sourceRoot: components/policies
10+
environment: ""
11+
template:
12+
metadata:
13+
name: policies-{{nameNormalized}}
14+
spec:
15+
project: default
16+
source:
17+
path: '{{values.sourceRoot}}/{{values.environment}}'
18+
repoURL: https://github.com/redhat-appstudio/infra-common-deployments.git
19+
targetRevision: main
20+
destination:
21+
namespace: konflux-policies
22+
name: in-cluster
23+
syncPolicy:
24+
automated:
25+
prune: true
26+
selfHeal: true
27+
syncOptions:
28+
- CreateNamespace=true
29+
- ServerSideApply=true
30+
retry:
31+
limit: 50
32+
backoff:
33+
duration: 10s
34+
factor: 2
35+
maxDuration: 3m
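Review bot: `environment: ""` in the cluster generator's `values` makes the templated source path `components/policies/` with an empty trailing segment, so the `staging` directory added elsewhere in this commit is not selected by this file on its own; presumably a per-environment overlay patches `values.environment`, but that is not visible here and should be confirmed. A comment above the `values` stanza would make the contract explicit, e.g. `# environment is patched per cluster by the environment overlay (see <overlay path — not in this commit>)`. The `clusters` generator also carries no selector, so every cluster registered in Argo CD receives this Application; if the policy is intended for staging only, that restriction belongs in the generator or the overlay rather than in the commit title.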
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
apiVersion: kustomize.config.k8s.io/v1beta1
2+
kind: Kustomization
3+
resources:
4+
- appset.yaml
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
apiVersion: kyverno.io/v1
2+
kind: ClusterPolicy
3+
metadata:
4+
name: block-signing-server-access
5+
status:
6+
conditions:
7+
- reason: Succeeded
8+
status: "True"
9+
type: Ready
10+
Lines changed: 63 additions & 0 deletions
@@ -0,0 +1,63 @@
1+
---
2+
apiVersion: chainsaw.kyverno.io/v1alpha1
3+
kind: Test
4+
metadata:
5+
name: egressfirewall-created-in-all-ns-but-one
6+
spec:
7+
concurrent: false
8+
description: |
9+
Tests that the ClusterPolicy for generating EgressFirewall is
10+
is creating the EgressFirewall in all namespace expect in internal-services.
11+
steps:
12+
- name: setup-crd
13+
try:
14+
- apply:
15+
file: resources/mock-egressfirewall-crd.yaml
16+
- assert:
17+
file: resources/mock-egressfirewall-crd.yaml
18+
- name: setup-permissions
19+
try:
20+
- apply:
21+
file: ../kyverno_rbac.yaml
22+
- name: Apply Kyverno ClusterPolicy and assert it exists
23+
try:
24+
- apply:
25+
file: ../block-signing-server-access.yaml
26+
- assert:
27+
file: chainsaw-assert-clusterpolicy.yaml
28+
- name: create-test-namespace
29+
try:
30+
- apply:
31+
resource:
32+
apiVersion: v1
33+
kind: Namespace
34+
metadata:
35+
name: test-ns
36+
- name: verify-egress-firewall-created
37+
try:
38+
- assert:
39+
resource:
40+
apiVersion: k8s.ovn.org/v1
41+
kind: EgressFirewall
42+
metadata:
43+
name: default
44+
namespace: test-ns
45+
- name: create-internal-services-namespace
46+
try:
47+
- apply:
48+
resource:
49+
apiVersion: v1
50+
kind: Namespace
51+
metadata:
52+
name: internal-services
53+
- name: verify-no-egress-firewall-in-internal-services
54+
try:
55+
- delete:
56+
ref:
57+
apiVersion: k8s.ovn.org/v1
58+
kind: EgressFirewall
59+
namespace: internal-services
60+
name: default
61+
expect:
62+
- check:
63+
($error != null): true
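Review bot: The positive check in `verify-egress-firewall-created` asserts only that an EgressFirewall named `default` exists in `test-ns`; it never verifies that the object carries the Deny rule for the signing server, so a policy that generated an empty or Allow-only firewall would still pass. Extending the asserted resource with the expected `spec` closes that gap. The negative step `verify-no-egress-firewall-in-internal-services` passes as soon as the delete returns NotFound, which is also what happens if the background controller simply has not generated yet, so it cannot distinguish "excluded by policy" from "not yet processed"; a short `sleep` before it, or a chainsaw `error` operation after a settle period, would make the check meaningful. The description also has two typos: `is is creating` should read `is creating`, and `expect in internal-services` should read `except in internal-services`.
```yaml
            metadata:
              name: default
              namespace: test-ns
            # added: assert the generated rule, not just existence
            spec:
              egress:
                - to:
                    dnsName: signserver.devel.redhat.com
                  type: Deny
```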
Lines changed: 47 additions & 0 deletions
@@ -0,0 +1,47 @@
1+
apiVersion: apiextensions.k8s.io/v1
2+
kind: CustomResourceDefinition
3+
metadata:
4+
name: egressfirewalls.k8s.ovn.org
5+
spec:
6+
group: k8s.ovn.org
7+
names:
8+
kind: EgressFirewall
9+
listKind: EgressFirewallList
10+
plural: egressfirewalls
11+
singular: egressfirewall
12+
shortNames:
13+
- egressfw
14+
scope: Namespaced
15+
versions:
16+
- name: v1
17+
served: true
18+
storage: true
19+
schema:
20+
openAPIV3Schema:
21+
type: object
22+
properties:
23+
spec:
24+
type: object
25+
properties:
26+
egress:
27+
type: array
28+
items:
29+
type: object
30+
properties:
31+
type:
32+
type: string
33+
enum:
34+
- Allow
35+
- Deny
36+
to:
37+
type: object
38+
properties:
39+
cidrSelector:
40+
type: string
41+
dnsName:
42+
type: string
43+
status:
44+
type: object
45+
x-kubernetes-preserve-unknown-fields: true
46+
subresources:
47+
status: {}
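Review bot: This CRD is a permissive stand-in: `egress[].to` accepts any combination of `cidrSelector` and `dnsName`, nothing is marked `required`, and `status` preserves unknown fields, so the chainsaw test proves the policy's match/exclude/generate wiring but not that the generated spec would be accepted by the real OVN-Kubernetes CRD, whose validation may be stricter. A header comment stating that scope would stop a future reader from treating this file as the production schema, e.g. `# Minimal mock of egressfirewalls.k8s.ovn.org for chainsaw tests only; validation is intentionally looser than the real CRD.`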
Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
apiVersion: kyverno.io/v1
2+
kind: ClusterPolicy
3+
metadata:
4+
name: block-signing-server-access
5+
annotations:
6+
policies.kyverno.io/title: Block signing server access
7+
policies.kyverno.io/category: Firewall
8+
policies.kyverno.io/subject: EgressFirewall
9+
policies.kyverno.io/description: >-
10+
This policy automatically generates an EgressFirewall resource in all
11+
namespaces except the 'internal-services' namespace to block access to the signing server.
12+
spec:
13+
background: true
14+
rules:
15+
- name: generate-egress-firewall
16+
match:
17+
any:
18+
- resources:
19+
kinds:
20+
- /v1/Namespace
21+
exclude:
22+
any:
23+
- resources:
24+
namespaces:
25+
- internal-services
26+
generate:
27+
generateExisting: true
28+
apiVersion: k8s.ovn.org/v1
29+
kind: EgressFirewall
30+
name: default
31+
namespace: "{{request.object.metadata.name}}"
32+
synchronize: true
33+
data:
34+
spec:
35+
egress:
36+
- to:
37+
dnsName: signserver.devel.redhat.com
38+
type: Deny
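Review bot: The exclusion under `exclude.any[0].resources.namespaces` relies on Kyverno treating the `namespaces` selector as the Namespace object's own name when the matched kind is `/v1/Namespace`; if the intent is to exclude that Namespace by name, `names:` is the unambiguous selector, so consider changing `namespaces:` to `names:` on that line (the `- internal-services` item stays) after confirming behaviour on the deployed Kyverno version. The single `dnsName` Deny rule depends on OVN's DNS-based rule handling, so connections addressed directly to the server's address rather than through its hostname are not covered unless a matching `cidrSelector` Deny is added; recording that scope in the `policies.kyverno.io/description` annotation would help operators judge the control. `synchronize: true` together with `generateExisting: true` is the right choice here, since it reconciles the firewall in namespaces that already exist and restores it if it is edited or removed in the target namespace.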
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
apiVersion: kustomize.config.k8s.io/v1beta1
2+
kind: Kustomization
3+
resources:
4+
- block-signing-server-access.yaml
5+
- kyverno_rbac.yaml
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
---
2+
apiVersion: rbac.authorization.k8s.io/v1
3+
kind: ClusterRole
4+
metadata:
5+
name: kyverno-admission:viewer-egressfirewall
6+
labels:
7+
rbac.kyverno.io/aggregate-to-admission-controller: "true"
8+
rules:
9+
- apiGroups:
10+
- k8s.ovn.org
11+
resources:
12+
- egressfirewalls
13+
verbs:
14+
- list
15+
- get
16+
---
17+
apiVersion: rbac.authorization.k8s.io/v1
18+
kind: ClusterRole
19+
metadata:
20+
name: kyverno-background:manage-egressfirewall
21+
labels:
22+
rbac.kyverno.io/aggregate-to-background-controller: "true"
23+
rules:
24+
- apiGroups:
25+
- k8s.ovn.org
26+
resources:
27+
- egressfirewalls
28+
verbs:
29+
- create
30+
- get
31+
- list
32+
- delete
33+
- update
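Review bot: The background ClusterRole grants `create`, `get`, `list`, `delete` and `update` on egressfirewalls, but Kyverno generate rules with `synchronize: true` typically also rely on `patch` (and possibly `watch`) on the generated kind; if those are missing, synchronization failures surface only as RBAC errors in the background-controller log, so this should be checked against the deployed Kyverno version and `- patch` / `- watch` added if required. The admission-controller role is read-only, which is appropriate for its role in evaluating the policy. Both roles apply cluster-wide to every EgressFirewall, including ones not generated by this policy; that is inherent to a cluster-wide generate rule, but a comment above the background role stating it would document the intended blast radius.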
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
apiVersion: kustomize.config.k8s.io/v1beta1
2+
kind: Kustomization
3+
resources:
4+
- block-signing-server-access
