feat: add NetworkPolicy support for TektonTrigger #3531
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: (no approvers listed). Needs approval from an approver in each of these files.
Introduce NetworkPolicyConfig struct embedded in component specs, allowing operators to disable NetworkPolicies or override individual policies by name.

Add pkg/reconciler/common/networkpolicy with:
- platform.go: PlatformParams for Kubernetes and OpenShift DNS/Prometheus defaults
- networkpolicy.go: Generate() with map-merge and deterministic sorted output
- networkpolicy_test.go: 13 unit tests covering merge, disable, and rule helpers

Wire NetworkPolicyConfig into TektonTriggerSpec and TektonConfigSpec (reconciler integration for TektonConfig is deferred). Regenerate zz_generated.deepcopy.go.

Signed-off-by: Khurram Baig <khurram.baig@gmail.com>
Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Add triggersDefaultPolicies() defining four NetworkPolicies for the
Triggers workloads (controller, webhook, core-interceptors ingress,
core-interceptors egress). Platform-specific DNS and Prometheus values
are resolved at controller startup via v1alpha1.IsOpenShiftPlatform().
reconcileNetworkPolicies() applies policies as a named CustomSet
("triggers-network-policies") or cleans it up when disabled.
Signed-off-by: Khurram Baig <khurram.baig@gmail.com>
Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com>
/retest
```go
// InternetEgressRule allows egress on TCP 80 and 443 to any destination.
func InternetEgressRule() networkingv1.NetworkPolicyEgressRule {
	tcpHTTP := corev1.ProtocolTCP
	tcpHTTPS := corev1.ProtocolTCP
```
Maybe just one variable: tcp := corev1.ProtocolTCP
- Are we missing some rules?
  - liveness and readiness probe rules from kubelet
  - EventListener rules (events from GitHub to trigger the EventListener)
- Can we also have a human readable table for the rules we allow/deny as part of the docs?
```go
	for _, p := range defaults {
		merged[p.Name] = p
	}
	for name, spec := range cfg.Policies {
```
There is no validation for the user input; if name is empty, it will be rejected by the apiserver.
Add TestTektonTriggerNetworkPolicy covering:
- Default NetworkPolicies created when TektonTrigger is Ready
- Triggers functional end-to-end with policies in place:
- CEL interceptor matching event (action=push) → PipelineRun created,
exercising interceptors ingress from all namespaces on port 8443
and interceptors → API server egress
- CEL interceptor non-matching event (action=open) → blocked by
interceptor, no new PipelineRun created
- spec.networkPolicy.disabled=true removes all policies
- Re-enabling restores all policies
Add helper functions in test/resources/networkpolicies.go:
AssertNetworkPoliciesExist, AssertNetworkPoliciesAbsent,
AssertEventListenerReady, AssertPipelineRunCreated,
AssertPipelineRunCountUnchanged.
Add testdata/triggers/ with Pipeline, TriggerBinding, TriggerTemplate,
and EventListener (with CEL interceptor) YAML fixtures.
Signed-off-by: Khurram Baig <khurram.baig@gmail.com>
Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com>
@khrm Please add release note
Changes:

Introduces opt-in NetworkPolicy support for the TektonTrigger component.

New shared infrastructure (pkg/reconciler/common/networkpolicy):
- NetworkPolicyConfig API type embedded in component specs; supports a disabled flag and per-policy overrides via a policies map
- Generate(): merges user-supplied policies over defaults with deterministic sorted output for stable InstallerSet checksums
- DefaultDenyPolicy(): shared helper for component-scoped or namespace-wide default-deny policies
- PlatformParams for Kubernetes and OpenShift DNS resolver and Prometheus namespace selectors
- DNSEgressRule, APIServerEgressRule, InternetEgressRule, PrometheusIngressRule, WebhookIngressRule

TektonTrigger wiring:
- Policies applied as a named CustomSet (triggers-network-policies):
  - tekton-default-deny: default-deny scoped to app.kubernetes.io/part-of: tekton-triggers pods (temporary; will move to TektonPipeline and become namespace-wide once all components implement NP support)
  - triggers-controller: allows Prometheus ingress on port 9000
  - triggers-webhook: allows webhook ingress on 8443 and Prometheus ingress on 9000
  - triggers-core-interceptors: allows ingress on 8443 from all namespaces (EventListeners are user-controlled)
  - triggers-core-interceptors-egress-internet: allows egress on TCP 80/443 for external API calls
- Platform resolved via v1alpha1.IsOpenShiftPlatform() at controller startup; no extra parameters threaded through public APIs
- spec.networkPolicy.disabled: true cleans up all policies
- NetworkPolicyConfig field also added to TektonConfigSpec (reconciler integration deferred)

Submitter Checklist
These are the criteria that every PR should meet, please check them off as you review them:
- make test lint before submitting a PR

See the contribution guide for more details.
Release Notes
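The merge, sort and disable behaviour the description attributes to Generate(), together with the empty-name check raised in review, as an added stand-alone example that is not code from the PR or the operator; PolicySpec, Policy and NetworkPolicyConfig are simplified stand-ins for the Kubernetes and operator types, and TriggersDefaults is a constructed sample of two of the defaults named above.

```go
package main

import "fmt"
import "sort"

// Simplified stand-ins for the Kubernetes NetworkPolicy types (assumed shapes, not k8s.io/api).
type PolicySpec struct {
	PodSelector  map[string]string // empty selector means namespace-wide
	IngressPorts []int32           // nil means nothing may reach the selected pods (default-deny)
}
type Policy struct{ Name string; Spec PolicySpec }
// NetworkPolicyConfig mirrors the API type the PR describes: a disable switch plus per-name overrides.
type NetworkPolicyConfig struct{ Disabled bool; Policies map[string]PolicySpec }

// Generate merges user overrides over the defaults by name and returns them sorted by name so repeated
// reconciles yield identical output (stable InstallerSet checksum); an empty override name is rejected here.
func Generate(cfg NetworkPolicyConfig, defaults []Policy) ([]Policy, error) {
	if cfg.Disabled {
		return nil, nil // caller removes the CustomSet when nothing is returned
	}
	merged := make(map[string]Policy, len(defaults)+len(cfg.Policies))
	for _, p := range defaults {
		merged[p.Name] = p
	}
	for name, spec := range cfg.Policies {
		if name == "" {
			return nil, fmt.Errorf("networkPolicy.policies: policy name must not be empty")
		}
		merged[name] = Policy{Name: name, Spec: spec} // override replaces the default of the same name
	}
	out := make([]Policy, 0, len(merged))
	for _, p := range merged {
		out = append(out, p)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out, nil
}

// TriggersDefaults is a constructed sample of two of the defaults named in the PR description.
func TriggersDefaults() []Policy {
	sel := map[string]string{"app.kubernetes.io/part-of": "tekton-triggers"}
	return []Policy{
		{Name: "triggers-controller", Spec: PolicySpec{PodSelector: sel, IngressPorts: []int32{9000}}},
		{Name: "tekton-default-deny", Spec: PolicySpec{PodSelector: sel}},
	}
}
func main() {
	out, err := Generate(NetworkPolicyConfig{}, TriggersDefaults())
	fmt.Println(len(out), err) // 2 <nil>; tekton-default-deny sorts first
}
```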