feat(network): implement ingress network policies #1017

Open
wants to merge 12 commits into
base: split-deployment

@andrewazores (Member) commented Jan 16, 2025

Welcome to Cryostat! 👋

Before contributing, make sure you have:

  • Read the contributing guidelines
  • Linked a relevant issue which this PR resolves
  • Linked any other relevant issues, PRs, or documentation, if any
  • Resolved all conflicts, if any
  • Rebased your branch PR on top of the latest upstream main branch
  • Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
  • Signed all commits: git commit -S -m "YOUR_COMMIT_MESSAGE"

Fixes: #1008
See #814
See also cryostatio/cryostat-helm#208

Description of the change:

Mirrors the NetworkPolicy implementation for ingress traffic from the Helm PR above.

Motivation for the change:

Adds network-level isolation to various Pods created by the Operator, so that traffic to each is only allowed from expected origins (assuming the cluster supports this feature). This prevents unexpected connections to the database or storage, which could result in data being leaked if authentication is not configured or is somehow bypassed.

How to manually test:

  1. Check out and build PR
  2. Deploy, then create a Cryostat CR with 1 reports replica
  3. Wait for everything to be reconciled
  4. oc describe networkpolicy
  5. See other testing steps in Helm PR, ex. use oc run and try to curl requests to http://cryostat-sample-reports:10000 or http://cryostat-sample-storage:8333.
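
For readers unfamiliar with the resource type, here is an added example of an ingress NetworkPolicy of the kind the description refers to, restricting the storage port to a single expected origin. It is not taken from this PR or from the Operator's code; the policy name and every label key and value are assumptions, and only port 8333 comes from the test steps above.

```yaml
# Illustrative manifest only; not generated by the Operator.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-storage-ingress        # hypothetical name
spec:
  # Pods this policy isolates. Once any policy with policyTypes: Ingress
  # selects a Pod, ingress that no rule allows is dropped.
  podSelector:
    matchLabels:
      app: cryostat-sample             # assumed label
      component: storage               # assumed label
  policyTypes:
    - Ingress
  ingress:
    - from:
        # A podSelector with no namespaceSelector matches only Pods in the
        # policy's own namespace.
        - podSelector:
            matchLabels:
              app: cryostat-sample     # assumed label
              component: cryostat      # assumed label
      ports:
        - protocol: TCP
          port: 8333                   # storage port from step 5 above
```

On a cluster whose network plugin enforces NetworkPolicy, a Pod started with oc run that lacks the allowed labels cannot connect to port 8333 on the selected Pods. Pods that no policy selects stay reachable from anywhere, so oc describe networkpolicy is the place to confirm which Pods each policy's selector covers.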

@andrewazores andrewazores added feat New feature or request safe-to-test labels Jan 16, 2025
@andrewazores
Member Author

/build_test

@andrewazores
Member Author

/build_test completed successfully ✅.
View Actions Run.

@andrewazores andrewazores marked this pull request as ready for review January 16, 2025 18:35
@andrewazores andrewazores marked this pull request as draft January 16, 2025 18:35
@andrewazores andrewazores marked this pull request as ready for review January 16, 2025 19:40
@andrewazores
Member Author

/build_test

@andrewazores andrewazores requested a review from ebaron January 16, 2025 19:40

/build_test completed successfully ✅.
View Actions Run.
