Re-add network policies back to helm chart and fix node egress #11771

Merged on Jan 18, 2024; 23 commits.
22a3644
Re-add helm network policies from prev commit:
chainchad Jan 12, 2024
5a24e01
Fix chainlink node networkpolicy egress ports
chainchad Jan 12, 2024
cdd308c
Merge branch 'develop' into re-2167/fix-network-policies-helm
chainchad Jan 12, 2024
8260e0f
Test removing network policies
chainchad Jan 16, 2024
f96c1b3
Merge branch 're-2167/fix-network-policies-helm' of github.com:smartc…
chainchad Jan 16, 2024
f5409f9
Revert "Test removing network policies"
chainchad Jan 16, 2024
951e9d7
Use proper syntax
chainchad Jan 16, 2024
bfdf619
Fix syntax
chainchad Jan 16, 2024
0a5e694
Delete egress rules on node np
chainchad Jan 16, 2024
5be830b
Create network policy for runner template
chainchad Jan 16, 2024
21a732f
Set default np to ingress only
chainchad Jan 16, 2024
ed64311
Merge branch 'develop' into re-2167/fix-network-policies-helm
chainchad Jan 16, 2024
96e36bf
Fix EOF
chainchad Jan 16, 2024
04fb325
Merge branch 're-2167/fix-network-policies-helm' of github.com:smartc…
chainchad Jan 16, 2024
fa77e17
Fix indent
chainchad Jan 17, 2024
43f9577
Include default egress rules
chainchad Jan 17, 2024
4a021c1
Rename network policy
chainchad Jan 17, 2024
562e26a
Avoid hardcode
chainchad Jan 17, 2024
0c5cbb1
test load and chaos, fix reorg
skudasov Jan 18, 2024
90987fe
Merge remote-tracking branch 'origin/re-2167/fix-network-policies-hel…
skudasov Jan 18, 2024
3b20ba1
Merge branch 'develop' into re-2167/fix-network-policies-helm
skudasov Jan 18, 2024
c01d283
Merge branch 'develop' into re-2167/fix-network-policies-helm
chainchad Jan 18, 2024
6b623dc
Merge branch 'develop' into re-2167/fix-network-policies-helm
chainchad Jan 18, 2024
4 changes: 2 additions & 2 deletions charts/chainlink-cluster/devspace.yaml
Expand Up @@ -21,8 +21,8 @@ pipelines:
run_dependencies --all
ensure_pull_secrets --all
build_images ---var DOCKER_DEFAULT_PLATFORM=linux/amd64 --all -t $(git rev-parse --short HEAD)
kubectl annotate namespace ${DEVSPACE_NAMESPACE} janitor/ttl=${NS_TTL}
kubectl label namespace/${DEVSPACE_NAMESPACE} network=crib
kubectl annotate namespace ${DEVSPACE_NAMESPACE} janitor/ttl=${NS_TTL} || true
kubectl label namespace/${DEVSPACE_NAMESPACE} network=crib || true
create_deployments --all
echo "Namespace ${DEVSPACE_NAMESPACE} will be deleted in ${NS_TTL}"
purge:
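Review bot: `|| true` on the `kubectl annotate` and `kubectl label` lines hides every failure, not only the "already has a value" error on a re-run. If the annotate call fails for another reason (RBAC, missing namespace), `janitor/ttl` is never set, yet the pipeline still echoes "Namespace ${DEVSPACE_NAMESPACE} will be deleted in ${NS_TTL}". Passing `--overwrite` to both commands makes re-runs idempotent while keeping real errors fatal.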
@@ -0,0 +1,23 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ $.Release.Name }}-db
spec:
podSelector:
matchLabels:
app: {{ $.Release.Name }}-db
policyTypes:
- Ingress
ingress:
- from:
# Allow all node pods to access the database pods.
- podSelector:
matchLabels:
app: {{ $.Release.Name }}
# Allow all runner pods to access the database pods.
- podSelector:
matchLabels:
app: runner
ports:
- protocol: TCP
port: 5432
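Review bot: the second `from` peer, `app: runner`, is a fixed label, while the node peer and the target selector are scoped with `{{ $.Release.Name }}`. Any pod in the namespace that carries `app: runner` can therefore reach Postgres on 5432, including a runner that belongs to another release. If the runner needs direct database access, give the runner pods a release-scoped label and select on that; if it does not, drop the peer.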
@@ -0,0 +1,19 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ $.Release.Name }}-node
spec:
podSelector:
matchLabels:
app: {{ $.Release.Name }}
policyTypes:
- Ingress
ingress:
# Allow all ingress traffic between the node pods and from runner pod.
- from:
- podSelector:
matchLabels:
app: {{ $.Release.Name }}
- podSelector:
matchLabels:
app: runner
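Review bot: the single ingress rule has no `ports` list, so every port on the node pods is reachable from the runner and from peer nodes, whereas the db, geth and mockserver policies in this PR pin their ports. If all-ports is intended, as the comment suggests, state the reason in the comment; otherwise list the ports the node actually serves.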
2 changes: 2 additions & 0 deletions charts/chainlink-cluster/templates/geth-deployment.yaml
Expand Up @@ -65,6 +65,8 @@ spec:
- '--miner.etherbase'
- '0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266'
- '--ipcdisable'
- '--http.api'
- 'admin,debug,web3,eth,txpool,personal,miner,net'
- '--http'
- '--http.vhosts'
- '*'
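Review bot: the added `--http.api` value enables `admin`, `debug`, `personal` and `miner` over HTTP, on a listener that already accepts any Host header through `--http.vhosts '*'`. Those namespaces allow node administration and account operations, so access to this endpoint now depends on the geth NetworkPolicy restricting callers. Trim the list to the modules the tests call, or add a comment stating that this deployment is meant for ephemeral test clusters only.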
25 changes: 25 additions & 0 deletions charts/chainlink-cluster/templates/geth-networkpolicy.yaml
@@ -0,0 +1,25 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ $.Release.Name }}-geth
spec:
podSelector:
matchLabels:
app: geth
policyTypes:
- Ingress
ingress:
- from:
# Allow http and websocket connections from the node pods.
- podSelector:
matchLabels:
app: {{ $.Release.Name }}
# Allow http and websocket connections from the runner pods.
- podSelector:
matchLabels:
app: runner
ports:
- protocol: TCP
port: 8544
- protocol: TCP
port: 8546
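Review bot: the first port, `8544`, needs checking against the geth args, because the comments describe these as the http and websocket ports and geth's default HTTP-RPC port is 8545 (8546 is the WebSocket default). If geth-deployment.yaml does not set `--http.port 8544`, this rule blocks HTTP RPC from the node and runner pods. Ideally take both ports from a shared chart value so the deployment and the policy cannot drift apart.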
@@ -0,0 +1,23 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ $.Release.Name }}-mockserver
spec:
podSelector:
matchLabels:
app: mockserver
policyTypes:
- Ingress
ingress:
- from:
# Allow http traffic from the node pods.
- podSelector:
matchLabels:
app: {{ $.Release.Name }}
# Allow http traffic from the runner pods.
- podSelector:
matchLabels:
app: runner
ports:
- protocol: TCP
port: 1080
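Review bot: port `1080` and the `app: mockserver` selector are hard-coded here, separately from the mockserver deployment template (not shown in this diff) that defines them. If the container port or pod label changes there, this policy stops matching and mockserver becomes unreachable with no error at install time. Reference the same chart values or helper that the deployment uses.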
@@ -0,0 +1,27 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
spec:
podSelector:
matchLabels: {}
policyTypes:
- Ingress
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: "{{ $.Release.Namespace }}"
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
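Review bot: `name: default-deny` is the only policy name in this PR without the `{{ $.Release.Name }}` prefix, so a second release installed into the same namespace would collide on it. The name also undersells what the policy does: with `Egress` in `policyTypes` and only two `to` rules, every pod is limited to in-namespace traffic plus DNS to `kube-dns` on port 53, and any destination outside the namespace is blocked. This template has no comments, unlike the others; add one per egress rule stating that intent.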
19 changes: 19 additions & 0 deletions charts/chainlink-cluster/templates/runner-networkpolicy.yaml
@@ -0,0 +1,19 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ $.Release.Name }}-runner
spec:
podSelector:
matchLabels:
app: runner
policyTypes:
- Ingress
ingress:
# Allow all ingress traffic between the node pods and from runner pod.
- from:
- podSelector:
matchLabels:
app: {{ $.Release.Name }}
- podSelector:
matchLabels:
app: runner
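Review bot: the comment above `- from:` is copied from the node policy and reads "between the node pods and from runner pod", but this policy selects `app: runner`, so it allows ingress to the runner from node pods and from other runner pods. Reword the comment to match. As in the node policy, there is no `ports` list; if the runner listens only on specific ports, list them.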