
Commit fe859b4

committed
[public-api] Add network policy to allow connections from proxy
1 parent 45f11d6 commit fe859b4


3 files changed

+103
-0
lines changed

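--- /dev/null
+++ b/<new-file-path-not-shown-on-page>
@@ -0,0 +1,55 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package public_api_server
+
+import (
+"github.com/gitpod-io/gitpod/installer/pkg/common"
+networkingv1 "k8s.io/api/networking/v1"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/apimachinery/pkg/runtime"
+"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+func networkpolicy(ctx *common.RenderContext) ([]runtime.Object, error) {
+labels := common.DefaultLabels(Component)
+
+return []runtime.Object{
+&networkingv1.NetworkPolicy{
+TypeMeta: common.TypeMetaNetworkPolicy,
+ObjectMeta: metav1.ObjectMeta{
+Name: Component,
+Namespace: ctx.Namespace,
+Labels: labels,
+},
+Spec: networkingv1.NetworkPolicySpec{
+PodSelector: metav1.LabelSelector{MatchLabels: labels},
+PolicyTypes: []networkingv1.PolicyType{"Ingress"},
+Ingress: []networkingv1.NetworkPolicyIngressRule{
+{
+Ports: []networkingv1.NetworkPolicyPort{
+{
+Protocol: common.TCPProtocol,
+Port: &intstr.IntOrString{IntVal: HTTPContainerPort},
+},
+{
+Protocol: common.TCPProtocol,
+Port: &intstr.IntOrString{IntVal: GRPCContainerPort},
+},
+},
+From: []networkingv1.NetworkPolicyPeer{
+{
+PodSelector: &metav1.LabelSelector{
+MatchLabels: map[string]string{
+"component": common.ProxyComponent,
+},
+},
+},
+},
+},
+},
+},
+},
+}, nil
+}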
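Review bot: `PolicyTypes: []networkingv1.PolicyType{"Ingress"}` in the Spec relies on an untyped string where the API exposes a typed constant; prefer `PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress}` so a typo is a compile error instead of a policy the API server rejects at apply time. The peer uses only a PodSelector with no NamespaceSelector, which limits the allowed source to proxy pods in the policy's own namespace, and because the policy selects the component's pods with an Ingress policy type, every other ingress to these pods is denied — both consequences deserve a doc comment on the function, e.g. `// networkpolicy renders an ingress-only NetworkPolicy for this component's pods: only pods labelled component=common.ProxyComponent in the same namespace may reach the HTTP and gRPC container ports; all other ingress is denied.` If anything else in the cluster (a metrics scraper, say) currently reaches these pods, confirm it is exempt or covered elsewhere. The `intstr.IntOrString{IntVal: ...}` literals work only because the zero value of Type is `intstr.Int`; `intstr.FromInt(...)` makes that explicit, if the port constants' type allows it.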
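--- /dev/null
+++ b/<new-test-file-path-not-shown-on-page>
@@ -0,0 +1,47 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.package public_api_server
+package public_api_server
+
+import (
+"github.com/gitpod-io/gitpod/installer/pkg/common"
+"github.com/stretchr/testify/require"
+networkingv1 "k8s.io/api/networking/v1"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/apimachinery/pkg/util/intstr"
+"testing"
+)
+
+func TestNetworkPolicy(t *testing.T) {
+objects, err := networkpolicy(renderContextWithPublicAPIEnabled(t))
+require.NoError(t, err)
+require.Len(t, objects, 1)
+
+policy, ok := objects[0].(*networkingv1.NetworkPolicy)
+require.Truef(t, ok, "must cast object to network policy")
+
+ingress := policy.Spec.Ingress
+require.Len(t, ingress, 1, "must have only one ingress rule")
+
+require.Equal(t, networkingv1.NetworkPolicyIngressRule{
+Ports: []networkingv1.NetworkPolicyPort{
+{
+Protocol: common.TCPProtocol,
+Port: &intstr.IntOrString{IntVal: HTTPContainerPort},
+},
+{
+Protocol: common.TCPProtocol,
+Port: &intstr.IntOrString{IntVal: GRPCContainerPort},
+},
+},
+From: []networkingv1.NetworkPolicyPeer{
+{
+PodSelector: &metav1.LabelSelector{
+MatchLabels: map[string]string{
+"component": common.ProxyComponent,
+},
+},
+},
+},
+}, ingress[0])
+}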
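Review bot: TestNetworkPolicy pins the ingress rule but not the policy's own target or its policy types, so a wrong `PodSelector` on the Spec (the policy attaching to no pods, or to the wrong ones) or a dropped `PolicyTypes` entry would pass unnoticed; after the type assertion add `require.Equal(t, common.DefaultLabels(Component), policy.Spec.PodSelector.MatchLabels)` and `require.Equal(t, []networkingv1.PolicyType{"Ingress"}, policy.Spec.PolicyTypes)`. `renderContextWithPublicAPIEnabled` is defined outside this hunk, so whether it produces the namespace the policy is expected to land in cannot be checked here; a `require.Equal` on `policy.Namespace` against that context's namespace would close that gap. The import block lists `"testing"` after the third-party modules; goimports would put it in a separate stdlib group first.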

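--- a/install/installer/pkg/components/public-api-server/objects.go
+++ b/install/installer/pkg/components/public-api-server/objects.go
@@ -22,6 +22,7 @@ func Objects(ctx *common.RenderContext) ([]runtime.Object, error) {
 rolebinding,
 common.DefaultServiceAccount(Component),
 service,
+networkpolicy,
 )(ctx)
 }
 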
