diff --git a/install/installer/pkg/common/constants.go b/install/installer/pkg/common/constants.go
index 9c84233ad78a8d..b8e0a4bc71a3df 100644
--- a/install/installer/pkg/common/constants.go
+++ b/install/installer/pkg/common/constants.go
@@ -35,7 +35,7 @@ const (
 RegistryAuthSecret = "builtin-registry-auth"
 RegistryTLSCertSecret = "builtin-registry-certs"
 RegistryFacadeComponent = "registry-facade"
- RegistryFacadeServicePort = 30000
+ RegistryFacadeServicePort = 20000
 RegistryFacadeTLSCertSecret = "builtin-registry-facade-cert"
 ServerComponent = "server"
 ServerInstallationAdminPort = 9000
diff --git a/install/installer/pkg/common/networkpolicies.go b/install/installer/pkg/common/networkpolicies.go
new file mode 100644
index 00000000000000..3155de9202daf2
--- /dev/null
+++ b/install/installer/pkg/common/networkpolicies.go
@@ -0,0 +1,70 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package common
+
+import (
+ corev1 "k8s.io/api/core/v1"
+ v1 "k8s.io/api/networking/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/intstr"
+)
+
+func AllowKubeDnsEgressRule() v1.NetworkPolicyEgressRule {
+ var tcp = corev1.ProtocolTCP
+ var udp = corev1.ProtocolUDP
+
+ dnsEgressRule := v1.NetworkPolicyEgressRule{
+ Ports: []v1.NetworkPolicyPort{
+ {
+ Protocol: &tcp,
+ Port: &intstr.IntOrString{
+ IntVal: 53,
+ },
+ },
+ {
+ Protocol: &udp,
+ Port: &intstr.IntOrString{
+ IntVal: 53,
+ },
+ },
+ },
+ To: []v1.NetworkPolicyPeer{{
+ PodSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "k8s-app": "kube-dns",
+ },
+ },
+ NamespaceSelector: &metav1.LabelSelector{},
+ }},
+ }
+
+ return dnsEgressRule
+}
+
+func AllowWSManagerEgressRule() v1.NetworkPolicyEgressRule {
+ var tcp = corev1.ProtocolTCP
+
+ dnsEgressRule := v1.NetworkPolicyEgressRule{
+ Ports: []v1.NetworkPolicyPort{
+ {
+ Protocol: &tcp,
+ Port: &intstr.IntOrString{
+ IntVal: 8080,
+ },
+ },
+ },
+ To: []v1.NetworkPolicyPeer{{
+ PodSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "app": AppName,
+ "component": WSManagerComponent,
+ },
+ },
+ NamespaceSelector: &metav1.LabelSelector{},
+ }},
+ }
+
+ return dnsEgressRule
+}
diff --git a/install/installer/pkg/components/cluster/podsecuritypolicies.go b/install/installer/pkg/components/cluster/podsecuritypolicies.go
index 27dcc3071e817d..be8ba624ab6f7f 100644
--- a/install/installer/pkg/components/cluster/podsecuritypolicies.go
+++ b/install/installer/pkg/components/cluster/podsecuritypolicies.go
@@ -6,6 +6,7 @@ package cluster
 import (
 "fmt"
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/api/policy/v1beta1"
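Review bot: AllowKubeDnsEgressRule and AllowWSManagerEgressRule are exported but carry no doc comment; each should get one in the Go form, e.g. `// AllowKubeDnsEgressRule returns an egress rule permitting TCP and UDP port 53 to pods labelled k8s-app=kube-dns in any namespace.` with the equivalent for the ws-manager rule on TCP 8080. In AllowWSManagerEgressRule the local `dnsEgressRule` is a copy-paste leftover — it holds the ws-manager rule, so `rule :=` / `return rule` reads correctly. The ports can be built with `port := intstr.FromInt(53)` and `Port: &port`, which sets the IntOrString Type explicitly instead of relying on the zero value. Note that the empty `NamespaceSelector: &metav1.LabelSelector{}` matches every namespace, which kube-dns needs, but for ws-manager it also admits any pod in any namespace carrying the app/component labels; if ws-manager always lives in the installation namespace, consider taking the namespace as a parameter and selecting on it.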
diff --git a/install/installer/pkg/components/image-builder-mk3/networkpolicy.go b/install/installer/pkg/components/image-builder-mk3/networkpolicy.go
index 770c4d693b4d59..798e27ef5cc12c 100644
--- a/install/installer/pkg/components/image-builder-mk3/networkpolicy.go
+++ b/install/installer/pkg/components/image-builder-mk3/networkpolicy.go
@@ -16,34 +16,25 @@ import (
 func networkpolicy(ctx *common.RenderContext) ([]runtime.Object, error) {
 labels := common.DefaultLabels(Component)
- return []runtime.Object{&networkingv1.NetworkPolicy{
- TypeMeta: common.TypeMetaNetworkPolicy,
- ObjectMeta: metav1.ObjectMeta{
- Name: Component,
- Namespace: ctx.Namespace,
- Labels: labels,
- },
- Spec: networkingv1.NetworkPolicySpec{
- PodSelector: metav1.LabelSelector{MatchLabels: labels},
- PolicyTypes: []networkingv1.PolicyType{"Ingress", "Egress"},
- Ingress: []networkingv1.NetworkPolicyIngressRule{{
- From: []networkingv1.NetworkPolicyPeer{{
- PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{
- "component": server.Component,
+ return []runtime.Object{
+ &networkingv1.NetworkPolicy{
+ TypeMeta: common.TypeMetaNetworkPolicy,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: ctx.Namespace,
+ Labels: labels,
+ },
+ Spec: networkingv1.NetworkPolicySpec{
+ PodSelector: metav1.LabelSelector{MatchLabels: labels},
+ PolicyTypes: []networkingv1.PolicyType{"Ingress"},
+ Ingress: []networkingv1.NetworkPolicyIngressRule{{
+ From: []networkingv1.NetworkPolicyPeer{{
+ PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{
+ "component": server.Component,
+ }},
 }},
 }},
- }},
- Egress: []networkingv1.NetworkPolicyEgressRule{{
- To: []networkingv1.NetworkPolicyPeer{{
- IPBlock: &networkingv1.IPBlock{
- CIDR: "0.0.0.0/0",
- Except: []string{
- // Google Compute engine special, reserved VM metadata IP
- "169.254.169.254/32",
- },
- },
- }},
- }},
+ },
 },
- }}, nil
+ }, nil
 }
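Review bot: Dropping "Egress" from PolicyTypes removes the only restriction this policy placed on the image builder's outbound traffic — the deleted egress rule allowed everything except 169.254.169.254/32, which the removed comment identifies as the VM metadata endpoint — so a compromised pod of this component could now reach that endpoint unless something outside this diff reinstates the block. If the intent was only to restructure the literal, keep `PolicyTypes: []networkingv1.PolicyType{"Ingress", "Egress"}` and restore the IPBlock rule with its exception; the new `common.AllowKubeDnsEgressRule()` can be listed alongside it for explicitness, as the workspace policy in this commit does, though kube-dns pod IPs already fall inside 0.0.0.0/0. The networkpolicy body continues one line past this hunk. The Spec would then read:
```go
			Spec: networkingv1.NetworkPolicySpec{
				PodSelector: metav1.LabelSelector{MatchLabels: labels},
				PolicyTypes: []networkingv1.PolicyType{"Ingress", "Egress"},
				// … unchanged: Ingress rule from server.Component …
				Egress: []networkingv1.NetworkPolicyEgressRule{
					common.AllowKubeDnsEgressRule(),
					{
						To: []networkingv1.NetworkPolicyPeer{{
							IPBlock: &networkingv1.IPBlock{
								CIDR: "0.0.0.0/0",
								// keep the VM metadata endpoint unreachable from the builder
								Except: []string{"169.254.169.254/32"},
							},
						}},
					},
				},
			},
```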
diff --git a/install/installer/pkg/components/registry-facade/podsecuritypolicy.go b/install/installer/pkg/components/registry-facade/podsecuritypolicy.go
index 9a9d1f034acc3d..6d8bcc2d81a01b 100644
--- a/install/installer/pkg/components/registry-facade/podsecuritypolicy.go
+++ b/install/installer/pkg/components/registry-facade/podsecuritypolicy.go
@@ -38,8 +38,8 @@ func podsecuritypolicy(ctx *common.RenderContext) ([]runtime.Object, error) {
 HostIPC: false,
 HostPID: false,
 HostPorts: []v1beta1.HostPortRange{{
- Min: 30000,
- Max: 33000,
+ Min: 20000,
+ Max: 20000,
 }},
 RunAsUser: v1beta1.RunAsUserStrategyOptions{
 Rule: v1beta1.RunAsUserStrategyRunAsAny,
diff --git a/install/installer/pkg/components/workspace/networkpolicy.go b/install/installer/pkg/components/workspace/networkpolicy.go
index 876c78991a0540..15f36b7f79c244 100644
--- a/install/installer/pkg/components/workspace/networkpolicy.go
+++ b/install/installer/pkg/components/workspace/networkpolicy.go
@@ -101,6 +101,7 @@ func networkpolicy(ctx *common.RenderContext) ([]runtime.Object, error) {
 },
 },
 },
+ common.AllowKubeDnsEgressRule(),
 },
 },
 }}, nil
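Review bot: The HostPortRange literal duplicates the value of common.RegistryFacadeServicePort, which this same commit changes from 30000 to 20000 in constants.go; the range used to span 30000–33000 and now collapses to the single literal 20000, yet nothing ties it to the constant, so the next port change will have to be made in two places. Since the file already references common.RenderContext, write `Min: common.RegistryFacadeServicePort,` and `Max: common.RegistryFacadeServicePort,` so the PSP follows the constant (it appears to be an untyped constant, so it should assign to the int32 field without a conversion). The podsecuritypolicy function starts and ends outside this hunk.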