diff --git a/install/installer/pkg/components/public-api-server/networkpolicy.go b/install/installer/pkg/components/public-api-server/networkpolicy.go
new file mode 100644
index 00000000000000..9ec88757eb9600
--- /dev/null
+++ b/install/installer/pkg/components/public-api-server/networkpolicy.go
@@ -0,0 +1,55 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package public_api_server
+
+import (
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+ networkingv1 "k8s.io/api/networking/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/util/intstr"
+)
+
+func networkpolicy(ctx *common.RenderContext) ([]runtime.Object, error) {
+ labels := common.DefaultLabels(Component)
+
+ return []runtime.Object{
+ &networkingv1.NetworkPolicy{
+ TypeMeta: common.TypeMetaNetworkPolicy,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: ctx.Namespace,
+ Labels: labels,
+ },
+ Spec: networkingv1.NetworkPolicySpec{
+ PodSelector: metav1.LabelSelector{MatchLabels: labels},
+ PolicyTypes: []networkingv1.PolicyType{"Ingress"},
+ Ingress: []networkingv1.NetworkPolicyIngressRule{
+ {
+ Ports: []networkingv1.NetworkPolicyPort{
+ {
+ Protocol: common.TCPProtocol,
+ Port: &intstr.IntOrString{IntVal: HTTPContainerPort},
+ },
+ {
+ Protocol: common.TCPProtocol,
+ Port: &intstr.IntOrString{IntVal: GRPCContainerPort},
+ },
+ },
+ From: []networkingv1.NetworkPolicyPeer{
+ {
+ PodSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "component": common.ProxyComponent,
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ }, nil
+}
diff --git a/install/installer/pkg/components/public-api-server/networkpolicy_test.go b/install/installer/pkg/components/public-api-server/networkpolicy_test.go
new file mode 100644
index 00000000000000..361ca8768f7b0a
--- /dev/null
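Review bot: The `From` peer near the end of the hunk carries only a `PodSelector` and no `NamespaceSelector`, so under the NetworkPolicy API it admits `component=proxy` pods in the policy's own namespace only; readers often assume a bare PodSelector matches cluster-wide, and `networkpolicy` has no doc comment saying otherwise. I would add above the function: `// networkpolicy renders a NetworkPolicy for the public-api-server pods: ingress on HTTPContainerPort and GRPCContainerPort is allowed only from same-namespace pods labelled component=<ProxyComponent>, all other ingress is denied, and egress is left unrestricted because PolicyTypes lists Ingress only.` Since `PolicyTypes` names only `Ingress`, outbound traffic from these pods is not constrained by this object, which is fine if intended but worth confirming against the threat model for a public-facing API component. Note also that enforcement depends on the cluster CNI implementing NetworkPolicy; on a CNI without support the object is accepted by the API server but has no effect.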
+++ b/install/installer/pkg/components/public-api-server/networkpolicy_test.go
@@ -0,0 +1,47 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.package public_api_server
+package public_api_server
+
+import (
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+ "github.com/stretchr/testify/require"
+ networkingv1 "k8s.io/api/networking/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/intstr"
+ "testing"
+)
+
+func TestNetworkPolicy(t *testing.T) {
+ objects, err := networkpolicy(renderContextWithPublicAPIEnabled(t))
+ require.NoError(t, err)
+ require.Len(t, objects, 1)
+
+ policy, ok := objects[0].(*networkingv1.NetworkPolicy)
+ require.Truef(t, ok, "must cast object to network policy")
+
+ ingress := policy.Spec.Ingress
+ require.Len(t, ingress, 1, "must have only one ingress rule")
+
+ require.Equal(t, networkingv1.NetworkPolicyIngressRule{
+ Ports: []networkingv1.NetworkPolicyPort{
+ {
+ Protocol: common.TCPProtocol,
+ Port: &intstr.IntOrString{IntVal: HTTPContainerPort},
+ },
+ {
+ Protocol: common.TCPProtocol,
+ Port: &intstr.IntOrString{IntVal: GRPCContainerPort},
+ },
+ },
+ From: []networkingv1.NetworkPolicyPeer{
+ {
+ PodSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "component": common.ProxyComponent,
+ },
+ },
+ },
+ },
+ }, ingress[0])
+}
diff --git a/install/installer/pkg/components/public-api-server/objects.go b/install/installer/pkg/components/public-api-server/objects.go
index f4883b36b337f6..b4e857112744df 100644
--- a/install/installer/pkg/components/public-api-server/objects.go
+++ b/install/installer/pkg/components/public-api-server/objects.go
@@ -22,6 +22,7 @@ func Objects(ctx *common.RenderContext) ([]runtime.Object, error) {
 rolebinding,
 common.DefaultServiceAccount(Component),
 service,
+ networkpolicy,
 )(ctx)
 }
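Review bot: TestNetworkPolicy pins the single ingress rule but never asserts `policy.Spec.PolicyTypes` or `policy.Spec.PodSelector`, so a regression that adds `Egress` to PolicyTypes without egress rules (denying all outbound traffic) or empties the pod selector (applying the policy to every pod in the namespace) would still pass. After the `require.Truef` cast I would add `require.Equal(t, []networkingv1.PolicyType{"Ingress"}, policy.Spec.PolicyTypes)` and `require.Equal(t, common.DefaultLabels(Component), policy.Spec.PodSelector.MatchLabels)`. Separately, the third header line reads `information.package public_api_server` — a paste artefact inside the licence comment that the compiler ignores but that should be trimmed to match the sibling file. `renderContextWithPublicAPIEnabled` is defined outside this hunk, so I cannot tell whether it fixes a namespace that an ObjectMeta assertion could also cover.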