📖 Add NetworkPolicy doc #1973
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,94 @@ | ||
| # NetworkPolicy in OLMv1 | ||
|
|
||
| ## Overview | ||
|
|
||
| OLMv1 uses [Kubernetes NetworkPolicy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to secure communication between components, restricting network traffic to only what's necessary for proper functionality. | ||
|
|
||
| * The catalogd NetworkPolicy is implemented [here](https://github.com/operator-framework/operator-controller/blob/main/config/base/catalogd/manager/network_policy.yaml). | ||
| * The operator-controller is implemented [here](https://github.com/operator-framework/operator-controller/blob/main/config/base/operator-controller/manager/network_policy.yaml). | ||
|
|
||
| This document explains the details of `NetworkPolicy` implementation for the core components. | ||
|
|
||
|
|
||
| ## Implementation Overview | ||
|
|
||
| NetworkPolicy is implemented for both catalogd and operator-controller components to: | ||
|
|
||
| * Restrict incoming (ingress) traffic to only required ports and services | ||
| * Control outgoing (egress) traffic patterns | ||
|
|
||
| Each component has a dedicated NetworkPolicy that applies to its respective pod through label selectors: | ||
|
|
||
| * For catalogd: `control-plane=catalogd-controller-manager` | ||
| * For operator-controller: `control-plane=operator-controller-controller-manager` | ||
|
|
||
| ### Catalogd NetworkPolicy | ||
|
|
||
| - Ingress Rules | ||
| Catalogd exposes three services, and its NetworkPolicy allows ingress traffic to the following TCP ports: | ||
|
|
||
| * 7443: Metrics server for Prometheus metrics | ||
| * 8443: Catalogd HTTPS server for catalog metadata API | ||
| * 9443: Webhook server for Mutating Admission Webhook implementation | ||
|
|
||
| All other ingress traffic to the catalogd pod is blocked. | ||
|
|
||
| - Egress Rules | ||
| Catalogd needs to communicate with: | ||
|
|
||
| * The Kubernetes API server | ||
| * Image registries specified in ClusterCatalog objects | ||
|
|
||
| Currently, all egress traffic from catalogd is allowed, to support communication with arbitrary image registries that aren't known at install time. | ||
anik120 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| ### Operator-Controller NetworkPolicy | ||
|
|
||
| - Ingress Rules | ||
| Operator-controller exposes one service, and its NetworkPolicy allows ingress traffic to: | ||
|
|
||
| * 8443: Metrics server for Prometheus metrics | ||
|
|
||
| All other ingress traffic to the operator-controller pod is blocked. | ||
|
|
||
| - Egress Rules | ||
| Operator-controller needs to communicate with: | ||
|
|
||
| * The Kubernetes API server | ||
| * Catalogd's HTTPS server (on port 8443) | ||
| * Image registries specified in bundle metadata | ||
|
|
||
| Currently, all egress traffic from operator-controller is allowed to support communication with arbitrary image registries that aren't known at install time. | ||
|
There was a problem hiding this comment. What do you think about linking the code from the repo? There was a problem hiding this comment. I don't know how I feel about that tbh. If we just link the yaml file, that's self documenting 😄. This doc is to expand on that yaml file, in words. I feel like users who're adept enough at reading yaml files will find that file and know how to read it anyway, and this is for those users who will need help understanding that yaml file. Which is why I didn't include the link to the yaml file in the first place. There was a problem hiding this comment.
For me, for example, it would be much easier to check the NP directly rather than reading the documentation. So the suggestion here is simply to add a direct link to the YAML files. There was a problem hiding this comment. Added links to the |
||
|
|
||
| ## Security Considerations | ||
|
|
||
| The current implementation focuses on securing ingress traffic while allowing all egress traffic. This approach: | ||
|
|
||
| * Prevents unauthorized incoming connections | ||
| * Allows communication with arbitrary image registries | ||
| * Establishes a foundation for future refinements to egress rules | ||
|
|
||
| While allowing all egress does present some security risks, this implementation provides significant security improvements over having no network policies at all. | ||
|
|
||
| ## Troubleshooting Network Issues | ||
|
|
||
| If you encounter network connectivity issues after deploying OLMv1, consider the following: | ||
|
|
||
| * Verify NetworkPolicy support: Ensure your cluster has a CNI plugin that supports NetworkPolicy. If your Kubernetes cluster is using a Container Network Interface (CNI) plugin that doesn't support NetworkPolicy, then the NetworkPolicy resources you create will be completely ignored and have no effect whatsoever on traffic flow. | ||
| * Check pod labels: Confirm that catalogd and operator-controller pods have the correct labels for NetworkPolicy selection: | ||
|
|
||
| ```bash | ||
| # Verify catalogd pod labels | ||
| kubectl get pods -n olmv1-system --selector=control-plane=catalogd-controller-manager | ||
|
|
||
| # Verify operator-controller pod labels | ||
| kubectl get pods -n olmv1-system --selector=control-plane=operator-controller-controller-manager | ||
|
|
||
| # Compare with actual pod names | ||
| kubectl get pods -n olmv1-system | grep -E 'catalogd|operator-controller' | ||
| ``` | ||
| * Inspect logs: Check component logs for connection errors | ||
|
|
||
| For more comprehensive information on NetworkPolicy, see: | ||
|
|
||
| - How NetworkPolicy is implemented with [network plugins](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) via the Container Network Interface (CNI) | ||
| - Installing [Network Policy Providers](https://kubernetes.io/docs/tasks/administer-cluster/network-policy-provider/) documentation. | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@michaelryanpeter I think it would be nice to get your help with.