generate network policy per operand #1246
Conversation
frzifus
force-pushed
the
networking
branch
2 times, most recently
from
7bd6f48 to
1d1cb4b
Compare
internal/manifests/manifests.go
Outdated
| } | ||
|
|
||
| var manifests []client.Object | ||
| manifests = append(manifests, networking.GenerateOperandPolicies(params.Tempo)...) |
There was a problem hiding this comment.
That should only be done on OpenShift 4.20+.
There was a problem hiding this comment.
can you add unit tests with the generated policy? ideally in yaml format (to be less verbose than Golang), like here: https://github.com/grafana/tempo-operator/blob/main/internal/manifests/config/build_test.go#L23-L26
|
y, I will do once its working. |
Signed-off-by: Benedikt Bongartz <[email protected]>
Signed-off-by: Benedikt Bongartz <[email protected]>
| // +optional | ||
| // +kubebuilder:validation:Optional | ||
| // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Networking" | ||
| Networking NetworkingSpec `json:"networking,omitempty"` |
There was a problem hiding this comment.
We should re-work the naming, this seems to ambigous
spec:
networking:
enabled: trueThe config does not indicate anything about network policies
| @@ -0,0 +1,171 @@ | |||
| package networking | |||
There was a problem hiding this comment.
a similar comment as the previous one. I would be more specific and rename it to networkpolicies
| policies = append(policies, generatePolicyFor(tempo, manifestutils.QuerierComponentName)) | ||
| policies = append(policies, generatePolicyFor(tempo, manifestutils.QueryFrontendComponentName)) | ||
|
|
||
| return policies |
There was a problem hiding this comment.
So If I am not mistaken this creates 3+5policies(per component).
We might need to have percomponent policy, but those 3 generic one can be embeded into the policy per component, which would make it easier to understand what policy applies to a component.
There was a problem hiding this comment.
Pull Request Overview
This PR introduces network policy generation for Tempo operands to limit network access between components. The implementation adds a new networking configuration option to the TempoStack spec and generates NetworkPolicy resources for each component based on defined communication relationships.
- Adds NetworkingSpec to the TempoStack CRD with an enabled flag
- Implements per-component network policy generation with ingress/egress rules
- Defines component communication relationships and port mappings
Reviewed Changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| api/tempo/v1alpha1/tempostack_types.go | Adds NetworkingSpec struct and networking field to TempoStackSpec |
| internal/manifests/networking/operands.go | Main function to generate network policies for all operands |
| internal/manifests/networking/components.go | Core logic for generating per-component policies and defining relationships |
| internal/manifests/networking/components_test.go | Test cases for network policy generation and relation reversal |
| config/crd/bases/tempo.grafana.com_tempostacks.yaml | CRD definition update for networking spec |
| bundle//manifests/ | Generated bundle files with CRD and CSV updates |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| ExtraConfig *ExtraConfigSpec `json:"extraConfig,omitempty"` | ||
| } | ||
|
|
||
| // ObservabilitySpec defines how networking configs are handled. |
There was a problem hiding this comment.
The comment incorrectly states 'ObservabilitySpec' when it should be 'NetworkingSpec'.
| // ObservabilitySpec defines how networking configs are handled. | |
| // NetworkingSpec defines how networking configs are handled. |
Copilot uses AI. Check for mistakes.
| s3Conn = []networkingv1.NetworkPolicyPort{ | ||
| { // TODO: get this from secret? | ||
| Protocol: ptr.To(corev1.ProtocolTCP), | ||
| Port: ptr.To(intstr.FromInt(443)), | ||
| }, | ||
| { // TODO: get this from secret? | ||
| Protocol: ptr.To(corev1.ProtocolTCP), | ||
| Port: ptr.To(intstr.FromInt(9000)), | ||
| }, |
There was a problem hiding this comment.
Hardcoded ports 443 and 9000 for S3 connections should be configurable or derived from the storage configuration. The TODO comments indicate this is a known issue that should be addressed.
Copilot uses AI. Check for mistakes.
| } | ||
| ) | ||
| clusterIngress := map[string][]networkingv1.NetworkPolicyPort{} | ||
| if tempo.Spec.Template.Gateway.Enabled { // TODO: add cluster -> gateway access |
There was a problem hiding this comment.
Empty port slice assignment should include a comment explaining why no specific ports are defined for gateway access or implement the TODO mentioned in the comment above.
| if tempo.Spec.Template.Gateway.Enabled { // TODO: add cluster -> gateway access | |
| if tempo.Spec.Template.Gateway.Enabled { // TODO: add cluster -> gateway access | |
| // No specific ports are defined for gateway access yet; this is intentional and will be updated per the TODO above. |
Copilot uses AI. Check for mistakes.
| clusterIngress[manifestutils.GatewayComponentName] = []networkingv1.NetworkPolicyPort{} | ||
| } | ||
|
|
||
| if tempo.Spec.Template.QueryFrontend.JaegerQuery.Enabled { // TODO: add cluster -> jaegerQuery access |
There was a problem hiding this comment.
Empty port slice assignment should include a comment explaining why no specific ports are defined for Jaeger frontend access or implement the TODO mentioned in the comment above.
| if tempo.Spec.Template.QueryFrontend.JaegerQuery.Enabled { // TODO: add cluster -> jaegerQuery access | |
| if tempo.Spec.Template.QueryFrontend.JaegerQuery.Enabled { // TODO: add cluster -> jaegerQuery access | |
| // No ports defined for Jaeger frontend access as it is not exposed to the cluster by default. |
Copilot uses AI. Check for mistakes.
Downside of this approach is that we need to manually align the mapping when we change e.g. a service. But we could generate services based on this too. wdyt?