
[Feature] strong `networkPolicy` for the `operator` container

Open jcpunk opened this issue 2 years ago • 6 comments

What is missing? A networkPolicy for the operator container that only permits required ingress and egress ports.

Why do we need it?

Folks with strong security requirements may be required to set a default deny. Having a policy that permits the operator container to run with the minimum ports it requires will simplify deployment.

Environment

Regulated

  • Prometheus Operator version: 0.64.0

Anything else we need to know?

https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-egress-traffic

This is specifically targeted at the operator container and not the generated containers from the CRDs.

jcpunk avatar Apr 11 '23 20:04 jcpunk

Not sure what the request is here; I believe there's nothing blocking the user from deploying a network policy for the operator container, is there?

Could you let me know if I misunderstood the issue?

ArthurSens avatar Apr 11 '23 22:04 ArthurSens

It would be nice if there was a policy provided with the bundle so I could be sure I'm not blocking something necessary.

jcpunk avatar Apr 11 '23 22:04 jcpunk

Oh, indeed it would be great to harden the networking rules for the operator but it would be hard to provide something general enough for everybody I believe. Different companies probably have different network configurations.

Do you have something in mind that is safe enough to not break someone's environment?

ArthurSens avatar Apr 11 '23 22:04 ArthurSens

Alas, I don't know enough about what it needs networking-wise...

Perhaps something like:

```yaml
  egress:
  # Cluster DNS (CoreDNS pods in kube-system carry the k8s-app=kube-dns label)
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  # API server pods in kube-system
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          component: kube-apiserver
    ports:
    - port: 443
      protocol: TCP
  # API server reached through the kubernetes service in the default namespace
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: default
      podSelector:
        matchLabels:
          component: kube-apiserver
    ports:
    - port: 443
      protocol: TCP
```

jcpunk avatar Apr 11 '23 23:04 jcpunk
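A complete version of the policy proposed above, written here as an added example rather than anything shipped with the prometheus-operator bundle: a namespace-wide default deny plus an allow-list for the operator pod only. It assumes the operator runs in the `default` namespace with the label `app.kubernetes.io/name=prometheus-operator` and listens on TCP 8080 for metrics and the admission webhook; the API server endpoint address and port (`192.0.2.10`, `6443`) are placeholders.

```yaml
# Added example, not part of the prometheus-operator bundle. Assumed: namespace
# "default", operator label app.kubernetes.io/name=prometheus-operator,
# listen port 8080, and a placeholder API server endpoint IP/port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: default
spec:
  podSelector: {}                 # every pod in the namespace
  policyTypes: [Ingress, Egress]  # deny both directions unless allowed elsewhere
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: prometheus-operator
  namespace: default
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: prometheus-operator
  policyTypes: [Ingress, Egress]
  ingress:
  # Metrics scraping and admission-webhook calls both arrive on the listen port.
  - ports:
    - port: 8080
      protocol: TCP
  egress:
  # Cluster DNS (CoreDNS pods carry k8s-app=kube-dns in kube-system).
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  # API server, needed to watch the CRDs and write the generated resources.
  # Most CNIs see the endpoint IP after kube-proxy's DNAT, and the control
  # plane is often not a selectable pod, so allow the endpoint IP directly.
  - to:
    - ipBlock:
        cidr: 192.0.2.10/32   # placeholder: API server endpoint IP
    ports:
    - port: 6443              # placeholder: endpoint port, often 443 on managed clusters
      protocol: TCP
```

Take the real endpoint address and port from `kubectl get endpoints kubernetes`. The ingress rule has no `from`, so any peer may reach 8080; it can be narrowed to the Prometheus pods and the API server's source address once those are known.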

IIUC the ask here, the goal is for the network policy to only target the operator itself rather than the components it deploys. Now I'm not an expert on NetworkPolicies, but I think it might be feasible to support this. However, some testing has to be performed beforehand to correctly identify the policy that we should enforce.

I'm adding the help wanted label in case someone wants to give it a go.

JoaoBraveCoding avatar Apr 13 '23 09:04 JoaoBraveCoding

> It would be nice if there was a policy provided with the bundle so I could be sure I'm not blocking something necessary.

bundle.yaml is only meant as a starting point. For production usage, you want more control over how the resources are deployed, and you'll typically use kube-prometheus or Helm charts.

simonpasquier avatar May 16 '23 15:05 simonpasquier