From f070bed03a905366ddfa94fd0df235252a01d7a6 Mon Sep 17 00:00:00 2001 From: Felix Reichenbach <felix.reichenbach@mgm-tp.com> Date: Fri, 21 Mar 2025 12:21:55 +0100 Subject: [PATCH] OZG-7573 add conditional egress for forwarding --- src/main/helm/templates/network_policy.yaml | 34 +- src/test/helm/network_policy_test.yaml | 545 +++++++++++--------- 2 files changed, 315 insertions(+), 264 deletions(-) diff --git a/src/main/helm/templates/network_policy.yaml b/src/main/helm/templates/network_policy.yaml index b87509495..4e6fb3e0a 100644 --- a/src/main/helm/templates/network_policy.yaml +++ b/src/main/helm/templates/network_policy.yaml @@ -22,7 +22,7 @@ # unter der Lizenz sind dem Lizenztext zu entnehmen. # -{{- if not (.Values.networkPolicy).disabled }} +{{- if not (.Values.networkPolicy).disabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -39,10 +39,10 @@ spec: - ports: - port: 9090 from: - - podSelector: + - podSelector: matchLabels: component: alfa - - podSelector: + - podSelector: matchLabels: ozg-component: eingangsadapter - podSelector: @@ -50,7 +50,7 @@ spec: ozg-component: xta-adapter {{- if ((.Values.ozgcloud).aggregationManager).enabled }} - from: - - podSelector: + - podSelector: matchLabels: component: aggregation-manager ports: @@ -69,7 +69,7 @@ spec: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: {{((.Values.ozgcloud).antragraum).antragraumProxyNamespace | default "antragraum-proxy"}} - podSelector: + podSelector: matchLabels: component: antragraum-proxy {{- end }} @@ -87,7 +87,7 @@ spec: - xta-adapter ports: - protocol: TCP - port: 9090 + port: 9090 {{- with (.Values.networkPolicy).additionalIngressConfigLocal }} {{ toYaml . | indent 2 }} @@ -114,7 +114,7 @@ spec: - port: 27017 protocol: TCP - to: - - podSelector: + - podSelector: matchLabels: component: user-manager ports: 
@@ -122,7 +122,7 @@ spec: protocol: TCP {{- if ((.Values.ozgcloud).bayernid).enabled }} - to: - - podSelector: + - podSelector: matchLabels: component: bayernid-proxy namespaceSelector: @@ -130,14 +130,14 @@ spec: kubernetes.io/metadata.name: {{ required "ozgcloud.bayernid.proxy.namespace must be set if bayernid is enabled" (((.Values.ozgcloud).bayernid).proxy).namespace }} ports: - port: 9090 - protocol: TCP + protocol: TCP {{- end }} {{- if ((.Values.ozgcloud).antragraum).enabled }} - to: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: {{((.Values.ozgcloud).infoManager).namespace | default "info-manager"}} - podSelector: + podSelector: matchLabels: component: info-manager {{- end }} @@ -146,13 +146,25 @@ spec: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: {{ required "zufiManager.namespace must be set if zufiManager server is enabled" (.Values.zufiManager).namespace }} - podSelector: + podSelector: matchLabels: component: zufi-server ports: - port: 9090 protocol: TCP {{- end }} +{{- if (.Values.forwarding).enabled }} + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ required "forwarding.namespace must be set if forwarding is enabled" (.Values.forwarding).namespace }} + podSelector: + matchLabels: + component: {{ required "forwarding.serviceName must be set if forwarding is enabled" (.Values.forwarding).serviceName }} + ports: + - port: 9090 + protocol: TCP +{{- end }} {{- if ((.Values.ozgcloud).muk).enabled }} - to: - podSelector: diff --git a/src/test/helm/network_policy_test.yaml b/src/test/helm/network_policy_test.yaml index 17c7a4761..fff3066c0 100644 --- a/src/test/helm/network_policy_test.yaml +++ b/src/test/helm/network_policy_test.yaml @@ -30,7 +30,7 @@ templates: tests: - it: should match apiVersion - set: + set: networkPolicy: dnsServerNamespace: test-dns-namespace asserts: 
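Review bot: The new `forwarding` values (`enabled`, `namespace`, `serviceName`) are undocumented in this commit — the diffstat touches only the template and its test — and `serviceName` is matched against the target pods' `component` label, not a Kubernetes Service name, which the key name does not convey. A comment above the `{{- if (.Values.forwarding).enabled }}` line such as `# Egress to the forwarding target on 9090/TCP: forwarding.serviceName is matched against the target pods' "component" label, forwarding.namespace against kubernetes.io/metadata.name` would make the contract clear, and the same wording belongs in values.yaml where the keys are declared (not part of this diff). The two `required` guards make a misconfiguration fail at render time instead of producing a selector with missing labels, which is the right direction. Both rendered values are emitted unquoted, consistent with the neighbouring zufi and bayernid rules, so a namespace or label value that YAML would retype (for example one consisting only of digits) would change meaning; `| quote` on both would close that if the chart wants to deviate from the existing style. The enclosing `egress` list starts outside the hunk.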
@@ -38,7 +38,7 @@ tests: of: networking.k8s.io/v1 - it: should match kind - set: + set: networkPolicy: dnsServerNamespace: test-dns-namespace asserts: @@ -46,7 +46,7 @@ tests: of: NetworkPolicy - it: validate metadata - set: + set: networkPolicy: dnsServerNamespace: test-dns-namespace asserts: @@ -57,7 +57,7 @@ tests: namespace: by-helm-test - it: should set policy target matchLabel - set: + set: networkPolicy: dnsServerNamespace: test-dns-namespace asserts: @@ -67,9 +67,8 @@ tests: matchLabels: component: vorgang-manager - - it: should add policyType Egress - set: + set: networkPolicy: dnsServerNamespace: test-dns-namespace asserts: @@ -78,7 +77,7 @@ tests: content: Egress - it: should add policyType Ingress - set: + set: networkPolicy: dnsServerNamespace: test-dns-namespace asserts: @@ -87,44 +86,44 @@ tests: content: Ingress - it: should add ingress rule for eingangsmanager and alfa - set: + set: networkPolicy: dnsServerNamespace: test-dns-namespace asserts: - contains: path: spec.ingress content: - ports: + ports: - port: 9090 - from: - - podSelector: + from: + - podSelector: matchLabels: component: alfa - - podSelector: + - podSelector: matchLabels: ozg-component: eingangsadapter - podSelector: - matchLabels: - ozg-component: xta-adapter + matchLabels: + ozg-component: xta-adapter - it: should add ingress rule for monitoring scraper - set: + set: networkPolicy: dnsServerNamespace: test-dns-namespace asserts: - contains: path: spec.ingress content: - ports: + ports: - port: 8081 protocol: TCP - from: - - namespaceSelector: + from: + - namespaceSelector: matchLabels: name: openshift-user-workload-monitoring - it: should set monitoring namespace for monitoring scraper ingress rule - set: + set: networkPolicy: dnsServerNamespace: test-dns-namespace monitoringNamespace: test-monitoring 
@@ -132,11 +131,11 @@ tests: - contains: path: spec.ingress content: - ports: + ports: - port: 8081 protocol: TCP - from: - - namespaceSelector: + from: + - namespaceSelector: matchLabels: name: test-monitoring @@ -148,16 +147,16 @@ tests: antragraum: enabled: true asserts: - - contains: - path: spec.ingress - content: - from: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: antragraum-proxy - podSelector: - matchLabels: - component: antragraum-proxy + - contains: + path: spec.ingress + content: + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: antragraum-proxy + podSelector: + matchLabels: + component: antragraum-proxy - it: should set ingress rule for antragraum-proxy if antragraum is enabled set: @@ -168,17 +167,16 @@ tests: enabled: true antragraumProxyNamespace: antragraum-proxy asserts: - - contains: - path: spec.ingress - content: - from: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: antragraum-proxy - podSelector: - matchLabels: - component: antragraum-proxy - + - contains: + path: spec.ingress + content: + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: antragraum-proxy + podSelector: + matchLabels: + component: antragraum-proxy - it: should not add ingress rule for antragraum if antragraum is disabled set: @@ -188,16 +186,16 @@ tests: antragraum: enabled: false asserts: - - notContains: - path: spec.ingress - content: - from: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: antragraum - podSelector: - matchLabels: - component: antragraum-server + - notContains: + path: spec.ingress + content: + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: antragraum + podSelector: + matchLabels: + component: antragraum-server - it: should not add ingress rule for antragraum-proxy if antragraum is disabled set: 
@@ -207,40 +205,40 @@ tests: antragraum: enabled: false asserts: - - notContains: - path: spec.ingress - content: - from: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: antragraum-proxy - podSelector: - matchLabels: - component: antragraum-proxy - any: true + - notContains: + path: spec.ingress + content: + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: antragraum-proxy + podSelector: + matchLabels: + component: antragraum-proxy + any: true - it: should add default ingress rule for zentraler-eingang set: networkPolicy: dnsServerNamespace: test-dns-namespace asserts: - - contains: - path: spec.ingress - content: - from: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: zentraler-eingang - podSelector: - matchExpressions: - - key: ozg-component - operator: In - values: - - eingangsadapter - - xta-adapter - ports: - - protocol: TCP - port: 9090 + - contains: + path: spec.ingress + content: + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: zentraler-eingang + podSelector: + matchExpressions: + - key: ozg-component + operator: In + values: + - eingangsadapter + - xta-adapter + ports: + - protocol: TCP + port: 9090 - it: should add ingress rule for zentraler-eingang set: 
@@ -248,24 +246,23 @@ tests: dnsServerNamespace: test-dns-namespace zentralerEingangNamespace: custom-namespace asserts: - - contains: - path: spec.ingress - content: - from: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: custom-namespace - podSelector: - matchExpressions: - - key: ozg-component - operator: In - values: - - eingangsadapter - - xta-adapter - ports: - - protocol: TCP - port: 9090 - + - contains: + path: spec.ingress + content: + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: custom-namespace + podSelector: + matchExpressions: + - key: ozg-component + operator: In + values: + - eingangsadapter + - xta-adapter + ports: + - protocol: TCP + port: 9090 - it: should add egress rule to elasticsearch set: @@ -275,16 +272,16 @@ tests: - contains: path: spec.egress content: - to: + to: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: elastic-system podSelector: matchLabels: - elasticsearch.k8s.elastic.co/cluster-name : ozg-search-cluster - ports: - - port: 9200 - protocol: TCP + elasticsearch.k8s.elastic.co/cluster-name: ozg-search-cluster + ports: + - port: 9200 + protocol: TCP - it: should add egress rule to mongodb set: @@ -294,13 +291,13 @@ tests: - contains: path: spec.egress content: - to: + to: - podSelector: matchLabels: component: ozgcloud-mongodb - ports: - - port: 27017 - protocol: TCP + ports: + - port: 27017 + protocol: TCP - it: should add egress rule to user-manager set: @@ -310,13 +307,13 @@ tests: - contains: path: spec.egress content: - to: - - podSelector: + to: + - podSelector: matchLabels: component: user-manager - ports: - - port: 9000 - protocol: TCP + ports: + - port: 9000 + protocol: TCP - it: should add egress rule to nachrichten-bayernid-proxy if bayernid is enabled set: 
@@ -332,15 +329,15 @@ tests: path: spec.egress content: to: - - podSelector: - matchLabels: - component: bayernid-proxy - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: bayernidProxyNamespace + - podSelector: + matchLabels: + component: bayernid-proxy + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: bayernidProxyNamespace ports: - - port: 9090 - protocol: TCP + - port: 9090 + protocol: TCP - it: should not add egress rule to bayernid-proxy if bayernid is disabled set: @@ -354,16 +351,16 @@ tests: path: spec.egress content: to: - - podSelector: - matchLabels: - component: bayernid-proxy - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: bayernidProxyNamespace + - podSelector: + matchLabels: + component: bayernid-proxy + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: bayernidProxyNamespace ports: - - port: 9090 - protocol: TCP - + - port: 9090 + protocol: TCP + - it: should throw error if bayernid-proxy is enabled but bayernid namespace is not set set: networkPolicy: @@ -390,7 +387,7 @@ tests: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: info-manager - podSelector: + podSelector: matchLabels: component: info-manager @@ -411,7 +408,7 @@ tests: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: info-manager2 - podSelector: + podSelector: matchLabels: component: info-manager @@ -430,7 +427,7 @@ tests: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: info-manager - podSelector: + podSelector: matchLabels: component: info-manager 
@@ -446,16 +443,15 @@ tests: path: spec.egress content: to: - - podSelector: - matchLabels: - component: zufi-server - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: zufi + - podSelector: + matchLabels: + component: zufi-server + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: zufi ports: - - port: 9090 - protocol: TCP - + - port: 9090 + protocol: TCP - it: should not add egress rule to zufi server if zufi is disabled set: @@ -469,14 +465,58 @@ tests: path: spec.egress content: to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: zufi - podSelector: - matchLabels: - component: zufi-server + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: zufi + podSelector: + matchLabels: + component: zufi-server + any: true + + - it: should add egress rule to forwarding service if forwarding is enabled + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace + forwarding: + enabled: true + namespace: zentraler-eingang + serviceName: fs-adapter + asserts: + - contains: + path: spec.egress + content: + to: + - podSelector: + matchLabels: + component: fs-adapter + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: zentraler-eingang + ports: + - port: 9090 + protocol: TCP + + - it: should not add egress rule to forwarding service if forwarding is disabled + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace + forwarding: + enabled: false + namespace: zentraler-eingang + serviceName: fs-adapter + asserts: + - notContains: + path: spec.egress + content: + to: + - podSelector: + matchLabels: + component: fs-adapter + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: zentraler-eingang any: true - + - it: should throw error if zufi is enabled but zufi namespace is not set set: networkPolicy: 
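Review bot: The `required` guards the template adds for `forwarding.namespace` and `forwarding.serviceName` have no failing-render test in this hunk, although the neighbouring zufi and bayernid features each carry a "should throw error … namespace is not set" case (the zufi one is visible as trailing context here, its body outside the hunk). Without such a test, a later change that drops or weakens either `required` call would pass the suite unnoticed, and the enabled/disabled pair added here cannot catch it. Add one test per guarded value in the same form the existing error tests use; a sketch for the namespace case follows, with the assertion to be aligned with those tests, whose exact matching mode (full message versus substring) I cannot see from this hunk.
```yaml
  # … unchanged: "should add egress rule to forwarding service if forwarding is enabled" …
  # … unchanged: "should not add egress rule to forwarding service if forwarding is disabled" …

  - it: should throw error if forwarding is enabled but forwarding namespace is not set
    set:
      networkPolicy:
        dnsServerNamespace: test-dns-namespace
      forwarding:
        enabled: true
        serviceName: fs-adapter
    asserts:
      - failedTemplate:
          errorMessage: forwarding.namespace must be set if forwarding is enabled
```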
@@ -496,17 +536,16 @@ tests: asserts: - notContains: path: spec.egress - content: + content: to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: zufi - podSelector: - matchLabels: - component: zufi-server + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: zufi + podSelector: + matchLabels: + component: zufi-server any: true - - it: should add egress rule to dns service set: networkPolicy: @@ -515,19 +554,19 @@ tests: - contains: path: spec.egress content: - to: + to: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: test-dns-namespace - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - - port: 5353 - protocol: UDP - - port: 5353 - protocol: TCP + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + - port: 5353 + protocol: UDP + - port: 5353 + protocol: TCP - it: add ingress rule local by values set: 
@@ -535,89 +574,89 @@ tests: dnsServerNamespace: test-dns-namespace ssoPublicIp: 51.89.117.53/32 additionalIngressConfigGlobal: - - from: - - podSelector: - matchLabels: - component: client2 + - from: + - podSelector: + matchLabels: + component: client2 asserts: - contains: path: spec.ingress content: from: - - podSelector: - matchLabels: - component: client2 + - podSelector: + matchLabels: + component: client2 - it: add ingress rule global by values set: networkPolicy: dnsServerNamespace: test-dns-namespace ssoPublicIp: 51.89.117.53/32 additionalIngressConfigLocal: - - from: - - podSelector: - matchLabels: - component: client2 + - from: + - podSelector: + matchLabels: + component: client2 asserts: - contains: path: spec.ingress content: from: - - podSelector: - matchLabels: - component: client2 + - podSelector: + matchLabels: + component: client2 - it: add egress rules local by values set: networkPolicy: dnsServerNamespace: test-dns-namespace additionalEgressConfigGlobal: - - to: - - ipBlock: - cidr: 1.2.3.4/32 - - to: - - podSelector: - matchLabels: - component: ozg-testservice - ports: - - port: 12345 - protocol: TCP - asserts: - - contains: - path: spec.egress - content: - to: - - ipBlock: - cidr: 1.2.3.4/32 - - contains: - path: spec.egress - content: - to: - - podSelector: - matchLabels: - component: ozg-testservice - ports: - - port: 12345 - protocol: TCP + - to: + - ipBlock: + cidr: 1.2.3.4/32 + - to: + - podSelector: + matchLabels: + component: ozg-testservice + ports: + - port: 12345 + protocol: TCP + asserts: + - contains: + path: spec.egress + content: + to: + - ipBlock: + cidr: 1.2.3.4/32 + - contains: + path: spec.egress + content: + to: + - podSelector: + matchLabels: + component: ozg-testservice + ports: + - port: 12345 + protocol: TCP - it: add egress rules global by values set: networkPolicy: dnsServerNamespace: test-dns-namespace additionalEgressConfigLocal: - - to: - - ipBlock: - cidr: 1.2.3.4/32 - - to: - - podSelector: - matchLabels: - 
additionalEgressConfigLocal: yes - asserts: - - contains: - path: spec.egress - content: - to: - - podSelector: - matchLabels: - additionalEgressConfigLocal: yes + - to: + - ipBlock: + cidr: 1.2.3.4/32 + - to: + - podSelector: + matchLabels: + additionalEgressConfigLocal: yes + asserts: + - contains: + path: spec.egress + content: + to: + - podSelector: + matchLabels: + additionalEgressConfigLocal: yes - it: test network policy disabled set: @@ -676,15 +715,15 @@ tests: path: spec.egress content: to: - - podSelector: - matchLabels: - app.kubernetes.io/name: elster-transfer - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: elster-transfer + - podSelector: + matchLabels: + app.kubernetes.io/name: elster-transfer + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: elster-transfer ports: - - port: 8081 - protocol: TCP + - port: 8081 + protocol: TCP - it: should set elster transfer name set: @@ -701,15 +740,15 @@ tests: path: spec.egress content: to: - - podSelector: - matchLabels: - app.kubernetes.io/name: elster-transfer-test - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: elster-transfer + - podSelector: + matchLabels: + app.kubernetes.io/name: elster-transfer-test + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: elster-transfer ports: - - port: 8081 - protocol: TCP + - port: 8081 + protocol: TCP - it: should not add egress rule for elster-transfer if muk is disabled set: @@ -725,15 +764,15 @@ tests: path: spec.egress content: to: - - podSelector: - matchLabels: - app.kubernetes.io/name: elster-transfer - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: elster-transfer + - podSelector: + matchLabels: + app.kubernetes.io/name: elster-transfer + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: elster-transfer any: true - it: should add ingress rule for aggregation-manager - set: + set: networkPolicy: dnsServerNamespace: test-dns-namespace ozgcloud: 
@@ -743,26 +782,26 @@ tests: - contains: path: spec.ingress content: - ports: + ports: - port: 9090 protocol: TCP - from: - - podSelector: + from: + - podSelector: matchLabels: component: aggregation-manager - it: should not add ingress rule for aggregation-manager - set: + set: networkPolicy: dnsServerNamespace: test-dns-namespace asserts: - notContains: path: spec.ingress content: - ports: + ports: - port: 9090 protocol: TCP - from: - - podSelector: + from: + - podSelector: matchLabels: component: aggregation-manager -- GitLab