Network Security Policy and External Network Examples and Management Strategy #64

Closed
WadeBarnes opened this issue Jan 7, 2021 · 0 comments
Labels
documentation Improvements or additions to documentation

WadeBarnes commented Jan 7, 2021

The combination of External Network and Network Security Policy resources can be used to control access from a given pod/namespace out to external network resources. Following are some examples. The BC Government's OCP environment also does a much better job at DNS resolution, allowing host names to be defined via DNS names rather than IP addresses in many cases.

Allow a backup-container to post notifications to rocket.chat:

```yaml
apiVersion: security.devops.gov.bc.ca/v1alpha1
kind: ExternalNetwork
metadata:
  name: backup
  namespace: 09e0c5-dev
spec:
  description: |
    Define the network parameters for accessing remote resources.
  entries:
  - chat.pathfinder.gov.bc.ca
  servicePorts:
  - tcp/443
```

```yaml
apiVersion: security.devops.gov.bc.ca/v1alpha1
kind: NetworkSecurityPolicy
metadata:
  name: backup
  namespace: 09e0c5-dev
spec:
  description: |
    Allow the backup-container to access the application's database for backup purposes, as well as access to rocket.chat to log notifications.
  destination:
  - - role=db
    - app=fla
    - env=dev
    - $namespace=09e0c5-dev
  - - ext:name=backup
  source:
  - - role=backup
    - app=Backup
    - env=dev
    - $namespace=09e0c5-dev
```

Allow a pod to access KeyCloak and other Organization specific resources:

```yaml
apiVersion: security.devops.gov.bc.ca/v1alpha1
kind: ExternalNetwork
metadata:
  name: web
  namespace: 9b71af-dev
spec:
  description: |
    Define the network parameters for accessing remote resources.
  entries:
  - wsgw.dev.some.org.ca
  - dev.oidc.gov.bc.ca
  - logontest.gov.bc.ca
  servicePorts:
  - tcp/443
```

```yaml
apiVersion: security.devops.gov.bc.ca/v1alpha1
kind: NetworkSecurityPolicy
metadata:
  name: web
  namespace: 9b71af-dev
spec:
  description: |
    Allow the application to access a defined set of external resources.
  destination:
  - - ext:name=web
  source:
  - - role=web
    - app=a2a
    - env=dev
    - $namespace=9b71af-dev
```

The template snippets for the above configurations:

```yaml
  # Entries under the objects: list of an OpenShift template; the ${...}
  # placeholders are template parameters supplied at processing time.
  - kind: ExternalNetwork
    apiVersion: security.devops.gov.bc.ca/v1alpha1
    metadata:
      name: ${NAME}${SUFFIX}
      network: ${NAME}${SUFFIX}
      labels:
        name: ${NAME}${SUFFIX}
        network: ${NAME}${SUFFIX}
        app: ${APP_NAME}${SUFFIX}
        app-group: ${APP_GROUP}
        env: ${TAG_NAME}
    spec:
      description: |
        Define the network parameters for accessing remote resources.
      entries:
        - ${API_SERVER_HOST}
        - ${KEYCLOAK_HOST}
        - ${SITEMINDER_LOGOUT_HOST}
      servicePorts:
        - tcp/443

  - kind: NetworkSecurityPolicy
    apiVersion: security.devops.gov.bc.ca/v1alpha1
    metadata:
      name: ${NAME}${SUFFIX}
      labels:
        name: ${NAME}${SUFFIX}
        app: ${APP_NAME}${SUFFIX}
        app-group: ${APP_GROUP}
        env: ${TAG_NAME}
    spec:
      description: |
        Allow the application to access a defined set of external resources.
      source:
        - - role=${ROLE}
          - app=${APP_NAME}${SUFFIX}
          - env=${TAG_NAME}
          - $namespace=${NAMESPACE_NAME}-${TAG_NAME}
      destination:
        - - ext:name=${NAME}${SUFFIX}
```

Other Examples

Access to an external oracle database:

The IP in this example was randomly generated for demo purposes

```yaml
apiVersion: security.devops.gov.bc.ca/v1alpha1
kind: ExternalNetwork
metadata:
  name: fdw-primary
  namespace: 7cba16-dev
spec:
  description: |
    Define the network parameters for accessing the remote database.
  entries:
  - 217.5.215.0/24
  servicePorts:
  - tcp/1521
```

Access to an Indy Blockchain Ledger:

```yaml
apiVersion: security.devops.gov.bc.ca/v1alpha1
kind: ExternalNetwork
metadata:
  name: indy-agent
  namespace: 7cba16-dev
spec:
  description: |
    Define the network parameters for accessing remote agents.
  entries:
  - 0.0.0.0/0
  servicePorts:
  - tcp/9700:9799
```
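Before committing ExternalNetwork definitions like the ones above, a reviewer wants a mechanical check that each entry and port range is as narrow as intended; an entry of `0.0.0.0/0` combined with a hundred-port range is exactly the kind of definition that deserves a second look, and a /24 in front of a single database host is worth a question. The linter below is an added example, not part of this issue or of the BC Gov tooling. It assumes the resource shape shown on this page (hostnames or CIDRs in `spec.entries`, `proto/port` or `proto/low:high` strings in `spec.servicePorts`); the sample resources are constructed from the page's own examples, and the thresholds are assumptions you would tune per environment.

```python
"""Lint ExternalNetwork definitions for overly broad egress.

Added example; it is not part of the issue or of the BC Gov tooling. It
assumes spec.entries holds hostnames or CIDRs and spec.servicePorts holds
"proto/port" or "proto/low:high" strings, as in the examples on the page.
"""
import ipaddress
import re

# Fully qualified hostname: at least two labels, letters/digits/hyphens only.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$",
    re.IGNORECASE,
)
# "tcp/443" or "tcp/9700:9799"
PORT_RE = re.compile(r"^(tcp|udp)/(\d{1,5})(?::(\d{1,5}))?$")


def classify_entry(entry):
    """Return ("cidr", network), ("host", name) or ("invalid", entry)."""
    try:
        # A bare IP is accepted too; it becomes a /32 (or /128) network.
        return "cidr", ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass
    if HOSTNAME_RE.match(entry):
        return "host", entry.lower()
    return "invalid", entry


def parse_port(spec):
    """Parse "proto/port" or "proto/low:high" into (proto, low, high)."""
    m = PORT_RE.match(spec)
    if not m:
        raise ValueError(f"malformed servicePort {spec!r}")
    proto, low = m.group(1), int(m.group(2))
    high = int(m.group(3)) if m.group(3) else low
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range out of order or out of range: {spec!r}")
    return proto, low, high


def lint_external_network(resource, max_cidr_addresses=1, max_port_span=1):
    """Return a list of findings; an empty list means every entry is a single
    host and every servicePort is a single port (assumed thresholds)."""
    name = resource["metadata"]["name"]
    spec = resource["spec"]
    findings = []
    for entry in spec.get("entries", []):
        kind, detail = classify_entry(entry)
        if kind == "invalid":
            findings.append(f"{name}: entry {entry!r} is neither a hostname nor a CIDR")
        elif kind == "cidr" and detail.prefixlen == 0:
            findings.append(f"{name}: entry {entry} allows egress to any address")
        elif kind == "cidr" and detail.num_addresses > max_cidr_addresses:
            findings.append(f"{name}: CIDR {entry} spans {detail.num_addresses} addresses")
    for port_spec in spec.get("servicePorts", []):
        try:
            _, low, high = parse_port(port_spec)
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
            continue
        if high - low + 1 > max_port_span:
            findings.append(f"{name}: {port_spec} opens {high - low + 1} ports")
    return findings


# Constructed samples mirroring the issue's examples (the /24 was demo data there too).
SAMPLE_BACKUP = {"metadata": {"name": "backup"},
                 "spec": {"entries": ["chat.pathfinder.gov.bc.ca"], "servicePorts": ["tcp/443"]}}
SAMPLE_ORACLE = {"metadata": {"name": "fdw-primary"},
                 "spec": {"entries": ["217.5.215.0/24"], "servicePorts": ["tcp/1521"]}}
SAMPLE_INDY = {"metadata": {"name": "indy-agent"},
               "spec": {"entries": ["0.0.0.0/0"], "servicePorts": ["tcp/9700:9799"]}}

if __name__ == "__main__":
    for res in (SAMPLE_BACKUP, SAMPLE_ORACLE, SAMPLE_INDY):
        for line in lint_external_network(res) or [f"{res['metadata']['name']}: ok"]:
            print(line)
```

Run against the three samples it reports nothing for the rocket.chat definition, one finding for the /24 in front of the Oracle database, and two for the Indy agent definition (any-address entry plus a 100-port range). The any-address case is kept separate from the size check so a `0.0.0.0/0` entry is always named as such rather than buried in an address count.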

Managing creation/update of Network Security Policy and External Network resources:

Network Security Policy and External Network resources are defined statically, meaning you cannot use something like,

```yaml
valueFrom:
  secretKeyRef:
    ....
```

to dynamically reference a secret.

In order to better facilitate the management of the parameters for such resources, the BCDevOps/openshift-developer-tools have been updated to allow hostname parameters to be parsed from user-provided endpoints, stored in secrets, and then read back from secrets during updates, allowing the static resources to be updated while the settings are retained.

Examples of this can be found here:

The resulting create and update flows then look like this:

Create:

```text
$ genDepls.sh -e dev -c backup

Loading settings ...
Loading settings from /c/family-law-act-app/openshift/settings.sh ...

Switching to 09e0c5-dev ...

Configuring the dev environment for . ...

Processing deployment configuration; ../openshift/templates/backup/backup-deploy.yaml ...

Reading config from ../openshift/templates/backup/backup-deploy.param ...

Reading config from ../openshift/templates/backup/backup-deploy.dev.param ...
Loading parameter overrides for ../openshift/templates/backup/backup-deploy.yaml ...

Initializing backup-deploy.overrides ...

Generating ConfigMap; backup-conf ...

WEBHOOK_URL - Please provide the webhook endpoint URL.  If left blank, the webhook integration feature will be disabled:
https://chat.pathfinder.gov.bc.ca/hooks/...

Parsing WEBHOOK_URL_HOST from WEBHOOK_URL; 'https://chat.pathfinder.gov.bc.ca/hooks/...' => 'chat.pathfinder.gov.bc.ca' ...

...

Removing temporary param override files ...
        Deleting override param file; ./backup-deploy.overrides.param ...

Deploying deployment configuration files ...

...
```

Update:

```text
Wade@hvWin10x64 MINGW64 /c/family-law-act-app/openshift (master)
$ genDepls.sh -e dev -c backup -u

Loading settings ...
Loading settings from /c/family-law-act-app/openshift/settings.sh ...

Switching to 09e0c5-dev ...

Configuring the dev environment for . ...

Processing deployment configuration; ../openshift/templates/backup/backup-deploy.yaml ...

Reading config from ../openshift/templates/backup/backup-deploy.param ...

Reading config from ../openshift/templates/backup/backup-deploy.dev.param ...
Loading parameter overrides for ../openshift/templates/backup/backup-deploy.yaml ...

Initializing backup-deploy.overrides ...

Generating ConfigMap; backup-conf ...

Update operation detected ...
Skipping the prompts for the WEBHOOK_URL secret ...

Getting WEBHOOK_URL_HOST for the ExternalNetwork definition from secret ...

Preparing deployment configuration for update/replace, removing any 'Secret' objects so existing values are left untouched ...

...

Removing temporary param override files ...
        Deleting override param file; ./backup-deploy.overrides.param ...

Deploying deployment configuration files ...

...
```
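The create and update flows above hinge on two steps: reducing a user-supplied URL to a bare hostname (so the token-bearing path of a webhook URL never lands in a network policy object, only in the secret) and, on `-u` runs, reading that hostname back from the secret instead of prompting again. The following is an added example of that logic in Python; it is not the genDepls.sh implementation from BCDevOps/openshift-developer-tools. `SecretStore` is an in-memory stand-in for the OpenShift Secret the real tooling writes and reads, and the secret name `backup-conf-secret` and the `resolve_webhook_host`/`render_external_network` helper names are assumptions; `WEBHOOK_URL` and `WEBHOOK_URL_HOST` are the parameter names shown in the console output.

```python
"""Keep the host behind a user-supplied URL stable across create and update runs.

Added example; not the genDepls.sh implementation. SecretStore is an
in-memory stand-in for the OpenShift Secret the real tooling writes on
create and reads back on "-u" runs; secret and helper names are assumptions.
"""
from urllib.parse import urlsplit


def host_from_url(url):
    """Reduce a webhook URL to the bare hostname an ExternalNetwork entry needs.

    Returns None for a blank URL (the "feature disabled" case in the prompt);
    drops scheme, userinfo, port, path and query so no token from the URL
    ends up in a network policy object.
    """
    url = url.strip()
    if not url:
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"expected an http(s) URL, got {url!r}")
    return parts.hostname


class SecretStore:
    """Minimal stand-in for reading/writing a Secret (assumption, not the real tooling)."""

    def __init__(self):
        self._secrets = {}

    def get(self, secret, key):
        return self._secrets.get(secret, {}).get(key)

    def put(self, secret, key, value):
        self._secrets.setdefault(secret, {})[key] = value


def resolve_webhook_host(store, secret_name, update, prompt):
    """Create: prompt, derive the host, persist both values.
    Update: return the stored host and never consult the prompt."""
    if update:
        host = store.get(secret_name, "WEBHOOK_URL_HOST")
        if host is None:
            raise RuntimeError(f"update requested but {secret_name} has no WEBHOOK_URL_HOST")
        return host or None  # "" was stored when the feature was disabled
    url = prompt("WEBHOOK_URL - Please provide the webhook endpoint URL: ")
    host = host_from_url(url)
    store.put(secret_name, "WEBHOOK_URL", url.strip())
    store.put(secret_name, "WEBHOOK_URL_HOST", host or "")
    return host


def render_external_network(name, namespace, hosts, ports=("tcp/443",)):
    """Emit the static ExternalNetwork document for the derived host(s),
    or None when there is nothing to allow (feature disabled)."""
    hosts = [h for h in hosts if h]
    if not hosts:
        return None
    lines = [
        "apiVersion: security.devops.gov.bc.ca/v1alpha1",
        "kind: ExternalNetwork",
        "metadata:",
        f"  name: {name}",
        f"  namespace: {namespace}",
        "spec:",
        "  entries:",
        *[f"  - {h}" for h in hosts],
        "  servicePorts:",
        *[f"  - {p}" for p in ports],
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    store = SecretStore()
    # Constructed URL; the path segment stands in for the real webhook token.
    create_url = "https://chat.pathfinder.gov.bc.ca/hooks/CONSTRUCTED-TOKEN"
    host = resolve_webhook_host(store, "backup-conf-secret", False, lambda _: create_url)
    print(render_external_network("backup", "09e0c5-dev", [host]))
    # Second run with -u: the stored host wins and the prompt is never used.
    again = resolve_webhook_host(store, "backup-conf-secret", True, lambda _: "ignored")
    print("update reused host:", again == host)
```

The update branch deliberately fails loudly when the secret has no `WEBHOOK_URL_HOST` rather than falling back to a prompt; a silent re-prompt is how a stale or retyped URL quietly widens the ExternalNetwork entry on the next deploy.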
@WadeBarnes WadeBarnes changed the title Network Security Policy and External Network Examples Network Security Policy and External Network Examples and Management Strategy Jan 7, 2021
@WadeBarnes WadeBarnes added the documentation Improvements or additions to documentation label Jan 7, 2021