
Migrate network policies from kubectl to kubernetes provider
Valentin Widmer committed Oct 9, 2023
1 parent b1201eb commit 489d8b4
Showing 2 changed files with 115 additions and 113 deletions.
224 changes: 115 additions & 109 deletions patterns/aws-vpc-cni-network-policy/main.tf
Expand Up @@ -28,20 +28,6 @@ provider "helm" {
}
}

provider "kubectl" {
apply_retry_count = 5
host = module.eks.cluster_endpoint
cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
load_config_file = false

exec {
api_version = "client.authentication.k8s.io/v1beta1"
command = "aws"
# This requires the awscli to be installed locally where Terraform is executed
args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
}
}

data "aws_availability_zones" "available" {}

locals {
Expand Down Expand Up @@ -164,120 +150,140 @@ module "addons" {
################################################################################

# Block all ingress and egress traffic within the stars namespace
resource "kubectl_manifest" "default_deny_stars" {
yaml_body = <<YAML
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: default-deny
namespace: stars
spec:
podSelector:
matchLabels: {}
YAML
resource "kubernetes_network_policy_v1" "default_deny_stars" {
metadata {
name = "default-deny"
namespace = "stars"
}
spec {
policy_types = ["Ingress"]
pod_selector {
match_labels = {}
}
}
depends_on = [module.addons]
}

# Block all ingress and egress traffic within the client namespace
resource "kubectl_manifest" "default_deny_client" {
yaml_body = <<YAML
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: default-deny
namespace: client
spec:
podSelector:
matchLabels: {}
YAML
resource "kubernetes_network_policy_v1" "default_deny_client" {
metadata {
name = "default-deny"
namespace = "client"
}
spec {
policy_types = ["Ingress"]
pod_selector {
match_labels = {}
}
}
depends_on = [module.addons]
}

# Allow the management-ui to access the star application pods
resource "kubectl_manifest" "allow_traffic_from_management_ui_to_application_components" {
yaml_body = <<YAML
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
namespace: stars
name: allow-ui
spec:
podSelector:
matchLabels: {}
ingress:
- from:
- namespaceSelector:
matchLabels:
role: management-ui
YAML
resource "kubernetes_network_policy_v1" "allow_ui_to_stars" {
metadata {
name = "allow-ui"
namespace = "stars"
}
spec {
policy_types = ["Ingress"]
pod_selector {
match_labels = {}
}
ingress {
from {
namespace_selector {
match_labels = {
role = "management-ui"
}
}
}
}
}
depends_on = [module.addons]
}

# Allow the management-ui to access the client application pods
resource "kubectl_manifest" "allow_traffic_from_management_ui_to_client" {
yaml_body = <<YAML
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
namespace: client
name: allow-ui
spec:
podSelector:
matchLabels: {}
ingress:
- from:
- namespaceSelector:
matchLabels:
role: management-ui
YAML
resource "kubernetes_network_policy_v1" "allow_ui_to_client" {
metadata {
name = "allow-ui"
namespace = "client"
}
spec {
policy_types = ["Ingress"]
pod_selector {
match_labels = {}
}
ingress {
from {
namespace_selector {
match_labels = {
role = "management-ui"
}
}
}
}
}
depends_on = [module.addons]
}

# Allow the frontend pod to access the backend pod within the stars namespace
resource "kubectl_manifest" "allow_traffic_from_frontend_to_backend" {
yaml_body = <<YAML
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
namespace: stars
name: backend-policy
spec:
podSelector:
matchLabels:
role: backend
ingress:
- from:
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 6379
YAML
resource "kubernetes_network_policy_v1" "allow_frontend_to_backend" {
metadata {
name = "backend-policy"
namespace = "stars"
}
spec {
policy_types = ["Ingress"]
pod_selector {
match_labels = {
role = "backend"
}
}
ingress {
from {
pod_selector {
match_labels = {
role = "frontend"
}
}
}
ports {
protocol = "TCP"
port = "6379"
}
}
}
depends_on = [module.addons]
}

# Allow the client pod to access the frontend pod within the stars namespace
resource "kubectl_manifest" "allow_traffic_from_client_to_frontend" {
yaml_body = <<YAML
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
namespace: stars
name: frontend-policy
spec:
podSelector:
matchLabels:
role: frontend
ingress:
- from:
- namespaceSelector:
matchLabels:
role: client
ports:
- protocol: TCP
port: 80
YAML
resource "kubernetes_network_policy_v1" "allow_client_to_backend" {
metadata {
name = "frontend-policy"
namespace = "stars"
}

spec {
policy_types = ["Ingress"]
pod_selector {
match_labels = {
role = "frontend"
}
}
ingress {
from {
namespace_selector {
match_labels = {
role = "client"
}
}
}
ports {
protocol = "TCP"
port = "80"
}
}
}
depends_on = [module.addons]
}
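Review bot: The comments kept above `default_deny_stars` and `default_deny_client` still say "Block all ingress and egress traffic", but both new resources set `policy_types = ["Ingress"]`, so egress from the stars and client namespaces is not restricted by these policies. Either make the comment match — `# Deny all ingress to pods in the stars namespace (egress is not restricted)` — or, if egress isolation is intended, add `"Egress"` to `policy_types` and check what outbound traffic (DNS, for example) the demo pods then still need. Separately, the last resource in this hunk is named `allow_client_to_backend` while its comment and `metadata.name` (`frontend-policy`) describe client-to-frontend traffic; `allow_client_to_frontend` would match the naming of the sibling `allow_frontend_to_backend`.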
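--- a/patterns/aws-vpc-cni-network-policy/versions.tf
+++ b/patterns/aws-vpc-cni-network-policy/versions.tf
@@ -14,9 +14,5 @@ terraform {
 source = "hashicorp/kubernetes"
 version = ">= 2.20"
 }
-kubectl = {
-source = "gavinbunney/kubectl"
-version = ">= 1.14"
-}
 }
 }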
