Isolate etcd using Network Policies

[marwinski]

etcd shall be isolated using the following policies:

1. only network traffic from the API server in the same namespace (for the same control plane) shall be allowed.
2. no outgoing network traffic shall be allowed

(2) above might interfere with the backup infrastructure and might need further investigation.

[rfranzke]

Yes, ideally we get network policies that define fine-grained rules to only allow those components to talk to each other that really need to (not only etcd). @wyb1 started working on defining network policies for Prometheus, but I suggest that someone takes the time to investigate who needs to talk to whom and then - carefully and with an extended amount of tests - designs the network policies.

[rfranzke]

@adracus interested in this one?

[praveendhac]

Following up from the email conversation where I reported the issue first.
Issue was first reported on Gardener v0.12.0, then we did not have default NetworkPolicies on Seeds.
Current issue reported is on Gardener v0.14.1 where we have default NetworkPolicies for Seeds.

[rfranzke]

We currently only isolate the kube-apiserver as it is the only entrypoint into the seeds. Isolating the other components is definitely planned and desired, but not that critical, as nobody can directly talk to them.

[adracus]

@rfranzke I guess providing a block is very difficult with our current network policies. I think we rather require a bigger rework there, but as you also said, the priority right now is not high for this.

[marwinski]

@rfranzke, @mvladev: it appears that we have a good reason to rework the network policies. Any objections closing this ticket and working on a new - more general one?

[marwinski]

closed for the more general issue #873