OCPBUGS-61088: create networkpolicy settings for in-cluster monitoring

assets/admission-webhook/network-policy-downstream.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: prometheus-operator-admission-webhook
+  namespace: openshift-monitoring
+spec:
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus-operator-admission-webhook
+  policyTypes:
+  - Ingress

assets/alertmanager/network-policy-downstream.yaml

@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: alertmanager
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: tenancy
+      protocol: TCP
+    - port: tcp-mesh
+      protocol: TCP
+    - port: udp-mesh
+      protocol: UDP
+    - port: web
+      protocol: TCP
+    - port: metrics
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: alertmanager
+  policyTypes:
+  - Ingress
+  - Egress

assets/cluster-monitoring-operator/network-policy-default-deny.yaml

@@ -0,0 +1,13 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: default-deny
+  namespace: openshift-monitoring
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress

assets/cluster-monitoring-operator/network-policy-downstream.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: cluster-monitoring-operator
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: cluster-monitoring-operator
+  policyTypes:
+  - Ingress
+  - Egress

assets/kube-state-metrics/network-policy-downstream.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: kube-state-metrics
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https-main
+      protocol: TCP
+    - port: https-self
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: kube-state-metrics
+  policyTypes:
+  - Ingress
+  - Egress

assets/metrics-server/network-policy-downstream.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: metrics-server
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: metrics-server
+  policyTypes:
+  - Ingress
+  - Egress

assets/monitoring-plugin/network-policy-downstream.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: monitoring-plugin
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: monitoring-plugin
+  policyTypes:
+  - Ingress
+  - Egress

assets/node-exporter/network-policy-downstream.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: node-exporter
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: node-exporter
+  policyTypes:
+  - Ingress
+  - Egress

assets/openshift-state-metrics/network-policy-downstream.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: openshift-state-metrics
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https-main
+      protocol: TCP
+    - port: https-self
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: openshift-state-metrics
+  policyTypes:
+  - Ingress
+  - Egress

assets/prometheus-k8s/network-policy-downstream.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: prometheus
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: web
+      protocol: TCP
+    - port: metrics
+      protocol: TCP
+    - port: grpc
+      protocol: TCP
+    - port: thanos-proxy
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
+  policyTypes:
+  - Ingress
+  - Egress

assets/prometheus-operator/network-policy-downstream.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: prometheus-operator
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus-operator
+  policyTypes:
+  - Ingress
+  - Egress

assets/telemeter-client/network-policy-downstream.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: telemeter-client
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: https
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: telemeter-client
+  policyTypes:
+  - Ingress
+  - Egress

assets/thanos-querier/network-policy-downstream.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: cluster-monitoring-operator
+    app.kubernetes.io/part-of: openshift-monitoring
+  name: thanos-querier
+  namespace: openshift-monitoring
+spec:
+  egress:
+  - {}
+  ingress:
+  - ports:
+    - port: web
+      protocol: TCP
+    - port: tenancy
+      protocol: TCP
+    - port: tenancy-rules
+      protocol: TCP
+    - port: metrics
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: thanos-query
+  policyTypes:
+  - Ingress
+  - Egress

jsonnet/components/admission-webhook.libsonnet

@@ -168,4 +168,33 @@ function(params)
         },
       ],
     },
+    // Allow access to prometheus-operator-admission-webhook 8443(port name is https) port
+    networkPolicyDownstream: {
+      apiVersion: 'networking.k8s.io/v1',
+      kind: 'NetworkPolicy',
+      metadata: {
+        name: 'prometheus-operator-admission-webhook',
+        namespace: 'openshift-monitoring',
+      },
+      spec: {
+        podSelector: {
+          matchLabels: {
+            'app.kubernetes.io/name': 'prometheus-operator-admission-webhook',
+          },
+        },
+        policyTypes: [
+          'Ingress',
+        ],
+        ingress: [
+          {
+            ports: [
+              {
+                port: 'https',
+                protocol: 'TCP',
+              },
+            ],
+          },
+        ],
+      },
+    },
   }

jsonnet/components/alertmanager.libsonnet

@@ -440,4 +440,54 @@ function(params)
         ],
       },
     },
+    // Allow access to alertmanager 9092(port name: tenancy)/9095(port name: web)/9097(port name: metrics)
+    // and 9094(port name: udp-mesh for UDP, port name: tcp-mesh for TCP) ports
+    networkPolicyDownstream: {
+      apiVersion: 'networking.k8s.io/v1',
+      kind: 'NetworkPolicy',
+      metadata: {
+        name: 'alertmanager',
+        namespace: cfg.namespace,
+      },
+      spec: {
+        podSelector: {
+          matchLabels: {
+            'app.kubernetes.io/name': 'alertmanager',
+          },
+        },
+        policyTypes: [
+          'Ingress',
+          'Egress',
+        ],
+        ingress: [
+          {
+            ports: [
+              {
+                port: 'tenancy',
+                protocol: 'TCP',
+              },
+              {
+                port: 'tcp-mesh',
+                protocol: 'TCP',
+              },
+              {
+                port: 'udp-mesh',
+                protocol: 'UDP',
+              },
+              {
+                port: 'web',
+                protocol: 'TCP',
+              },
+              {
+                port: 'metrics',
+                protocol: 'TCP',
+              },
+            ],
+          },
+        ],
+        egress: [
+          {},
+        ],
+      },
+    },
   }