// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License.AGPL.txt in the project root for license information.
package proxy
import (
"fmt"
"github.com/gitpod-io/gitpod/common-go/baseserver"
"github.com/gitpod-io/gitpod/installer/pkg/common"
networkingv1 "k8s.io/api/networking/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/intstr"
)
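// networkpolicy renders the NetworkPolicy that guards the proxy pods.
//
// The policy selects the pods carrying this component's default labels and
// lists only Ingress in PolicyTypes, so egress from those pods is left
// unrestricted by this object. Ingress is denied except for the rules below:
//   - the HTTP, HTTPS and SSH container ports carry no From clause, so any
//     source, in-cluster or external, may connect (presumably the
//     public-facing endpoints);
//   - the built-in metrics port is open only to pods labelled
//     component=<server component> that run in namespaces labelled
//     chart=<monitoring chart>; both selectors sit in one peer, which
//     Kubernetes evaluates as AND, not OR;
//   - the analytics port is open to the server, ws-manager-bridge and
//     ws-proxy components in the policy's own namespace;
//   - the configcat port is open to the server, ws-manager-bridge,
//     ide-service, public-api, usage, openvsx-proxy and dashboard components
//     in the policy's own namespace.
//
// ctx supplies the namespace the object is rendered into. The error result
// is always nil; it is kept so the function matches the installer's render
// function shape.
func networkpolicy(ctx *common.RenderContext) ([]runtime.Object, error) {
	labels := common.DefaultLabels(Component)

	// tcpPort builds one TCP port entry for an ingress rule. Leaving Type at
	// its zero value keeps the IntOrString as a numeric port, as before.
	tcpPort := func(port int32) networkingv1.NetworkPolicyPort {
		return networkingv1.NetworkPolicyPort{
			Protocol: common.TCPProtocol,
			Port:     &intstr.IntOrString{IntVal: port},
		}
	}

	// fromComponent builds a peer matching pods of the given component. No
	// NamespaceSelector is set, so the match is scoped to the policy's own
	// namespace.
	fromComponent := func(component string) networkingv1.NetworkPolicyPeer {
		return networkingv1.NetworkPolicyPeer{
			PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{
				"component": component,
			}},
		}
	}

	// NOTE(review): this single peer requires BOTH selectors to match, i.e.
	// only pods with component=<server component> inside a chart=<monitoring
	// chart> namespace may scrape metrics — confirm that is the intended
	// scraper identity rather than "any pod in the monitoring namespace".
	metricsScraper := networkingv1.NetworkPolicyPeer{
		NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{
			"chart": common.MonitoringChart,
		}},
		PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{
			"component": common.ServerComponent,
		}},
	}

	return []runtime.Object{&networkingv1.NetworkPolicy{
		TypeMeta: common.TypeMetaNetworkPolicy,
		ObjectMeta: metav1.ObjectMeta{
			Name:      fmt.Sprintf("%s-deny-all-allow-explicit", Component),
			Namespace: ctx.Namespace,
			Labels:    labels,
		},
		Spec: networkingv1.NetworkPolicySpec{
			PodSelector: metav1.LabelSelector{MatchLabels: labels},
			// Only ingress is governed here; egress stays unrestricted.
			PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
			Ingress: []networkingv1.NetworkPolicyIngressRule{
				{
					// No From: reachable from any source on these ports.
					Ports: []networkingv1.NetworkPolicyPort{
						tcpPort(ContainerHTTPPort),
						tcpPort(ContainerHTTPSPort),
						tcpPort(ContainerSSHPort),
					},
				},
				{
					Ports: []networkingv1.NetworkPolicyPort{
						tcpPort(baseserver.BuiltinMetricsPort),
					},
					From: []networkingv1.NetworkPolicyPeer{metricsScraper},
				},
				{
					Ports: []networkingv1.NetworkPolicyPort{
						tcpPort(ContainerAnalyticsPort),
					},
					From: []networkingv1.NetworkPolicyPeer{
						fromComponent(common.ServerComponent),
						fromComponent(common.WSManagerBridgeComponent),
						fromComponent(common.WSProxyComponent),
					},
				},
				{
					Ports: []networkingv1.NetworkPolicyPort{
						tcpPort(ContainerConfigcatPort),
					},
					From: []networkingv1.NetworkPolicyPeer{
						fromComponent(common.ServerComponent),
						fromComponent(common.WSManagerBridgeComponent),
						fromComponent(common.IDEServiceComponent),
						fromComponent(common.PublicApiComponent),
						fromComponent(common.UsageComponent),
						fromComponent(common.OpenVSXProxyComponent),
						fromComponent(common.DashboardComponent),
					},
				},
			},
		},
	}}, nil
}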