CoCalc -- networkpolicy.go

GitHub Repository: gitpod-io/gitpod
Path: blob/main/install/installer/pkg/components/workspace/networkpolicy.go
²⁵⁰¹ views
1
// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
2
// Licensed under the GNU Affero General Public License (AGPL).
3
// See License.AGPL.txt in the project root for license information.
4

5
package workspace
6

7
import (
8
	"fmt"
9

10
	"github.com/gitpod-io/gitpod/installer/pkg/common"
11
	agentsmith "github.com/gitpod-io/gitpod/installer/pkg/components/agent-smith"
12
	"github.com/gitpod-io/gitpod/installer/pkg/components/proxy"
13
	wsdaemon "github.com/gitpod-io/gitpod/installer/pkg/components/ws-daemon"
14
	networkingv1 "k8s.io/api/networking/v1"
15
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
16
	"k8s.io/apimachinery/pkg/runtime"
17
	"k8s.io/apimachinery/pkg/util/intstr"
18
)
19

20
func networkpolicy(ctx *common.RenderContext) ([]runtime.Object, error) {
21
	labels := common.DefaultLabels(Component)
22

23
	podSelectorLabels := map[string]string{
24
		"app":                     "gitpod",
25
		"component":               Component,
26
		"gitpod.io/networkpolicy": "default",
27
	}
28

29
	return []runtime.Object{&networkingv1.NetworkPolicy{
30
		TypeMeta: common.TypeMetaNetworkPolicy,
31
		ObjectMeta: metav1.ObjectMeta{
32
			Name:      fmt.Sprintf("%s-default", Component),
33
			Namespace: ctx.Namespace,
34
			Labels:    labels,
35
		},
36
		Spec: networkingv1.NetworkPolicySpec{
37
			PodSelector: metav1.LabelSelector{MatchLabels: podSelectorLabels},
38
			PolicyTypes: []networkingv1.PolicyType{"Ingress", "Egress"},
39
			Ingress: []networkingv1.NetworkPolicyIngressRule{
40
				{
41
					From: []networkingv1.NetworkPolicyPeer{
42
						{
43
							PodSelector: &metav1.LabelSelector{MatchLabels: common.DefaultLabels(proxy.Component)},
44
						},
45
					},
46
				},
47
				{
48
					From: []networkingv1.NetworkPolicyPeer{
49
						{
50
							PodSelector: &metav1.LabelSelector{MatchLabels: common.DefaultLabels(common.WSProxyComponent)},
51
						},
52
					},
53
				},
54
				{
55
					From: []networkingv1.NetworkPolicyPeer{
56
						{
57
							PodSelector: &metav1.LabelSelector{MatchLabels: common.DefaultLabels(agentsmith.Component)},
58
						},
59
					},
60
				},
61
				{
62
					From: []networkingv1.NetworkPolicyPeer{
63
						{
64
							PodSelector: &metav1.LabelSelector{MatchLabels: common.DefaultLabels(wsdaemon.Component)},
65
						},
66
					},
67
				},
68
				{
69
					Ports: []networkingv1.NetworkPolicyPort{
70
						{
71
							Protocol: common.TCPProtocol,
72
							Port:     &intstr.IntOrString{IntVal: 23000},
73
						},
74
					},
75
					From: []networkingv1.NetworkPolicyPeer{
76
						{
77
							NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{
78
								"chart": common.MonitoringChart,
79
							}},
80
							PodSelector: &metav1.LabelSelector{MatchLabels: common.DefaultLabels(common.ServerComponent)},
81
						},
82
					},
83
				},
84
			},
85
			Egress: []networkingv1.NetworkPolicyEgressRule{
86
				{
87
					To: []networkingv1.NetworkPolicyPeer{
88
						{
89
							IPBlock: &networkingv1.IPBlock{
90
								CIDR: "0.0.0.0/0",
91
								// Google Compute engine special, reserved VM metadata IP
92
								Except: []string{"169.254.169.254/32"},
93
							},
94
						},
95
					},
96
				},
97
				{
98
					To: []networkingv1.NetworkPolicyPeer{
99
						{
100
							PodSelector: &metav1.LabelSelector{MatchLabels: common.DefaultLabels(proxy.Component)},
101
						},
102
					},
103
				},
104
				common.AllowKubeDnsEgressRule(),
105
			},
106
		},
107
	}}, nil
108
}
109

110
Product

Resources

Company
