fix: support for anywhere network policies in cilium (#884)

mjnagel · web-flow · commit 5df073768eb9 · 2024-10-10T08:38:18.000-06:00
## Description Reference [this doc](https://github.com/cilium/cilium/blob/v1.16.2/Documentation/network/kubernetes/policy.rst#networkpolicy) for the limitations of Cilium with `ipBlock` based netpols. Two changes included to support this behavior: - Modifies the keycloak backchannel policy to include all namespaces instead of using the `Anywhere` generated target. This was intended to be anywhere in cluster anyways (see the deleted TODO comment in the diff). - Modifies `Anywhere` target to include both the `0.0.0.0/0` CIDR and an empty namespace selector. For any non-Cilium CNIs `0.0.0.0/0` would've already covered any in-cluster endpoints, so this only changes the behavior for Cilium. ## Related Issue Fixes #871 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed
diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml
@@ -26,13 +26,12 @@ spec:
           app: pepr-uds-core-watcher
         port: 8080
 
-      # Temp workaround for any cluster pod
-      # todo: remove this once cluster pods is a remote generated target
       - description: "Keycloak backchannel access"
         direction: Ingress
         selector:
           app.kubernetes.io/name: keycloak
-        remoteGenerated: Anywhere
+        # Allow access from anything in cluster using an empty namespace selector
+        remoteNamespace: "*"
         port: 8080
 
       # Keycloak OCSP to check certs cannot guarantee a static IP
diff --git a/src/pepr/operator/controllers/network/generate.ts b/src/pepr/operator/controllers/network/generate.ts
@@ -3,7 +3,7 @@ import { V1NetworkPolicyPeer, V1NetworkPolicyPort } from "@kubernetes/client-nod
 import { kind } from "pepr";
 
 import { Allow, RemoteGenerated } from "../../crd";
-import { anywhere } from "./generators/anywhere";
+import { anywhere, anywhereInCluster } from "./generators/anywhere";
 import { cloudMetadata } from "./generators/cloudMetadata";
 import { intraNamespace } from "./generators/intraNamespace";
 import { kubeAPI } from "./generators/kubeAPI";
@@ -31,7 +31,7 @@ function getPeers(policy: Allow): V1NetworkPolicyPeer[] {
         break;
 
       case RemoteGenerated.Anywhere:
-        peers = [anywhere];
+        peers = [anywhere, anywhereInCluster];
         break;
     }
   } else if (policy.remoteNamespace !== undefined || policy.remoteSelector !== undefined) {
diff --git a/src/pepr/operator/controllers/network/generators/anywhere.ts b/src/pepr/operator/controllers/network/generators/anywhere.ts
@@ -9,3 +9,11 @@ export const anywhere: V1NetworkPolicyPeer = {
     except: [META_IP],
   },
 };
+
+/** Matches any endpoint in cluster
+ * This is primarily to support Cilium where IP based policies do not match/allow anything in-cluster
+ * Ref: https://github.com/defenseunicorns/uds-core/issues/871 and https://github.com/cilium/cilium/blob/v1.16.2/Documentation/network/kubernetes/policy.rst#networkpolicy
+ */
+export const anywhereInCluster: V1NetworkPolicyPeer = {
+  namespaceSelector: {},
+};
