From 3f6f4a753ac9d31c4bf339e9c6578cc1ae0c048d Mon Sep 17 00:00:00 2001
From: Noah Birrer
Date: Fri, 25 Apr 2025 13:04:42 -0400
Subject: [PATCH 1/8] feat: add conditional netpol coredns
---
 .../chart/templates/coredns-netpol.yaml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 src/prometheus-stack/chart/templates/coredns-netpol.yaml
diff --git a/src/prometheus-stack/chart/templates/coredns-netpol.yaml b/src/prometheus-stack/chart/templates/coredns-netpol.yaml
new file mode 100644
index 0000000000..62037b4265
--- /dev/null
+++ b/src/prometheus-stack/chart/templates/coredns-netpol.yaml
@@ -0,0 +1,24 @@
+{{ if .Values.addCorednsNetpol }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-prometheus-to-kube-dns
+ namespace: kube-system
+spec:
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app: prometheus
+ ports:
+ - protocol: TCP
+ port: 9153
+{{- end -}}
\ No newline at end of file
From 3c54715392075b916af7ee3e9d8dc3f8101da082 Mon Sep 17 00:00:00 2001
From: Noah Birrer
Date: Fri, 25 Apr 2025 14:03:04 -0400
Subject: [PATCH 2/8] lint fix
---
 pkg-test.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 pkg-test.yaml
diff --git a/pkg-test.yaml b/pkg-test.yaml
new file mode 100644
index 0000000000..e12f3fdde1
--- /dev/null
+++ b/pkg-test.yaml
@@ -0,0 +1,17 @@
+apiVersion: uds.dev/v1alpha1
+kind: Package
+metadata:
+ name: test
+ namespace: default
+spec:
+ network:
+ allow:
+ - direction: Ingress
+ remoteNamespace: "kube-system"
+ remoteSelector:
+ k8s-app: kube-dns
+ port: 9153
+ selector:
+ app.kubernetes.io/name: prometheus
+ port: 9090
+ description: "CoreDNS Metrics Queries"
From 942858da582959c0a627b753f5ef882862e05961 Mon Sep 17 00:00:00 2001
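Review bot: Selecting the kube-dns pods with `policyTypes: [Ingress]` makes them ingress-isolated, so unless another NetworkPolicy in kube-system already admits DNS on 53/UDP and 53/TCP from the rest of the cluster, rendering this policy drops cluster DNS while allowing only the metrics scrape; that companion rule is not in this series, so confirm it exists (or add it beside this one) before the value is enabled in a bundle. The peer match `app: prometheus` also needs checking: the pkg-test.yaml added in the next patch of this series selects the same Prometheus pods with `app.kubernetes.io/name: prometheus`, and if the pods carry only the latter label the scrape stays blocked. The source namespace is hard-coded as `kubernetes.io/metadata.name: monitoring`; if the chart is installed into that namespace, `kubernetes.io/metadata.name: {{ .Release.Namespace }}` keeps the rule aligned with the install target.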
From: Noah Birrer
Date: Fri, 25 Apr 2025 14:06:52 -0400
Subject: [PATCH 3/8] rm local file
---
 pkg-test.yaml | 17 -----------------
 .../chart/templates/coredns-netpol.yaml | 2 +-
 2 files changed, 1 insertion(+), 18 deletions(-)
 delete mode 100644 pkg-test.yaml
diff --git a/pkg-test.yaml b/pkg-test.yaml
deleted file mode 100644
index e12f3fdde1..0000000000
--- a/pkg-test.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: uds.dev/v1alpha1
-kind: Package
-metadata:
- name: test
- namespace: default
-spec:
- network:
- allow:
- - direction: Ingress
- remoteNamespace: "kube-system"
- remoteSelector:
- k8s-app: kube-dns
- port: 9153
- selector:
- app.kubernetes.io/name: prometheus
- port: 9090
- description: "CoreDNS Metrics Queries"
diff --git a/src/prometheus-stack/chart/templates/coredns-netpol.yaml b/src/prometheus-stack/chart/templates/coredns-netpol.yaml
index 62037b4265..08d66c5c0b 100644
--- a/src/prometheus-stack/chart/templates/coredns-netpol.yaml
+++ b/src/prometheus-stack/chart/templates/coredns-netpol.yaml
@@ -21,4 +21,4 @@ spec:
 ports:
 - protocol: TCP
 port: 9153
-{{- end -}}
\ No newline at end of file
+{{- end -}}
From 3c2881583188c7e271f2334319c1ae0b90b2dadc Mon Sep 17 00:00:00 2001
From: Noah Birrer
Date: Fri, 25 Apr 2025 14:11:23 -0400
Subject: [PATCH 4/8] add license
---
 src/prometheus-stack/chart/templates/coredns-netpol.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/prometheus-stack/chart/templates/coredns-netpol.yaml b/src/prometheus-stack/chart/templates/coredns-netpol.yaml
index 08d66c5c0b..596620306b 100644
--- a/src/prometheus-stack/chart/templates/coredns-netpol.yaml
+++ b/src/prometheus-stack/chart/templates/coredns-netpol.yaml
@@ -1,3 +1,6 @@
+# Copyright 2025 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
 {{ if .Values.addCorednsNetpol }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
From 1887538be2270e66a6ce8fc05665be6f8c35ad80 Mon Sep 17 00:00:00 2001
From: Noah Birrer
Date: Fri, 25 Apr 2025 16:56:41 -0400
Subject: [PATCH 5/8] address feedback
---
 .github/bundles/rke2/uds-bundle.yaml | 5 +++++
 src/prometheus-stack/chart/templates/coredns-netpol.yaml | 3 +--
 src/prometheus-stack/chart/values.yaml | 2 ++
 tasks/iac.yaml | 6 +++---
 4 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/.github/bundles/rke2/uds-bundle.yaml b/.github/bundles/rke2/uds-bundle.yaml
index 48d2623f40..4fdf7d16bc 100644
--- a/.github/bundles/rke2/uds-bundle.yaml
+++ b/.github/bundles/rke2/uds-bundle.yaml
@@ -57,6 +57,11 @@ packages:
 value:
 service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
 service.beta.kubernetes.io/aws-load-balancer-target-node-labels: "kubernetes.io/os=linux"
+ kube-prometheus-stack:
+ uds-prometheus-config:
+ values:
+ - path: addRke2CorednsNetpol.enabled
+ value: true
 velero:
 velero:
 variables:
diff --git a/src/prometheus-stack/chart/templates/coredns-netpol.yaml b/src/prometheus-stack/chart/templates/coredns-netpol.yaml
index 596620306b..8e9545f629 100644
--- a/src/prometheus-stack/chart/templates/coredns-netpol.yaml
+++ b/src/prometheus-stack/chart/templates/coredns-netpol.yaml
@@ -1,7 +1,6 @@
 # Copyright 2025 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
-
-{{ if .Values.addCorednsNetpol }}
+{{- if (eq .Values.addRke2CorednsNetpol.enabled true) }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
diff --git a/src/prometheus-stack/chart/values.yaml b/src/prometheus-stack/chart/values.yaml
index 7ffc8031e6..f37e7b5fdd 100644
--- a/src/prometheus-stack/chart/values.yaml
+++ b/src/prometheus-stack/chart/values.yaml
@@ -10,3 +10,5 @@ additionalNetworkAllow: []
 # remoteGenerated: Anywhere
 # description: "from alertmanager to anywhere"
 # port: 443
+addRke2CorednsNetpol:
+ enabled: false
\ No newline at end of file
diff --git a/tasks/iac.yaml b/tasks/iac.yaml
index 2afe4be7bc..d0e6ad7b3c 100644
--- a/tasks/iac.yaml
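Review bot: The new `addRke2CorednsNetpol.enabled` key in values.yaml arrives without a comment, although the sibling `additionalNetworkAllow` block above it carries a commented example of its shape; the rename to `rke2CorednsNetpol` in patch 7 of this series keeps it undocumented. Suggest one line above the key: `# true renders a NetworkPolicy in kube-system that admits the Prometheus pods in the monitoring namespace to the CoreDNS metrics port (TCP 9153)`. The RKE2-only intent is visible from the key name and the rke2 bundle override in this same patch, but nothing in the chart states why other distributions do not need it, so a second line giving that reason would help.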
+++ b/tasks/iac.yaml
@@ -65,9 +65,9 @@ tasks:
 break
 fi
 done
- - task: util:rke2-allow-prom-kube-dns
- dir: .github/test-infra/aws/rke2/
- maxTotalSeconds: 600
+ # - task: util:rke2-allow-prom-kube-dns
+ # dir: .github/test-infra/aws/rke2/
+ # maxTotalSeconds: 600
 - name: create-iac
 actions:
From a6791756266682f2ecb0dfc3c557c422a1825bd4 Mon Sep 17 00:00:00 2001
From: Noah Birrer
Date: Mon, 28 Apr 2025 09:53:58 -0400
Subject: [PATCH 6/8] lint fix
---
 src/prometheus-stack/chart/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/prometheus-stack/chart/values.yaml b/src/prometheus-stack/chart/values.yaml
index f37e7b5fdd..baa3808c15 100644
--- a/src/prometheus-stack/chart/values.yaml
+++ b/src/prometheus-stack/chart/values.yaml
@@ -11,4 +11,4 @@ additionalNetworkAllow: []
 # description: "from alertmanager to anywhere"
 # port: 443
 addRke2CorednsNetpol:
- enabled: false
\ No newline at end of file
+ enabled: false
From e8fbe871db5523cae8e4476ecf4fc21424e4fda4 Mon Sep 17 00:00:00 2001
From: Noah Birrer
Date: Mon, 28 Apr 2025 12:38:56 -0400
Subject: [PATCH 7/8] address feedback
---
 .../chart/templates/coredns-netpol.yaml | 2 +-
 src/prometheus-stack/chart/values.yaml | 2 +-
 tasks/iac.yaml | 3 --
 tasks/utils.yaml | 28 -------------------
 4 files changed, 2 insertions(+), 33 deletions(-)
diff --git a/src/prometheus-stack/chart/templates/coredns-netpol.yaml b/src/prometheus-stack/chart/templates/coredns-netpol.yaml
index 8e9545f629..2a279cc4a7 100644
--- a/src/prometheus-stack/chart/templates/coredns-netpol.yaml
+++ b/src/prometheus-stack/chart/templates/coredns-netpol.yaml
@@ -1,6 +1,6 @@
 # Copyright 2025 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
-{{- if (eq .Values.addRke2CorednsNetpol.enabled true) }}
+{{- if .Values.rke2CorednsNetpol.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
diff --git a/src/prometheus-stack/chart/values.yaml b/src/prometheus-stack/chart/values.yaml
index baa3808c15..e0605a5c34 100644
--- a/src/prometheus-stack/chart/values.yaml
+++ b/src/prometheus-stack/chart/values.yaml
@@ -10,5 +10,5 @@ additionalNetworkAllow: []
 # remoteGenerated: Anywhere
 # description: "from alertmanager to anywhere"
 # port: 443
-addRke2CorednsNetpol:
+rke2CorednsNetpol:
 enabled: false
diff --git a/tasks/iac.yaml b/tasks/iac.yaml
index d0e6ad7b3c..aaca9d00b4 100644
--- a/tasks/iac.yaml
+++ b/tasks/iac.yaml
@@ -65,9 +65,6 @@ tasks:
 break
 fi
 done
- # - task: util:rke2-allow-prom-kube-dns
- # dir: .github/test-infra/aws/rke2/
- # maxTotalSeconds: 600
 - name: create-iac
 actions:
diff --git a/tasks/utils.yaml b/tasks/utils.yaml
index 854751b438..4cf42780b4 100644
--- a/tasks/utils.yaml
+++ b/tasks/utils.yaml
@@ -50,34 +50,6 @@ tasks:
 namespace: kube-system
 EOF
 uds zarf tools kubectl -n kube-system rollout restart deployment coredns
- - name: rke2-allow-prom-kube-dns
- actions:
- - description: Create NetworkPolicy to allow Prometheus to scrape kube-dns
- cmd: |
- uds zarf tools kubectl apply -f - <
Date: Mon, 28 Apr 2025 13:32:30 -0400
Subject: [PATCH 8/8] update bundle yaml
---
 .github/bundles/rke2/uds-bundle.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/bundles/rke2/uds-bundle.yaml b/.github/bundles/rke2/uds-bundle.yaml
index 4fdf7d16bc..6adf6cf683 100644
--- a/.github/bundles/rke2/uds-bundle.yaml
+++ b/.github/bundles/rke2/uds-bundle.yaml
@@ -60,7 +60,7 @@ packages:
 kube-prometheus-stack:
 uds-prometheus-config:
 values:
- - path: addRke2CorednsNetpol.enabled
+ - path: rke2CorednsNetpol.enabled
 value: true
 velero:
 velero: