authorAleksandr Nogikh <nogikh@google.com>2025-02-14 21:43:28 +0100
committerAleksandr Nogikh <nogikh@google.com>2025-02-17 08:56:56 +0000
commitcee0e5332a67a82fbade95307599ff448acbe604 (patch)
tree30061bbce9b644d096f453a46835f8b3c9eaa3fe /syz-cluster
parent4121cf9df313ee111c01fde1f255d010c8d941cd (diff)
syz-cluster: configure network policies
Enable egress traffic for all nodes. Configure ingress traffic on a per-need basis.
Diffstat (limited to 'syz-cluster')
-rw-r--r--syz-cluster/kernel-disk/cron.yaml3
-rw-r--r--syz-cluster/overlays/common/kustomization.yaml7
-rw-r--r--syz-cluster/overlays/common/network-deny-all.yaml14
-rw-r--r--syz-cluster/overlays/common/network-policy-controller.yaml21
-rw-r--r--syz-cluster/overlays/common/network-policy-git-access.yaml32
-rw-r--r--syz-cluster/overlays/dev/fake-gcs.yaml29
-rw-r--r--syz-cluster/overlays/dev/kustomization.yaml5
-rw-r--r--syz-cluster/overlays/dev/network-policy-spanner.yaml27
-rw-r--r--syz-cluster/pkg/workflow/template.yaml3
-rwxr-xr-xsyz-cluster/run-local.sh1
10 files changed, 140 insertions, 2 deletions
diff --git a/syz-cluster/kernel-disk/cron.yaml b/syz-cluster/kernel-disk/cron.yaml
index 8249e9c77..f20535844 100644
--- a/syz-cluster/kernel-disk/cron.yaml
+++ b/syz-cluster/kernel-disk/cron.yaml
@@ -10,6 +10,9 @@ spec:
jobTemplate:
spec:
template:
+ metadata:
+ labels:
+ app: kernel-repo-update
spec:
restartPolicy: Never
volumes:
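Review bot: The new `app: kernel-repo-update` label on the Job pod template is the only thing tying this CronJob to the `kernel-fetcher-git-access` egress policy added in the same commit, and nothing at this site records that coupling, so a later rename of either side would silently detach the policy without any error. I'd add a comment above the label: `# Selected by the kernel-fetcher-git-access NetworkPolicy (overlays/common).` The CronJob spec continues outside the hunk.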
diff --git a/syz-cluster/overlays/common/kustomization.yaml b/syz-cluster/overlays/common/kustomization.yaml
new file mode 100644
index 000000000..32eb3672e
--- /dev/null
+++ b/syz-cluster/overlays/common/kustomization.yaml
@@ -0,0 +1,7 @@
+# Copyright 2025 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+resources:
+ - network-deny-all.yaml
+ - network-policy-controller.yaml
+ - network-policy-git-access.yaml
diff --git a/syz-cluster/overlays/common/network-deny-all.yaml b/syz-cluster/overlays/common/network-deny-all.yaml
new file mode 100644
index 000000000..57f6ddf49
--- /dev/null
+++ b/syz-cluster/overlays/common/network-deny-all.yaml
@@ -0,0 +1,14 @@
+# Copyright 2025 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-all
+ namespace: default
+spec:
+ # Select all pods.
+ podSelector: {}
+ # Deny all ingress traffic.
+ policyTypes:
+ - Ingress
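Review bot: `namespace: default` is hardcoded on this policy while every other NetworkPolicy in the commit leaves the namespace unset, so if the overlay is ever applied under a kustomize `namespace:` transform or a different kubectl context the deny-all and the allow rules could land in different namespaces; dropping the line keeps the three common policies consistent. A second point worth recording next to `podSelector: {}` is that a NetworkPolicy is only enforced by a CNI that implements it — on a cluster without such enforcement the object is accepted and silently does nothing, and none of the allow rules in this commit would then be protecting anything: `# Only enforced when the cluster CNI implements NetworkPolicy; otherwise this is a silent no-op.` Since `policyTypes` lists only `Ingress`, egress stays unrestricted for every pod, which matches the commit message.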
diff --git a/syz-cluster/overlays/common/network-policy-controller.yaml b/syz-cluster/overlays/common/network-policy-controller.yaml
new file mode 100644
index 000000000..2af8ca351
--- /dev/null
+++ b/syz-cluster/overlays/common/network-policy-controller.yaml
@@ -0,0 +1,21 @@
+# Copyright 2025 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: controller-access
+spec:
+ podSelector:
+ matchLabels:
+ app: controller
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: series-tracker
+ - podSelector:
+ matchLabels:
+ tier: workflow
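Review bot: The rule admits the two selectors to every port on the controller pod because it carries no `ports:` entry; scoping it to the port the controller actually serves — `ports:` / `- protocol: TCP` / `  port: <controller-port>` (the value is not on this page) — is the least-privilege form and keeps any debug or metrics listener from being reachable by workflow pods. The `tier: workflow` selector matches every pod spawned by a workflow, since pkg/workflow/template.yaml applies that label at the `podMetadata` level, so this grant is as broad as the workflow itself. A comment on each selector naming where the label is set would make the policy readable without grepping the rest of the tree.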
diff --git a/syz-cluster/overlays/common/network-policy-git-access.yaml b/syz-cluster/overlays/common/network-policy-git-access.yaml
new file mode 100644
index 000000000..9fb34d86c
--- /dev/null
+++ b/syz-cluster/overlays/common/network-policy-git-access.yaml
@@ -0,0 +1,32 @@
+# Copyright 2025 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+# Allow all outbound internet access for the steps that might need to pull repos.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: series-tracker-git-access
+spec:
+ podSelector:
+ matchLabels:
+ app: series-tracker
+ policyTypes:
+ - Egress
+ egress:
+ - {}
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: kernel-fetcher-git-access
+spec:
+ podSelector:
+ matchLabels:
+ app: kernel-repo-update
+ policyTypes:
+ - Egress
+ egress:
+ - {}
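Review bot: Both policies here allow all egress for their pods, but the `default-deny-all` added in this commit sets `policyTypes: [Ingress]` only, so no pod in the namespace is isolated for egress and these two objects grant nothing that is not already granted. If the intent is to prepare for a later egress deny, I'd say so under the existing header comment: `# These only take effect once an egress default-deny exists; until then every pod already has unrestricted egress.` When such a deny is added, DNS to the cluster resolver (UDP/TCP 53) must also be allowed for all pods or name resolution breaks cluster-wide. Stylistically the two documents differ only in name and label value, so one policy selecting with `matchExpressions: [{key: app, operator: In, values: [series-tracker, kernel-repo-update]}]` would state the rule once.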
diff --git a/syz-cluster/overlays/dev/fake-gcs.yaml b/syz-cluster/overlays/dev/fake-gcs.yaml
index e9ebcd4e8..b5af7594c 100644
--- a/syz-cluster/overlays/dev/fake-gcs.yaml
+++ b/syz-cluster/overlays/dev/fake-gcs.yaml
@@ -52,3 +52,32 @@ spec:
port: 4443
targetPort: 4443
type: LoadBalancer
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: fake-gcs-server-access
+spec:
+ podSelector:
+ matchLabels:
+ app: fake-gcs-server
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: controller
+ - podSelector:
+ matchLabels:
+ app: reporter
+ - podSelector:
+ matchLabels:
+ app: web-dashboard
+ - podSelector:
+ matchLabels:
+ tier: workflow
+ - podSelector:
+ matchLabels:
+ app: workflow-controller
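Review bot: The `from` list restricts sources but the rule has no `ports:`, so the admitted pods can reach every port on the fake-gcs-server pod rather than only the 4443 the Service above targets; adding `ports:` / `- protocol: TCP` / `  port: 4443` to the rule keeps it to the one port that is served. The ad-hoc pod started by run-local.sh is labelled only `app=db-mgmt`, which is not in this list, so it can no longer reach the emulator should it ever need to (it is given `LOCAL_BLOB_STORAGE_PATH`, so presumably it does not). Likewise the `type: LoadBalancer` Service just above implies out-of-cluster access to the emulator; traffic arriving that way is not from any listed pod and will be dropped by this policy, which is fine if that exposure is not relied on but worth confirming.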
diff --git a/syz-cluster/overlays/dev/kustomization.yaml b/syz-cluster/overlays/dev/kustomization.yaml
index 7283de8c1..8038adaf2 100644
--- a/syz-cluster/overlays/dev/kustomization.yaml
+++ b/syz-cluster/overlays/dev/kustomization.yaml
@@ -7,11 +7,13 @@ resources:
- ../../series-tracker
- ../../kernel-disk
- ../../reporter
+ - ../common
- global-config.yaml
- https://github.com/argoproj/argo-workflows/releases/download/v3.6.2/install.yaml
- workflow-roles.yaml
- fake-gcs.yaml
- workflow-artifacts.yaml
+ - network-policy-spanner.yaml
patches:
- target:
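Review bot: Only the `dev` overlay gains `../common`, so the default-deny and the common allow rules become active only there; if another overlay under syz-cluster/overlays exists it keeps running without any ingress restriction, which the commit message does not mention. A short comment on the `../common` line would make the dependency visible: `# shared network policies: default-deny ingress plus the allow rules every overlay needs`.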
@@ -27,8 +29,7 @@ patches:
- op: replace
path: /data
value:
- config: |
- executor:
+ executor: |
env:
- name: STORAGE_EMULATOR_HOST
value: http://fake-gcs-server.default.svc.cluster.local:4443
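Review bot: Replacing the nested `config: | executor:` block with a top-level `executor: |` key changes the shape of the patched ConfigMap, which is unrelated to network policies and is not mentioned in the commit message; presumably this tracks the workflow-controller config layout, but it deserves its own commit or at least a sentence in the description. The patch target is defined above the hunk, outside this view.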
diff --git a/syz-cluster/overlays/dev/network-policy-spanner.yaml b/syz-cluster/overlays/dev/network-policy-spanner.yaml
new file mode 100644
index 000000000..bfda8c609
--- /dev/null
+++ b/syz-cluster/overlays/dev/network-policy-spanner.yaml
@@ -0,0 +1,27 @@
+# Copyright 2025 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: cloud-spanner-access
+spec:
+ podSelector:
+ matchLabels:
+ app: cloud-spanner-emulator
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: db-mgmt
+ - podSelector:
+ matchLabels:
+ app: controller
+ - podSelector:
+ matchLabels:
+ app: web-dashboard
+ - podSelector:
+ matchLabels:
+ app: reporter
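Review bot: The `app: db-mgmt` entry does not correspond to any deployment visible in this commit; it is the label run-local.sh now attaches to its ad-hoc `kubectl run` pod, so a comment on that line would stop a reader from hunting for a manifest: `# Ad-hoc pod started by run-local.sh (--labels=app=db-mgmt).` As with the other allow policies, the rule has no `ports:`, so the listed pods can reach every port on the emulator pod; restricting it to the emulator's serving port (not on this page, `<spanner-emulator-port>`) would be tighter. `controller`, `web-dashboard` and `reporter` are admitted but `series-tracker` is not, so if series-tracker ever reads the database it will be blocked — worth a quick check.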
diff --git a/syz-cluster/pkg/workflow/template.yaml b/syz-cluster/pkg/workflow/template.yaml
index 1613aeae8..2cfe7a811 100644
--- a/syz-cluster/pkg/workflow/template.yaml
+++ b/syz-cluster/pkg/workflow/template.yaml
@@ -14,6 +14,9 @@ spec:
ttlStrategy:
# Keep finihed workflows for 12 hours after completion.
secondsAfterCompletion: 43200
+ podMetadata:
+ labels:
+ tier: workflow
arguments:
parameters:
- name: session-id
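Review bot: `tier: workflow` is applied to every pod the workflow spawns, and both `controller-access` and `fake-gcs-server-access` in this commit admit that label, so each step pod — whatever it runs — gets network access to the controller and the blob store rather than only the steps that need to report results. If the steps are distinguishable, labelling just the reporting ones would be the least-privilege shape; at minimum record the coupling here: `# Matched by the controller-access and fake-gcs-server-access NetworkPolicies.` The Workflow spec continues outside the hunk, and the `finihed` typo in the context line above is pre-existing.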
diff --git a/syz-cluster/run-local.sh b/syz-cluster/run-local.sh
index 6d5d8f629..75e7867bc 100755
--- a/syz-cluster/run-local.sh
+++ b/syz-cluster/run-local.sh
@@ -21,4 +21,5 @@ kubectl run run-local --image="$name-local" \
--env="SPANNER_DATABASE_URI=projects/my-project/instances/my-instance/databases/db" \
--env="LOCAL_BLOB_STORAGE_PATH=/tmp/blobs/" \
--rm \
+ --labels="app=db-mgmt" \
--attach -- "$@"
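Review bot: `--labels` replaces the label set `kubectl run` would otherwise apply, so the pod no longer carries the default `run=run-local` label; nothing on this page selects on it, but worth confirming before relying on the new one alone. The value is what the `cloud-spanner-access` policy admits, and that dependency should be written down — not as a trailing comment on this line, since the `\` continuation must stay the last character, but as a comment above the `kubectl run` invocation (outside this hunk): `# app=db-mgmt is the label cloud-spanner-access admits (overlays/dev/network-policy-spanner.yaml).`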