From cee0e5332a67a82fbade95307599ff448acbe604 Mon Sep 17 00:00:00 2001
From: Aleksandr Nogikh
Date: Fri, 14 Feb 2025 21:43:28 +0100
Subject: syz-cluster: configure network policies

Enable egress traffic for all nodes.
Configure ingress traffic on the per-need basis.
---
 syz-cluster/kernel-disk/cron.yaml | 3 ++
 syz-cluster/overlays/common/kustomization.yaml | 7 +++++
 syz-cluster/overlays/common/network-deny-all.yaml | 14 ++++++++++
 .../overlays/common/network-policy-controller.yaml | 21 ++++++++++++++
 .../overlays/common/network-policy-git-access.yaml | 32 ++++++++++++++++++++++
 syz-cluster/overlays/dev/fake-gcs.yaml | 29 ++++++++++++++++++++
 syz-cluster/overlays/dev/kustomization.yaml | 5 ++--
 .../overlays/dev/network-policy-spanner.yaml | 27 ++++++++++++++++++
 syz-cluster/pkg/workflow/template.yaml | 3 ++
 syz-cluster/run-local.sh | 1 +
 10 files changed, 140 insertions(+), 2 deletions(-)
 create mode 100644 syz-cluster/overlays/common/kustomization.yaml
 create mode 100644 syz-cluster/overlays/common/network-deny-all.yaml
 create mode 100644 syz-cluster/overlays/common/network-policy-controller.yaml
 create mode 100644 syz-cluster/overlays/common/network-policy-git-access.yaml
 create mode 100644 syz-cluster/overlays/dev/network-policy-spanner.yaml
(limited to 'syz-cluster')
diff --git a/syz-cluster/kernel-disk/cron.yaml b/syz-cluster/kernel-disk/cron.yaml
index 8249e9c77..f20535844 100644
--- a/syz-cluster/kernel-disk/cron.yaml
+++ b/syz-cluster/kernel-disk/cron.yaml
@@ -10,6 +10,9 @@ spec:
   jobTemplate:
     spec:
       template:
+        metadata:
+          labels:
+            app: kernel-repo-update
         spec:
           restartPolicy: Never
           volumes:
diff --git a/syz-cluster/overlays/common/kustomization.yaml b/syz-cluster/overlays/common/kustomization.yaml
new file mode 100644
index 000000000..32eb3672e
--- /dev/null
+++ b/syz-cluster/overlays/common/kustomization.yaml
@@ -0,0 +1,7 @@
+# Copyright 2025 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+resources:
+  - network-deny-all.yaml
+  - network-policy-controller.yaml
+  - network-policy-git-access.yaml
diff --git a/syz-cluster/overlays/common/network-deny-all.yaml b/syz-cluster/overlays/common/network-deny-all.yaml
new file mode 100644
index 000000000..57f6ddf49
--- /dev/null
+++ b/syz-cluster/overlays/common/network-deny-all.yaml
@@ -0,0 +1,14 @@
+# Copyright 2025 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: default
+spec:
+  # Select all pods.
+  podSelector: {}
+  # Deny all ingress traffic.
+  policyTypes:
+    - Ingress
diff --git a/syz-cluster/overlays/common/network-policy-controller.yaml b/syz-cluster/overlays/common/network-policy-controller.yaml
new file mode 100644
index 000000000..2af8ca351
--- /dev/null
+++ b/syz-cluster/overlays/common/network-policy-controller.yaml
@@ -0,0 +1,21 @@
+# Copyright 2025 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: controller-access
+spec:
+  podSelector:
+    matchLabels:
+      app: controller
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: series-tracker
+        - podSelector:
+            matchLabels:
+              tier: workflow
diff --git a/syz-cluster/overlays/common/network-policy-git-access.yaml b/syz-cluster/overlays/common/network-policy-git-access.yaml
new file mode 100644
index 000000000..9fb34d86c
--- /dev/null
+++ b/syz-cluster/overlays/common/network-policy-git-access.yaml
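Review bot: `default-deny-all` is the only policy in this commit that pins `namespace: default`; `controller-access`, `series-tracker-git-access`, `kernel-fetcher-git-access`, `fake-gcs-server-access` and `cloud-spanner-access` carry no namespace and follow whatever namespace the kustomize build or `kubectl apply -n` targets. If the overlay is ever applied to another namespace, the allow rules move with it while the deny stays in `default`, leaving the new namespace without a baseline deny and `default` with a deny but no allows. Either drop the `namespace: default` line so every policy is placed the same way, or set the namespace on all of them. The second comment in the file could also spell out the scope, e.g. `# Deny all ingress traffic; egress stays unrestricted because policyTypes lists only Ingress.`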
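Review bot: `controller-access` admits every port from the selected pods because its `ingress` rule has no `ports` stanza, so a pod labelled `tier: workflow` or `app: series-tracker` can reach anything the controller container listens on, not only its service API. The same shape is repeated in `fake-gcs-server-access` and `cloud-spanner-access`. If the controller serves on one port, narrowing the rule with `ports:` / `- port: <CONTROLLER_PORT>` keeps the allow-list to the intended endpoint; the port is not visible in this diff, so the value has to be taken from the controller deployment manifest.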
@@ -0,0 +1,32 @@
+# Copyright 2025 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+# Allow all outbound internet access for the steps that might need to pull repos.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: series-tracker-git-access
+spec:
+  podSelector:
+    matchLabels:
+      app: series-tracker
+  policyTypes:
+    - Egress
+  egress:
+    - {}
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: kernel-fetcher-git-access
+spec:
+  podSelector:
+    matchLabels:
+      app: kernel-repo-update
+  policyTypes:
+    - Egress
+  egress:
+    - {}
diff --git a/syz-cluster/overlays/dev/fake-gcs.yaml b/syz-cluster/overlays/dev/fake-gcs.yaml
index e9ebcd4e8..b5af7594c 100644
--- a/syz-cluster/overlays/dev/fake-gcs.yaml
+++ b/syz-cluster/overlays/dev/fake-gcs.yaml
@@ -52,3 +52,32 @@ spec:
       port: 4443
       targetPort: 4443
   type: LoadBalancer
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: fake-gcs-server-access
+spec:
+  podSelector:
+    matchLabels:
+      app: fake-gcs-server
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: controller
+        - podSelector:
+            matchLabels:
+              app: reporter
+        - podSelector:
+            matchLabels:
+              app: web-dashboard
+        - podSelector:
+            matchLabels:
+              tier: workflow
+        - podSelector:
+            matchLabels:
+              app: workflow-controller
diff --git a/syz-cluster/overlays/dev/kustomization.yaml b/syz-cluster/overlays/dev/kustomization.yaml
index 7283de8c1..8038adaf2 100644
--- a/syz-cluster/overlays/dev/kustomization.yaml
+++ b/syz-cluster/overlays/dev/kustomization.yaml
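Review bot: `series-tracker-git-access` and `kernel-fetcher-git-access` do not change current behaviour, because `default-deny-all` lists only `Ingress` in `policyTypes`, so no pod in the namespace is egress-restricted and an `egress: - {}` allow rule selects nothing that was denied. If these are meant as a forward declaration for a later default egress deny, the header comment should say so, e.g. `# No-op until a default-deny egress policy exists; lists the pods that must keep outbound access.`; otherwise they can be left out until egress is actually restricted. The second policy is named `kernel-fetcher-git-access` but selects `app: kernel-repo-update`, which makes the pairing harder to find by search; naming it after the label it selects would help.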
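Review bot: the `fake-gcs-server` Service stays `type: LoadBalancer` on port 4443 while the new `fake-gcs-server-access` policy admits only in-namespace pod selectors, so requests arriving through the load balancer from outside the cluster will most likely match no `from` entry and be dropped (how the CNI attributes the source of load-balanced traffic decides the exact outcome). If external access to the emulator is no longer wanted, switching to `type: ClusterIP` removes an exposure the policy is now blocking silently; if it is still wanted, the policy needs an explicit `ipBlock` entry with a comment naming the trusted range. Either way the Service type and the policy should tell the same story.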
@@ -7,11 +7,13 @@ resources:
   - ../../series-tracker
   - ../../kernel-disk
   - ../../reporter
+  - ../common
   - global-config.yaml
   - https://github.com/argoproj/argo-workflows/releases/download/v3.6.2/install.yaml
   - workflow-roles.yaml
   - fake-gcs.yaml
   - workflow-artifacts.yaml
+  - network-policy-spanner.yaml
 
 patches:
   - target:
@@ -27,8 +29,7 @@ patches:
       - op: replace
         path: /data
         value:
-          config: |
-            executor:
+          executor: |
             env:
               - name: STORAGE_EMULATOR_HOST
                 value: http://fake-gcs-server.default.svc.cluster.local:4443
diff --git a/syz-cluster/overlays/dev/network-policy-spanner.yaml b/syz-cluster/overlays/dev/network-policy-spanner.yaml
new file mode 100644
index 000000000..bfda8c609
--- /dev/null
+++ b/syz-cluster/overlays/dev/network-policy-spanner.yaml
@@ -0,0 +1,27 @@
+# Copyright 2025 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: cloud-spanner-access
+spec:
+  podSelector:
+    matchLabels:
+      app: cloud-spanner-emulator
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: db-mgmt
+        - podSelector:
+            matchLabels:
+              app: controller
+        - podSelector:
+            matchLabels:
+              app: web-dashboard
+        - podSelector:
+            matchLabels:
+              app: reporter
diff --git a/syz-cluster/pkg/workflow/template.yaml b/syz-cluster/pkg/workflow/template.yaml
index 1613aeae8..2cfe7a811 100644
--- a/syz-cluster/pkg/workflow/template.yaml
+++ b/syz-cluster/pkg/workflow/template.yaml
@@ -14,6 +14,9 @@ spec:
   ttlStrategy:
     # Keep finihed workflows for 12 hours after completion.
     secondsAfterCompletion: 43200
+  podMetadata:
+    labels:
+      tier: workflow
   arguments:
     parameters:
       - name: session-id
diff --git a/syz-cluster/run-local.sh b/syz-cluster/run-local.sh
index 6d5d8f629..75e7867bc 100755
--- a/syz-cluster/run-local.sh
+++ b/syz-cluster/run-local.sh
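Review bot: the second hunk of `overlays/dev/kustomization.yaml` rewrites the workflow-controller ConfigMap patch from a nested `config: |` / `executor:` document to a top-level `executor: |` key, which presumably changes how the controller finds its executor settings and is unrelated to the network policies this commit describes. It deserves a line in the commit message, or a commit of its own, so that anyone tracing a workflow-controller configuration problem can find where the shape changed. The `op: replace` patch belongs to a `target:` entry that starts before the hunk, so the full patch is not visible here.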
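Review bot: `tier: workflow` under `podMetadata` is applied to every pod the workflow spawns, and `controller-access` and `fake-gcs-server-access` grant that label ingress to the controller and the storage emulator, so each workflow step gets that reach whether or not it talks to those services. If some steps run fetched or freshly built code under weaker trust assumptions, a per-step label limited to the steps that actually call the controller would keep the default deny meaningful for the rest; whether that applies depends on the step templates, which are not in this diff. A comment above the label, e.g. `# Selected by the controller-access and fake-gcs-server-access NetworkPolicies.`, would tie the label to its consumers.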
@@ -21,4 +21,5 @@ kubectl run run-local --image="$name-local" \
   --env="SPANNER_DATABASE_URI=projects/my-project/instances/my-instance/databases/db" \
   --env="LOCAL_BLOB_STORAGE_PATH=/tmp/blobs/" \
   --rm \
+  --labels="app=db-mgmt" \
   --attach -- "$@"
-- 
cgit mrf-deployment