From a94f8ec2b2aa8dc234182aa822a649cb96605955 Mon Sep 17 00:00:00 2001 
From: Sebastian Widmer Date: Wed, 9 Aug 2023 16:59:34 +0200 Subject: [PATCH 1/2] Block gossip traffic between alertmanagers in different namespace Alertmanager instances sometimes formed a cluster with customer-installed Alertmanagers or with the user workload monitoring Alertmanagers. --- class/defaults.yml | 2 + component/main.jsonnet | 2 + component/networkpolicy.libsonnet | 95 +++++++++++++++++++ .../ROOT/pages/references/parameters.adoc | 23 +++++ .../20_networkpolicy.yaml | 64 +++++++++++++ .../20_user_workload_networkpolicy.yaml | 64 +++++++++++++ .../20_networkpolicy.yaml | 64 +++++++++++++ .../20_user_workload_networkpolicy.yaml | 64 +++++++++++++ .../20_networkpolicy.yaml | 64 +++++++++++++ .../20_user_workload_networkpolicy.yaml | 64 +++++++++++++ .../20_networkpolicy.yaml | 64 +++++++++++++ .../20_user_workload_networkpolicy.yaml | 64 +++++++++++++ .../20_networkpolicy.yaml | 64 +++++++++++++ .../20_user_workload_networkpolicy.yaml | 64 +++++++++++++ .../20_networkpolicy.yaml | 64 +++++++++++++ .../20_user_workload_networkpolicy.yaml | 64 +++++++++++++ .../20_networkpolicy.yaml | 64 +++++++++++++ .../20_user_workload_networkpolicy.yaml | 64 +++++++++++++ .../20_networkpolicy.yaml | 64 +++++++++++++ .../20_user_workload_networkpolicy.yaml | 64 +++++++++++++ .../20_networkpolicy.yaml | 64 +++++++++++++ .../20_user_workload_networkpolicy.yaml | 64 +++++++++++++ .../20_networkpolicy.yaml | 64 +++++++++++++ .../20_user_workload_networkpolicy.yaml | 64 +++++++++++++ 24 files changed, 1402 insertions(+) create mode 100644 component/networkpolicy.libsonnet create mode 100644 tests/golden/capacity-alerts-with-node-labels/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml create mode 100644 tests/golden/capacity-alerts-with-node-labels/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml create mode 100644 tests/golden/capacity-alerts/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml create mode 100644 
tests/golden/capacity-alerts/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml create mode 100644 tests/golden/custom-rules/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml create mode 100644 tests/golden/custom-rules/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml create mode 100644 tests/golden/release-4.11/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml create mode 100644 tests/golden/release-4.11/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml create mode 100644 tests/golden/release-4.12/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml create mode 100644 tests/golden/release-4.12/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml create mode 100644 tests/golden/release-4.13/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml create mode 100644 tests/golden/release-4.13/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml create mode 100644 tests/golden/remote-write/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml create mode 100644 tests/golden/remote-write/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml create mode 100644 tests/golden/team-label/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml create mode 100644 tests/golden/team-label/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml create mode 100644 tests/golden/user-workload-monitoring/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml create mode 100644 tests/golden/user-workload-monitoring/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml create mode 100644 tests/golden/vsphere/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml create mode 100644 
tests/golden/vsphere/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
diff --git a/class/defaults.yml b/class/defaults.yml
index 2602df30..13951468 100644
--- a/class/defaults.yml
+++ b/class/defaults.yml
@@ -30,6 +30,8 @@ parameters:
 nodeSelector:
 node-role.kubernetes.io/infra: ''
 enableUserWorkload: true
+ enableAlertmanagerIsolationNetworkPolicy: true
+ enableUserWorkloadAlertmanagerIsolationNetworkPolicy: true
 upstreamRules:
 networkPlugin: openshift-sdn
 configs:
diff --git a/component/main.jsonnet b/component/main.jsonnet
index 3ae38d99..506e8f00 100644
--- a/component/main.jsonnet
+++ b/component/main.jsonnet
@@ -108,6 +108,8 @@ local customRules =
 'alertmanager.yaml': std.manifestYamlDoc(params.alertManagerConfig),
 },
 },
+ [if params.enableAlertmanagerIsolationNetworkPolicy then '20_networkpolicy']: std.map(function(p) com.namespaced('openshift-monitoring', p), import 'networkpolicy.libsonnet'),
+ [if params.enableUserWorkload && params.enableUserWorkloadAlertmanagerIsolationNetworkPolicy then '20_user_workload_networkpolicy']: std.map(function(p) com.namespaced('openshift-user-workload-monitoring', p), import 'networkpolicy.libsonnet'),
 rbac: import 'rbac.libsonnet',
 prometheus_rules: rules,
 silence: import 'silence.jsonnet',
diff --git a/component/networkpolicy.libsonnet b/component/networkpolicy.libsonnet
new file mode 100644
index 00000000..7b073360
--- /dev/null
+++ b/component/networkpolicy.libsonnet
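Review bot: Defaulting both flags to `true` switches this on for every existing cluster at the next sync, and the effect is wider than the parameter names suggest: the `allow-same-namespace` and `allow-non-alertmanager` policies in the new library select every pod in `openshift-monitoring` and `openshift-user-workload-monitoring`, so all pods in those namespaces move to an ingress-denied-by-default posture with only pod-sourced traffic re-allowed. Traffic that is not pod-sourced — an ingress controller using HostNetwork endpoint publishing, or scrapers running on the node — is, as far as I recall, not matched by `namespaceSelector: {}` on OpenShift SDN / OVN-Kubernetes unless the `policy-group.network.openshift.io/host-network` namespace label is used, which could break route access to Prometheus or Thanos in these namespaces on some platforms; this is inferred, not visible here, so it should be verified before shipping the default. Consider defaulting to `false` until that is confirmed, or at least documenting the blast radius next to the flag, e.g. `# Applies namespace-wide NetworkPolicies (deny-by-default ingress for every pod, not only Alertmanager)`.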
@@ -0,0 +1,95 @@
+local com = import 'lib/commodore.libjsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+
+local inv = kap.inventory();
+local params = inv.parameters.openshift4_monitoring;
+
+[
+ kube.NetworkPolicy('alertmanager-allow-web') {
+ spec: {
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'alertmanager',
+ },
+ },
+ policyTypes: [
+ 'Ingress',
+ ],
+ ingress: [
+ {
+ ports: [
+ {
+ protocol: 'TCP',
+ port: 9092,
+ },
+ {
+ protocol: 'TCP',
+ port: 9093,
+ },
+ {
+ protocol: 'TCP',
+ port: 9095,
+ },
+ {
+ protocol: 'TCP',
+ port: 9097,
+ },
+ ],
+ },
+ {
+ from: [
+ {
+ namespaceSelector: {},
+ },
+ ],
+ },
+ ],
+ },
+ },
+ kube.NetworkPolicy('allow-same-namespace') {
+ spec: {
+ ingress: [
+ {
+ from: [
+ {
+ podSelector: {},
+ },
+ ],
+ },
+ ],
+ policyTypes: [
+ 'Ingress',
+ ],
+ podSelector: {},
+ },
+ },
+ kube.NetworkPolicy('allow-non-alertmanager') {
+ spec: {
+ ingress: [
+ {
+ from: [
+ {
+ podSelector: {},
+ namespaceSelector: {},
+ },
+ ],
+ },
+ ],
+ policyTypes: [
+ 'Ingress',
+ ],
+ podSelector: {
+ matchExpressions: [
+ {
+ key: 'app.kubernetes.io/name',
+ operator: 'NotIn',
+ values: [
+ 'alertmanager',
+ ],
+ },
+ ],
+ },
+ },
+ },
+]
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
index 92ec084f..0a399921 100644
--- a/docs/modules/ROOT/pages/references/parameters.adoc
+++ b/docs/modules/ROOT/pages/references/parameters.adoc
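Review bot: The second ingress rule of `alertmanager-allow-web`, `{ from: [ { namespaceSelector: {} } ] }` with no `ports`, admits every pod in every namespace on every port of the Alertmanager pods — ingress rules are OR-ed and a rule without `ports` matches all ports — so the cluster/gossip port (9094 by default, deliberately absent from the list) stays reachable from other namespaces and the policy does not achieve the isolation the commit title describes. Dropping that second rule leaves the first rule allowing the listed API ports from any source and `allow-same-namespace` allowing the in-namespace peers, which is the intended split; if the goal was instead to restrict the API ports to pod sources, move `namespaceSelector: {}` into the first rule's `from` rather than keeping a separate unrestricted rule. Since `allow-same-namespace` and `allow-non-alertmanager` both select every pod in the namespace, the file effectively installs a namespace-wide default deny, which deserves a comment above the list, e.g. `// Selecting all pods turns these policies into a namespace-wide ingress deny; the allow-* policies restore pod-sourced traffic for everything except Alertmanager`. The locals `com`, `inv` and `params` are unused and would likely be flagged by jsonnet-lint.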
@@ -46,6 +46,29 @@ Choose either `openshift-sdn` or `ovn-kubernetes` depending on the installed net If a custom network plugin is used, set any other string as the value for this parameter. This ensures neither openshift-sdn nor OVN-Kubernetes monitoring rules are deployed. + +== `enableAlertmanagerIsolationNetworkPolicy` + +[horizontal] +type:: boolean +default:: `true` + +Blocks all traffic to Alertmanager pods except the allowed API traffic. + +This works around an observed accidental clustering with user workload or custom Alertmanager clusters in other namespaces. + + +== `enableUserWorkloadAlertmanagerIsolationNetworkPolicy` + +[horizontal] +type:: boolean +default:: `true` + +Blocks all traffic to Alertmanager pods except the allowed API traffic. + +This works around an observed accidental clustering with system or custom Alertmanager clusters in other namespaces. + + == `enableUserWorkload` [horizontal] diff --git a/tests/golden/capacity-alerts-with-node-labels/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/capacity-alerts-with-node-labels/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml new file mode 100644 index 00000000..4573e7ca --- /dev/null +++ b/tests/golden/capacity-alerts-with-node-labels/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml 
@@ -0,0 +1,64 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: alertmanager-allow-web + name: alertmanager-allow-web + namespace: openshift-monitoring +spec: + ingress: + - ports: + - port: 9092 + protocol: TCP + - port: 9093 + protocol: TCP + - port: 9095 + protocol: TCP + - port: 9097 + protocol: TCP + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-same-namespace + name: allow-same-namespace + namespace: openshift-monitoring +spec: + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-non-alertmanager + name: allow-non-alertmanager + namespace: openshift-monitoring +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: {} + podSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - alertmanager + policyTypes: + - Ingress diff --git a/tests/golden/capacity-alerts-with-node-labels/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/capacity-alerts-with-node-labels/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml new file mode 100644 index 00000000..7e21208d --- /dev/null +++ b/tests/golden/capacity-alerts-with-node-labels/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml 
@@ -0,0 +1,64 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: alertmanager-allow-web + name: alertmanager-allow-web + namespace: openshift-user-workload-monitoring +spec: + ingress: + - ports: + - port: 9092 + protocol: TCP + - port: 9093 + protocol: TCP + - port: 9095 + protocol: TCP + - port: 9097 + protocol: TCP + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-same-namespace + name: allow-same-namespace + namespace: openshift-user-workload-monitoring +spec: + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-non-alertmanager + name: allow-non-alertmanager + namespace: openshift-user-workload-monitoring +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: {} + podSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - alertmanager + policyTypes: + - Ingress diff --git a/tests/golden/capacity-alerts/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/capacity-alerts/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml new file mode 100644 index 00000000..4573e7ca --- /dev/null +++ b/tests/golden/capacity-alerts/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml 
@@ -0,0 +1,64 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: alertmanager-allow-web + name: alertmanager-allow-web + namespace: openshift-monitoring +spec: + ingress: + - ports: + - port: 9092 + protocol: TCP + - port: 9093 + protocol: TCP + - port: 9095 + protocol: TCP + - port: 9097 + protocol: TCP + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-same-namespace + name: allow-same-namespace + namespace: openshift-monitoring +spec: + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-non-alertmanager + name: allow-non-alertmanager + namespace: openshift-monitoring +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: {} + podSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - alertmanager + policyTypes: + - Ingress diff --git a/tests/golden/capacity-alerts/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/capacity-alerts/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml new file mode 100644 index 00000000..7e21208d --- /dev/null +++ b/tests/golden/capacity-alerts/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml 
@@ -0,0 +1,64 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: alertmanager-allow-web + name: alertmanager-allow-web + namespace: openshift-user-workload-monitoring +spec: + ingress: + - ports: + - port: 9092 + protocol: TCP + - port: 9093 + protocol: TCP + - port: 9095 + protocol: TCP + - port: 9097 + protocol: TCP + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-same-namespace + name: allow-same-namespace + namespace: openshift-user-workload-monitoring +spec: + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-non-alertmanager + name: allow-non-alertmanager + namespace: openshift-user-workload-monitoring +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: {} + podSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - alertmanager + policyTypes: + - Ingress diff --git a/tests/golden/custom-rules/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/custom-rules/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml new file mode 100644 index 00000000..4573e7ca --- /dev/null +++ b/tests/golden/custom-rules/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml 
@@ -0,0 +1,64 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: alertmanager-allow-web + name: alertmanager-allow-web + namespace: openshift-monitoring +spec: + ingress: + - ports: + - port: 9092 + protocol: TCP + - port: 9093 + protocol: TCP + - port: 9095 + protocol: TCP + - port: 9097 + protocol: TCP + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-same-namespace + name: allow-same-namespace + namespace: openshift-monitoring +spec: + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-non-alertmanager + name: allow-non-alertmanager + namespace: openshift-monitoring +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: {} + podSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - alertmanager + policyTypes: + - Ingress diff --git a/tests/golden/custom-rules/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/custom-rules/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml new file mode 100644 index 00000000..7e21208d --- /dev/null +++ b/tests/golden/custom-rules/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml 
@@ -0,0 +1,64 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: alertmanager-allow-web + name: alertmanager-allow-web + namespace: openshift-user-workload-monitoring +spec: + ingress: + - ports: + - port: 9092 + protocol: TCP + - port: 9093 + protocol: TCP + - port: 9095 + protocol: TCP + - port: 9097 + protocol: TCP + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-same-namespace + name: allow-same-namespace + namespace: openshift-user-workload-monitoring +spec: + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-non-alertmanager + name: allow-non-alertmanager + namespace: openshift-user-workload-monitoring +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: {} + podSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - alertmanager + policyTypes: + - Ingress diff --git a/tests/golden/release-4.11/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/release-4.11/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml new file mode 100644 index 00000000..4573e7ca --- /dev/null +++ b/tests/golden/release-4.11/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml 
@@ -0,0 +1,64 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: alertmanager-allow-web + name: alertmanager-allow-web + namespace: openshift-monitoring +spec: + ingress: + - ports: + - port: 9092 + protocol: TCP + - port: 9093 + protocol: TCP + - port: 9095 + protocol: TCP + - port: 9097 + protocol: TCP + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-same-namespace + name: allow-same-namespace + namespace: openshift-monitoring +spec: + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-non-alertmanager + name: allow-non-alertmanager + namespace: openshift-monitoring +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: {} + podSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - alertmanager + policyTypes: + - Ingress diff --git a/tests/golden/release-4.11/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/release-4.11/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml new file mode 100644 index 00000000..7e21208d --- /dev/null +++ b/tests/golden/release-4.11/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml 
@@ -0,0 +1,64 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: alertmanager-allow-web + name: alertmanager-allow-web + namespace: openshift-user-workload-monitoring +spec: + ingress: + - ports: + - port: 9092 + protocol: TCP + - port: 9093 + protocol: TCP + - port: 9095 + protocol: TCP + - port: 9097 + protocol: TCP + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-same-namespace + name: allow-same-namespace + namespace: openshift-user-workload-monitoring +spec: + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-non-alertmanager + name: allow-non-alertmanager + namespace: openshift-user-workload-monitoring +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: {} + podSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - alertmanager + policyTypes: + - Ingress diff --git a/tests/golden/release-4.12/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/release-4.12/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml new file mode 100644 index 00000000..4573e7ca --- /dev/null +++ b/tests/golden/release-4.12/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml 
@@ -0,0 +1,64 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: alertmanager-allow-web + name: alertmanager-allow-web + namespace: openshift-monitoring +spec: + ingress: + - ports: + - port: 9092 + protocol: TCP + - port: 9093 + protocol: TCP + - port: 9095 + protocol: TCP + - port: 9097 + protocol: TCP + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-same-namespace + name: allow-same-namespace + namespace: openshift-monitoring +spec: + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-non-alertmanager + name: allow-non-alertmanager + namespace: openshift-monitoring +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: {} + podSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - alertmanager + policyTypes: + - Ingress diff --git a/tests/golden/release-4.12/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/release-4.12/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml new file mode 100644 index 00000000..7e21208d --- /dev/null +++ b/tests/golden/release-4.12/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml 
@@ -0,0 +1,64 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: alertmanager-allow-web + name: alertmanager-allow-web + namespace: openshift-user-workload-monitoring +spec: + ingress: + - ports: + - port: 9092 + protocol: TCP + - port: 9093 + protocol: TCP + - port: 9095 + protocol: TCP + - port: 9097 + protocol: TCP + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-same-namespace + name: allow-same-namespace + namespace: openshift-user-workload-monitoring +spec: + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-non-alertmanager + name: allow-non-alertmanager + namespace: openshift-user-workload-monitoring +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: {} + podSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - alertmanager + policyTypes: + - Ingress diff --git a/tests/golden/release-4.13/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/release-4.13/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml new file mode 100644 index 00000000..4573e7ca --- /dev/null +++ b/tests/golden/release-4.13/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml 
@@ -0,0 +1,64 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: alertmanager-allow-web + name: alertmanager-allow-web + namespace: openshift-monitoring +spec: + ingress: + - ports: + - port: 9092 + protocol: TCP + - port: 9093 + protocol: TCP + - port: 9095 + protocol: TCP + - port: 9097 + protocol: TCP + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-same-namespace + name: allow-same-namespace + namespace: openshift-monitoring +spec: + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-non-alertmanager + name: allow-non-alertmanager + namespace: openshift-monitoring +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: {} + podSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - alertmanager + policyTypes: + - Ingress diff --git a/tests/golden/release-4.13/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/release-4.13/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml new file mode 100644 index 00000000..7e21208d --- /dev/null +++ b/tests/golden/release-4.13/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml 
@@ -0,0 +1,64 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: alertmanager-allow-web + name: alertmanager-allow-web + namespace: openshift-user-workload-monitoring +spec: + ingress: + - ports: + - port: 9092 + protocol: TCP + - port: 9093 + protocol: TCP + - port: 9095 + protocol: TCP + - port: 9097 + protocol: TCP + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-same-namespace + name: allow-same-namespace + namespace: openshift-user-workload-monitoring +spec: + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-non-alertmanager + name: allow-non-alertmanager + namespace: openshift-user-workload-monitoring +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: {} + podSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - alertmanager + policyTypes: + - Ingress diff --git a/tests/golden/remote-write/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/remote-write/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml new file mode 100644 index 00000000..4573e7ca --- /dev/null +++ b/tests/golden/remote-write/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml 
@@ -0,0 +1,64 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: alertmanager-allow-web + name: alertmanager-allow-web + namespace: openshift-monitoring +spec: + ingress: + - ports: + - port: 9092 + protocol: TCP + - port: 9093 + protocol: TCP + - port: 9095 + protocol: TCP + - port: 9097 + protocol: TCP + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-same-namespace + name: allow-same-namespace + namespace: openshift-monitoring +spec: + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-non-alertmanager + name: allow-non-alertmanager + namespace: openshift-monitoring +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: {} + podSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - alertmanager + policyTypes: + - Ingress diff --git a/tests/golden/remote-write/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/remote-write/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml new file mode 100644 index 00000000..7e21208d --- /dev/null +++ b/tests/golden/remote-write/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml 
@@ -0,0 +1,64 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: alertmanager-allow-web + name: alertmanager-allow-web + namespace: openshift-user-workload-monitoring +spec: + ingress: + - ports: + - port: 9092 + protocol: TCP + - port: 9093 + protocol: TCP + - port: 9095 + protocol: TCP + - port: 9097 + protocol: TCP + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-same-namespace + name: allow-same-namespace + namespace: openshift-user-workload-monitoring +spec: + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-non-alertmanager + name: allow-non-alertmanager + namespace: openshift-user-workload-monitoring +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: {} + podSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - alertmanager + policyTypes: + - Ingress diff --git a/tests/golden/team-label/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/team-label/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml new file mode 100644 index 00000000..4573e7ca --- /dev/null +++ b/tests/golden/team-label/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml 
@@ -0,0 +1,64 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: alertmanager-allow-web + name: alertmanager-allow-web + namespace: openshift-monitoring +spec: + ingress: + - ports: + - port: 9092 + protocol: TCP + - port: 9093 + protocol: TCP + - port: 9095 + protocol: TCP + - port: 9097 + protocol: TCP + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-same-namespace + name: allow-same-namespace + namespace: openshift-monitoring +spec: + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-non-alertmanager + name: allow-non-alertmanager + namespace: openshift-monitoring +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: {} + podSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - alertmanager + policyTypes: + - Ingress diff --git a/tests/golden/team-label/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/team-label/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml new file mode 100644 index 00000000..7e21208d --- /dev/null +++ b/tests/golden/team-label/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml 
@@ -0,0 +1,64 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: alertmanager-allow-web
+ name: alertmanager-allow-web
+ namespace: openshift-user-workload-monitoring
+spec:
+ ingress:
+ - ports:
+ - port: 9092
+ protocol: TCP
+ - port: 9093
+ protocol: TCP
+ - port: 9095
+ protocol: TCP
+ - port: 9097
+ protocol: TCP
+ - from:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: alertmanager
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: allow-same-namespace
+ name: allow-same-namespace
+ namespace: openshift-user-workload-monitoring
+spec:
+ ingress:
+ - from:
+ - podSelector: {}
+ podSelector: {}
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: allow-non-alertmanager
+ name: allow-non-alertmanager
+ namespace: openshift-user-workload-monitoring
+spec:
+ ingress:
+ - from:
+ - namespaceSelector: {}
+ podSelector: {}
+ podSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: NotIn
+ values:
+ - alertmanager
+ policyTypes:
+ - Ingress
diff --git a/tests/golden/user-workload-monitoring/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/user-workload-monitoring/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
new file mode 100644
index 00000000..4573e7ca
--- /dev/null
+++ b/tests/golden/user-workload-monitoring/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
@@ -0,0 +1,64 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: alertmanager-allow-web
+ name: alertmanager-allow-web
+ namespace: openshift-monitoring
+spec:
+ ingress:
+ - ports:
+ - port: 9092
+ protocol: TCP
+ - port: 9093
+ protocol: TCP
+ - port: 9095
+ protocol: TCP
+ - port: 9097
+ protocol: TCP
+ - from:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: alertmanager
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: allow-same-namespace
+ name: allow-same-namespace
+ namespace: openshift-monitoring
+spec:
+ ingress:
+ - from:
+ - podSelector: {}
+ podSelector: {}
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: allow-non-alertmanager
+ name: allow-non-alertmanager
+ namespace: openshift-monitoring
+spec:
+ ingress:
+ - from:
+ - namespaceSelector: {}
+ podSelector: {}
+ podSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: NotIn
+ values:
+ - alertmanager
+ policyTypes:
+ - Ingress
diff --git a/tests/golden/user-workload-monitoring/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/user-workload-monitoring/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
new file mode 100644
index 00000000..7e21208d
--- /dev/null
+++ b/tests/golden/user-workload-monitoring/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
@@ -0,0 +1,64 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: alertmanager-allow-web
+ name: alertmanager-allow-web
+ namespace: openshift-user-workload-monitoring
+spec:
+ ingress:
+ - ports:
+ - port: 9092
+ protocol: TCP
+ - port: 9093
+ protocol: TCP
+ - port: 9095
+ protocol: TCP
+ - port: 9097
+ protocol: TCP
+ - from:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: alertmanager
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: allow-same-namespace
+ name: allow-same-namespace
+ namespace: openshift-user-workload-monitoring
+spec:
+ ingress:
+ - from:
+ - podSelector: {}
+ podSelector: {}
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: allow-non-alertmanager
+ name: allow-non-alertmanager
+ namespace: openshift-user-workload-monitoring
+spec:
+ ingress:
+ - from:
+ - namespaceSelector: {}
+ podSelector: {}
+ podSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: NotIn
+ values:
+ - alertmanager
+ policyTypes:
+ - Ingress
diff --git a/tests/golden/vsphere/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/vsphere/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
new file mode 100644
index 00000000..4573e7ca
--- /dev/null
+++ b/tests/golden/vsphere/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
@@ -0,0 +1,64 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: alertmanager-allow-web
+ name: alertmanager-allow-web
+ namespace: openshift-monitoring
+spec:
+ ingress:
+ - ports:
+ - port: 9092
+ protocol: TCP
+ - port: 9093
+ protocol: TCP
+ - port: 9095
+ protocol: TCP
+ - port: 9097
+ protocol: TCP
+ - from:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: alertmanager
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: allow-same-namespace
+ name: allow-same-namespace
+ namespace: openshift-monitoring
+spec:
+ ingress:
+ - from:
+ - podSelector: {}
+ podSelector: {}
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: allow-non-alertmanager
+ name: allow-non-alertmanager
+ namespace: openshift-monitoring
+spec:
+ ingress:
+ - from:
+ - namespaceSelector: {}
+ podSelector: {}
+ podSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: NotIn
+ values:
+ - alertmanager
+ policyTypes:
+ - Ingress
diff --git a/tests/golden/vsphere/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/vsphere/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
new file mode 100644
index 00000000..7e21208d
--- /dev/null
+++ b/tests/golden/vsphere/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
@@ -0,0 +1,64 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: alertmanager-allow-web
+ name: alertmanager-allow-web
+ namespace: openshift-user-workload-monitoring
+spec:
+ ingress:
+ - ports:
+ - port: 9092
+ protocol: TCP
+ - port: 9093
+ protocol: TCP
+ - port: 9095
+ protocol: TCP
+ - port: 9097
+ protocol: TCP
+ - from:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: alertmanager
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: allow-same-namespace
+ name: allow-same-namespace
+ namespace: openshift-user-workload-monitoring
+spec:
+ ingress:
+ - from:
+ - podSelector: {}
+ podSelector: {}
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations: {}
+ labels:
+ name: allow-non-alertmanager
+ name: allow-non-alertmanager
+ namespace: openshift-user-workload-monitoring
+spec:
+ ingress:
+ - from:
+ - namespaceSelector: {}
+ podSelector: {}
+ podSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: NotIn
+ values:
+ - alertmanager
+ policyTypes:
+ - Ingress
From e4a3941137ae25d4c477c373f8644d9a32cf8c76 Mon Sep 17 00:00:00 2001
From: Sebastian Widmer
Date: Thu, 10 Aug 2023 13:22:13 +0200
Subject: [PATCH 2/2] Fix ingress policy for non Alertmanager pods to allow api-server and node traffic
---
 component/networkpolicy.libsonnet | 12 ++----------
 .../openshift4-monitoring/20_networkpolicy.yaml | 4 +---
 .../20_user_workload_networkpolicy.yaml | 4 +---
 .../openshift4-monitoring/20_networkpolicy.yaml | 4 +---
 .../20_user_workload_networkpolicy.yaml | 4 +---
 .../openshift4-monitoring/20_networkpolicy.yaml | 4 +---
 .../20_user_workload_networkpolicy.yaml | 4 +---
 .../openshift4-monitoring/20_networkpolicy.yaml | 4 +---
 .../20_user_workload_networkpolicy.yaml | 4 +---
 .../openshift4-monitoring/20_networkpolicy.yaml | 4 +---
 .../20_user_workload_networkpolicy.yaml | 4 +---
 .../openshift4-monitoring/20_networkpolicy.yaml | 4 +---
 .../20_user_workload_networkpolicy.yaml | 4 +---
 .../openshift4-monitoring/20_networkpolicy.yaml | 4 +---
 .../20_user_workload_networkpolicy.yaml | 4 +---
 .../openshift4-monitoring/20_networkpolicy.yaml | 4 +---
 .../20_user_workload_networkpolicy.yaml | 4 +---
 .../openshift4-monitoring/20_networkpolicy.yaml | 4 +---
 .../20_user_workload_networkpolicy.yaml | 4 +---
 .../openshift4-monitoring/20_networkpolicy.yaml | 4 +---
 .../20_user_workload_networkpolicy.yaml | 4 +---
 21 files changed, 22 insertions(+), 70 deletions(-)
diff --git a/component/networkpolicy.libsonnet b/component/networkpolicy.libsonnet
index 7b073360..adcde158 100644
--- a/component/networkpolicy.libsonnet
+++ b/component/networkpolicy.libsonnet
@@ -66,16 +66,8 @@ local params = inv.parameters.openshift4_monitoring;
 },
 kube.NetworkPolicy('allow-non-alertmanager') {
 spec: {
- ingress: [
- {
- from: [
- {
- podSelector: {},
- namespaceSelector: {},
- },
- ],
- },
- ],
+ // from https://kubernetes.io/docs/concepts/services-networking/network-policies/#allow-all-ingress-traffic
+ ingress: [ {} ],
 policyTypes: [
 'Ingress',
 ],
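Review bot: `ingress: [ {} ]` admits traffic from every source — pods in any namespace, nodes, the API server and anything outside the cluster — to every non-Alertmanager pod in the namespace, so the comment above it should state that this is a deliberate return to those pods' pre-policy exposure rather than only link the docs, e.g. `// Intentionally allow-all: non-Alertmanager pods are only isolated because allow-same-namespace selects every pod in the namespace; this restores their previous, unrestricted ingress.` A simpler shape that needs no allow-all policy is to scope the `podSelector` of the `allow-same-namespace` policy (defined outside this hunk) to `app.kubernetes.io/name: alertmanager`, as `alertmanager-allow-web` already does; pods selected by no NetworkPolicy are not isolated, so the `allow-non-alertmanager` policy could then be dropped entirely. Separately, the golden output of `alertmanager-allow-web` appears to carry a second ingress rule `from: [{namespaceSelector: {}}]` without a port restriction, which — if the flattened indentation reads as it appears — would admit all pods from all namespaces on every port, including the gossip traffic this series sets out to block; worth confirming against the libsonnet, which is not in view here.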
diff --git a/tests/golden/capacity-alerts-with-node-labels/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/capacity-alerts-with-node-labels/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
index 4573e7ca..b04b9f76 100644
--- a/tests/golden/capacity-alerts-with-node-labels/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
+++ b/tests/golden/capacity-alerts-with-node-labels/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/capacity-alerts-with-node-labels/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/capacity-alerts-with-node-labels/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
index 7e21208d..683bc044 100644
--- a/tests/golden/capacity-alerts-with-node-labels/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
+++ b/tests/golden/capacity-alerts-with-node-labels/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-user-workload-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/capacity-alerts/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/capacity-alerts/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
index 4573e7ca..b04b9f76 100644
--- a/tests/golden/capacity-alerts/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
+++ b/tests/golden/capacity-alerts/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/capacity-alerts/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/capacity-alerts/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
index 7e21208d..683bc044 100644
--- a/tests/golden/capacity-alerts/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
+++ b/tests/golden/capacity-alerts/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-user-workload-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/custom-rules/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/custom-rules/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
index 4573e7ca..b04b9f76 100644
--- a/tests/golden/custom-rules/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
+++ b/tests/golden/custom-rules/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/custom-rules/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/custom-rules/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
index 7e21208d..683bc044 100644
--- a/tests/golden/custom-rules/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
+++ b/tests/golden/custom-rules/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-user-workload-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/release-4.11/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/release-4.11/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
index 4573e7ca..b04b9f76 100644
--- a/tests/golden/release-4.11/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
+++ b/tests/golden/release-4.11/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/release-4.11/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/release-4.11/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
index 7e21208d..683bc044 100644
--- a/tests/golden/release-4.11/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
+++ b/tests/golden/release-4.11/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-user-workload-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/release-4.12/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/release-4.12/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
index 4573e7ca..b04b9f76 100644
--- a/tests/golden/release-4.12/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
+++ b/tests/golden/release-4.12/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/release-4.12/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/release-4.12/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
index 7e21208d..683bc044 100644
--- a/tests/golden/release-4.12/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
+++ b/tests/golden/release-4.12/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-user-workload-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/release-4.13/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/release-4.13/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
index 4573e7ca..b04b9f76 100644
--- a/tests/golden/release-4.13/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
+++ b/tests/golden/release-4.13/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/release-4.13/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/release-4.13/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
index 7e21208d..683bc044 100644
--- a/tests/golden/release-4.13/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
+++ b/tests/golden/release-4.13/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-user-workload-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/remote-write/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/remote-write/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
index 4573e7ca..b04b9f76 100644
--- a/tests/golden/remote-write/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
+++ b/tests/golden/remote-write/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/remote-write/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/remote-write/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
index 7e21208d..683bc044 100644
--- a/tests/golden/remote-write/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
+++ b/tests/golden/remote-write/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-user-workload-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/team-label/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/team-label/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
index 4573e7ca..b04b9f76 100644
--- a/tests/golden/team-label/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
+++ b/tests/golden/team-label/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/team-label/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/team-label/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
index 7e21208d..683bc044 100644
--- a/tests/golden/team-label/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
+++ b/tests/golden/team-label/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-user-workload-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/user-workload-monitoring/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/user-workload-monitoring/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
index 4573e7ca..b04b9f76 100644
--- a/tests/golden/user-workload-monitoring/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
+++ b/tests/golden/user-workload-monitoring/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/user-workload-monitoring/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/user-workload-monitoring/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
index 7e21208d..683bc044 100644
--- a/tests/golden/user-workload-monitoring/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
+++ b/tests/golden/user-workload-monitoring/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-user-workload-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/vsphere/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml b/tests/golden/vsphere/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
index 4573e7ca..b04b9f76 100644
--- a/tests/golden/vsphere/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
+++ b/tests/golden/vsphere/openshift4-monitoring/openshift4-monitoring/20_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name
diff --git a/tests/golden/vsphere/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml b/tests/golden/vsphere/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
index 7e21208d..683bc044 100644
--- a/tests/golden/vsphere/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
+++ b/tests/golden/vsphere/openshift4-monitoring/openshift4-monitoring/20_user_workload_networkpolicy.yaml
@@ -51,9 +51,7 @@ metadata:
 namespace: openshift-user-workload-monitoring
 spec:
 ingress:
- - from:
- - namespaceSelector: {}
- podSelector: {}
+ - {}
 podSelector:
 matchExpressions:
 - key: app.kubernetes.io/name