network policies

msfidelis · Jun 11, 2024 · b90e1b9 · b90e1b9
1 parent 29753cc
commit b90e1b9
Show file tree

Hide file tree

Showing 27 changed files with 424 additions and 99 deletions.
diff --git a/health-api/controllers/calculator/main.go b/health-api/controllers/calculator/main.go
@@ -171,7 +171,7 @@ func Post(c *gin.Context) {
 
 	log.Info().
 		Str("Service", "recommendations").
-		Msg("Creating remote connection with gRPC Endpoint for IMC Service")
+		Msg("Creating remote connection with gRPC Endpoint for Recommendations Service")
 
 	resRecommendations, err := recommendations.Call(ctxRecommendations, request.Weight, request.Height, resBMR.Necessity, tr)
 

diff --git a/samples/cilium/README.md b/samples/cilium/README.md
@@ -0,0 +1,10 @@
+while true; do curl --location --request POST 'health.k8s.cluster.local:30080/calculator' \
+--header 'Host: health.k8s.cluster.local' \
+--header 'Content-Type: application/json' \
+--data-raw '{ 
+   "age": 26,
+   "weight": 90.0,
+   "height": 1.77,
+   "gender": "M", 
+   "activity_intensity": "very_active"
+} ' --silent | jq . ; echo ; done; 
diff --git a/samples/cilium/bmr.yml b/samples/cilium/bmr.yml
@@ -33,7 +33,7 @@ spec:
         - name: ENVIRONMENT
           value: "dev"
         - name: ZIPKIN_COLLECTOR_ENDPOINT
-          value: http://jaeger.jaeger.svc.cluster.local:9411/api/v2/spans          
+          value: http://jaeger-collector.jaeger.svc.cluster.local:9411/api/v2/spans          
         ports:
         - containerPort: 30000
           name: http   
@@ -46,7 +46,8 @@ metadata:
   namespace: bmr
   annotations:
     prometheus.io/scrape: "true"
-    prometheus.io/port: "30000"    
+    prometheus.io/port: "30000"
+    service.cilium.io/lb-l7: enabled
   labels:
     app.kubernetes.io/name: bmr-grpc
     app.kubernetes.io/instance: health-api 
@@ -57,4 +58,97 @@ spec:
     protocol: TCP
   selector:
     app: bmr-grpc
-  type: ClusterIP
+  type: ClusterIP
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-health-api-to-bmr-grpc
+  namespace: bmr
+spec:
+  endpointSelector:
+    matchLabels:
+      app: bmr-grpc
+  ingress:
+  - fromEndpoints:
+    - matchLabels:
+        app: health-api
+  - toPorts:
+    - ports:
+      - port: "30000"
+        protocol: TCP
+      rules:
+        http:
+        - method: "POST"
+          path: "/bmr.BMRService/SayHello"
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-scrape
+  namespace: bmr
+spec:
+  endpointSelector:
+    matchLabels:
+      app: bmr-grpc
+  ingress:
+  - toPorts:
+    - ports:
+      - port: "30000"
+        protocol: TCP  
+  - fromEndpoints:
+    - matchLabels:
+        namespace: prometheus
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideEnvoyConfig
+metadata:
+  name: bmr-envoy-circuit-breaker
+  namespace: bmr
+spec:
+  services:
+    - name: bmr-grpc
+      namespace: bmr
+  resources:
+    - "@type": type.googleapis.com/envoy.config.listener.v3.Listener
+      name: envoy-lb-listener
+      filter_chains:
+        - filters:
+            - name: envoy.filters.network.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                stat_prefix: envoy-lb-listener
+                rds:
+                  route_config_name: lb_route
+                use_remote_address: true
+                skip_xff_append: true
+                http_filters:
+                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+    - "@type": type.googleapis.com/envoy.config.route.v3.RouteConfiguration
+      name: lb_route
+      virtual_hosts:
+        - name: "lb_route"
+          domains: [ "*" ]
+          routes:
+            - match:
+                prefix: "/"
+              route:
+                weighted_clusters:
+                  clusters:
+                    - name: "bmr/bmr-grpc"
+                      weight: 100
+    - "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
+      name: "bmr/bmr-grpc"
+      connect_timeout: 10s
+      lb_policy: ROUND_ROBIN
+      type: EDS
+      circuit_breakers:
+        thresholds:
+        - priority: "DEFAULT"
+          max_requests: 20
+          max_pending_requests: 10
+      outlier_detection:
+        split_external_local_origin_errors: true
+        consecutive_local_origin_failure: 2
diff --git a/samples/cilium/calories.yml b/samples/cilium/calories.yml
@@ -33,7 +33,7 @@ spec:
         - name: ENVIRONMENT
           value: "dev"
         - name: ZIPKIN_COLLECTOR_ENDPOINT
-          value: http://jaeger.jaeger.svc.cluster.local:9411/api/v2/spans
+          value: http://jaeger-collector.jaeger.svc.cluster.local:9411/api/v2/spans
         ports:
         - containerPort: 30000
           name: http   
@@ -46,7 +46,8 @@ metadata:
   namespace: calories
   annotations:
     prometheus.io/scrape: "true"
-    prometheus.io/port: "30000"    
+    prometheus.io/port: "30000"
+    service.cilium.io/lb-l7: enabled
   labels:
     app.kubernetes.io/name: calories-grpc
     app.kubernetes.io/instance: health-api 
@@ -57,4 +58,44 @@ spec:
     protocol: TCP
   selector:
     app: calories-grpc
-  type: ClusterIP
+  type: ClusterIP
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-recommendations-to-calories-grpc
+  namespace: calories
+spec:
+  endpointSelector:
+    matchLabels:
+      app: calories-grpc
+  ingress:
+  - fromEndpoints:
+    - matchLabels:
+        app: recommendations-grpc
+  - toPorts:
+    - ports:
+      - port: "30000"
+        protocol: TCP
+      rules:
+        http:
+        - method: "POST"
+          path: "/calories.CaloriesService/SayHello"
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-scrape
+  namespace: calories
+spec:
+  endpointSelector:
+    matchLabels:
+      app: calories-grpc
+  ingress:
+  - toPorts:
+    - ports:
+      - port: "30000"
+        protocol: TCP  
+  - fromEndpoints:
+    - matchLabels:
+        namespace: prometheus
diff --git a/samples/cilium/database-store-service.yml b/samples/cilium/database-store-service.yml
@@ -1,62 +1,62 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: database-store-service
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: database-store-service
-  name: database-store-service
-  namespace: database-store-service
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      app: database-store-service
-  template:
-    metadata:
-      annotations:
-        prometheus.io/scrape: "true"
-        prometheus.io/port: "8080"
-        policy.cilium.io/proxy-visibility: "<Egress/53/UDP/DNS>,<Egress/30000/TCP/HTTP>"
-      labels:
-        app: database-store-service
-        name: database-store-service
-        version: v1
-    spec:
-      containers:
-      - image: fidelissauro/database-store-service:latest
-        name: database-store-service
-        env:
-        - name: ENVIRONMENT
-          value: "dev"
-        - name: ZIPKIN_COLLECTOR_ENDPOINT
-          value: http://jaeger.jaeger.svc.cluster.local:9411/api/v2/spans
-        - name: NATS_URI
-          value: "nats://nats.nats.svc.cluster.local:4222"
-        ports:
-        - containerPort: 8080
-          name: http
-      terminationGracePeriodSeconds: 60
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: database-store-service
-  namespace: database-store-service
-  annotations:
-    prometheus.io/scrape: "true"
-    prometheus.io/port: "8080"    
-  labels:
-    app.kubernetes.io/name: database-store-service
-    app.kubernetes.io/instance: database-store-service 
-spec:
-  ports:
-  - name: web
-    port: 8080
-    protocol: TCP
-  selector:
-    app: database-store-service
-  type: ClusterIP
+# apiVersion: v1
+# kind: Namespace
+# metadata:
+#   name: database-store-service
+# ---
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+#   labels:
+#     app: database-store-service
+#   name: database-store-service
+#   namespace: database-store-service
+# spec:
+#   replicas: 2
+#   selector:
+#     matchLabels:
+#       app: database-store-service
+#   template:
+#     metadata:
+#       annotations:
+#         prometheus.io/scrape: "true"
+#         prometheus.io/port: "8080"
+#         policy.cilium.io/proxy-visibility: "<Egress/53/UDP/DNS>,<Egress/30000/TCP/HTTP>"
+#       labels:
+#         app: database-store-service
+#         name: database-store-service
+#         version: v1
+#     spec:
+#       containers:
+#       - image: fidelissauro/database-store-service:latest
+#         name: database-store-service
+#         env:
+#         - name: ENVIRONMENT
+#           value: "dev"
+#         - name: ZIPKIN_COLLECTOR_ENDPOINT
+#           value: http://jaeger-collector.jaeger.svc.cluster.local:9411/api/v2/spans
+#         - name: NATS_URI
+#           value: "nats://nats.nats.svc.cluster.local:4222"
+#         ports:
+#         - containerPort: 8080
+#           name: http
+#       terminationGracePeriodSeconds: 60
+# ---
+# apiVersion: v1
+# kind: Service
+# metadata:
+#   name: database-store-service
+#   namespace: database-store-service
+#   annotations:
+#     prometheus.io/scrape: "true"
+#     prometheus.io/port: "8080"    
+#   labels:
+#     app.kubernetes.io/name: database-store-service
+#     app.kubernetes.io/instance: database-store-service 
+# spec:
+#   ports:
+#   - name: web
+#     port: 8080
+#     protocol: TCP
+#   selector:
+#     app: database-store-service
+#   type: ClusterIP
diff --git a/samples/cilium/generic.yml b/samples/cilium/generic.yml
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-access-to-kube-dns
+  namespace: kube-system
+spec:
+  endpointSelector:
+    matchLabels:
+      k8s-app: kube-dns
+  ingress:
+  - fromEntities:
+    - cluster
diff --git a/samples/cilium/health-api.yml b/samples/cilium/health-api.yml
@@ -33,7 +33,7 @@ spec:
         - name: ENVIRONMENT
           value: "dev"
         - name: ZIPKIN_COLLECTOR_ENDPOINT
-          value: http://jaeger.jaeger.svc.cluster.local:9411/api/v2/spans          
+          value: http://jaeger-collector.jaeger.svc.cluster.local:9411/api/v2/spans          
         - name: BMR_SERVICE_ENDPOINT
           value: "bmr-grpc.bmr.svc.cluster.local:30000"
         - name: IMC_SERVICE_ENDPOINT
@@ -65,7 +65,8 @@ metadata:
   namespace: health-api
   annotations:
     prometheus.io/scrape: "true"
-    prometheus.io/port: "8080"    
+    prometheus.io/port: "8080"
+    service.cilium.io/lb-l7: enabled
   labels:
     app.kubernetes.io/name: health-api
     app.kubernetes.io/instance: health-api