diff --git a/config/networkpolicy/kustomization.yaml b/config/networkpolicy/kustomization.yaml new file mode 100644 index 00000000000..41420197536 --- /dev/null +++ b/config/networkpolicy/kustomization.yaml @@ -0,0 +1,9 @@ +resources: +- networkpolicy.yaml + +namespace: openshift-adp + +# Add common labels to all NetworkPolicy resources +commonLabels: + app.kubernetes.io/name: oadp-operator + app.kubernetes.io/part-of: oadp-operator diff --git a/config/networkpolicy/networkpolicy.yaml b/config/networkpolicy/networkpolicy.yaml new file mode 100644 index 00000000000..52cd9d28649 --- /dev/null +++ b/config/networkpolicy/networkpolicy.yaml @@ -0,0 +1,90 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: oadp-default-deny-labelled + labels: + app.kubernetes.io/name: oadp-networkpolicy + app.kubernetes.io/component: network-security + app.kubernetes.io/part-of: oadp-operator + app.kubernetes.io/managed-by: olm +spec: + # Limited Default Deny Policy: + # This policy selects pods managed by oadp-operator and blocks all traffic by default, + # except for the specific ingress/egress rules defined below. + # It allows OADP to coexist with other workloads in the same namespace. + podSelector: + matchLabels: + app.kubernetes.io/managed-by: "oadp-operator" + policyTypes: + - Ingress + - Egress + ingress: + - from: + - podSelector: {} + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: openshift-monitoring + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: openshift-user-workload-monitoring + ports: + - protocol: TCP + port: 8085 + - protocol: TCP + port: 8443 + - ports: + - protocol: TCP + port: 9443 + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: 443 + - protocol: TCP + port: 6443 + # Explicitly allow access to DNS + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: openshift-dns + podSelector: + matchLabels: + dns.operator.openshift.io/daemonset-dns: default + ports: + - protocol: UDP + port: 53 + - protocol: TCP + port: 53 + - protocol: UDP + port: 5353 + - protocol: TCP + port: 5353 + # Explicitly allow access to Kubernetes API Server + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: default + ports: + - protocol: TCP + port: 443 + # Explicitly allow access to OpenShift API Server + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: openshift-apiserver + ports: + - protocol: TCP + port: 443 + # Explicitly allow access to Kubernetes API Server (OpenShift Namespace) + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: openshift-kube-apiserver + ports: + - protocol: TCP + port: 443 + - protocol: TCP + port: 6443 diff --git a/docs/NetworkPolicies/README.md b/docs/NetworkPolicies/README.md new file mode 100644 index 00000000000..947320b67b0 --- /dev/null +++ b/docs/NetworkPolicies/README.md @@ -0,0 +1,273 @@ +# NetworkPolicies for OADP (OpenShift API for Data Protection) + +This directory contains NetworkPolicy configurations for securing OADP components in your Kubernetes cluster. NetworkPolicies provide a way to control network traffic flow between pods and other network endpoints at the application layer. + +## What are NetworkPolicies? + +NetworkPolicies are Kubernetes resources that define how groups of pods are allowed to communicate with each other and other network endpoints. They work at the IP address or port level (OSI layer 3 or 4) and provide a way to implement network segmentation and micro-segmentation within your cluster. + +As described in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/), NetworkPolicies use labels to select pods and define rules that specify what traffic is allowed to and from those pods. + +## Prerequisites + +- Your cluster must be using a Container Network Interface (CNI) plugin that supports NetworkPolicies (such as Calico, Cilium, Weave Net, or others) +- NetworkPolicies are namespaced resources and only affect pods in the same namespace + +## OADP NetworkPolicy Configuration + +The `network_policy.yaml` file in this directory defines a NetworkPolicy specifically designed for OADP components. Here's what it does: + +### Policy Overview + +```yaml +name: default-deny-labelled +``` + +This policy implements a **default-deny approach** for pods managed by the OADP operator, meaning that by default, all network traffic is blocked except for explicitly allowed connections. + +### Pod Selection + +```yaml +podSelector: + matchLabels: + app.kubernetes.io/managed-by: "oadp-operator" +``` + +The policy applies to all pods that have the label `app.kubernetes.io/managed-by: "oadp-operator"`. This typically includes: +- Velero pods +- OADP operator pods +- Other OADP-related components + +### Traffic Rules + +#### Ingress Rules (Incoming Traffic) + +```yaml +ingress: +- from: + - podSelector: {} +# Allow OpenShift Monitoring +- from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: openshift-monitoring + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: openshift-user-workload-monitoring + ports: + - protocol: TCP + port: 8085 # Velero Metrics + - protocol: TCP + port: 8443 # Controller Metrics +# Allow API Server Webhooks +- ports: + - protocol: TCP + port: 9443 # Webhook +``` + +**What this allows:** +- **Internal Communication**: Allows incoming traffic from **any pod within the same namespace**. +- **Monitoring**: Allows OpenShift Monitoring stack to scrape metrics from OADP components (ports 8085, 8443). +- **Webhooks**: Allows the Kubernetes API server to communicate with OADP validation/mutation webhooks (port 9443). + +#### Egress Rules (Outgoing Traffic) + +The policy defines multiple egress rules to ensure comprehensive connectivity: + +**1. General Network Access** +```yaml +- to: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: 443 + - protocol: TCP + port: 6443 +``` + +**What this allows:** +- Outbound HTTPS traffic (port 443) to any IP address. +- Outbound traffic to Kubernetes API servers (port 6443). +- This covers cloud storage providers, external APIs, container registries, and external/host-networked API servers. + +**2. DNS Resolution** +```yaml +- to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: openshift-dns + podSelector: + matchLabels: + dns.operator.openshift.io/daemonset-dns: default + ports: + - protocol: UDP + port: 53 + - protocol: TCP + port: 53 + - protocol: UDP + port: 5353 + - protocol: TCP + port: 5353 +``` + +**What this allows:** +- DNS queries to the OpenShift DNS service (ports 53 and 5353). +- Uses specific selectors for the `openshift-dns` namespace and `dns-default` pods. + +**3. Kubernetes API Access (Explicit)** +```yaml +# Allow access to Kubernetes API Server +- to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: default + ports: + - protocol: TCP + port: 443 + +# Allow access to OpenShift API Server +- to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: openshift-apiserver + ports: + - protocol: TCP + port: 443 + +# Allow access to Kubernetes API Server (OpenShift Namespace) +- to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: openshift-kube-apiserver + ports: + - protocol: TCP + port: 443 + - protocol: TCP + port: 6443 +``` + +**What this allows:** +- Explicitly allows traffic to the Kubernetes API server (in `default` and `openshift-kube-apiserver` namespaces) and OpenShift API server (in `openshift-apiserver` namespace). +- Ensures internal Service Network traffic is permitted even if broader rules don't apply to cluster services in some CNI configurations. +- Covers both port 443 (Service) and 6443 (Pod/Endpoint) for the API server. + +## Why These Rules Matter for OADP + +### Security Benefits + +1. **Principle of Least Privilege**: Only allows the minimum network access required for OADP to function +2. **Attack Surface Reduction**: Limits potential network-based attacks on OADP components +3. **Compliance**: Helps meet security compliance requirements for network segmentation + +### OADP-Specific Requirements + +OADP components need specific network access to function properly: + +- **Cloud Storage Access**: HTTPS (443) for communicating with cloud storage APIs +- **DNS Resolution**: Required to resolve cloud storage endpoint names +- **Inter-Component Communication**: OADP pods may need to communicate with each other within the namespace +- **Monitoring**: The OpenShift Monitoring stack needs to reach OADP metrics endpoints +- **Webhooks**: The Kubernetes API server needs to reach the OADP operator for CR validation + +## Applying the NetworkPolicy + +To apply this NetworkPolicy to your cluster: + +```bash +kubectl apply -f network_policy.yaml -n +``` + +Replace `` with the namespace where OADP is installed (typically `openshift-adp`). + +## Monitoring and Troubleshooting + +### Verifying the Policy + +Check if the NetworkPolicy is applied: +```bash +kubectl get networkpolicy -n +kubectl describe networkpolicy default-deny-labelled -n +``` + +### Common Issues + +1. **DNS Resolution Failures**: If OADP components can't resolve domain names, verify the DNS egress rule +2. **Cloud Storage Connection Issues**: Ensure the HTTPS egress rule allows traffic to your storage provider +3. **Inter-Pod Communication Problems**: Check that pods have the correct labels and the ingress rule is configured properly + +### Debugging Network Connectivity + +If you suspect NetworkPolicy issues: + +1. Check pod labels: + ```bash + kubectl get pods -n --show-labels + ``` + +2. Test connectivity from within a pod: + ```bash + kubectl exec -it -n -- nslookup + kubectl exec -it -n -- curl -I https:// + ``` + +## Customizing the Policy + +You may need to modify the NetworkPolicy based on your specific requirements: + +### Adding Additional Egress Rules + +If your OADP setup requires access to additional services, add more egress rules: + +```yaml +egress: +- to: + - ipBlock: + cidr: 10.0.0.0/8 # Private network range + ports: + - protocol: TCP + port: 9000 # MinIO or other S3-compatible storage +``` + +### Restricting Cloud Access + +To limit access to specific cloud provider IP ranges instead of allowing all internet traffic: + +```yaml +egress: +- to: + - ipBlock: + cidr: 52.219.0.0/16 # AWS S3 IP range example + ports: + - protocol: TCP + port: 443 +``` + +## Important Considerations + +### Pod Lifecycle + +As noted in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/), when a NetworkPolicy is first applied, there may be a brief period where pods are started without full network isolation. OADP pods should be resilient to temporary network connectivity issues during startup. + +### CNI Plugin Compatibility + +Ensure your CNI plugin fully supports NetworkPolicies. Some features (like `endPort` ranges) may not be supported by all plugins. + +### Default Behavior + +Remember that NetworkPolicies implement a "default deny" model. If no NetworkPolicy selects a pod, all traffic is allowed. Once a pod is selected by any NetworkPolicy, only traffic explicitly allowed by those policies will be permitted. + +## Additional Resources + +- [Kubernetes NetworkPolicy Documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/) +- [OADP Documentation](https://docs.openshift.com/container-platform/latest/backup_and_restore/application_backup_and_restore/oadp-features-plugins.html) +- [OpenShift Network Security](https://docs.openshift.com/container-platform/latest/networking/network_policy/about-network-policy.html) + +## Contributing + +When modifying NetworkPolicies for OADP: + +1. Test thoroughly in a development environment +2. Verify that all OADP functionality continues to work +3. Document any changes and the reasoning behind them +4. Consider the security implications of any new rules