chore: network policy (#409)

## Description

<!-- Please reference issue if any. -->

<!-- Please include a summary of your changes. -->

Fixes FL-1457

## Companion PR

- Substra/substra-backend#875

## How has this been tested?

[CI there](Substra/substra-backend#875)

<!-- Please describe the tests that you ran to verify your changes.  -->

## Checklist

- [ ] [changelog](../CHANGELOG.md) was updated with notable changes
- [ ] documentation was updated

---------

Signed-off-by: Guilhem Barthés <[email protected]>

charts/orchestrator/CHANGELOG.md

@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- towncrier release notes start -->
 
+## [8.7.0] - 2024-05-21
+
+### Added
+
+- Network policies that:
+  -  Limit connection from pods to the DB (except from server and migrations) 
+  -  Allow server pod to communicate with internet (outside of cluster) and pods that have the label `role-orchestrator-client: 'true'`
+
 ## [8.6.0] - 2024-04-15
 
 ### Changed

charts/orchestrator/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: orchestrator
 description: substra orchestration
 type: application
-version: 8.6.0
+version: 8.7.0
 appVersion: 0.40.0
 kubeVersion: ">= 1.19.0-0"
 icon: https://avatars.githubusercontent.com/u/84009910?s=400

charts/orchestrator/templates/job-migrations.yaml

@@ -11,6 +11,8 @@ spec:
   template:
     metadata:
       name: {{ include "orchestrator.migrations.fullname" . }}
+      labels:
+        {{- include "orchestrator.migrations.labels" . | nindent 8 }}
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:

charts/orchestrator/templates/networkpolicy-database.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "orchestrator.name" . }}-database
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: primary
+      app.kubernetes.io/name: postgresql
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          {{- include "orchestrator.migrations.labels" . | nindent 10 }}
+    - podSelector:
+        matchLabels:
+          {{- include "orchestrator.server.labels" . | nindent 10 }}
+    ports:
+    - protocol: TCP
+      port: {{ .Values.database.port }}
+  egress: []

charts/orchestrator/templates/networkpolicy-deny-all.yaml

@@ -0,0 +1,10 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: {{ include "orchestrator.name" . }}-deny-all
+spec:
+  podSelector:
+    matchLabels:
+      {{ include "orchestrator.common.selectorLabels" . | nindent 6 }}
+  ingress: []
+  egress: []

charts/orchestrator/templates/networkpolicy-orchestrator-client.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "orchestrator.name" . }}-backend-client-ingress
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "orchestrator.server.labels" . | nindent 10 }}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector: {}
+      podSelector:
+        matchLabels:
+          role-orchestrator-client: 'true'
+    ports:
+    - protocol: TCP
+      port: {{ .Values.service.port }}
+

charts/orchestrator/templates/networkpolicy-orchestrator-common.yaml

@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "orchestrator.name" . }}-common
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "orchestrator.common.labels" . | nindent 6 }}
+  policyTypes:
+  - Egress
+  egress:
+    - to:
+      # Allow internal DNS reslution
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: kube-system
+        podSelector:
+          matchLabels:
+            k8s-app: kube-dns
+      ports:
+      - protocol: TCP
+        port: 53
+      - protocol: UDP
+        port: 53
+    - to:
+      - podSelector:
+          matchLabels:
+            app.kubernetes.io/component: primary
+            app.kubernetes.io/name: postgresql
+      ports:
+      - protocol: TCP
+        port: {{ .Values.database.port }}

charts/orchestrator/templates/networkpolicy-orchestrator-server.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "orchestrator.name" . }}-server
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "orchestrator.server.labels" . | nindent 10 }}
+  policyTypes:
+  - Ingress
+  ingress:
+    # Allow communication from internet
+    - from:
+      - ipBlock:
+          cidr: 0.0.0.0/0
+          except:
+          - 10.0.0.0/8
+          - 192.168.0.0/16
+          - 172.16.0.0/20
+      ports:
+        - protocol: TCP
+          port: 443
+        - protocol: TCP
+          port: 80
+