From 88d97ff36a3348163b7fb2579b2248f252810b91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guilhem=20Barth=C3=A9s?=
Date: Thu, 23 May 2024 11:39:32 +0200
Subject: [PATCH] chore: network policy (#409)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
## Description
Fixes FL-1457
## Companion PR
- https://github.com/Substra/substra-backend/pull/875
## How has this been tested?
[CI there](https://github.com/Substra/substra-backend/pull/875)
## Checklist
- [ ] [changelog](../CHANGELOG.md) was updated with notable changes
- [ ] documentation was updated
---------
Signed-off-by: Guilhem Barthés
---
 charts/orchestrator/CHANGELOG.md | 8 +++++
 charts/orchestrator/Chart.yaml | 2 +-
 .../templates/job-migrations.yaml | 2 ++
 .../templates/networkpolicy-database.yaml | 24 ++++++++++++++
 .../templates/networkpolicy-deny-all.yaml | 10 ++++++
 .../networkpolicy-orchestrator-client.yaml | 20 ++++++++++++
 .../networkpolicy-orchestrator-common.yaml | 32 +++++++++++++++++++
 .../networkpolicy-orchestrator-server.yaml | 25 +++++++++++++++
 8 files changed, 122 insertions(+), 1 deletion(-)
 create mode 100644 charts/orchestrator/templates/networkpolicy-database.yaml
 create mode 100644 charts/orchestrator/templates/networkpolicy-deny-all.yaml
 create mode 100644 charts/orchestrator/templates/networkpolicy-orchestrator-client.yaml
 create mode 100644 charts/orchestrator/templates/networkpolicy-orchestrator-common.yaml
 create mode 100644 charts/orchestrator/templates/networkpolicy-orchestrator-server.yaml
diff --git a/charts/orchestrator/CHANGELOG.md b/charts/orchestrator/CHANGELOG.md
index c3e8e4f5..ef8fdf78 100644
--- a/charts/orchestrator/CHANGELOG.md
+++ b/charts/orchestrator/CHANGELOG.md
@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
+## [8.7.0] - 2024-05-21
+
+### Added
+
+- Network policies that:
+ - Limit connection from pods to the DB (except from server and migrations)
+ - Allow server pod to communicate with internet (outside of cluster) and pods that have the label `role-orchestrator-client: 'true'`
+
 ## [8.6.0] - 2024-04-15
 ### Changed
diff --git a/charts/orchestrator/Chart.yaml b/charts/orchestrator/Chart.yaml
index 72a2ffb8..ad88457c 100644
--- a/charts/orchestrator/Chart.yaml
+++ b/charts/orchestrator/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: orchestrator
 description: substra orchestration
 type: application
-version: 8.6.0
+version: 8.7.0
 appVersion: 0.40.0
 kubeVersion: ">= 1.19.0-0"
 icon: https://avatars.githubusercontent.com/u/84009910?s=400
diff --git a/charts/orchestrator/templates/job-migrations.yaml b/charts/orchestrator/templates/job-migrations.yaml
index b97fd9b0..71d899ee 100644
--- a/charts/orchestrator/templates/job-migrations.yaml
+++ b/charts/orchestrator/templates/job-migrations.yaml
@@ -11,6 +11,8 @@ spec:
 template:
 metadata:
 name: {{ include "orchestrator.migrations.fullname" . }}
+ labels:
+ {{- include "orchestrator.migrations.labels" . | nindent 8 }}
 spec:
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
diff --git a/charts/orchestrator/templates/networkpolicy-database.yaml b/charts/orchestrator/templates/networkpolicy-database.yaml
new file mode 100644
index 00000000..cac7922f
--- /dev/null
+++ b/charts/orchestrator/templates/networkpolicy-database.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "orchestrator.name" . }}-database
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: primary
+ app.kubernetes.io/name: postgresql
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ {{- include "orchestrator.migrations.labels" . | nindent 10 }}
+ - podSelector:
+ matchLabels:
+ {{- include "orchestrator.server.labels" . | nindent 10 }}
+ ports:
+ - protocol: TCP
+ port: {{ .Values.database.port }}
+ egress: []
diff --git a/charts/orchestrator/templates/networkpolicy-deny-all.yaml b/charts/orchestrator/templates/networkpolicy-deny-all.yaml
new file mode 100644
index 00000000..83436070
--- /dev/null
+++ b/charts/orchestrator/templates/networkpolicy-deny-all.yaml
@@ -0,0 +1,10 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ include "orchestrator.name" . }}-deny-all
+spec:
+ podSelector:
+ matchLabels:
+ {{ include "orchestrator.common.selectorLabels" . | nindent 6 }}
+ ingress: []
+ egress: []
diff --git a/charts/orchestrator/templates/networkpolicy-orchestrator-client.yaml b/charts/orchestrator/templates/networkpolicy-orchestrator-client.yaml
new file mode 100644
index 00000000..0b806735
--- /dev/null
+++ b/charts/orchestrator/templates/networkpolicy-orchestrator-client.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "orchestrator.name" . }}-backend-client-ingress
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "orchestrator.server.labels" . | nindent 10 }}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ role-orchestrator-client: 'true'
+ ports:
+ - protocol: TCP
+ port: {{ .Values.service.port }}
+
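Review bot: The target `podSelector` (`app.kubernetes.io/component: primary` plus `app.kubernetes.io/name: postgresql`) carries no release-scoping label, so this policy attaches to every PostgreSQL primary in the namespace and limits its ingress to this chart's server and migrations pods; another workload sharing the namespace with its own PostgreSQL would lose access to it on upgrade. If the bundled database's pods carry the usual `app.kubernetes.io/instance` label, adding `app.kubernetes.io/instance: {{ .Release.Name }}` under `matchLabels` scopes the policy to this release; the same two-label selector is reused in the second egress rule of networkpolicy-orchestrator-common.yaml and would need the same addition. Note also that `policyTypes` lists Egress together with `egress: []`, which cuts every connection the database pod itself initiates (DNS included); that is fine for a standalone primary, but it will break any outbound replication or external metrics sink configured on that pod, so it deserves a comment stating the intent.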
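Review bot: `policyTypes` is omitted, so whether this policy denies egress depends on API-server defaulting: Egress is only added to the default policy types when the policy has egress rules, and an empty `egress: []` may not count, which would leave the default-deny ingress-only. Spell it out with `policyTypes:` / `- Ingress` / `- Egress` so the intent does not rest on that defaulting; the other policies in this commit already do so. Cosmetically, the include uses `{{ include ... | nindent 6 }}` without the `{{-` trim that every other template in this commit uses, which renders a whitespace-only line under `matchLabels:` (valid YAML, but inconsistent), and `kind`/`apiVersion` are in the opposite order from the sibling files.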
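Review bot: Trust here is granted by a pod label alone: `namespaceSelector: {}` combined with `role-orchestrator-client: 'true'` admits any pod in any namespace of the cluster whose author can set that label, so anyone with pod-create rights anywhere can reach the server port. If clients live in known namespaces, constrain `namespaceSelector` with `matchLabels` (for example on `kubernetes.io/metadata.name`, as the common policy in this commit already does for kube-system); if cluster-wide label-based trust is intended, state that in the chart documentation so operators know to guard that label with admission policy. Separately, NetworkPolicy port rules are evaluated against the destination pod's container port, not the Service port, so `port: {{ .Values.service.port }}` only works when the two coincide — and the server policy added in the same commit uses literal 80/443 for the same pods, so the two rules disagree about which pod port is exposed. The trailing empty `+` line at the end of the file is stray whitespace.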
diff --git a/charts/orchestrator/templates/networkpolicy-orchestrator-common.yaml b/charts/orchestrator/templates/networkpolicy-orchestrator-common.yaml
new file mode 100644
index 00000000..f44becb9
--- /dev/null
+++ b/charts/orchestrator/templates/networkpolicy-orchestrator-common.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "orchestrator.name" . }}-common
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "orchestrator.common.labels" . | nindent 6 }}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ # Allow internal DNS reslution
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ - to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: primary
+ app.kubernetes.io/name: postgresql
+ ports:
+ - protocol: TCP
+ port: {{ .Values.database.port }}
diff --git a/charts/orchestrator/templates/networkpolicy-orchestrator-server.yaml b/charts/orchestrator/templates/networkpolicy-orchestrator-server.yaml
new file mode 100644
index 00000000..e6d6a0ab
--- /dev/null
+++ b/charts/orchestrator/templates/networkpolicy-orchestrator-server.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "orchestrator.name" . }}-server
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "orchestrator.server.labels" . | nindent 10 }}
+ policyTypes:
+ - Ingress
+ ingress:
+ # Allow communication from internet
+ - from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 10.0.0.0/8
+ - 192.168.0.0/16
+ - 172.16.0.0/20
+ ports:
+ - protocol: TCP
+ port: 443
+ - protocol: TCP
+ port: 80
+
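Review bot: The DNS egress rule keys on `kubernetes.io/metadata.name: kube-system`, a namespace label the API server only sets automatically from Kubernetes 1.21 (GA in 1.22), while Chart.yaml in this same commit still declares `kubeVersion: ">= 1.19.0-0"`; on a 1.19/1.20 cluster the rule matches no namespace and, with the deny-all policy in place, the chart's pods lose name resolution. Either raise `kubeVersion` or document that the network policies require 1.21+. `k8s-app: kube-dns` is the label used by kubeadm/CoreDNS deployments but is not guaranteed on every distribution, so it is worth a comment naming that assumption. The comment on the rule has a typo, `# Allow internal DNS reslution` → `# Allow internal DNS resolution`.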
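Review bot: The private-range exclusion `- 172.16.0.0/20` is wrong: RFC 1918 reserves 172.16.0.0/12 (172.16.0.0–172.31.255.255), and a /20 covers only 172.16.0.0–172.16.15.255, so most of that private block is treated as "internet" and admitted on 80/443; the line should read `- 172.16.0.0/12`. Whether the rule ever matches also depends on the exposure path: traffic arriving through an in-cluster ingress controller or a source-NATing load balancer carries a pod or node source address, which typically falls inside the excepted ranges and would be dropped rather than admitted, while clusters whose pod or service CIDRs lie outside RFC 1918 (for example in 100.64.0.0/10) would see in-cluster sources admitted as "internet"; the intended exposure path should be stated in the `# Allow communication from internet` comment. The literal `port: 443` / `port: 80` are pod container ports here, whereas the client policy in this commit uses `{{ .Values.service.port }}` for the same pods, so one of the two presumably does not match what the container listens on.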