chore: add network policies for Harbor

charts/substra-backend/templates/network-task-deny-all.yaml

@@ -0,0 +1,14 @@
+# Deny ALL networking in launched substra ml task
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "substra.fullname". }}-deny-ingress
+  labels:
+    {{ include "substra.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      substra.ai/pod-type: compute-task
+  policyTypes:
+  - Ingress
+  - Egress

charts/substra-backend/templates/networkpolicy-registry-remote.yaml

@@ -0,0 +1,25 @@
+{{- if not .Values.containerRegistry.local }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "substra.name". }}-registry-remote-egress
+spec:
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        {{- if not .Values.server.allowLocalRequests }}
+        except:
+        - 10.0.0.0/8
+        - 192.168.0.0/16
+        - 172.16.0.0/20
+        {{- end }}
+    ports:
+    - protocol: TCP
+      port: {{ .Values.containerRegistry.port }}
+  podSelector:
+    matchLabels:
+      role-registry-client: 'true'
+  policyTypes:
+  - Egress
+{{- end }}

charts/substra-backend/templates/networkpolicy-registry.yaml

@@ -0,0 +1,77 @@
+{{- if .Values.containerRegistry.local }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "substra.name". }}-registry-ingress
+spec:
+  podSelector:
+    matchLabels:
+      app: docker-registry
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/part-of: {{ template "substra.name" . }}
+          role-registry-client: 'true'
+  # kaniko-function-xx send requests through the service, which changes the IP address calling the registry, preventing 
+  # to connect as the connection doesn't come directly from the pod
+    - ipBlock:
+        cidr: 10.0.0.0/8
+    ports:
+    - protocol: TCP
+      port: {{ .Values.containerRegistry.port }}
+    # Nodeport range
+    - protocol: TCP
+      port: 30000
+      endPort: 32767
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "substra.name". }}-registry-egress
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/part-of: {{ template "substra.name" . }}
+      role-registry-client: 'true'
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: docker-registry
+    ports:
+    - protocol: TCP
+      port: {{ .Values.containerRegistry.port }}
+    # Nodeport range
+    - protocol: TCP
+      port: 30000
+      endPort: 32767
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "substra.name". }}-registry-kaniko-egress
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: substra-compute
+      role-registry-client: 'true'
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: docker-registry
+    ports:
+    - protocol: TCP
+      port: {{ .Values.containerRegistry.port }}
+    # Nodeport range
+    - protocol: TCP
+      port: 30000
+      endPort: 32767
+{{- end }}