fix: network policy gcp (#912)

* fix: allow all egress on orchestrator-client

Signed-off-by: Guilhem Barthés <[email protected]>

* fix: allow all ingress on server

Signed-off-by: Guilhem Barthés <[email protected]>

* doc: bump chart version

Signed-off-by: Guilhem Barthés <[email protected]>

---------

Signed-off-by: Guilhem Barthés <[email protected]>

charts/substra-backend/CHANGELOG.md

@@ -2,6 +2,13 @@
 
 <!-- towncrier release notes start -->
 
+## [26.6.2] - 2024-05-24
+
+### Changed
+
+- Allow all ingress on server pod (#912)
+- Add a variable (`orchestrator.sameCluster`) to allow more communication between backend and orchestrator (#912)
+
 ## [26.6.1] - 2024-05-23
 
 ### Fix

charts/substra-backend/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: substra-backend
 home: https://github.com/Substra
-version: 26.6.1
+version: 26.6.2
 appVersion: 0.45.0
 kubeVersion: ">= 1.19.0-0"
 description: Main package for Substra

charts/substra-backend/README.md

@@ -289,6 +289,7 @@ See [UPGRADE.md](https://github.com/Substra/substra-backend/blob/main/charts/sub
 | `orchestrator.mspID`                                      | current organization name on the Orchestrator                                                                                  | `OwkinPeerMSP`       |
 | `orchestrator.channels[0].mychannel.restricted`           | Make this channel restricted to a single organization. The server will fail if there is more than one instance in this channel | `false`              |
 | `orchestrator.channels[0].mychannel.model_export_enabled` | Allow logged-in users to download models trained on this organization                                                          | `false`              |
+| `orchestrator.sameCluster`                                | Turn this setting to on when the orchestrator is on the same cluster to allow a more relaxed network policy                    | `false`              |
 
 ### Kaniko settings
 

charts/substra-backend/templates/networkpolicy-internet.yaml

@@ -7,12 +7,6 @@ spec:
   - from:
     - ipBlock:
         cidr: 0.0.0.0/0
-        {{- if not .Values.server.allowLocalRequests }}
-        except:
-        - 10.0.0.0/8
-        - 192.168.0.0/16
-        - 172.16.0.0/20
-        {{- end }}
   podSelector:
     matchLabels:
       app.kubernetes.io/part-of: {{ template "substra.name" . }}

charts/substra-backend/templates/networkpolicy-orchestrator-client.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.orchestrator.sameCluster }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -10,12 +11,13 @@ spec:
   - Egress
   egress:
   - to:
-    - namespaceSelector: {}
-      podSelector:
-        matchLabels:
-          app.kubernetes.io/name: orchestrator
-          app.kubernetes.io/component: "server"
+    - ipBlock:
+        cidr: 10.0.0.0/8
+    - ipBlock:
+        cidr: 192.168.0.0/16
+    - ipBlock:
+        cidr: 172.16.0.0/20
     ports:
     - protocol: TCP
       port: {{ .Values.orchestrator.port }}
-
+{{- end -}}

charts/substra-backend/values.yaml

@@ -749,6 +749,9 @@ orchestrator:
         restricted: false
         model_export_enabled: false
 
+  ## @param orchestrator.sameCluster Turn this setting to on when the orchestrator is on the same cluster to allow a more relaxed network policy
+  sameCluster: false
+
 ## @section Kaniko settings
 ##
 kaniko:

examples/values/backend-org-1.yaml

@@ -115,6 +115,7 @@ privateCa:
 
 orchestrator:
   host: orchestrator-org-1-server.org-1.svc.cluster.local
+  sameCluster: true
   port: 9000
   tls:
     enabled: true

examples/values/backend-org-2.yaml

@@ -104,6 +104,7 @@ privateCa:
 
 orchestrator:
   host: orchestrator-org-1-server.org-1.svc.cluster.local
+  sameCluster: true
   port: 9000
   tls:
     enabled: true

examples/values/backend-org-3.yaml

@@ -104,6 +104,7 @@ privateCa:
 
 orchestrator:
   host: orchestrator-org-1-server.org-1.svc.cluster.local
+  sameCluster: true
   port: 9000
   tls:
     enabled: true