Add NetworkPolicy support

trinodb · Oct 6, 2024 · ec36344 · ec36344
1 parent 4e84b51
commit ec36344
Show file tree

Hide file tree

Showing 8 changed files with 182 additions and 3 deletions.
diff --git a/.github/workflows/ci-cd.yaml b/.github/workflows/ci-cd.yaml
@@ -52,6 +52,8 @@ jobs:
         uses: helm/[email protected]
       - name: Create kind cluster
         uses: helm/[email protected]
+        with:
+          version: v0.24.0
       - name: Run tests
         run: ./test.sh ${{ matrix.args }}
 

diff --git a/charts/trino/README.md b/charts/trino/README.md
@@ -786,7 +786,59 @@ Fast distributed SQL query engine for big data analytics that helps you explore
        - path: /
          pathType: ImplementationSpecific
   ```
-* `ingress.tls` - list, default: `[]`
+* `ingress.tls` - list, default: `[]`  
+
+  Ingress [TLS](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) configuration.
+  Example:
+  ```yaml
+   - secretName: chart-example-tls
+     hosts:
+       - chart-example.local
+  ```
+* `networkPolicy.enabled` - bool, default: `false`  
+
+  Set to true to enable Trino pod protection with a [NetworkPolicy](https://kubernetes.io/docs/concepts/services-networking/network-policies/). By default, the NetworkPolicy will only allow Trino pods to communicate with each other.
+  > [!NOTE]
+  > - NetworkPolicies cannot block the ingress traffic coming directly
+  > from the Kubernetes node on which the Pod is running,
+  > and are thus incompatible with services of type `NodePort`.
+  > - When using NetworkPolicies together with JMX metrics export,
+  > additional ingress rules might be required to allow metric scraping.
+* `networkPolicy.ingress` - list, default: `[]`  
+
+  Additional ingress rules to apply to the Trino pods.
+  Example:
+  ```yaml
+   - from:
+       - ipBlock:
+           cidr: 172.17.0.0/16
+           except:
+             - 172.17.1.0/24
+       - namespaceSelector:
+           matchLabels:
+             kubernetes.io/metadata.name: prometheus
+       - podSelector:
+           matchLabels:
+             role: backend-app
+     ports:
+       - protocol: TCP
+         port: 8080
+       - protocol: TCP
+         port: 5556
+  ```
+* `networkPolicy.egress` - list, default: `[]`  
+
+  Egress rules to apply to the Trino pods.
+  Example:
+  ```yaml
+   - to:
+       - podSelector:
+           matchLabels:
+             role: log-ingestor
+     ports:
+       - protocol: TCP
+         port: 9999
+  ```
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
diff --git a/charts/trino/templates/deployment-coordinator.yaml b/charts/trino/templates/deployment-coordinator.yaml
@@ -7,6 +7,7 @@ metadata:
   labels:
     {{- include "trino.labels" . | nindent 4 }}
     app.kubernetes.io/component: coordinator
+    trino.io/network-policy-protection: {{ ternary "enabled" "disabled" .Values.networkPolicy.enabled }}
     {{- if .Values.coordinator.labels }}
     {{- tpl (toYaml .Values.coordinator.labels) . | nindent 4 }}
     {{- end }}
@@ -32,6 +33,7 @@ spec:
       labels:
         {{- include "trino.labels" . | nindent 8 }}
         app.kubernetes.io/component: coordinator
+        trino.io/network-policy-protection: {{ ternary "enabled" "disabled" .Values.networkPolicy.enabled }}
         {{- if .Values.coordinator.labels }}
         {{- tpl (toYaml .Values.coordinator.labels) . | nindent 8 }}
         {{- end }}

diff --git a/charts/trino/templates/deployment-worker.yaml b/charts/trino/templates/deployment-worker.yaml
@@ -8,6 +8,7 @@ metadata:
   labels:
     {{- include "trino.labels" . | nindent 4 }}
     app.kubernetes.io/component: worker
+    trino.io/network-policy-protection: {{ ternary "enabled" "disabled" .Values.networkPolicy.enabled }}
     {{- if .Values.worker.labels }}
     {{- tpl (toYaml .Values.worker.labels) . | nindent 4 }}
     {{- end }}
@@ -35,6 +36,7 @@ spec:
       labels:
         {{- include "trino.labels" . | nindent 8 }}
         app.kubernetes.io/component: worker
+        trino.io/network-policy-protection: {{ ternary "enabled" "disabled" .Values.networkPolicy.enabled }}
         {{- if .Values.worker.labels }}
         {{- tpl (toYaml .Values.worker.labels) . | nindent 8 }}
         {{- end }}

diff --git a/charts/trino/templates/networkpolicy.yaml b/charts/trino/templates/networkpolicy.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.networkPolicy.enabled }}
+{{- if eq "NodePort" .Values.service.type}}
+{{- fail "NetworkPolicy enforcement is not supported with NodePort services, as traffic reaches the Pod through the node itself, bypassing pod-level network controls." }}
+{{- end }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "trino.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "trino.labels" . | nindent 4 }}
+    app.kubernetes.io/component: network-policy
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "trino.selectorLabels" . | nindent 6 }}
+      trino.io/network-policy-protection: enabled
+  policyTypes:
+    - Ingress
+  {{- with .Values.networkPolicy.egress }}
+    - Egress
+  egress:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              {{- include "trino.selectorLabels" . | nindent 14 }}
+              trino.io/network-policy-protection: enabled
+          namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+  {{- with .Values.networkPolicy.ingress }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/trino/templates/tests/test-networkpolicy.yaml b/charts/trino/templates/tests/test-networkpolicy.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ include "trino.fullname" . }}-test-networkpolicy
+  labels:
+    {{- include "trino.labels" . | nindent 4 }}
+    app.kubernetes.io/component: test
+    test: network-policy
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  containers:
+    - name: check-connection
+      image: {{ include "trino.image" . }}
+      command: [ "/bin/bash", "-c" ]
+      args:
+        - >-
+          curl
+          {{ include "trino.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.port }}
+          --head
+          --fail
+          --connect-timeout 10
+          --max-time 10
+          2>&1 | grep -q "timed out"
+  restartPolicy: Never
+{{- end }}
diff --git a/charts/trino/values.yaml b/charts/trino/values.yaml
@@ -948,3 +948,51 @@ ingress:
   #    hosts:
   #      - chart-example.local
   # ```
+
+networkPolicy:
+  # networkPolicy.enabled -- Set to true to enable Trino pod protection with a
+  # [NetworkPolicy](https://kubernetes.io/docs/concepts/services-networking/network-policies/).
+  # By default, the NetworkPolicy will only allow Trino pods to communicate with each other.
+  # @raw
+  # > [!NOTE]
+  # > - NetworkPolicies cannot block the ingress traffic coming directly
+  # > from the Kubernetes node on which the Pod is running,
+  # > and are thus incompatible with services of type `NodePort`.
+  # > - When using NetworkPolicies together with JMX metrics export,
+  # > additional ingress rules might be required to allow metric scraping.
+  enabled: false
+  # networkPolicy.ingress -- Additional ingress rules to apply to the Trino pods.
+  # @raw
+  # Example:
+  # ```yaml
+  #  - from:
+  #      - ipBlock:
+  #          cidr: 172.17.0.0/16
+  #          except:
+  #            - 172.17.1.0/24
+  #      - namespaceSelector:
+  #          matchLabels:
+  #            kubernetes.io/metadata.name: prometheus
+  #      - podSelector:
+  #          matchLabels:
+  #            role: backend-app
+  #    ports:
+  #      - protocol: TCP
+  #        port: 8080
+  #      - protocol: TCP
+  #        port: 5556
+  # ```
+  ingress: []
+  # networkPolicy.egress -- Egress rules to apply to the Trino pods.
+  # @raw
+  # Example:
+  # ```yaml
+  #  - to:
+  #      - podSelector:
+  #          matchLabels:
+  #            role: log-ingestor
+  #    ports:
+  #      - protocol: TCP
+  #        port: 9999
+  # ```
+  egress: []
diff --git a/test-values.yaml b/test-values.yaml
@@ -24,9 +24,7 @@ additionalConfigProperties:
 service:
   annotations:
     custom/name: value
-  type: NodePort
   port: 8080
-  nodePort: 30080
 
 auth:
   # created using htpasswd -B -C 10 password.db admin
@@ -175,3 +173,13 @@ ingress:
       paths:
         - path: /
           pathType: ImplementationSpecific
+
+networkPolicy:
+  enabled: true
+  ingress:
+    - from:
+        - podSelector:
+            matchExpressions:
+              - key: test
+                operator: NotIn
+                values: [network-policy]