Posted to issues@openwhisk.apache.org by GitBox <gi...@apache.org> on 2018/01/11 19:08:17 UTC

[GitHub] rabbah closed pull request #147: Define initial network policies for OpenWhisk deployment

rabbah closed pull request #147: Define initial network policies for OpenWhisk deployment
URL: https://github.com/apache/incubator-openwhisk-deploy-kube/pull/147
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/kubernetes/controller/controller.yml b/kubernetes/controller/controller.yml
index 48dd41e..163da4e 100644
--- a/kubernetes/controller/controller.yml
+++ b/kubernetes/controller/controller.yml
@@ -160,3 +160,30 @@ spec:
           initialDelaySeconds: 5
           periodSeconds: 10
           timeoutSeconds: 1
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: controller-netpol
+  namespace: openwhisk
+spec:
+  podSelector:
+    matchLabels:
+      name: controller
+  ingress:
+  # Allow nginx to connect to controller
+  - from:
+    - podSelector:
+        matchLabels:
+          name: nginx
+    ports:
+     - port: 8080
+  # Controllers can connect to each other
+  - from:
+    - podSelector:
+        matchLabels:
+          name: controller
+    ports:
+     - port: 8080
+     - port: 2552
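Review bot: The ingress allowlist in controller-netpol admits only nginx and controller pods, yet the probe settings directly above the new document show the controller is health-checked by the kubelet, whose traffic originates from the node rather than from a pod; whether it still reaches the pod depends on the CNI (Calico and Cilium exempt host-to-local-pod traffic by default, other plugins may not). Worth stating next to `ingress:`: `# kubelet probe traffic is not matched by these rules; the CNI must permit host-to-pod traffic`. A README note that NetworkPolicy objects are accepted but silently unenforced on a CNI without policy support (plain kubenet, for example) would also avoid a false sense of isolation, and the same caveat applies to the couchdb, kafka and zookeeper policies in this PR. The probe port itself is outside the hunk, so I have not confirmed it is 8080.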
diff --git a/kubernetes/couchdb/couchdb.yml b/kubernetes/couchdb/couchdb.yml
index 71c066b..76b349e 100644
--- a/kubernetes/couchdb/couchdb.yml
+++ b/kubernetes/couchdb/couchdb.yml
@@ -72,3 +72,28 @@ spec:
           periodSeconds: 10
           failureThreshold: 10
           timeoutSeconds: 1
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: couchdb-netpol
+  namespace: openwhisk
+spec:
+  podSelector:
+    matchLabels:
+      name: couchdb
+  ingress:
+  # Allow controller, invoker, and any pod with access=db to connect to couchdb
+  - from:
+    - podSelector:
+        matchLabels:
+          name: controller
+    - podSelector:
+        matchLabels:
+          name: invoker
+    - podSelector:
+        matchLabels:
+          access: db
+    ports:
+     - port: 5984
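Review bot: The third `from` entry lets any pod in the openwhisk namespace reach CouchDB on 5984 simply by carrying the label `access: db`; a label is chosen by whoever creates the pod, so this rule is an opt-in escape hatch rather than an allowlist, and its value rests entirely on RBAC over pod creation and labelling in this namespace. That trade-off should be recorded where the rule is, e.g. `# access=db is a convenience for admin/seed jobs; any pod labelled this way in the namespace gets through, so CouchDB authentication must stay the primary control`. If the intended consumers are a small set of known jobs, selecting them by `name` as the controller and invoker entries do would be tighter.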
diff --git a/kubernetes/kafka/kafka.yml b/kubernetes/kafka/kafka.yml
index 9f67ece..9d6b1d4 100644
--- a/kubernetes/kafka/kafka.yml
+++ b/kubernetes/kafka/kafka.yml
@@ -39,3 +39,32 @@ spec:
         # zookeeper info
         - name: "KAFKA_ZOOKEEPER_CONNECT"
           value: "$(ZOOKEEPER_SERVICE_HOST):$(ZOOKEEPER_SERVICE_PORT_ZOOKEEPER)"
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: kafka-netpol
+  namespace: openwhisk
+spec:
+  podSelector:
+    matchLabels:
+      name: kafka
+  ingress:
+  # Allow invoker and controller to connect to kafka
+  - from:
+    - podSelector:
+        matchLabels:
+          name: controller
+    - podSelector:
+        matchLabels:
+          name: invoker
+    ports:
+     - port: 9092
+  # kafkas can connect to each other
+  - from:
+    - podSelector:
+        matchLabels:
+          name: kafka
+    ports:
+     - port: 9092
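Review bot: Every selector in kafka-netpol (`name: kafka` in `podSelector`, `name: controller` and `name: invoker` under `from`) has to match the pod-template labels of the corresponding Deployments, which are not in this hunk; a selector that matches no pod raises no error and simply admits nothing, so a label typo here surfaces as a Kafka outage rather than a failed apply. Please confirm the labels against the deployments and add a short comment such as `# selectors rely on the metadata.labels.name set in each deployment's pod template`. Separately, `- port:` items are indented five spaces under `ports:` while `- podSelector` items are indented four under `from:`; yamllint flags mixed sequence indentation, so one style throughout the file would be cleaner.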
diff --git a/kubernetes/zookeeper/zookeeper.yml b/kubernetes/zookeeper/zookeeper.yml
index cd292c5..26422a5 100644
--- a/kubernetes/zookeeper/zookeeper.yml
+++ b/kubernetes/zookeeper/zookeeper.yml
@@ -1,4 +1,3 @@
----
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -26,3 +25,33 @@ spec:
           containerPort: 2888
         - name: leader-election
           containerPort: 3888
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: zookeeper-netpol
+  namespace: openwhisk
+spec:
+  podSelector:
+    matchLabels:
+      name: zookeeper
+  ingress:
+  # Allow kafka and invoker to connect to zookeeper
+  - from:
+    - podSelector:
+        matchLabels:
+          name: kafka
+    - podSelector:
+        matchLabels:
+          name: invoker
+    ports:
+     - port: 2181
+  # zookeepers can connect to each other
+  - from:
+    - podSelector:
+        matchLabels:
+          name: zookeeper
+    ports:
+     - port: 2181
+     - port: 2888
+     - port: 3888
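Review bot: `policyTypes` is omitted from zookeeper-netpol, so the policy is ingress-only purely by the default rule that Egress is included only when an `egress` stanza is present; writing `policyTypes:` / `- Ingress` explicitly records that outbound traffic from zookeeper is intentionally unrestricted and turns a later edit that adds egress rules into a visible choice rather than an implicit lockdown. The first rule grants the invoker access to 2181 but the comment only restates the selector; a reason (presumably the invoker's use of zookeeper is not obvious from the deployment files) would help the next reader decide whether the grant is still required, e.g. `# invoker needs zookeeper for <reason> - confirm before removing`. The same `policyTypes` omission applies to the other three policies in this PR.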


 
