Redesign NetworkPolicies (#456) (#1352)

Signed-off-by: Grant Linville <[email protected]>

Author: g-linville

docs/docs/100-reference/01-command-line/acorn_install.md

@@ -21,6 +21,7 @@ acorn install
 ```
       --acorn-dns string                       enabled|disabled|auto. If enabled, containers created by Acorn will get public FQDNs. Auto functions as disabled if a custom clusterDomain has been supplied (default auto)
       --acorn-dns-endpoint string              The URL to access the Acorn DNS service
+      --allow-traffic-from-namespace strings   Namespaces that are allowed to send network traffic to all Acorn apps
       --allow-user-annotation strings          Allow these annotations to propagate to dependent objects, no effect if --ignore-user-labels-and-annotations not true
       --allow-user-label strings               Allow these labels to propagate to dependent objects, no effect if --ignore-user-labels-and-annotations not true
       --api-server-replicas int                acorn-api deployment replica count
@@ -33,12 +34,14 @@ acorn install
       --ignore-user-labels-and-annotations     Don't propagate user-defined labels and annotations to dependent objects
       --image string                           Override the default image used for the deployment
       --ingress-class-name string              The ingress class name to assign to all created ingress resources (default '')
+      --ingress-controller-namespace string    The namespace where the ingress controller runs - used to secure published HTTP ports with NetworkPolicies.
       --internal-cluster-domain string         The Kubernetes internal cluster domain (default svc.cluster.local)
       --internal-registry-prefix string        The image prefix to use when pushing internal images (example ghcr.io/my-org/)
       --lets-encrypt string                    enabled|disabled|staging. If enabled, acorn generated endpoints will be secured using TLS certificate from Let's Encrypt. Staging uses Let's Encrypt's staging environment. (default disabled)
       --lets-encrypt-email string              Required if --lets-encrypt=enabled. The email address to use for Let's Encrypt registration(default '')
       --lets-encrypt-tos-agree                 Required if --lets-encrypt=enabled. If true, you agree to the Let's Encrypt terms of service (default false)
       --manage-volume-classes                  Manually manage volume classes rather than sync with storage classes, setting to 'true' will delete Acorn-created volume classes
+      --network-policies                       Create Kubernetes NetworkPolicies which block cross-project network traffic (default true)
   -o, --output string                          Output manifests instead of applying them (json, yaml)
       --pod-security-enforce-profile string    The name of the PodSecurity profile to set (default baseline)
       --propagate-project-annotation strings   The list of keys of annotations to propagate from acorn project to app namespaces

docs/docs/30-installation/02-options.md

@@ -94,6 +94,13 @@ The default installation of Acorn will automatically create and sync any storage
 
 If an admin would rather manually manage the volume classes and not have these generated ones, then the `--manage-volume-classes` installation flag is available. The generated volume classes are not generated if this flag is used, and are deleted when the flag is set on an existing Acorn installation. If the flag is again switched off with `--manage-volume-classes=false`, then the volume classes will be generated again.
 
+## Kubernetes NetworkPolicies
+By default, Acorn will automatically create and manage Kubernetes [NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to isolate Acorn projects on the network level. This behavior can be disabled by passing `--network-policies=false` to `acorn install`, and can later be re-enabled by passing `--network-policies=true`.
+
+By default, Acorn workloads that publish ports that use HTTP will be allowed to receive traffic from internal (other pods in the cluster) and external (through the cluster's ingress) sources. To secure this further, you can require all traffic to Acorn workloads flow through your ingress by specifying the `--ingress-controller-namespace` parameter during installation.
+
+To allow traffic from a specific namespace to all Acorn apps in the cluster, use `--allow-traffic-from-namespace=<namespace>`. This is useful if there is a monitoring namespace, for example, that needs to be able to connect to all the pods created by Acorn in order to scrape metrics.
+
 ## Changing install options
 If you want to change your installation options after the initial installation, just rerun `acorn install` with the new options. This will update the existing install dynamically.
 

integration/run/run_test.go

@@ -17,14 +17,17 @@ import (
 	kclient "github.com/acorn-io/acorn/pkg/k8sclient"
 	"github.com/acorn-io/acorn/pkg/labels"
 	"github.com/acorn-io/acorn/pkg/run"
+	"github.com/acorn-io/acorn/pkg/scheme"
 	"github.com/acorn-io/acorn/pkg/tolerations"
+	"github.com/acorn-io/baaah/pkg/restconfig"
 	"github.com/acorn-io/baaah/pkg/router"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 	storagev1 "k8s.io/api/storage/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	k8slabels "k8s.io/apimachinery/pkg/labels"
 	crClient "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -1135,3 +1138,181 @@ func getStorageClassName(t *testing.T, storageClasses *storagev1.StorageClassLis
 	}
 	return storageClassName
 }
+
+func TestCrossProjectNetworkConnection(t *testing.T) {
+	helper.StartController(t)
+
+	rc, err := restconfig.New(scheme.Scheme)
+	if err != nil {
+		t.Fatal("error while getting rest config:", err)
+	}
+	ctx := helper.GetCTX(t)
+	c, _ := helper.ClientAndNamespace(t)
+	kc := helper.MustReturn(kclient.Default)
+
+	// create two separate projects in which to run two Nginx apps
+	proj1, err := c.ProjectCreate(ctx, "proj1", "local")
+	if err != nil {
+		t.Fatal("error while creating project:", err)
+	}
+	proj1Client, err := client.New(rc, proj1.Name, proj1.Status.Namespace)
+	if err != nil {
+		t.Fatal("error creating client for proj1:", err)
+	}
+
+	proj2, err := c.ProjectCreate(ctx, "proj2", "local")
+	if err != nil {
+		t.Fatal("error while creating project:", err)
+	}
+	proj2Client, err := client.New(rc, proj2.Name, proj2.Status.Namespace)
+	if err != nil {
+		t.Fatal("error creating client for proj2:", err)
+	}
+
+	t.Cleanup(func() {
+		// clean up projects
+		_, err := proj1Client.ProjectDelete(ctx, "proj1")
+		if err != nil {
+			t.Log("failed to delete project 'proj1':", err)
+		}
+		_, err = proj2Client.ProjectDelete(ctx, "proj2")
+		if err != nil {
+			t.Log("failed to delete project 'proj2':", err)
+		}
+	})
+
+	// create both apps, one in proj1 and the other in proj2
+	// app "foo" in proj1 does not publish any ports
+	// app "bar" in proj2 publishes port 80
+	fooImage, err := proj1Client.AcornImageBuild(ctx, "testdata/networkpolicy/Acornfile", nil)
+	if err != nil {
+		t.Fatal("error while building image:", err)
+	}
+	fooApp, err := proj1Client.AppRun(ctx, fooImage.ID, &client.AppRunOptions{
+		Name:            "foo",
+		TargetNamespace: proj1.Namespace,
+	})
+	if err != nil {
+		t.Fatal("error while running app:", err)
+	}
+
+	barImage, err := proj2Client.AcornImageBuild(ctx, "testdata/networkpolicy/publish.Acornfile", nil)
+	if err != nil {
+		t.Fatal("error while building image:", err)
+	}
+	barApp, err := proj2Client.AppRun(ctx, barImage.ID, &client.AppRunOptions{
+		Name:            "bar",
+		TargetNamespace: proj2.Namespace,
+	})
+	if err != nil {
+		t.Fatal("error while running app:", err)
+	}
+
+	// wait for both apps to be ready
+	helper.WaitForObject(t, helper.Watcher(t, proj1Client), &apiv1.AppList{}, fooApp, func(obj *apiv1.App) bool {
+		return obj.Status.Condition(v1.AppInstanceConditionReady).Success
+	})
+	helper.WaitForObject(t, helper.Watcher(t, proj2Client), &apiv1.AppList{}, barApp, func(obj *apiv1.App) bool {
+		return obj.Status.Condition(v1.AppInstanceConditionReady).Success
+	})
+
+	// determine pod IPs so we can test network connections
+	fooIP := getPodIPFromAppName(t, ctx, &kc, fooApp.Name, fooApp.Status.Namespace)
+	barIP := getPodIPFromAppName(t, ctx, &kc, barApp.Name, barApp.Status.Namespace)
+
+	// build an Acorn that just runs a job with the official curl container
+	curlImage1, err := proj1Client.AcornImageBuild(ctx, "testdata/networkpolicy/curl.Acornfile", nil)
+	if err != nil {
+		t.Fatal("error while building image:", err)
+	}
+	curlImage2, err := proj2Client.AcornImageBuild(ctx, "testdata/networkpolicy/curl.Acornfile", nil)
+	if err != nil {
+		t.Fatal("error while building image:", err)
+	}
+
+	checks := []struct {
+		name          string
+		client        client.Client
+		podIP         string
+		imageID       string
+		expectFailure bool
+	}{
+		{
+			name:          "curl-foo-proj1",
+			client:        proj1Client,
+			podIP:         fooIP,
+			imageID:       curlImage1.ID,
+			expectFailure: false,
+		},
+		{
+			name:    "curl-bar-proj1",
+			client:  proj1Client,
+			podIP:   barIP,
+			imageID: curlImage1.ID,
+			// even though bar has port 80 published, it should not be reachable from anything outside
+			// proj2 except for the ingress controller, so failure is expected here
+			expectFailure: true,
+		},
+		{
+			name:          "curl-foo-proj2",
+			client:        proj2Client,
+			podIP:         fooIP,
+			imageID:       curlImage2.ID,
+			expectFailure: true,
+		},
+		{
+			name:          "curl-bar-proj2",
+			client:        proj2Client,
+			podIP:         barIP,
+			imageID:       curlImage2.ID,
+			expectFailure: false,
+		},
+	}
+	for _, check := range checks {
+		t.Run(check.name, func(t *testing.T) {
+			// run curl to test the connection
+			app, err := check.client.AppRun(ctx, check.imageID, &client.AppRunOptions{
+				Name: check.name,
+				DeployArgs: map[string]any{
+					"address": check.podIP,
+				},
+			})
+			if err != nil {
+				t.Fatal("error while running app:", err)
+			}
+
+			appInstance := helper.WaitForObject(t, helper.Watcher(t, check.client), &apiv1.AppList{}, app, func(obj *apiv1.App) bool {
+				return obj.Status.JobsStatus["curl"].Failed || obj.Status.JobsStatus["curl"].Succeed
+			})
+
+			if check.expectFailure {
+				assert.Equal(t, true, appInstance.Status.JobsStatus["curl"].Failed)
+			} else {
+				assert.Equal(t, true, appInstance.Status.JobsStatus["curl"].Succeed)
+			}
+		})
+	}
+}
+
+func getPodIPFromAppName(t *testing.T, ctx context.Context, kc *crClient.WithWatch, appName, namespace string) string {
+	t.Helper()
+	selector, err := k8slabels.Parse(fmt.Sprintf("%s=%s", labels.AcornAppName, appName))
+	if err != nil {
+		t.Fatal("error creating k8s label selector:", err)
+	}
+
+	var podList corev1.PodList
+	podIP := ""
+	for podIP == "" {
+		err = (*kc).List(ctx, &podList, &kclient.ListOptions{
+			LabelSelector: selector,
+			Namespace:     namespace,
+		})
+		if err != nil {
+			t.Fatal("error listing pods:", err)
+		}
+		podIP = podList.Items[0].Status.PodIP
+	}
+
+	return podIP
+}

integration/run/testdata/networkpolicy/Acornfile

@@ -0,0 +1,6 @@
+containers: {
+	foo: {
+		image: "public.ecr.aws/docker/library/nginx:latest"
+		ports: "80/http"
+	}
+}

integration/run/testdata/networkpolicy/curl.Acornfile

@@ -0,0 +1,10 @@
+args: {
+  address: ""
+}
+
+jobs: {
+  curl: {
+    image: "curlimages/curl:latest"
+    command: ["sh", "-c", "sleep 5 && curl " + args.address]
+  }
+}

integration/run/testdata/networkpolicy/publish.Acornfile

@@ -0,0 +1,6 @@
+containers: {
+	bar: {
+		image: "ghcr.io/acorn-io/images-mirror/nginx:latest"
+		ports: publish: "80/http"
+	}
+}

pkg/apis/api.acorn.io/v1/types.go

@@ -346,6 +346,9 @@ type Config struct {
 	PropagateProjectAnnotations    []string `json:"propagateProjectAnnotations" name:"propagate-project-annotation" usage:"The list of keys of annotations to propagate from acorn project to app namespaces"`
 	PropagateProjectLabels         []string `json:"propagateProjectLabels" name:"propagate-project-label" usage:"The list of keys of labels to propagate from acorn project to app namespaces"`
 	ManageVolumeClasses            *bool    `json:"manageVolumeClasses" name:"manage-volume-classes" usage:"Manually manage volume classes rather than sync with storage classes, setting to 'true' will delete Acorn-created volume classes"`
+	NetworkPolicies                *bool    `json:"networkPolicies" name:"network-policies" usage:"Create Kubernetes NetworkPolicies which block cross-project network traffic (default true)"`
+	IngressControllerNamespace     *string  `json:"ingressControllerNamespace" name:"ingress-controller-namespace" usage:"The namespace where the ingress controller runs - used to secure published HTTP ports with NetworkPolicies."`
+	AllowTrafficFromNamespace      []string `json:"allowTrafficFromNamespace" name:"allow-traffic-from-namespace" usage:"Namespaces that are allowed to send network traffic to all Acorn apps"`
 }
 
 type EncryptionKey struct {

pkg/apis/api.acorn.io/v1/zz_generated.deepcopy.go

@@ -10,6 +10,7 @@ projects:
     config:
       acornDNS: null
       acornDNSEndpoint: null
+      allowTrafficFromNamespace: null
       allowUserAnnotations: null
       allowUserLabels: null
       autoUpgradeInterval: null
@@ -18,12 +19,14 @@ projects:
       httpEndpointPattern: null
       ignoreUserLabelsAndAnnotations: null
       ingressClassName: null
+      ingressControllerNamespace: null
       internalClusterDomain: ""
       internalRegistryPrefix: null
       letsEncrypt: null
       letsEncryptEmail: ""
       letsEncryptTOSAgree: null
       manageVolumeClasses: null
+      networkPolicies: null
       podSecurityEnforceProfile: ""
       propagateProjectAnnotations: null
       propagateProjectLabels: null
@@ -40,6 +43,7 @@ projects:
     userConfig:
       acornDNS: null
       acornDNSEndpoint: null
+      allowTrafficFromNamespace: null
       allowUserAnnotations: null
       allowUserLabels: null
       autoUpgradeInterval: null
@@ -48,12 +52,14 @@ projects:
       httpEndpointPattern: null
       ignoreUserLabelsAndAnnotations: null
       ingressClassName: null
+      ingressControllerNamespace: null
       internalClusterDomain: ""
       internalRegistryPrefix: null
       letsEncrypt: null
       letsEncryptEmail: ""
       letsEncryptTOSAgree: null
       manageVolumeClasses: null
+      networkPolicies: null
       podSecurityEnforceProfile: ""
       propagateProjectAnnotations: null
       propagateProjectLabels: null
@@ -68,6 +74,7 @@ projects:
     config:
       acornDNS: null
       acornDNSEndpoint: null
+      allowTrafficFromNamespace: null
       allowUserAnnotations: null
       allowUserLabels: null
       autoUpgradeInterval: null
@@ -76,12 +83,14 @@ projects:
       httpEndpointPattern: null
       ignoreUserLabelsAndAnnotations: null
       ingressClassName: null
+      ingressControllerNamespace: null
       internalClusterDomain: ""
       internalRegistryPrefix: null
       letsEncrypt: null
       letsEncryptEmail: ""
       letsEncryptTOSAgree: null
       manageVolumeClasses: null
+      networkPolicies: null
       podSecurityEnforceProfile: ""
       propagateProjectAnnotations: null
       propagateProjectLabels: null
@@ -98,6 +107,7 @@ projects:
     userConfig:
       acornDNS: null
       acornDNSEndpoint: null
+      allowTrafficFromNamespace: null
       allowUserAnnotations: null
       allowUserLabels: null
       autoUpgradeInterval: null
@@ -106,12 +116,14 @@ projects:
       httpEndpointPattern: null
       ignoreUserLabelsAndAnnotations: null
       ingressClassName: null
+      ingressControllerNamespace: null
       internalClusterDomain: ""
       internalRegistryPrefix: null
       letsEncrypt: null
       letsEncryptEmail: ""
       letsEncryptTOSAgree: null
       manageVolumeClasses: null
+      networkPolicies: null
       podSecurityEnforceProfile: ""
       propagateProjectAnnotations: null
       propagateProjectLabels: null