From 41a9d86bc37a8d757935b78b6b821ee7c958561e Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Sat, 23 Mar 2019 17:59:47 -0700
Subject: [PATCH] Add NetworkPolicy to limit traffic into Prometheus

* Allow traffic from Grafana to Prometheus in monitoring
* Allow traffic from Prometheus to Prometheus in monitoring
* NetworkPolicy denies non-whitelisted traffic. Define policy to allow other access
---
 CHANGES.md                            |  1 +
 addons/prometheus/network-policy.yaml | 28 +++++++++++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 addons/prometheus/network-policy.yaml

diff --git a/CHANGES.md b/CHANGES.md
index 38fdecee..ccc5a758 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -30,6 +30,7 @@ Notable changes between versions.
 * Update Prometheus from v2.7.1 to [v2.8.0](https://github.com/prometheus/prometheus/releases/tag/v2.8.0)
   * Refresh rules based on upstreams ([#426](https://github.com/poseidon/typhoon/pull/426))
+  * Define NetworkPolicy to allow only traffic from the Grafana addon
 * Update Grafana from v6.0.0 to v6.0.2
   * Add liveness and readiness probes
   * Refresh dashboards and organize to stay below ConfigMap size limit ([#426](https://github.com/poseidon/typhoon/pull/426))
diff --git a/addons/prometheus/network-policy.yaml b/addons/prometheus/network-policy.yaml
new file mode 100644
index 00000000..e64cdb54
--- /dev/null
+++ b/addons/prometheus/network-policy.yaml
@@ -0,0 +1,28 @@
+# Allow Grafana access and in-cluster Prometheus scraping
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: prometheus
+  namespace: monitoring
+spec:
+  podSelector:
+    matchLabels:
+      name: prometheus
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: 9090
+    from:
+    - namespaceSelector:
+        matchLabels:
+          name: monitoring
+      podSelector:
+        matchLabels:
+          name: grafana
+    - namespaceSelector:
+        matchLabels:
+          name: monitoring
+      podSelector:
+        matchLabels:
+          name: prometheus
+
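Review bot: The deny-by-default effect the commit message promises only exists when the cluster's CNI enforces NetworkPolicy; on a CNI that does not, this object is accepted by the API server and silently does nothing, so the header comment in network-policy.yaml should state that precondition, e.g. `# Enforced only by CNIs that implement NetworkPolicy; no-op otherwise`. Both `from` entries also match the source namespace on `name: monitoring`, which presumably relies on that label being set on the monitoring Namespace manifest elsewhere in the repo — if the label is absent the selector matches nothing and Grafana's scrapes of port 9090 are dropped along with everything else, so a second comment line `# Requires the monitoring Namespace to carry label name=monitoring` would save a debugging session. Making the intent explicit with `policyTypes:` / `- Ingress` under `spec` is worth two lines as well, since it documents that egress is deliberately left unrestricted rather than relying on the implicit default.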