Add NetworkPolicy to limit traffic into Prometheus

* Allow traffic from Grafana to Prometheus in monitoring
* Allow traffic from Prometheus to Prometheus in monitoring
* NetworkPolicy denies non-whitelisted traffic. Define policy
to allow other access
Dalton Hubble 2019-03-23 17:59:47 -07:00
parent 36e31fc9fa
commit 41a9d86bc3
2 changed files with 29 additions and 0 deletions


@ -30,6 +30,7 @@ Notable changes between versions.
* Update Prometheus from v2.7.1 to [v2.8.0](https://github.com/prometheus/prometheus/releases/tag/v2.8.0) * Update Prometheus from v2.7.1 to [v2.8.0](https://github.com/prometheus/prometheus/releases/tag/v2.8.0)
* Refresh rules based on upstreams ([#426](https://github.com/poseidon/typhoon/pull/426)) * Refresh rules based on upstreams ([#426](https://github.com/poseidon/typhoon/pull/426))
* Define NetworkPolicy to allow only traffic from the Grafana addon
* Update Grafana from v6.0.0 to v6.0.2 * Update Grafana from v6.0.0 to v6.0.2
* Add liveness and readiness probes * Add liveness and readiness probes
* Refresh dashboards and organize to stay below ConfigMap size limit ([#426](https://github.com/poseidon/typhoon/pull/426)) * Refresh dashboards and organize to stay below ConfigMap size limit ([#426](https://github.com/poseidon/typhoon/pull/426))
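
Review bot: The added changelog line says the policy allows "only traffic from the Grafana addon", but the manifest in this commit also admits pods labelled `name: prometheus` in the monitoring namespace, and the commit message lists both. Suggest wording the entry to cover both sources and to note that any other client of Prometheus on port 9090 is now denied until an additional policy is defined, since that is the behavior change readers upgrading from the previous version need to know about.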


@ -0,0 +1,28 @@
# Allow Grafana access and in-cluster Prometheus scraping
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: prometheus
namespace: monitoring
spec:
podSelector:
matchLabels:
name: prometheus
ingress:
- ports:
- protocol: TCP
port: 9090
from:
- namespaceSelector:
matchLabels:
name: monitoring
podSelector:
matchLabels:
name: grafana
- namespaceSelector:
matchLabels:
name: monitoring
podSelector:
matchLabels:
name: prometheus
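
Review bot: Both `from` entries depend on `namespaceSelector` with `matchLabels: name: monitoring`, which matches only if the monitoring Namespace object itself carries a `name: monitoring` label, and neither of the two files changed here sets it. Kubernetes does not add a `name` label to namespaces on its own, so on a cluster where the namespace is unlabelled these peers select nothing and Grafana is cut off from port 9090 along with everything else. Because the policy lives in `namespace: monitoring`, a `from` entry with only `podSelector` already restricts to pods in that same namespace; dropping the `namespaceSelector` from both entries would remove the label dependency, or the label should be added to the namespace manifest in the same change and called out in the header comment.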