From da93cb0989a2fcd5cd72d5e06e1d2d23cd26908d Mon Sep 17 00:00:00 2001
From: Mateusz Gozdek
Date: Wed, 26 Aug 2020 17:47:12 +0200
Subject: [PATCH] aws-ebs-csi-driver: add NetworkPolicy allowing access to metadata
After we created aws-ebs-csi-driver component, we added a patch to Lokomotive, which deploys a Global Network Policy, which blocks access to EC2 Instance Metadata by default for all pods, which ended up breaking the component functionality. The issue was not spotted before, as the component does not have readiness probes defined, which has been reported upstream: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/issues/548 This commit fixes the component functionality, by adding the NetworkPolicy object selecting the controller pods, which unblocks all egress traffic for it, which bypasses the Global Network Policy.
Closes #864
Signed-off-by: Mateusz Gozdek
---
.../templates/networkpolicy.yaml | 18 ++++++++++++++++++
pkg/assets/generated_assets.go | 8 ++++++++
2 files changed, 26 insertions(+)
create mode 100644 assets/charts/components/aws-ebs-csi-driver/templates/networkpolicy.yaml
diff --git a/assets/charts/components/aws-ebs-csi-driver/templates/networkpolicy.yaml b/assets/charts/components/aws-ebs-csi-driver/templates/networkpolicy.yaml
new file mode 100644
index 000000000..f5defb547
--- /dev/null
+++ b/assets/charts/components/aws-ebs-csi-driver/templates/networkpolicy.yaml
@@ -0,0 +1,18 @@
+# Lokomotive-specific change.
+#
+# Bypass Global Network Policy blocking access to EC2 instance metadata
+# endpoint by allowing controller pods to connect to everything, as
+# other pods can.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: ebs-csi-controller-allow-all-egress
+spec:
+ podSelector:
+ matchLabels:
+ app: ebs-csi-controller
+ {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
+ egress:
+ - {}
+ policyTypes:
+ - Egress
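Review bot: The header comment should say what the allow-all egress re-exposes: with this policy the controller pods can read the EC2 instance metadata endpoint, and with it the credentials of the node's instance profile, while every other pod stays blocked by the Global Network Policy; appending `# Controller pods regain IMDS access (and the node instance-profile credentials); keep the controller's IAM policy scoped to the EBS operations it needs.` to the existing comment would make that trade-off explicit. `egress: - {}` is wider than the metadata endpoint alone, but since the Global Network Policy, per the commit message, exists to block the metadata endpoint and an egress policy selecting the pod would otherwise default-deny the controller's AWS API traffic, the blanket allow looks like the smallest workable rule — one sentence in the comment noting that would save the next reader the question. Whether a namespaced NetworkPolicy actually takes precedence over the Global Network Policy is not visible here and depends on how that policy is ordered, so a post-deploy check that the controller reaches IMDS is worth adding. The selector assumes the controller pods carry `app: ebs-csi-controller` alongside the chart's selectorLabels; confirm against controller.yaml, which is outside this patch. If the node DaemonSet pods also read instance metadata and do not use host networking, they remain blocked by the same Global Network Policy.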
diff --git a/pkg/assets/generated_assets.go b/pkg/assets/generated_assets.go
index 121f440ac..4220d696f 100644
--- a/pkg/assets/generated_assets.go
+++ b/pkg/assets/generated_assets.go
@@ -138,6 +138,13 @@ var vfsgenAssets = func() http.FileSystem { compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x24\xcc\xb1\x4e\x03\x31\x0c\x06\xe0\x3d\x4f\xf1\xab\xfb\x05\x55\x62\x40\x59\x61\xe9\x80\x90\x40\x62\xf7\x25\x2e\x58\xcd\x39\x47\xec\xb4\x43\xe9\xbb\xa3\xa3\xfb\xa7\x8f\x56\xf9\xe4\x6e\xd2\x34\xc1\xbc\x75\xfa\xe2\x78\x7a\xb2\x28\xed\xe1\xbc\x9f\xd9\x69\x1f\x4e\xa2\x25\xe1\xf9\xe3\xf0\xd2\xe5\xcc\x3d\x2c\xec\x54\xc8\x29\x05\x40\x69\xe1\x04\x9e\x2d\x66\x93\x48\x17\x8b\xb9\x2d\x01\xa8\x34\x73\xb5\x4d\x00\xd7\xeb\x04\xd1\x5c\x47\x61\xec\xe8\x62\x13\xcf\x36\x65\x93\xa9\xfc\x7f\xf1\x6e\x77\x88\xf8\x85\x8a\x16\x56\xc7\x23\x6e\xb7\x60\x2b\xe7\xad\x20\x77\xca\xdf\xef\xfc\x33\xa4\x73\x49\xf0\x3e\x38\x00\x6b\x2b\x07\x3d\xb6\x37\x7d\x6d\x43\x3d\xe1\x48\xd5\x38\xfc\x05\x00\x00\xff\xff\xb6\x90\x9b\xde\xd1\x00\x00\x00"), }, + "/charts/components/aws-ebs-csi-driver/templates/networkpolicy.yaml": &vfsgen۰CompressedFileInfo{ + name: "networkpolicy.yaml", + modTime: time.Date(1970, 1, 1, 0, 0, 1, 0, time.UTC), + uncompressedSize: 479, + + compressedContent: 
[]byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x6c\x90\xc1\xce\xd3\x30\x10\x84\xef\x7e\x8a\xd1\x9f\x2b\x09\x82\x03\x42\x3d\x82\x7e\x71\xa9\x10\x12\x88\xfb\xc6\x59\xd2\x55\xdc\x5d\xcb\x6b\x5a\x45\xa5\xef\x8e\xdc\x34\xe2\xc2\xc5\xb2\xc7\x33\xe3\xcf\xdb\xe1\x68\x8b\x9d\xad\xca\x85\x7b\xcf\x1c\xe5\x97\x44\xc4\x13\xe9\xcc\x43\xe8\x42\x87\x4f\x6b\x26\x77\x7c\x49\x36\x52\xc2\x57\xae\x57\x2b\x0b\xbe\x59\x92\xb8\x62\x4c\x16\x17\xd1\x19\x14\x23\xbb\xa3\x1a\x5e\x3f\xbf\x87\xa8\x57\xd2\xc8\x38\x73\xa5\x89\x2a\x85\x0e\xac\x53\x36\xd1\x8a\x71\x05\xa5\x64\xd7\x16\x8b\xa6\xb5\x58\x4a\x5c\x90\x6d\x7a\xe4\xa3\xa9\x72\xac\x6d\xcb\x17\x2e\x6b\x3d\x89\xce\x6f\x40\x1e\x3a\x58\x3d\xed\xce\x48\x3a\x04\xca\xf2\x93\x8b\x8b\xe9\x01\xba\x91\x89\xce\xc3\xf2\xd1\x07\xb1\xb7\x97\x77\x61\x11\x9d\x0e\x3b\xf4\xc6\x1c\x76\xa6\x43\x00\x94\xce\x7c\x00\x8f\xde\x47\x97\xfe\x1f\x4d\xff\x20\x6c\x6b\xcf\x73\x61\xf7\xd0\x66\xd3\x12\xd9\xa6\xef\x9c\x38\x56\x2b\xed\x08\x9c\xa9\xc6\xd3\x91\x46\x4e\xbe\x09\x00\xe5\xfc\xbf\xd2\xe7\xed\xed\xd6\x43\x34\xa6\xdf\x13\xe3\x85\xae\xde\xef\xce\xa9\xc8\x85\xcb\xe0\xcf\xfa\xad\xf3\x05\x03\xfe\x40\x45\x27\xd6\x8a\x0f\xb8\xdf\x03\xb0\x31\xb5\xe7\x7a\xdc\xee\x0f\xaa\xf6\xb5\x1f\x6b\xe6\xa7\xfa\xba\x51\xff\x0d\x00\x00\xff\xff\xeb\x04\x97\x11\xdf\x01\x00\x00"), + }, "/charts/components/aws-ebs-csi-driver/templates/node.yaml": &vfsgen۰CompressedFileInfo{ name: "node.yaml", modTime: time.Date(1970, 1, 1, 0, 0, 1, 0, time.UTC), 
@@ -5235,6 +5242,7 @@ var vfsgenAssets = func() http.FileSystem { fs["/charts/components/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml"].(os.FileInfo), fs["/charts/components/aws-ebs-csi-driver/templates/controller.yaml"].(os.FileInfo), fs["/charts/components/aws-ebs-csi-driver/templates/csidriver.yaml"].(os.FileInfo), + fs["/charts/components/aws-ebs-csi-driver/templates/networkpolicy.yaml"].(os.FileInfo), fs["/charts/components/aws-ebs-csi-driver/templates/node.yaml"].(os.FileInfo), fs["/charts/components/aws-ebs-csi-driver/templates/role-snapshot-controller-leaderelection.yaml"].(os.FileInfo), fs["/charts/components/aws-ebs-csi-driver/templates/rolebinding-snapshot-controller-leaderelection.yaml"].(os.FileInfo),