Adds NetworkPolicies to all components of Kube-prometheus #1650
Hmmm strange, this same setup worked when running locally 🤔
I'm not really sure what is wrong here, testing locally works... @prometheus-operator/kube-prometheus-reviewers any idea why e2e tests don't work with NetworkPolicies during CI?
Does it work locally?
yes it does 🤔
Alright, after @simonpasquier's suggestions, I've created another branch that only adds Calico to the CI just to make sure that it wasn't the problem here. Turns out that only by adding Calico, and not adding any network policy, our CI already fails. I'm not that knowledgeable about Kubernetes Networking, so I still haven't figured out why that breaks the CI.
@ArthurSens - I did take a look. Also no clue right now why it fails on CI with Calico installed. FWIW I checked out your branch and ran the tests locally on OS X and they passed too :/
Signed-off-by: ArthurSens <[email protected]>
…d prometheus Signed-off-by: GitHub <[email protected]> (cherry picked from commit 86e16b5)
Signed-off-by: GitHub <[email protected]> (cherry picked from commit 233a8ac)
Signed-off-by: GitHub <[email protected]> (cherry picked from commit df68b8d)
Signed-off-by: paulfantom <[email protected]> Signed-off-by: Paweł Krupa (paulfantom) <[email protected]> (cherry picked from commit d3ea314) (cherry picked from commit d24c347)
OKEY! Replacing Calico with Cilium did the trick 🚀 I believe this PR is ready for review now :)
@ArthurSens - great job, looks good to me overall but I wonder if we should update the quickstart guide also?
Good point! I'm not sure if that's needed though... Network policies should be a no-op on Kubernetes without a plugin with support for it, so this should work out-of-the-box. I'm not entirely sure we want to add another step to the quickstart guide to enable this. I think quickstart should have the least amount of friction possible 🤔
@ArthurSens - thanks for the link, I wasn't aware of the no-op situation and in that case it makes perfect sense to keep the quickstart as simple as possible. All good my side then. Will wait for some eyes from @paulfantom /others
I'm merging since there were no oppositions so far 🙂
FWIW, this seems to have completely broken my relatively ordinary setup on
@werdnum you have to do the opposite: You have to create a NetworkPolicy that allows access from your ingress (controller) Pods to the Grafana Pod; deleting all NetworkPolicies removes any access restrictions for this namespace.
Is there some kind of affordance in the templates to do so? Ideally there's something in Seems like this should have been marked as a breaking change.
I did some digging and provided an example of how to modify the NetworkPolicies in #1960. Not quite what you were asking for, but I have little experience with Helm.
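An added example (not part of this PR, of #1960, or of kube-prometheus itself) of the kind of policy described in the thread above: an extra NetworkPolicy that admits traffic from ingress controller Pods to the Grafana Pod. The namespaces, labels, port and policy name are assumptions and must be matched to the actual cluster.

```yaml
# Added example. Every value marked ASSUMPTION must be checked against the
# real cluster, e.g. with `kubectl get pods -n <namespace> --show-labels`.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: grafana-allow-ingress-controller   # hypothetical name
  namespace: monitoring                     # ASSUMPTION: namespace Grafana runs in
spec:
  # Select only the Grafana Pod. NetworkPolicies are additive: this policy
  # adds one more allowed source on top of the policies already in place,
  # so none of the existing policies need to be deleted or edited.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: grafana       # ASSUMPTION: Grafana Pod label
  policyTypes:
    - Ingress
  ingress:
    - from:
        # namespaceSelector and podSelector inside ONE list item are ANDed:
        # only ingress controller Pods in the ingress namespace are allowed.
        # Writing them as two separate list items would OR them and admit
        # every Pod in that namespace, plus any Pod in this namespace that
        # carries the controller label.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # ASSUMPTION
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx        # ASSUMPTION
      ports:
        - protocol: TCP
          port: 3000                        # ASSUMPTION: Grafana HTTP port
```

On a cluster whose network plugin does not enforce NetworkPolicies, this object is accepted but has no effect, as noted earlier in the thread.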
Description
This is continuing the work started at #1470.
It adds NetworkPolicies to all components of the stack:
Extra changes to make sure we keep supporting NetworkPolicies without breaking anything:
Fixes #1596
Type of change
What type of changes does your code introduce to the kube-prometheus? Put an x in the box that apply.
- CHANGE (fix or feature that would cause existing functionality to not work as expected)
- FEATURE (non-breaking change which adds functionality)
- BUGFIX (non-breaking change which fixes an issue)
- ENHANCEMENT (non-breaking change which improves existing functionality)
- NONE (if none of the other choices apply. Example, tooling, build system, CI, docs, etc.)
Changelog entry
Please put a one-line changelog entry below. Later this will be copied to the changelog file.