Skip to content

Commit

Permalink
Update Redis Sentinel NetworkPolicy Rules (#42)
Browse files Browse the repository at this point in the history
This PR entirely eliminates the redis network policies, retaining only
the sentinel network policy.
Additionally, it introduces an extra `egress` rule for sentinels to
ensure they can connect only within their own namespace.

---------

Co-authored-by: Aaron Kuehler <[email protected]>
  • Loading branch information
rurkss and indiebrain authored Feb 9, 2024
1 parent f323073 commit 55611bc
Show file tree
Hide file tree
Showing 7 changed files with 56 additions and 324 deletions.
9 changes: 9 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,15 @@ Also check this project's [releases](https://github.com/powerhome/redis-operator

## Unreleased

## [v2.0.1] - 2024-02-09

### Fixed
- [Sentinels shoud only be allowed to talk to pods belonging to their RedisFailover Custom Resource](https://github.com/powerhome/redis-operator/pull/42).

Update notes:

This update modifies how the operator generates network policies. In version v2.0.0, there were two separate network policies: one for Redis and another for Redis Sentinels. From version v2.0.1 onwards, the operator will only generate a network policy for Sentinels. It is crucial to be aware that following the upgrade to this version, the existing network policy for Redis instances will persist and must be deleted manually.

## [v2.0.0] - 2024-01-18

### Added
Expand Down
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
VERSION := v2.0.0
VERSION := v2.0.1

# Name of this service/application
SERVICE_NAME := redis-operator
Expand Down
14 changes: 0 additions & 14 deletions mocks/operator/redisfailover/service/RedisFailoverClient.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 0 additions & 3 deletions operator/redisfailover/ensurer.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,6 @@ func (w *RedisFailoverHandler) Ensure(rf *redisfailoverv1.RedisFailover, labels
}

if !(len(rf.Spec.NetworkPolicyNsList) == 0) {
if err := w.rfService.EnsureRedisNetworkPolicy(rf, labels, or); err != nil {
return err
}
if err := w.rfService.EnsureSentinelNetworkPolicy(rf, labels, or); err != nil {
return err
}
Expand Down
9 changes: 0 additions & 9 deletions operator/redisfailover/service/client.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@ type RedisFailoverClient interface {
EnsureHAProxyRedisMasterConfigmap(rFailover *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error
EnsureHAProxyRedisMasterService(rFailover *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error
EnsureRedisHeadlessService(rFailover *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error
EnsureRedisNetworkPolicy(rFailover *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error
EnsureSentinelNetworkPolicy(rFailover *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error
EnsureSentinelService(rFailover *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error
EnsureSentinelConfigMap(rFailover *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error
Expand Down Expand Up @@ -87,14 +86,6 @@ func generateComponentLabel(componentType string) map[string]string {
}
}

// EnsureRedisNetworkPolicy makes sure the redis network policy exists
func (r *RedisFailoverKubeClient) EnsureRedisNetworkPolicy(rf *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error {
svc := generateRedisNetworkPolicy(rf, labels, ownerRefs)
err := r.K8SService.CreateOrUpdateNetworkPolicy(rf.Namespace, svc)
r.setEnsureOperationMetrics(svc.Namespace, svc.Name, "EnsureRedisNetworkPolicy", rf.Name, err)
return err
}

// EnsureSentinelNetworkPolicy makes sure the redis network policy exists
func (r *RedisFailoverKubeClient) EnsureSentinelNetworkPolicy(rf *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error {
svc := generateSentinelNetworkPolicy(rf, labels, ownerRefs)
Expand Down
72 changes: 14 additions & 58 deletions operator/redisfailover/service/generator.go
Original file line number Diff line number Diff line change
Expand Up @@ -456,63 +456,6 @@ func generateHAProxyRedisSlaveService(rf *redisfailoverv1.RedisFailover, labels
}
}

func generateRedisNetworkPolicy(rf *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) *np.NetworkPolicy {
name := GetRedisNetworkPolicyName(rf)
namespace := rf.Namespace

networkPolicyNsList := rf.Spec.NetworkPolicyNsList

selectorLabels := generateSelectorLabels(redisRoleName, rf.Name)
labels = util.MergeLabels(labels, selectorLabels)

metricsTargetPort := intstr.FromInt(9121)
redisTargetPort := intstr.FromInt(int(rf.Spec.Redis.Port))

peers := []np.NetworkPolicyPeer{}

for _, inputPeer := range networkPolicyNsList {

labelKey := inputPeer.MatchLabelKey
labelValue := inputPeer.MatchLabelValue

peers = append(peers, np.NetworkPolicyPeer{
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{labelKey: labelValue},
},
})
}

ports := make([]np.NetworkPolicyPort, 0)
ports = append(ports, np.NetworkPolicyPort{
Port: &redisTargetPort,
}, np.NetworkPolicyPort{
Port: &metricsTargetPort,
})

return &np.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Labels: labels,
OwnerReferences: ownerRefs,
},
Spec: np.NetworkPolicySpec{
PodSelector: metav1.LabelSelector{
MatchLabels: util.MergeLabels(
map[string]string{"redisfailovers.databases.spotahome.com/name": rf.Name},
generateComponentLabel("redis"),
),
},
Ingress: []np.NetworkPolicyIngressRule{
np.NetworkPolicyIngressRule{
From: peers,
Ports: ports,
},
},
},
}
}

func generateSentinelNetworkPolicy(rf *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) *np.NetworkPolicy {
name := GetSentinelNetworkPolicyName(rf)
namespace := rf.Namespace
Expand Down Expand Up @@ -543,6 +486,8 @@ func generateSentinelNetworkPolicy(rf *redisfailoverv1.RedisFailover, labels map
Port: &sentinelTargetPort,
})

redisfailoverLabels := map[string]string{"redisfailovers.databases.spotahome.com/name": rf.Name}

return &np.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand All @@ -553,7 +498,7 @@ func generateSentinelNetworkPolicy(rf *redisfailoverv1.RedisFailover, labels map
Spec: np.NetworkPolicySpec{
PodSelector: metav1.LabelSelector{
MatchLabels: util.MergeLabels(
map[string]string{"redisfailovers.databases.spotahome.com/name": rf.Name},
redisfailoverLabels,
generateComponentLabel("sentinel"),
),
},
Expand All @@ -563,6 +508,17 @@ func generateSentinelNetworkPolicy(rf *redisfailoverv1.RedisFailover, labels map
Ports: ports,
},
},
Egress: []np.NetworkPolicyEgressRule{
np.NetworkPolicyEgressRule{
To: []np.NetworkPolicyPeer{
np.NetworkPolicyPeer{
PodSelector: &metav1.LabelSelector{
MatchLabels: redisfailoverLabels,
},
},
},
},
},
},
}
}
Expand Down
Loading

0 comments on commit 55611bc

Please sign in to comment.