DoD-Platform-One / monitoring

Monitoring Stack Bootstrapper (Prometheus, Grafana)
https://repo1.dso.mil/big-bang/product/packages/monitoring
Apache License 2.0

Alertmanager requires egress netpol #7

Closed p1-repo-sync-bot[bot] closed 3 months ago

p1-repo-sync-bot[bot] commented 5 months ago

In order to configure Alertmanager for notifications such as SMTP or Slack, an egress netpol is needed. The current design blocks egress from this pod and doesn't seem to have a way to configure it within the chart. This requires deploying a separate egress netpol outside of the chart, which is not desirable, especially given the chart supports configurations for external notification configurations.

Below is an example of a netpol I created manually in order to allow Alertmanager to send notifications to Slack. It would be preferable to have this enabled when a receiver is configured for the chart.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  annotations:
    meta.helm.sh/release-name: monitoring-monitoring
    meta.helm.sh/release-namespace: monitoring
  labels:
    app.kubernetes.io/managed-by: Helm
    helm.toolkit.fluxcd.io/name: monitoring
    helm.toolkit.fluxcd.io/namespace: bigbang
  name: allow-egress-alertmanager
  namespace: monitoring
spec:
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
  podSelector:
    matchLabels:
      app.kubernetes.io/name: alertmanager
  policyTypes:
  - Egress
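One defender-side check prompted by the policy above: the wide-open 0.0.0.0/0 egress is only acceptable because of the `except` entry for the instance-metadata address. The following Python is an added example, not code from the monitoring chart or this issue; it evaluates NetworkPolicy ipBlock semantics with the standard library and flags a policy whose `except` list has been dropped. The policy dict is a hand-transcribed copy of the YAML above, and 203.0.113.10 is a constructed placeholder for an external notification endpoint.

```python
import copy
import ipaddress

# Constructed copy of the issue's NetworkPolicy as a dict, so no YAML parser is needed.
ALERTMANAGER_EGRESS_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-egress-alertmanager", "namespace": "monitoring"},
    "spec": {
        "podSelector": {"matchLabels": {"app.kubernetes.io/name": "alertmanager"}},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                        "except": ["169.254.169.254/32"]}}]}],
    },
}
# Cloud instance-metadata address that a pod with open egress should still not reach.
METADATA_ENDPOINT = "169.254.169.254"

def ip_block_allows(ip_block, dst):
    """ipBlock semantics: dst lies inside cidr and inside none of the except ranges."""
    if dst not in ipaddress.ip_network(ip_block["cidr"], strict=False):
        return False
    return not any(dst in ipaddress.ip_network(ex, strict=False)
                   for ex in ip_block.get("except", []))

def egress_allows(policy, dst_ip):
    """True if some egress rule permits dst_ip. A rule with no 'to' peers allows every
    destination; only ipBlock peers are evaluated (pod/namespace selectors are skipped)."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in policy["spec"].get("egress", []):
        peers = rule.get("to")
        if not peers:
            return True
        if any("ipBlock" in p and ip_block_allows(p["ipBlock"], dst) for p in peers):
            return True
    return False  # policyTypes includes Egress, so anything unmatched is denied

def metadata_endpoint_exposed(policy):
    """Lint: an Egress policy that lets the selected pods reach the metadata service."""
    spec = policy["spec"]
    return "Egress" in spec.get("policyTypes", []) and egress_allows(policy, METADATA_ENDPOINT)

def strip_except(policy):
    """Deep copy with every ipBlock 'except' removed: the mistake the lint should catch."""
    loose = copy.deepcopy(policy)
    for rule in loose["spec"].get("egress", []):
        for peer in rule.get("to", []):
            peer.get("ipBlock", {}).pop("except", None)
    return loose
```

Running `metadata_endpoint_exposed` over every NetworkPolicy in a namespace is a cheap admission-time or CI check for charts that toggle broad egress on.
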

p1-repo-sync-bot[bot] commented 3 months ago

piotr.machaj commented:

It turned out there was already an egress network policy for alertmanager: https://repo1.dso.mil/bigbang/product/packages/monitoring/-/blob/main/chart/templates/bigbang/networkpolicies/egress-tls.yaml?ref_type=heads I am closing this issue. I tested the alertmanager sending out a message to an external Slack application with the following values set:

monitoring:
  enabled: true
  values:
    istio:
      hardened:
        enabled: false
    networkPolicies:
      enabled: true
      # -- This toggle enables a NetworkPolicy that will allow external egress providing the ability to send alerts to external resources like MM/Slack/etc.
      alertmanager:
        enableEgress: true

p1-repo-sync-bot[bot] commented 3 months ago

Issue 'Alertmanager requires egress netpol' closed from GitLab side