Closed br0ziliy closed 3 years ago
I have noticed this too. The receiver guides suggest creating a loadbalancer, but the default network policy provided seems to block the communication of the loadbalancer with the service (at least on my DOK8s cluster, with cilium, this was the case).
If you create an ingress for your receiver, the networkpolicy is (I think) configured to allow the ingress traffic to reach the notification-controller.
It would make sense for our examples to show both: a webhook ingress (my example) for Notification Controller domain, and also an explanation of how to patch or modify the NetworkPolicy such that it permits loadbalancer communication with the notification controller.
Do you have the NetworkPolicy additions required to make a LoadBalancer work? Can you provide them here as an example?
(I completely did not notice that this issue report was submitted to the wrong location)
This is a Flux 2 report. This is the Flux v1 issue repo. #3320 Flux v1 is in maintenance mode.
This should most likely be reported in fluxcd/flux2 Issues instead. Please include enough detail to clearly understand what issue is being reported. (I think I understood your report because I've seen this issue before, but I'm not at all confident the issue is that well-known to be immediately understood by anyone else without more info as context.)
Oh, apologies; https://github.com/fluxcd/flux2/issues/1448 created. I rephrased it a bit and provided a bit more context, along with an example NetworkPolicy.
Describe the bug
Flux creates a set of NetworkPolicies that limit access to controller Pods, which is a good thing. The issue is that the NetworkPolicies created during installation currently allow ingress traffic to the notification controller only from within the same cluster. I suggest the documentation in https://fluxcd.io/docs/guides/webhook-receivers/ and https://fluxcd.io/docs/components/notification/receiver/ be updated with a note that, in order to access a webhook from outside networks, one would need to create an additional NetworkPolicy to explicitly allow it.
Additional context
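The kind of additional NetworkPolicy the report describes, as an added example that is not part of the original thread and is not the policy posted in fluxcd/flux2#1448. It assumes the `flux-system` namespace, the pod label `app: notification-controller`, and receiver port 9292; the policy name and the source CIDR are constructed placeholders.

```yaml
# Added example, not from the Flux project or the issue author.
# Assumptions: Flux is installed in flux-system, the notification-controller
# pods carry the label app=notification-controller, and the webhook receiver
# listens on TCP 9292. Verify all three on your cluster before applying.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external-webhooks     # hypothetical name
  namespace: flux-system
spec:
  # Select only the notification-controller; other Flux controllers stay
  # covered by the policies created at install time.
  podSelector:
    matchLabels:
      app: notification-controller
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Constructed placeholder range (RFC 5737 documentation block).
        # Replace with the published source ranges of your webhook sender
        # rather than opening the receiver to 0.0.0.0/0.
        - ipBlock:
            cidr: 203.0.113.0/24
      ports:
        # Only the receiver port, not the controller's other ports.
        - protocol: TCP
          port: 9292
```

NetworkPolicies are additive, so this rule widens access to the receiver port without replacing the policies created at install time. Whether `ipBlock` matches the original client address depends on the load balancer and CNI preserving the source IP, so confirm the observed source address before relying on the CIDR restriction.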