Add initial support for network policies #151

Closed
wants to merge 3 commits into from


DonaldKellett

What does this PR change?

This PR introduces initial support for network policies

Does this PR relate to any other PRs?

Inspired by #56

How will this PR impact users?

Adds the ability to enable network policies simply by setting the field networkPolicies.enabled to true

Does this PR address any GitHub or Zendesk issues?

Closes #21

How was this PR tested?

  • kind version: v0.20.0
  • K8s version (both client and server): v1.27.3
  • Helm version: v3.13.2

Internal Prometheus

  • Repository: https://prometheus-community.github.io/helm-charts
  • Chart: prometheus
  • Release name: prometheus
  • Namespace: prometheus-system

OpenCost configuration

  1. Using the defaults in charts/opencost/values.yaml
  2. With networkPolicies.enabled set to true

Does this PR require changes to documentation?

Included within the PR, please review

Have you labeled this PR and its corresponding Issue as "next release" if it should be part of the next OpenCost release? If not, why not?

Not applicable to this Helm chart repository, I believe?

Signed-off-by: Donald Sebastian Leung <[email protected]>

DonaldKellett commented Nov 19, 2023

kind and Prometheus configuration

asciicast

OpenCost Helm installation with default configuration

asciicast

OpenCost Helm installation with NetworkPolicies enabled

asciicast

@DonaldKellett

I propose we keep this simple; we can refine the NetworkPolicy configuration options in future issues / PRs.

Comment on lines 33 to 35
| networkPolicies.enabled | bool | `false` | Whether network policies should be created |
| networkPolicies.prometheus.namespace | string | `"prometheus-system"` | Namespace where internal Prometheus is installed |
| networkPolicies.prometheus.labels | object | `{ "app.kubernetes.io/name": "prometheus" }` | Label\(s\) used to identify the server Pod\(s\) relating to the internal Prometheus |
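
Review bot: the `networkPolicies.enabled` description, "Whether network policies should be created", does not say which traffic the policies allow or deny, so a reader cannot tell from this table what else is cut off once the flag is set. Suggest naming the direction and the permitted peer in that row, and stating in the `networkPolicies.prometheus.labels` row that the selector should match only the Prometheus server pods, since any other pod in that namespace carrying the same label would be matched as well.
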
Contributor Author

Would like to mention that I found the current formatting of this Markdown table very distracting and difficult to work with both in Vim and VS Code.

Feel free to go ahead and fix the formatting on my behalf to match the other rows, or suggest a tool which can format the table automatically.

Comment on lines 93 to 96
| opencost.prometheus.internal.namespaceName | string | `"prometheus-system"` | Namespace of in-cluster Prometheus |
| opencost.prometheus.internal.podPort | int | `9090` | Pod port of in-cluster Prometheus |
| opencost.prometheus.internal.serviceName | string | `"prometheus-server"` | Service name of in-cluster Prometheus |
| opencost.prometheus.internal.servicePort | int | `80` | Service port of in-cluster Prometheus |
Contributor Author

I took the liberty to change the defaults for these values, since the original defaults don't work with the Prometheus Helm chart which I assume is one of the most common methods of deploying Prometheus on Kubernetes. In particular, the Prometheus Helm chart names the Prometheus service as ${RELEASE_NAME}-server which the original default value of my-prometheus will never match.

With the new defaults, the OpenCost Helm chart will work out of the box without any customized configuration if Prometheus is installed via the Helm chart with the following parameters:

  • Release name: prometheus
  • Release namespace: prometheus-system

Comment on lines 21 to 33
# NetworkPolicies for ingress
networkPolicies:
# -- Specifies whether networkpolicies should be created
enabled: false

# -- Internal Prometheus settings related to NetworkPolicies
prometheus:
# -- Namespace where internal Prometheus is installed
namespace: prometheus-system
# -- Labels applied to the Prometheus server pod(s)
labels:
app.kubernetes.io/name: prometheus
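
Review bot: `networkPolicies.prometheus.namespace` repeats the `prometheus-system` default that this PR also gives `opencost.prometheus.internal.namespaceName`, so a user who points OpenCost at a Prometheus in another namespace has to change two fields, and missing the second leaves a policy that no longer matches the real peer. Suggest falling back to the existing `namespaceName` value when this field is unset, or saying in the comment above `namespace:` that the two must agree.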

Contributor Author

Again, these defaults are designed to work out of the box with the Prometheus Helm chart installed as release prometheus in namespace prometheus-system.

Comment on lines 255 to 261
serviceName: prometheus-server
# -- Namespace of in-cluster Prometheus
namespaceName: opencost
namespaceName: prometheus-system
# -- Service port of in-cluster Prometheus
port: 9090
servicePort: 80
# -- Pod port of in-cluster Prometheus
podPort: 9090
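
Review bot: where `port: 9090` gives way to `servicePort: 80`, the rename drops a key that existing installs may already override, so a custom `opencost.prometheus.internal.port` would be silently ignored after an upgrade. The defaults also move from 9090 to 80 and from `namespaceName: opencost` to `prometheus-system`, which changes behaviour for anyone relying on the old values. Suggest keeping the `port` key for the Service port and calling out the changed defaults in the release notes.
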
Contributor Author

Ditto (OOTB with Prometheus Helm chart)


DonaldKellett commented Nov 19, 2023

Just made the following changes to the Helm chart configuration:

  1. Reverted opencost.prometheus.internal.servicePort --> opencost.prometheus.internal.port
  2. Moved opencost.prometheus.internal.podPort --> networkPolicies.prometheus.port

Rationale:

  1. Preserve original field name to retain backwards compatibility with existing OpenCost installations utilizing a custom opencost.prometheus.internal.port value
  2. The pod port of in-cluster Prometheus is only relevant when network policies are enabled

Rest assured I tested the latest changes against both the default configuration and with network policies enabled, but feel free to verify the results independently.
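
An added example, not the chart's own template: one shape a policy built from these values could take, showing why the rule needs the Prometheus pod port (9090) rather than the Service port (80). It assumes the policy restricts egress from the OpenCost pod; the policy name, the `opencost` namespace, the `app.kubernetes.io/name: opencost` label and the DNS rule are assumptions, while the Prometheus namespace, label and ports are the defaults quoted in this thread.

```yaml
# Hypothetical manifest written for illustration; not rendered from the chart.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: opencost-egress-example        # assumed name
  namespace: opencost                  # assumed release namespace
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: opencost # assumed OpenCost pod label
  policyTypes:
    - Egress
  egress:
    # OpenCost -> Prometheus server pods. Policy rules select pods, so the
    # port is the one the pod listens on (9090), not the Service port (80)
    # that OpenCost dials through prometheus-server.
    - to:
        - namespaceSelector:
            matchLabels:
              # Label set automatically on every namespace by Kubernetes.
              kubernetes.io/metadata.name: prometheus-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - protocol: TCP
          port: 9090
    # Cluster DNS, needed to resolve the prometheus-server Service name.
    # Assumes the usual k8s-app=kube-dns label in kube-system.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

An Egress policy drops every destination it does not list, so anything else the pod talks to needs its own rule, and a CNI that does not enforce NetworkPolicy will accept the object without applying it.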

mattray added a commit that referenced this pull request Nov 30, 2023
* Fixes Issue #21

Signed-off-by: Donald Sebastian Leung <[email protected]>

* Refine Helm chart configuration to maintain backwards compatibility

Signed-off-by: Donald Sebastian Leung <[email protected]>

* Version bump

Signed-off-by: Matt Ray <[email protected]>

---------

Signed-off-by: Donald Sebastian Leung <[email protected]>
Signed-off-by: Matt Ray <[email protected]>
Co-authored-by: Donald Sebastian Leung <[email protected]>

mattray commented Nov 30, 2023

Merged in #155

Thanks @DonaldKellett!

@mattray mattray closed this Nov 30, 2023
@DonaldKellett DonaldKellett deleted the feature/netpol branch November 30, 2023 07:50