diff --git a/ee/lib/remote_development/workspaces/reconcile/output/desired_config_generator.rb b/ee/lib/remote_development/workspaces/reconcile/output/desired_config_generator.rb index f980243830e0d444b7997d3272a7b98c2c59b354..565ea0dfa9731ca563a15cc3aa9258904e5c316f 100644 --- a/ee/lib/remote_development/workspaces/reconcile/output/desired_config_generator.rb +++ b/ee/lib/remote_development/workspaces/reconcile/output/desired_config_generator.rb @@ -66,7 +66,8 @@ def self.generate_desired_config(workspace:, include_all_resources:, logger:) namespace: workspace.namespace, labels: labels, annotations: annotations, - gitlab_workspaces_proxy_namespace: gitlab_workspaces_proxy_namespace + gitlab_workspaces_proxy_namespace: gitlab_workspaces_proxy_namespace, + egress_ip_rules: remote_development_agent_config.network_policy_egress ) desired_config.append(network_policy) end @@ -217,8 +218,16 @@ def self.get_domain_template_annotation(name:, dns_zone:) # @param [Hash] labels # @param [Hash] annotations # @param [string] gitlab_workspaces_proxy_namespace + # @param [Array] egress_rules # @return [Hash] - def self.get_network_policy(name:, namespace:, labels:, annotations:, gitlab_workspaces_proxy_namespace:) + def self.get_network_policy( + name:, + namespace:, + labels:, + annotations:, + gitlab_workspaces_proxy_namespace:, + egress_ip_rules: + ) policy_types = [ - "Ingress", - "Egress" 
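Review bot: `remote_development_agent_config.network_policy_egress` is handed to `get_network_policy` as-is, and nothing in this hunk covers a nil value, which the `egress_ip_rules.each` in the callee would turn into a NoMethodError on every reconcile for that agent. If the column carries a non-null default this cannot happen, but that is not visible in the diff; `egress_ip_rules: Array(remote_development_agent_config.network_policy_egress)` would make the generator tolerant, and a nil or empty rule set would then simply produce a DNS-only (fail-closed) egress policy. generate_desired_config starts and ends outside the hunk.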
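Review bot: The YARD tag added above `get_network_policy` documents a parameter named `egress_rules`, but the keyword introduced in the new signature is `egress_ip_rules`, so the tag will not attach to the parameter. It should read `# @param [Array<Hash>] egress_ip_rules`, ideally with a note that each element is expected to carry `allow` and `except` keys, since that is what the body (outside this hunk) reads from it. The method body continues past the hunk.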
@@ -241,18 +250,18 @@ def self.get_network_policy(name:, namespace:, labels:, annotations:, gitlab_wor "kubernetes.io/metadata.name": "kube-system" } } - egress_except_cidr = [ - - "10.0.0.0/8", - - "172.16.0.0/12", - - "192.168.0.0/16" - ] egress = [ - { to: [{ ipBlock: { cidr: "0.0.0.0/0", except: egress_except_cidr } }] }, { ports: [{ port: 53, protocol: "TCP" }, { port: 53, protocol: "UDP" }], to: [{ namespaceSelector: kube_system_namespace_selector }] } ] + egress_ip_rules.each do |egress_rule| + symbolized_egress_rule = egress_rule.deep_symbolize_keys + egress.append( + { to: [{ ipBlock: { cidr: symbolized_egress_rule[:allow], except: symbolized_egress_rule[:except] } }] } + ) + end { apiVersion: "networking.k8s.io/v1", diff --git a/ee/lib/remote_development/workspaces/reconcile/output/desired_config_generator_prev1.rb b/ee/lib/remote_development/workspaces/reconcile/output/desired_config_generator_prev1.rb index 99b90344c96f09f5b7b5a5fb893c492ef0762652..d1f239674f4335e185fdd05bc8d8a7b030ff3038 100644 --- a/ee/lib/remote_development/workspaces/reconcile/output/desired_config_generator_prev1.rb +++ b/ee/lib/remote_development/workspaces/reconcile/output/desired_config_generator_prev1.rb @@ -153,11 +153,11 @@ def self.get_network_policy(name:, namespace:, labels:, annotations:, gitlab_wor - "192.168.0.0/16" ] egress = [ - { to: [{ ipBlock: { cidr: "0.0.0.0/0", except: egress_except_cidr } }] }, { ports: [{ port: 53, protocol: "TCP" }, { port: 53, protocol: "UDP" }], to: [{ namespaceSelector: kube_system_namespace_selector }] - } + }, + { to: [{ ipBlock: { cidr: "0.0.0.0/0", except: egress_except_cidr } }] } ] { diff --git a/ee/spec/lib/remote_development/workspaces/reconcile/main_integration_spec.rb b/ee/spec/lib/remote_development/workspaces/reconcile/main_integration_spec.rb index def739555fa3f27e2fb11f397088a8b232f2751b..12fd1f70a5841d9eaa9caf9a35ee888c212edba0 100644 --- a/ee/spec/lib/remote_development/workspaces/reconcile/main_integration_spec.rb 
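Review bot: The ipBlock built inside the `egress_ip_rules.each` loop emits `except: symbolized_egress_rule[:except]` unconditionally, so a rule that has only `allow` ends up as `except: nil` in the manifest; `ipBlock: { cidr: symbolized_egress_rule[:allow], except: symbolized_egress_rule[:except] }.compact` keeps the key out unless it was actually configured. Whether the API server tolerates an explicit null there I cannot confirm from this diff, but omitting it avoids the question. Note also that with the hard-coded RFC 1918 exclusion gone, the only thing between a workspace and cluster-internal or link-local addresses (the cloud metadata endpoint was never in the old list either) is whatever the agent config and its default contain, and nothing in this method checks that the `allow`/`except` strings are well-formed CIDRs — if that validation lives in the config updater, a one-line comment here saying so would save the next reader the search. get_network_policy starts and ends outside the hunk.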
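Review bot: Moving the `0.0.0.0/0` ipBlock rule after the DNS rule in `desired_config_generator_prev1` changes nothing for Kubernetes, which unions NetworkPolicy egress rules, so the reorder presumably exists only to keep this legacy generator aligned with the shared `workspace_network_policy` fixture. A comment on the `egress = [` line such as `# Order must match the shared spec fixture; rule order has no semantic effect` would stop a later reader from looking for a precedence change that is not there. The method starts and ends outside the hunk.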
+++ b/ee/spec/lib/remote_development/workspaces/reconcile/main_integration_spec.rb
@@ -17,6 +17,7 @@
 let_it_be(:user) { create(:user) }
 let_it_be(:agent) { create(:ee_cluster_agent, :with_remote_development_agent_config) }
+ let(:egress_ip_rules) { agent.remote_development_agent_config.network_policy_egress }
 let(:logger) { instance_double(::Logger) }
@@ -189,7 +190,7 @@
 end
 end
- context 'when only some workspaces fail in devfile flattener' do
+ context 'when only some workspaces fail in devfile flattener' do # rubocop:disable RSpec/MultipleMemoizedHelpers -- Need these memoized helpers to test effectively
 let(:workspace) do
 create(:workspace, name: "workspace1", agent: agent, user: user, force_include_all_resources: false)
 end
@@ -333,7 +334,11 @@
 let(:deployment_resource_version_from_agent) { workspace.deployment_resource_version }
 let(:expected_config_to_apply) do
- create_config_to_apply(workspace: workspace, started: expected_value_for_started)
+ create_config_to_apply(
+ workspace: workspace,
+ started: expected_value_for_started,
+ egress_ip_rules: egress_ip_rules
+ )
 end
 let(:expected_workspace_rails_infos) { [expected_workspace_rails_info] }
@@ -440,7 +445,11 @@
 let(:expected_value_for_started) { false }
 let(:expected_config_to_apply) do
- create_config_to_apply(workspace: workspace, started: expected_value_for_started)
+ create_config_to_apply(
+ workspace: workspace,
+ started: expected_value_for_started,
+ egress_ip_rules: egress_ip_rules
+ )
 end
 it 'returns the proper response' do
@@ -510,7 +519,8 @@
 create_config_to_apply(
 workspace: unprovisioned_workspace,
 started: expected_value_for_started,
- include_all_resources: true
+ include_all_resources: true,
+ egress_ip_rules: egress_ip_rules
 )
 end
diff --git a/ee/spec/lib/remote_development/workspaces/reconcile/output/desired_config_generator_spec.rb b/ee/spec/lib/remote_development/workspaces/reconcile/output/desired_config_generator_spec.rb
index 3597767d400c8813590e4b7e72143cc107f3c54e..bd3c14fa696bb6ac23d6e603a49aedb3828f9f12 100644
--- a/ee/spec/lib/remote_development/workspaces/reconcile/output/desired_config_generator_spec.rb
+++ b/ee/spec/lib/remote_development/workspaces/reconcile/output/desired_config_generator_spec.rb
@@ -16,6 +16,7 @@
 let(:deployment_resource_version_from_agent) { workspace.deployment_resource_version }
 let(:network_policy_enabled) { true }
 let(:gitlab_workspaces_proxy_namespace) { 'gitlab-workspaces' }
+ let(:egress_ip_rules) { agent.remote_development_agent_config.network_policy_egress }
 let(:workspace) do
 create(
@@ -33,7 +34,8 @@
 workspace: workspace,
 started: started,
 include_network_policy: network_policy_enabled,
- include_all_resources: include_all_resources
+ include_all_resources: include_all_resources,
+ egress_ip_rules: egress_ip_rules
 )
 )
 end
diff --git a/ee/spec/lib/remote_development/workspaces/reconcile/output/devfile_parser_spec.rb b/ee/spec/lib/remote_development/workspaces/reconcile/output/devfile_parser_spec.rb
index 9a6c913aa12cb9ab94ee40ebccfd7a356bd0422e..b92e908625777bad7f493fd7c806015a48027311 100644
--- a/ee/spec/lib/remote_development/workspaces/reconcile/output/devfile_parser_spec.rb
+++ b/ee/spec/lib/remote_development/workspaces/reconcile/output/devfile_parser_spec.rb
@@ -28,6 +28,7 @@
 let(:domain_template) { "{{.port}}-#{workspace.name}.#{workspace.dns_zone}" }
 let(:env_var_secret_name) { "#{workspace.name}-env-var" }
 let(:file_secret_name) { "#{workspace.name}-file" }
+ let(:egress_ip_rules) { RemoteDevelopment::AgentConfig::Updater::NETWORK_POLICY_EGRESS_DEFAULT }
 let(:expected_workspace_resources) do
 YAML.load_stream(
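Review bot: `let(:egress_ip_rules)` resolves to `agent.remote_development_agent_config.network_policy_egress`, the very value the generator under test reads, so the expected policy is derived from the input and the example only proves the two agree for whatever rule set the factory stores — presumably the default, which the old hard-coded policy already covered. An example that overrides the agent config with a non-default rule set, including one rule that has `allow` but no `except`, would pin the actual mapping into `ipBlock.cidr`/`ipBlock.except` instead of only its plumbing. Writing that expectation as literal hashes rather than through the shared helper would keep it independent of the generator's own construction code.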
@@ -39,7 +40,8 @@
 include_inventory: false,
 include_network_policy: false,
 include_all_resources: false,
- dns_zone: dns_zone
+ dns_zone: dns_zone,
+ egress_ip_rules: egress_ip_rules
 )
 )
 end
diff --git a/ee/spec/support/shared_contexts/remote_development/remote_development_shared_contexts.rb b/ee/spec/support/shared_contexts/remote_development/remote_development_shared_contexts.rb
index 6db724d6963f3913c5db21300b4b2c579fa59edc..95ce81f0849b3f085b25e97af7e9714b841506f3 100644
--- a/ee/spec/support/shared_contexts/remote_development/remote_development_shared_contexts.rb
+++ b/ee/spec/support/shared_contexts/remote_development/remote_development_shared_contexts.rb
@@ -303,7 +303,8 @@ def create_config_to_apply(
 include_inventory: true,
 include_network_policy: true,
 include_all_resources: false,
- dns_zone: 'workspaces.localdev.me'
+ dns_zone: 'workspaces.localdev.me',
+ egress_ip_rules: RemoteDevelopment::AgentConfig::Updater::NETWORK_POLICY_EGRESS_DEFAULT
 )
 spec_replicas = started == true ? 1 : 0
 host_template_annotation = get_workspace_host_template_annotation(workspace.name, dns_zone)
@@ -344,7 +345,8 @@ def create_config_to_apply(
 workspace_name: workspace.name,
 workspace_namespace: workspace.namespace,
 agent_id: agent.id,
- host_template_annotation: host_template_annotation
+ host_template_annotation: host_template_annotation,
+ egress_ip_rules: egress_ip_rules
 )
 workspace_secrets_inventory = workspace_secrets_inventory(
@@ -446,7 +448,8 @@ def create_config_to_apply_prev1(
 workspace_name: workspace_name,
 workspace_namespace: workspace_namespace,
 agent_id: agent_id,
- host_template_annotation: host_template_annotation
+ host_template_annotation: host_template_annotation,
+ egress_ip_rules: RemoteDevelopment::AgentConfig::Updater::NETWORK_POLICY_EGRESS_DEFAULT
 )
 resources = []
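Review bot: `create_config_to_apply_prev1` now feeds `RemoteDevelopment::AgentConfig::Updater::NETWORK_POLICY_EGRESS_DEFAULT` into the fixture, while the prev1 generator it describes still hard-codes its own `egress_except_cidr` list (visible in the generator hunk earlier in this diff), so the two agree only as long as the constant and that list stay identical. If the default is ever widened, the prev1 spec will fail for a change that has nothing to do with prev1. A comment on the added line, e.g. `# prev1 generator hard-codes this rule set; keep in sync with its egress_except_cidr`, or a literal copy of the expected rule here instead of the constant, would make that dependency explicit. The helper continues past the hunk.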
@@ -1094,8 +1097,29 @@ def workspace_network_policy(
 workspace_name:,
 workspace_namespace:,
 agent_id:,
- host_template_annotation:
+ host_template_annotation:,
+ egress_ip_rules:
 )
+ egress = [
+ {
+ ports: [{ port: 53, protocol: "TCP" }, { port: 53, protocol: "UDP" }],
+ to: [
+ {
+ namespaceSelector: {
+ matchLabels: {
+ "kubernetes.io/metadata.name": "kube-system"
+ }
+ }
+ }
+ ]
+ }
+ ]
+ egress_ip_rules.each do |egress_rule|
+ symbolized_egress_rule = egress_rule.deep_symbolize_keys
+ egress.append(
+ { to: [{ ipBlock: { cidr: symbolized_egress_rule[:allow], except: symbolized_egress_rule[:except] } }] }
+ )
+ end
 {
 apiVersion: "networking.k8s.io/v1",
 kind: "NetworkPolicy",
@@ -1112,39 +1136,7 @@ def workspace_network_policy(
 namespace: workspace_namespace.to_s
 },
 spec: {
- egress: [
- {
- to: [
- {
- ipBlock: {
- cidr: "0.0.0.0/0",
- except: %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
- }
- }
- ]
- },
- {
- ports: [
- {
- port: 53,
- protocol: "TCP"
- },
- {
- port: 53,
- protocol: "UDP"
- }
- ],
- to: [
- {
- namespaceSelector: {
- matchLabels: {
- "kubernetes.io/metadata.name": "kube-system"
- }
- }
- }
- ]
- }
- ],
+ egress: egress,
 ingress: [
 {
 from: [
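Review bot: The fixture now reproduces the generator's construction logic line for line — the same `deep_symbolize_keys` call and the same `{ to: [{ ipBlock: { cidr: ..., except: ... } }] }` appended per rule — so any defect in that mapping, such as emitting `except: nil` for a rule without an `except`, is mirrored in the expectation and can never fail a test. Expected manifests are more useful as literal hashes for a known rule set; at minimum, keep the `each` but read the rule's keys directly (`egress_rule["allow"]`, `egress_rule["except"]`) and drop the key that is absent, so the expectation does not lean on the implementation's symbolization step. Whether the rules arrive with string or symbol keys is not visible here, so check the constant's shape before picking the accessor. workspace_network_policy continues past the hunk.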