KFLUXINFRA-2558 - Add network policies to ESO (staging only) (#9370)

oswcab · web-flow · commit a6a91e75ef47 · 2025-12-08T16:54:41.000-05:00
This commit introduces NetworkPolicy resources to enhance the security
posture of the external-secrets-operator component by implementing a
zero-trust network model.

The policies include:
- Default deny-all policy as a security baseline
- Allow egress to Kubernetes API server and DNS for operator functionality
- Allow egress to external secret providers (AWS, Vault, etc.)
- Allow webhook ingress from the API server and ArgoCD for CRD validation
- Allow metrics scraping from monitoring namespaces
- Allow health check probes from kubelet
- Allow intra-namespace communication between ESO components

These policies were already tested in a OpenShift cluster but are currently
deployed only to staging environments for additional validation before
rolling out to production.

Implements:
KFLUXINFRA-2558
KFLUXINFRA-2559
diff --git a/components/external-secrets-operator/staging/kustomization.yaml b/components/external-secrets-operator/staging/kustomization.yaml
@@ -2,3 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../base
+  - networkpolicy-default-deny.yaml
+  - networkpolicy-allow-egress.yaml
+  - networkpolicy-allow-ingress.yaml
+  - networkpolicy-allow-same-ns.yaml
diff --git a/components/external-secrets-operator/staging/networkpolicy-allow-egress.yaml b/components/external-secrets-operator/staging/networkpolicy-allow-egress.yaml
@@ -0,0 +1,96 @@
+# Network Policy: DNS Egress
+#
+# Purpose: Allow the external-secrets pods to communicate with DNS (for name resolution)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-dns-egress
+  namespace: external-secrets-operator
+spec:
+  # Selects ALL ESO Pods: main-controller, webhook, and cert-controller
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: external-secrets-operator
+  policyTypes:
+  - Egress
+  egress:
+  # Allow DNS queries to both the DNS pods and the DNS service (ClusterIP)
+  # The DNS service is typically at 172.30.0.10 in the service network
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-dns
+    - ipBlock:
+        cidr: 172.30.0.10/32
+    ports:
+    - protocol: UDP
+      port: 53
+    - protocol: TCP
+      port: 53
+---
+# Network Policy: Main Controller Egress
+#
+# Purpose: Allow the main external-secrets controller to communicate with:
+#   - Kubernetes API server (for watching CRDs, updating satus)
+#   - External secret providers (AWS, GCP, Vault, etc.)
+#   - OpenShift internal services
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-main-controller-egress
+  namespace: external-secrets-operator
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: external-secrets-operator
+      app.kubernetes.io/name: external-secrets
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+---
+# Network Policy: Cert Controller and Webhook Egress
+#
+# Purpose: Allow the cert-controller and webhook to communicate with
+# Kubernetes API server:
+#   - cert-controller: for managing webhook certificates
+#   - webhook: for CRD validation and cert management
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-cert-controller-webhook-egress
+  namespace: external-secrets-operator
+spec:
+  podSelector:
+    matchExpressions:
+    - key: app.kubernetes.io/name
+      operator: In
+      values:
+      - external-secrets-cert-controller
+      - external-secrets-webhook
+    matchLabels:
+      app.kubernetes.io/instance: external-secrets-operator
+  policyTypes:
+  - Egress
+  egress:
+  # Allow egress to Kubernetes API server
+  # As kube-apiserver uses host network, support multiple cluster
+  # configurations with different network CIDRs
+  - to:
+    # kubernetes default service
+    - ipBlock:
+        cidr: 172.30.0.1/32
+    # Aggregated node network for internal clusters (10.28.x.x - 10.29.x.x)
+    - ipBlock:
+        cidr: 10.28.0.0/15
+    # Aggregated node network for public clusters (10.200 - 10.210)
+    - ipBlock:
+        cidr: 10.192.0.0/11
+    ports:
+      - protocol: TCP
+        port: 443
+      - protocol: TCP
+        port: 6443
+
diff --git a/components/external-secrets-operator/staging/networkpolicy-allow-ingress.yaml b/components/external-secrets-operator/staging/networkpolicy-allow-ingress.yaml
@@ -0,0 +1,93 @@
+---
+# Network Policy: Webhook Ingress
+#
+# Purpose: Allow incoming traffic to the validating webhook on port 10250 from:
+#   - Kubernetes API server (required for CRD validation)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-webhook-ingress
+  namespace: external-secrets-operator
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: external-secrets-operator
+      app.kubernetes.io/name: external-secrets-webhook
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    # Allow webhook traffic from Kubernetes API server
+    # The kube-apiserver uses host network (node IPs) but the call
+    # is NATed and comes from a pod IP assigned to interface ovn-k8s-mp0
+    # - 192.168.0.0/16 (pod CIDR in most clusters)
+    # - 10.128.0.0/14 (pod CIDR in stg-rh01, prd-rh01 and prd-p01 clusters)
+    - ipBlock:
+        cidr: 10.128.0.0/14
+    - ipBlock:
+        cidr: 192.168.0.0/16
+    ports:
+    - protocol: TCP
+      port: 10250 # Webhook port
+---
+# Network Policy: Metrics Ingress
+#
+# Purpose: Allow Prometheus/monitoring systems to scrape metrics from all ESO components
+# Port: 8080 (metrics endpoint)
+#
+# Allows traffic from:
+#   - appstudio-workload-monitoring namespace
+#   - openshift-monitoring namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-metrics-ingress
+  namespace: external-secrets-operator
+spec:
+  # Selects ALL ESO Pods (Controller, Webhook, Cert Controller)
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: external-secrets-operator
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    # Allow Prometheus to scrape metrics
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: appstudio-workload-monitoring
+    # Also allow from openshift-monitoring if it exists
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-monitoring
+    ports:
+    - protocol: TCP
+      port: 8080  # Metrics port
+---
+# Network Policy: Health Checks
+#
+# Purpose: Allow liveness/readiness probes on all ESO components
+# Port: 8081 (health check endpoint)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-health-checks-ingress
+  namespace: external-secrets-operator
+spec:
+  # Selects ALL ESO Pods (Controller, Webhook, Cert Controller)
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: external-secrets-operator
+  policyTypes:
+  - Ingress
+  ingress:
+  # Allow health checks on port 8081
+  - from:
+    - ipBlock:
+        cidr: 10.128.0.0/14
+    - ipBlock:
+        cidr: 192.168.0.0/16
+    ports:
+    - protocol: TCP
+      port: 8081
+
diff --git a/components/external-secrets-operator/staging/networkpolicy-allow-same-ns.yaml b/components/external-secrets-operator/staging/networkpolicy-allow-same-ns.yaml
@@ -0,0 +1,44 @@
+---
+# Network Policy: Intra-namespace Communication
+#
+# Purpose: Allow all ESO components to communicate with each other
+# within the same namespace, including localhost communication
+#
+# Applies to: Main controller, webhook, and cert-controller
+# Note: This provides a fallback for any internal coordination between ESO components
+# that is not explicitly covered by more specific policies
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-same-namespace
+  namespace: external-secrets-operator
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: external-secrets-operator
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/instance: external-secrets-operator
+  # Allow pods to communicate with themselves (localhost)
+  # This is needed for health checks and internal probe endpoints
+  - from:
+    - podSelector: {}
+    ports:
+    - protocol: TCP
+      port: 8081  # Health check port
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/instance: external-secrets-operator
+  # Allow pods to reach their own localhost
+  - to:
+    - podSelector: {}
+    ports:
+    - protocol: TCP
+      port: 8081  # Health check port
diff --git a/components/external-secrets-operator/staging/networkpolicy-default-deny.yaml b/components/external-secrets-operator/staging/networkpolicy-default-deny.yaml
@@ -0,0 +1,22 @@
+---
+# Network Policy: Default Deny All
+#
+# Purpose: Implements a "deny all / permit by exception" security model
+#
+# Behavior:
+#   - Blocks ALL ingress traffic by default
+#   - Blocks ALL egress traffic by default
+#   - Other NetworkPolicies selectively allow specific traffic patterns
+#
+# Security: Aligns with ESO threat model recommendations
+# Reference: https://external-secrets.io/latest/guides/threat-model/
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: external-secrets-operator
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
