Implement NetworkPolicy

Created by: beyang

Migrated from https://github.com/sourcegraph/deploy-sourcegraph/issues/213

From @terinjokes:

In our Kubernetes cluster, we're heavy users of Network Policies for both Pod ingress and egress. We'd like to continue this for Sourcegraph, but currently there's none provided as a base.

I can probably brute force Network Policies from error messages, but it might be easier and faster for someone more familiar with the dependencies to properly set up.


From @beyang:

@terinjokes a couple of clarifying questions:

  • Is the goal here to enforce a policy on overall ingress/egress traffic between Sourcegraph and the outside world or to enforce a policy on traffic between pods in the Sourcegraph cluster itself?
  • If the latter, is the need for a Network Policy due to Sourcegraph being deployed into a cluster that also has non-Sourcegraph pods, or just due to a general policy (e.g., "all Kubernetes clusters must have NetworkPolicies that constrain internal network traffic to only what's minimally necessary")?
  • If due to a general policy, what are the requirements that the set of Network Policies needs to meet? Is there an internal definition you can share?
  • Lastly, how urgent of a need is this for you? Does it block any wider rollout / deployment milestone?

From @terinjokes:

  1. Ideally a policy for both traffic between the pods and the outside world, and pods and other Sourcegraph pods. However, a blanket policy (pods within the namespace are allowed to communicate with other pods in the namespace) might work for the latter, if you don't want to denote the specifics.
  2. It's a general policy for us that all deployments have network policies. This is enforced with a network policy that drops all traffic by default.
  3. We don't have a formal definition right now. The assumption is: be reasonable (e.g., don't simply define a network policy for 0.0.0.0/0).
  4. It's not extremely urgent. I can make my guesses to some policies.