Merge pull request #500 from kartverket/alloy-netpol

Added grafana alloy to default_deny and app netpol

controllers/namespace/default_deny_network_policy.go

@@ -113,6 +113,32 @@ func (r *NamespaceReconciler) reconcileDefaultDenyNetworkPolicy(ctx context.Cont
 						},
 					},
 				},
+				// Egress rule for grafana-alloy
+				{
+					To: []networkingv1.NetworkPolicyPeer{
+						{
+							NamespaceSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{"kubernetes.io/metadata.name": "grafana-alloy"},
+							},
+							PodSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"app.kubernetes.io/instance": "alloy",
+									"app.kubernetes.io/name":     "alloy",
+								},
+							},
+						},
+					},
+					Ports: []networkingv1.NetworkPolicyPort{
+						{
+							Protocol: util.PointTo(corev1.ProtocolTCP),
+							Port:     util.PointTo(intstr.FromInt(4317)),
+						},
+						{
+							Protocol: util.PointTo(corev1.ProtocolTCP),
+							Port:     util.PointTo(intstr.FromInt(4318)),
+						},
+					},
+				},
 			},
 		}
 

pkg/resourcegenerator/networking/network_policy.go

@@ -160,6 +160,27 @@ func getIngressRules(opts NetPolOpts) []networkingv1.NetworkPolicyIngressRule {
 
 	// Allow grafana-agent to scrape
 	if opts.IstioEnabled {
+		promScrapeRuleAlloy := networkingv1.NetworkPolicyIngressRule{
+			From: []networkingv1.NetworkPolicyPeer{
+				{
+					NamespaceSelector: &metav1.LabelSelector{
+						MatchLabels: map[string]string{"kubernetes.io/metadata.name": "grafana-alloy"},
+					},
+					PodSelector: &metav1.LabelSelector{
+						MatchLabels: map[string]string{
+							"app.kubernetes.io/instance": "alloy",
+							"app.kubernetes.io/name":     "alloy",
+						},
+					},
+				},
+			},
+			Ports: []networkingv1.NetworkPolicyPort{
+				{
+					Port: util.PointTo(util.IstioMetricsPortName),
+				},
+			},
+		}
+
 		promScrapeRule := networkingv1.NetworkPolicyIngressRule{
 			From: []networkingv1.NetworkPolicyPeer{
 				{
@@ -181,7 +202,10 @@ func getIngressRules(opts NetPolOpts) []networkingv1.NetworkPolicyIngressRule {
 			},
 		}
 
+
+
 		ingressRules = append(ingressRules, promScrapeRule)
+		ingressRules = append(ingressRules, promScrapeRuleAlloy)
 	}
 
 	if opts.AccessPolicy == nil {

tests/application/service-monitor/application-istio-assert.yaml

@@ -102,3 +102,13 @@ spec:
               app.kubernetes.io/name: grafana-agent
       ports:
         - port: istio-metrics
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: grafana-alloy
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/instance: alloy
+              app.kubernetes.io/name: alloy
+      ports:
+        - port: istio-metrics

tests/application/service-monitor/application-simple-assert.yaml

@@ -91,3 +91,13 @@ spec:
               app.kubernetes.io/name: grafana-agent
       ports:
         - port: istio-metrics
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: grafana-alloy
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/instance: alloy
+              app.kubernetes.io/name: alloy
+      ports:
+        - port: istio-metrics

tests/namespace/default-deny/assert.yaml

@@ -51,3 +51,16 @@ spec:
           matchLabels:
             app.kubernetes.io/instance: grafana-agent
             app.kubernetes.io/name: grafana-agent
+  - ports:
+      - port: 4317
+        protocol: TCP
+      - port: 4318
+        protocol: TCP
+    to:  
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: grafana-alloy
+        podSelector:
+          matchLabels:
+            app.kubernetes.io/instance: alloy
+            app.kubernetes.io/name: alloy