Chart: add egress network policy for controller

[calvix]

Is this a bug fix or adding a new feature?
Bug fix
What is this PR about? / Why do we need it?
In a secure environment with strict network policy mode, all traffic is denied except traffic allowed by the network policies.

In order to be able to run the aws-ebs-csi-driver in such an environment it is necessary to specify the network policy for the controller otherwise it will end with the error:

I1102 15:12:02.790807       1 event.go:298] Event(v1.ObjectReference{Kind:"PersistentVolumeClaim", Namespace:"default", Name:"example-pvc", UID:"81413a15-1473-4778-94d4-6a2908249527", APIVersion:"v1", ResourceVersion:"37899", FieldPath:""}): type: 'Warning' reason: 'ProvisioningFailed' failed to provision volume with StorageClass "gp2": rpc error: code = DeadlineExceeded desc = context deadline exceeded

What testing is done?

[k8s-ci-robot]

Welcome @calvix!

It looks like this is your first PR to kubernetes-sigs/aws-ebs-csi-driver 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/aws-ebs-csi-driver has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @calvix. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rdpsin for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[torredil]

/ok-to-test

[rdpsin]

What's the effect of this on non-airgapped environments? Should this be put behind a conditional?

[calvix]

/retest

[calvix]

What's the effect of this on non-airgapped environments? Should this be put behind a conditional?

if the environment is not running any network policy controller it should have no effect

If the environment is running a network policy controller in non-strict mode (all traffic is allowed unless network policy specifies otherwise) it should work the same

As you can see all tests passed so it does not have an influence on the non-airgapped environments

But if you feel this should be conditional and enabled only when a certain value is set than I am fine to adjust the changes.

[rdpsin]

My personal preference would be to put it behind a flag so that it doesn't surprise users updating to a new version of the chart (even though there's no functional change). @torredil @ConnorJC3 @AndrewSirenko are the arbiters, though. :)

[torredil]

Hi @calvix, thank you for your contribution.

Let's consider the case where a cluster administrator has already deployed a network policy for the controller.

By deploying this network policy we could be unintentionally overriding restrictions set by that existing policy because network policies are additive. This would allow for broad egress traffic, which in environments where traffic needs to be controlled for compliance or security reasons would be very undesirable.

+1 to @rdpsin's suggestion. See an example in minio's chart here: https://github.com/minio/minio/blob/754f7a8a395e87a744050476d8b16c16af50a800/helm/minio/values.yaml#L500 where they provide this configuration, disabled by default.

[ConnorJC3]

Sorry about the late review on this, but agree with above. We definitely cannot have this enabled by default, our security-conscious users would be very mad if we suddenly deploy a default-enabled NetworkPolicy that bypasses their configurations.

To be honest, I'm not sure if there's even a strong need for this at all - in environments so security conscious the user has defaulted the NetworkPolicy to egress disabled, would they really want a policy with an unlimited egress policy?

[ConnorJC3]

This shouldn't be hardcoded, it should use Release.Namespace

[ConnorJC3]

This should use aws-ebs-csi-driver.selectorLabels

[ConnorJC3]

/close

Hi, the team talked about this, and we decided that we don't want to move forwards with this change at the moment.

Deploying a default-enabled NetworkPolicy is extremely likely to surprise security-conscious users. Users running clusters with special requirements like strict network policy mode are likely to have a better idea of what policy is appropriate than a blanket policy we apply to all clusters.

[k8s-ci-robot]

@ConnorJC3: Closed this PR.

In response to this:

/close

Hi, the team talked about this, and we decided that we don't want to move forwards with this change at the moment.

Deploying a default-enabled NetworkPolicy is extremely likely to surprise security-conscious users. Users running clusters with special requirements like strict network policy mode are likely to have a better idea of what policy is appropriate than a blanket policy we apply to all clusters.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.