Add networkpolicies under /contrib/networkpolicies (kubeflow#2121)

* Create .gitkeep

* Add files via upload

* Create OWNERS

* Create README.md

* Delete default-deny-not-istio-system.yaml

* Create default-allow-same-namespace.yaml

* Create centraldashboard.yaml

* Create jupyter-web-app.yaml

* Create katib-ui.yaml

* Create kfserving-models-web-app.yaml

* Create ml-pipeline-ui.yaml

* Update ml-pipeline.yaml

* Create volumes-web-app.yaml

* Update kustomization.yaml

* Update OWNERS

contrib/networkpolicies/.gitkeep

@@ -0,0 +1 @@
+

contrib/networkpolicies/OWNERS

@@ -0,0 +1,5 @@
+approvers:
+  - juliusvonkohout
+reviewers:
+  - juliusvonkohout
+  - kimwnasptd

contrib/networkpolicies/README.md

@@ -0,0 +1,8 @@
+### 1. Why would a user apply the extra policies?
+It is a second line of defence after Istio autorization policies and it protects pods and services that are not protected by Istio
+
+### 2. Effects they will have in the cluster
+Please consult the name of and comments in each networkpolicy for further information.
+
+### 3. We should achieve the same with AuthorizationPolicies
+But there are components, e.g. Katib that are not secured by istio

contrib/networkpolicies/cache-server.yaml

@@ -0,0 +1,21 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: cache-server
+  namespace: kubeflow
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app
+        operator: In
+        values:
+          - cache-server # mutating webhook
+  # https://www.elastic.co/guide/en/cloud-on-k8s/1.1/k8s-webhook-network-policies.html
+  # The kubernetes api server must reach the webhook
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 8443
+  policyTypes:
+    - Ingress
+

contrib/networkpolicies/centraldashboard.yaml

@@ -0,0 +1,23 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: centraldashboard
+  namespace: kubeflow
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app
+        operator: In
+        values:
+          - centraldashboard
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchExpressions:
+              - key: kubernetes.io/metadata.name
+                operator: In
+                values:
+                  - istio-system
+        - podSelector: {}
+  policyTypes:
+    - Ingress

contrib/networkpolicies/default-allow-same-namespace.yaml

@@ -0,0 +1,12 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-allow-same-namespace
+  namespace: kubeflow
+spec:
+  podSelector: {}
+  ingress:
+    - from:
+        - podSelector: {}
+  policyTypes:
+    - Ingress

contrib/networkpolicies/jupyter-web-app.yaml

@@ -0,0 +1,23 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: jupyter-web-app
+  namespace: kubeflow
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app
+        operator: In
+        values:
+          - jupyter-web-app
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchExpressions:
+              - key: kubernetes.io/metadata.name
+                operator: In
+                values:
+                  - istio-system
+        - podSelector: {}
+  policyTypes:
+    - Ingress

contrib/networkpolicies/katib-controller.yaml

@@ -0,0 +1,23 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: katib-controller
+  namespace: kubeflow
+spec:
+  podSelector:
+    matchExpressions:
+      - key: katib.kubeflow.org/component
+        operator: In
+        values:
+          - controller # katib mutating webhook to add metrics logger
+  # https://www.elastic.co/guide/en/cloud-on-k8s/1.1/k8s-webhook-network-policies.html
+  # The kubernetes api server must reach the webhook
+  ingress:
+    - ports: # webhook
+        - protocol: TCP
+          port: 8443
+#    - ports: # metrics
+#        - protocol: TCP
+#          port: 8080
+  policyTypes:
+    - Ingress

contrib/networkpolicies/katib-db-manager.yaml

@@ -0,0 +1,23 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: katib-db-manager
+  namespace: kubeflow
+spec:
+  podSelector:
+    matchExpressions:
+      - key: katib.kubeflow.org/component
+        operator: In
+        values:
+          - db-manager # the metrics loggers write directly to this database
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchExpressions:
+              - key: app.kubernetes.io/part-of
+                operator: In
+                values:
+                  - kubeflow-profile
+        - podSelector: {} # allow all pods from the same namespace
+  policyTypes:
+    - Ingress

contrib/networkpolicies/katib-ui.yaml

@@ -0,0 +1,22 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: katib-ui
+  namespace: kubeflow
+spec:
+  podSelector:
+    matchExpressions:
+      - key: katib.kubeflow.org/component
+        operator: In
+        values:
+          - ui
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchExpressions:
+              - key: kubernetes.io/metadata.name
+                operator: In
+                values:
+                  - istio-system
+  policyTypes:
+    - Ingress

contrib/networkpolicies/kfserving-models-web-app.yaml

@@ -0,0 +1,22 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: kfserving-models-web-app
+  namespace: kubeflow
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app.kubernetes.io/component
+        operator: In
+        values:
+          - kfserving-models-web-app
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchExpressions:
+              - key: kubernetes.io/metadata.name
+                operator: In
+                values:
+                  - istio-system
+  policyTypes:
+    - Ingress

contrib/networkpolicies/kfserving.yaml

@@ -0,0 +1,21 @@
+
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: kfserving
+  namespace: kubeflow
+spec:
+  podSelector:
+    matchExpressions:
+      - key: control-plane
+        operator: In
+        values:
+          - kfserving-controller-manager # mutating webhook
+  # https://www.elastic.co/guide/en/cloud-on-k8s/1.1/k8s-webhook-network-policies.html
+  # The kubernetes api server must reach the webhook
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 9443
+  policyTypes:
+    - Ingress

contrib/networkpolicies/kustomization.yaml

@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kubeflow
+resources:
+  - cache-server.yaml
+  - centraldashboard.yaml
+  - default-allow-same-namespace.yaml
+  - jupyter-web-app.yaml
+  - katib-controller.yaml
+  - katib-db-manager.yaml
+  - katib-ui.yaml
+  - kfserving-models-web-app.yaml
+  - kfserving.yaml
+  - metadata-grpc-server.yaml
+  - minio.yaml
+  - ml-pipeline-ui.yaml 
+  - ml-pipeline.yaml
+  - poddefaults.yaml
+  - seldon.yaml
+  - volumes-web-app.yaml

contrib/networkpolicies/metadata-grpc-server.yaml

@@ -0,0 +1,24 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: metadata-grpc-server
+  namespace: kubeflow
+spec:
+  podSelector:
+    matchExpressions:
+      - key: component
+        operator: In
+        values:
+          - metadata-grpc-server # metadata server
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchExpressions:
+              - key: app.kubernetes.io/part-of
+                operator: In
+                values:
+                  - kubeflow-profile
+        - podSelector: {} # allow all pods from the same namespace
+  policyTypes:
+    - Ingress
+

contrib/networkpolicies/minio.yaml

@@ -0,0 +1,23 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: minio
+  namespace: kubeflow
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app
+        operator: In
+        values:
+          - minio        # artifact storage
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchExpressions:
+              - key: app.kubernetes.io/part-of
+                operator: In
+                values:
+                  - kubeflow-profile
+        - podSelector: {} # allow all pods from the same namespace
+  policyTypes:
+    - Ingress

contrib/networkpolicies/ml-pipeline-ui.yaml

@@ -0,0 +1,22 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: ml-pipeline-ui
+  namespace: kubeflow
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app
+        operator: In
+        values:
+          - ml-pipeline-ui
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchExpressions:
+              - key: kubernetes.io/metadata.name
+                operator: In
+                values:
+                  - istio-system
+  policyTypes:
+    - Ingress

contrib/networkpolicies/ml-pipeline.yaml

@@ -0,0 +1,28 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: ml-pipeline
+  namespace: kubeflow
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app
+        operator: In
+        values:
+          - ml-pipeline # just the apiserver
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchExpressions:
+              - key: app.kubernetes.io/part-of
+                operator: In
+                values:
+                  - kubeflow-profile
+        - namespaceSelector:
+            matchExpressions:
+              - key: kubernetes.io/metadata.name
+                operator: In
+                values:
+                  - istio-system
+  policyTypes:
+    - Ingress

contrib/networkpolicies/poddefaults.yaml

@@ -0,0 +1,20 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: poddefaults
+  namespace: kubeflow
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app
+        operator: In
+        values:
+          - poddefaults  # mutating webhook 
+  # https://www.elastic.co/guide/en/cloud-on-k8s/1.1/k8s-webhook-network-policies.html
+  # The kubernetes api server must reach the webhook
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 4443
+  policyTypes:
+    - Ingress

contrib/networkpolicies/seldon.yaml

@@ -0,0 +1,21 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: seldon
+  namespace: kubeflow
+spec:
+  podSelector:
+    matchExpressions:
+      - key: control-plane
+        operator: In
+        values:
+          - seldon-controller-manager # validating webhook
+  # https://www.elastic.co/guide/en/cloud-on-k8s/1.1/k8s-webhook-network-policies.html
+  # The kubernetes api server must reach the webhook
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 4443
+  policyTypes:
+    - Ingress
+