Test serverless with strict central network policies #1533

kwiatekus · 2025-03-21T14:05:51Z

Description

Reviewer should read this first

Changes proposed in this pull request:

apply extra fixture with strict network policies in integration tests
label operators with networking.kyma-project.io/to-apiserver: allowed
label webhook (legacy) with networking.kyma-project.io/from-seed: allowed

Related issue(s)
#1530

kwiatekus · 2025-03-24T13:08:39Z

TODO: enable policy for jobs to push into serverless-docker-registry.kyma-system.svc.cluster.local:5000

Tests show that function build job fails with

error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "serverless-docker-registry.kyma-system.svc.cluster.local:5000/default-fn:eb2f4eeb161602519b3f5510c262c3372f6c8bcedabbcc40dcc72c92532fda77": creating push check transport for serverless-docker-registry.kyma-system.svc.cluster.local:5000 failed: Get "https://serverless-docker-registry.kyma-system.svc.cluster.local:5000/v2/": dial tcp 10.43.172.190:5000: connect: connection refused; Get "http://serverless-docker-registry.kyma-system.svc.cluster.local:5000/v2/": dial tcp 10.43.172.190:5000: connect: connection refused

kwiatekus · 2025-03-27T09:11:04Z

Serverless needs an egress policy targeting the serverless controller enabling all egress traffic, so that serverless can fetch from git repositories.

…ch from git repos

.github/actions/with-fixture/action.yaml

config/buildless-serverless/templates/egress-network-policy.yaml

config/serverless/templates/egress-network-policy.yaml

config/serverless/templates/ingress-network-policy.yaml

tests/with-fixture/strict-network-policies/ns.yaml

tests/with-fixture/strict-network-policies/policies.yaml

Co-authored-by: Filip Strozik <[email protected]>

kwiatekus requested a review from a team as a code owner March 21, 2025 14:05

kwiatekus mentioned this pull request Mar 21, 2025

Explicitly define network policies required for serverless module to work on cluster with strict global policies #1530

Closed

2 tasks

kwiatekus force-pushed the network-policies branch from b456c70 to 227c312 Compare March 27, 2025 08:11

kwiatekus added 13 commits April 3, 2025 08:15

Test serverless with strict central network policies

27b827e

enable policies via make (tmp)

4fee273

enable policies via make (tmp)

cc4bad6

enable policies via make (tmp)

51706c1

enable policies via make (tmp)

354ed33

enable policy for accessing docker registry by function build jobs

1d7778b

make sure operator caninstall networkpolicy

0547b09

add network policy towards gitserver in gitops tests

aefb4a2

add egress network policy for serverless controller to be able to fet…

1ae9659

…ch from git repos

add network policy towards gitserver in gitops tests

066e51a

cleanup test network policy

65f9069

apply labels and required network policies

5ea71e8

ensure network policies for eventing mock

ac3abb7

kwiatekus force-pushed the network-policies branch from 4301422 to ac3abb7 Compare April 3, 2025 06:15

kwiatekus added 2 commits April 3, 2025 09:01

ensure network policy and labels for buildldess srvls

aaffe82

use strict network policies as integration test fixtures

a5d1963

pPrecel self-assigned this Apr 3, 2025