- Fix default metric listener address from 127.0.0.1 to 0.0.0.0.

- Make metrics listener address and port configurable.
- Add support for NetworkPolicy (opt-in)

Author: alex-berger

charts/k8s-object-syncer/README.md

@@ -40,6 +40,9 @@
 | `podMonitor.enabled`                       | Whether to create a `PodMonitor` or not.                                           | `false`                                                    | no        |
 | `podMonitor.interval`                      | `PodMonitor` scrape interval                                                       | `60s`                                                      | no        |
 | `podMonitor.scrapeTimeout`                 | `PodMonitor` scrape timeout                                                        | `10s`                                                      | no        |
+| `metrics.address`                          | IPv4 or IPv6 address to listen for metrics request                                 | `0.0.0.0` (listen on all network interfaces)               | no        |
+| `metrics.port`                             | TCP port to listen for metrics requests                                            | `9000`                                                     | no        |
+| `networkPolicy`                            | NetworkPolicy content (`ingress`, `egress` and `policyTypes`)                      | `null`                                                     | no        |
 
 
 ## Installation
@@ -115,4 +118,31 @@ targetNamespaces: ["*"]
 allowedResources:
 - apiGroups: ["*"]
   resources: ["*"]
+```
+
+---
+
+Set NetworkPolicy.
+
+```yaml
+networkPolicy:
+  ingress:
+    # Allow all ingress to metrics port
+    - from:
+        - namespaceSelector: {}
+          podSelector: {}
+      ports:
+        - protocol: TCP
+          port: 9000
+  egress:
+    - ports: # Kubernetes API
+        - protocol: TCP
+          port: 443
+        - port: 53 # DNS
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+  policyTypes:
+    - Ingress
+    - Egress
 ```

charts/k8s-object-syncer/templates/deployment.yaml

@@ -20,7 +20,7 @@ spec:
     metadata:
       annotations:
         prometheus.io/scrape: 'true'
-        prometheus.io/port: '9000'
+        prometheus.io/port: "{{ .Values.metrics.port | default 9000 }}"
       {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -57,13 +57,21 @@ spec:
             - name: TARGET_NAMESPACES
               value: "{{ .Values.targetNamespaces | join "," }}"
           {{- end }}
+          {{- if .Values.metrics.address }}
+            - name: METRICS_LISTEN_ADDR
+              value: "{{ .Values.metrics.address }}"
+          {{- end }}
+          {{- if .Values.metrics.port }}
+            - name: METRICS_LISTEN_PORT
+              value: "{{ .Values.metrics.port }}"
+          {{- end }}
           {{- with .Values.extraEnv }}
             {{- toYaml . | nindent 12 }}
           {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: metrics
-              containerPort: 9000
+              containerPort: {{ .Values.metrics.port | default 9000 }}
               protocol: TCP
           resources:
             {{- toYaml .Values.resources | nindent 12 }}

charts/k8s-object-syncer/templates/network-policy.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.networkPolicy }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "k8s-object-syncer.fullname" . }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "k8s-object-syncer.selectorLabels" . | nindent 6 }}
+  {{- toYaml .Values.networkPolicy | nindent 2 }}
+{{- end }}

charts/k8s-object-syncer/values.yaml

@@ -88,7 +88,32 @@ allowedResources:
 
 extraEnv: []
 
+metrics:
+  port: 9000
+  address: "0.0.0.0"
+
 podMonitor:
   enabled: false
   interval: 60s
-  scrapeTimeout: 10s
+  scrapeTimeout: 10s
+
+networkPolicy:
+  # ingress:
+  #   # Allow all ingress to metrics port
+  #   - from:
+  #       - namespaceSelector: {}
+  #         podSelector: {}
+  #     ports:
+  #       - protocol: TCP
+  #         port: 9000
+  # egress:
+  #   - ports: # Kubernetes API
+  #       - protocol: TCP
+  #         port: 443
+  #       - port: 53 # DNS
+  #         protocol: UDP
+  #       - port: 53
+  #         protocol: TCP
+  # policyTypes:
+  #   - Ingress
+  #   - Egress

rustrial-k8s-object-syncer/src/main.rs

@@ -91,8 +91,12 @@ async fn ok<T, E>(_: T) -> Result<(), E> {
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
     env_logger::init();
+    let metrics_addr = env_var("METRICS_LISTEN_ADDR").unwrap_or_else(|| "0.0.0.0".to_string());
+    let metrics_port = env_var("METRICS_LISTEN_PORT").unwrap_or_else(|| "9000".to_string());
+    let metrics_addr = format!("{}:{}", metrics_addr, metrics_port).parse()?;
     let prometheus_metrics_exporter = opentelemetry_prometheus::exporter().init();
-    let prometheus_metrics_exporter = start_prometheus_metrics_server(prometheus_metrics_exporter);
+    let prometheus_metrics_exporter =
+        start_prometheus_metrics_server(metrics_addr, prometheus_metrics_exporter);
     let client = Client::try_default().await?;
     let namespace_watcher = watcher(Api::<Namespace>::all(client.clone()), ListParams::default());
     let writer: Writer<Namespace> = Default::default();

rustrial-k8s-object-syncer/src/prometheus_exporter.rs

@@ -1,4 +1,4 @@
-use std::sync::Arc;
+use std::{net::SocketAddr, sync::Arc};
 
 use hyper::{
     header::CONTENT_TYPE,
@@ -29,9 +29,9 @@ async fn serve_req(
 }
 
 pub(crate) async fn start_prometheus_metrics_server(
+    addr: SocketAddr,
     prometheus_metrics_exporter: PrometheusExporter,
 ) {
-    let addr = ([127, 0, 0, 1], 9000).into();
     debug!("Listening on http://{}", addr);
     let exporter = Arc::new(prometheus_metrics_exporter);
     let handler = make_service_fn(move |_| {