
Docs: NetworkPolicies #8950

Open
genofire opened this issue Aug 9, 2024 · 4 comments
Labels
helm type/docs Improvements or additions to documentation

Comments

@genofire

genofire commented Aug 9, 2024

Is your documentation request related to a feature? If so, which one?

Communication between Pods

Describe the solution that you’d like or the expected outcome

Helm-Chart with Networkpolicies


besides a networkpolicy to reach:

  • the ingress-controller, the nginx pod
  • to reach the s3 bucket from:
    • compactor
    • ingester
    • querier
    • store_gateway
    • alertmanager
    • ruler

I started to write some networkpolicies just for ingress:

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mimir-compactor
  namespace: phoenix-monitoring-mimir
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: compactor
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/part-of: memberlist
      ports:
        - port: 7946
          protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mimir-distributor
  namespace: phoenix-monitoring-mimir
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: distributor
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/part-of: memberlist
      ports:
        - port: 7946
          protocol: TCP
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: nginx
      ports:
        - port: 8080
          protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mimir-ingester
  namespace: phoenix-monitoring-mimir
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: ingester
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/part-of: memberlist
      ports:
        - port: 7946
          protocol: TCP
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: distributor
      ports:
        - port: 9095
          protocol: TCP
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: querier
      ports:
        - port: 9095
          protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mimir-querier
  namespace: phoenix-monitoring-mimir
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: querier
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/part-of: memberlist
      ports:
        - port: 7946
          protocol: TCP
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: query-scheduler
      ports:
        - port: 9095
          protocol: TCP
    # if scheduler is disabled:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: query-frontend
      ports:
        - port: 9095
          protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mimir-query-frontend
  namespace: phoenix-monitoring-mimir
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: query-frontend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: nginx
      ports:
        - port: 8080
          protocol: TCP
    # TODO no idea why - maybe send result
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: querier
      ports:
        - port: 9095
          protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mimir-query-scheduler
  namespace: phoenix-monitoring-mimir
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: query-scheduler
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: query-frontend
      ports:
        - port: 9095
          protocol: TCP
    # TODO no idea why - maybe shutdown of querier
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: querier
      ports:
        - port: 9095
          protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mimir-store-gateway
  namespace: phoenix-monitoring-mimir
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: store-gateway
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/part-of: memberlist
      ports:
        - port: 7946
          protocol: TCP
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: querier
      ports:
        - port: 9095
          protocol: TCP
@genofire genofire added the type/docs Improvements or additions to documentation label Aug 9, 2024
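The policies above cover ingress only; the list in the post also names the components that must reach the object store. As an added example (not code from the issue author or the Mimir chart), the following builds the matching egress side: DNS, peers in the same namespace, and the bucket endpoint. The bucket CIDR, the kube-dns labels and the namespace selector are assumptions constructed for the example; an in-cluster store such as MinIO would be selected with a podSelector instead of an ipBlock.

```python
"""Egress counterpart to the ingress-only policies in the issue.
Added example, not chart code. Assumptions (constructed): the bucket is reachable
at S3_CIDR on S3_PORT, cluster DNS is the kube-dns deployment in kube-system, and
pods carry the app.kubernetes.io/component label the issue uses."""
import json

NAMESPACE = "phoenix-monitoring-mimir"  # namespace from the issue
S3_CIDR = "203.0.113.0/24"              # constructed placeholder (TEST-NET-3), not a real endpoint
S3_PORT = 443

# Components the thread lists as needing the bucket (store_gateway spelled as its label value).
S3_COMPONENTS = ["compactor", "ingester", "querier", "store-gateway", "alertmanager", "ruler"]

DNS_RULE = {
    "to": [{
        "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
        "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}},
    }],
    "ports": [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}],
}

# Gossip and gRPC between Mimir components stay open on the egress side;
# the ingress policies in the issue decide who may actually connect.
SAME_NAMESPACE_RULE = {"to": [{"podSelector": {}}]}


def s3_egress_policy(component, namespace=NAMESPACE, s3_cidr=S3_CIDR, s3_port=S3_PORT):
    """NetworkPolicy limiting egress from `component` to DNS, namespace peers and the bucket."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"mimir-{component}-egress", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app.kubernetes.io/component": component}},
            "policyTypes": ["Egress"],  # Egress only, so the ingress policies stay untouched
            "egress": [
                DNS_RULE,
                SAME_NAMESPACE_RULE,
                {"to": [{"ipBlock": {"cidr": s3_cidr}}],
                 "ports": [{"port": s3_port, "protocol": "TCP"}]},
            ],
        },
    }


def egress_policies(components=S3_COMPONENTS):
    """One egress policy per component that needs the bucket."""
    return [s3_egress_policy(c) for c in components]


def external_cidrs(policy):
    """CIDRs a policy lets its pods reach outside the cluster; useful when reviewing a rendered chart."""
    return sorted(to["ipBlock"]["cidr"]
                  for rule in policy["spec"].get("egress", [])
                  for to in rule.get("to", []) if "ipBlock" in to)


def render(policies):
    """Multi-document manifest; JSON is valid YAML, so `kubectl apply -f` accepts it."""
    return "\n".join("---\n" + json.dumps(p, indent=2) for p in policies)


if __name__ == "__main__":
    print(render(egress_policies()))
```

Pipe the output into `kubectl apply -f -` in a test namespace first: an Egress policy that forgets DNS or the namespace peers produces exactly the silent "cannot upload" symptom described later in the thread, because the component resolves nothing and never reaches the bucket.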
@dimitarvdimitrov
Contributor

a quick note: the alertmanager and ruler might also need to reach the s3 bucket

@genofire
Author

genofire commented Aug 12, 2024

@dimitarvdimitrov I added it to the list above.

I still have problems with the ingester: it becomes full without any error messages that it could not upload to S3 ... so I am not sure if I got every needed rule.

EDIT: After creating clean PVCs for all ingesters, it looks like it works.

@genofire
Author

PS: Do all components need to gossip with all other components? My thought was that the Ring is just needed inside one component (or am I wrong?)

@dimitarvdimitrov
Contributor

all components need to be able to gossip to all others. All components gossip all rings even if they don't use them.
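Because every component gossips with every other, a per-component 7946 rule is easy to get wrong: a policy that selects a component but forgets the memberlist rule (the query-scheduler policy in the original post has that shape) silently cuts it out of the gossip ring. The added example below, not code from the Mimir chart or from anyone in the thread, shows a single memberlist-to-memberlist policy that covers all members at once, plus a small evaluator of NetworkPolicy ingress semantics that lists which pairs cannot gossip. The four pod label sets and the "issue-style" policies are constructed for the example; it assumes only the chart convention the issue relies on (gossiping pods carry `app.kubernetes.io/part-of: memberlist`, gossip on TCP 7946), and which real components join memberlist is up to the chart.

```python
"""One gossip policy for all memberlist members, and a check that finds gossip gaps.
Added example, not Mimir chart code. Pod labels and policies below are constructed."""
NAMESPACE = "phoenix-monitoring-mimir"
GOSSIP_PORT = 7946
MEMBER = {"matchLabels": {"app.kubernetes.io/part-of": "memberlist"}}


def _matches(selector, labels):
    """matchLabels-only selector semantics; an empty selector matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _rule_allows(rule, src_labels, port, proto):
    peers = rule.get("from", [])   # no `from` means any source
    ports = rule.get("ports", [])  # no `ports` means any port
    peer_ok = not peers or any(_matches(p["podSelector"], src_labels)
                               for p in peers if "podSelector" in p)
    port_ok = not ports or any(p.get("port") == port and p.get("protocol", "TCP") == proto
                               for p in ports)
    return peer_ok and port_ok


def ingress_allowed(policies, src_labels, dst_labels, port, proto="TCP"):
    """Kubernetes semantics: a pod selected by no Ingress policy accepts everything; once
    selected, a connection needs one matching rule in any of the selecting policies."""
    selecting = [p for p in policies
                 if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and _matches(p["spec"]["podSelector"], dst_labels)]
    if not selecting:
        return True
    return any(_rule_allows(rule, src_labels, port, proto)
               for p in selecting for rule in p["spec"].get("ingress", []))


def gossip_gaps(policies, pods):
    """(source, destination) component pairs that cannot gossip on GOSSIP_PORT."""
    return sorted((s, d) for s in pods for d in pods
                  if s != d and not ingress_allowed(policies, pods[s], pods[d], GOSSIP_PORT))


def _policy(name, pod_selector, rules, namespace=NAMESPACE):
    """Ingress policy with one (podSelector, TCP port) rule per entry in `rules`."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"podSelector": pod_selector, "policyTypes": ["Ingress"],
                     "ingress": [{"from": [{"podSelector": sel}],
                                  "ports": [{"port": port, "protocol": "TCP"}]}
                                 for sel, port in rules]}}


def memberlist_policy(namespace=NAMESPACE):
    """Single policy: every member may gossip with every member, whatever else a component allows."""
    return _policy("mimir-memberlist-gossip", MEMBER, [(MEMBER, GOSSIP_PORT)], namespace)


def component(c):
    return {"matchLabels": {"app.kubernetes.io/component": c}}


# Constructed cluster: four gossiping components, labelled as in the issue.
PODS = {c: {"app.kubernetes.io/component": c, "app.kubernetes.io/part-of": "memberlist"}
        for c in ("compactor", "ingester", "querier", "query-scheduler")}

# Per-component policies in the shape posted in the issue; the query-scheduler one,
# like the original, carries gRPC rules but no memberlist rule.
ISSUE_STYLE = [
    _policy("mimir-compactor", component("compactor"), [(MEMBER, GOSSIP_PORT)]),
    _policy("mimir-ingester", component("ingester"),
            [(MEMBER, GOSSIP_PORT), (component("distributor"), 9095), (component("querier"), 9095)]),
    _policy("mimir-querier", component("querier"),
            [(MEMBER, GOSSIP_PORT), (component("query-scheduler"), 9095)]),
    _policy("mimir-query-scheduler", component("query-scheduler"),
            [(component("query-frontend"), 9095), (component("querier"), 9095)]),
]

if __name__ == "__main__":
    print("gaps with per-component rules:", gossip_gaps(ISSUE_STYLE, PODS))
    print("gaps with the memberlist policy added:",
          gossip_gaps(ISSUE_STYLE + [memberlist_policy()], PODS))
```

Policies are additive, so adding `memberlist_policy()` next to the per-component ones closes every gossip gap without loosening the gRPC rules; the evaluator handles matchLabels selectors only, which is all the policies in this thread use.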
