diff --git a/src/server/services/file-browser-service.ts b/src/server/services/file-browser-service.ts
index cf20794..889f1b2 100644
--- a/src/server/services/file-browser-service.ts
+++ b/src/server/services/file-browser-service.ts
@@ -11,6 +11,7 @@ import podService from "./pod.service";
 import bcrypt from "bcrypt";
 import hostnameDnsProviderService from "./hostname-dns-provider.service";
 import pvcService from "./pvc.service";
+import networkPolicyService from "./network-policy.service";
 
 class FileBrowserService {
 
@@ -55,6 +56,9 @@ class FileBrowserService {
 console.log(`Creating ingress for filebrowser for volume ${volumeId}`);
 await this.createOrUpdateIngress(kubeAppName, namespace, appId, projectId, traefikHostname);
 
+ console.log(`Creating network policy for filebrowser for volume ${volumeId}`);
+ await networkPolicyService.reconcileFileBrowserNetworkPolicy(kubeAppName, projectId);
+
 const fileBrowserPods = await podService.getPodsForApp(projectId, kubeAppName);
 for (const pod of fileBrowserPods) {
 await podService.waitUntilPodIsRunningFailedOrSucceded(projectId, pod.podName);
@@ -92,6 +96,8 @@ class FileBrowserService {
 if (existingIngress) {
 await k3s.network.deleteNamespacedIngress(KubeObjectNameUtils.getIngressName(kubeAppName), projectId);
 }
+
+ await networkPolicyService.deleteFileBrowserNetworkPolicy(kubeAppName, projectId);
 }
 
 private async createOrUpdateIngress(kubeAppName: string, namespace: string, appId: string, projectId: string, traefikHostname: string) {
diff --git a/src/server/services/network-policy.service.ts b/src/server/services/network-policy.service.ts
index 65bf68b..556292e 100644
--- a/src/server/services/network-policy.service.ts
+++ b/src/server/services/network-policy.service.ts
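Review bot: In the second hunk the network policy is applied only after `createOrUpdateIngress` has already published the file browser, so if `reconcileFileBrowserNetworkPolicy` throws, the pod stays reachable through the ingress with no policy at all (fail-open). Move the two added lines above `await this.createOrUpdateIngress(kubeAppName, namespace, appId, projectId, traefikHostname);` so that a policy-apply failure aborts before the ingress exists. If the file-browser pod is created earlier in this method (outside the hunk), applying the policy before that creation would also close the window in which the pod runs with unrestricted egress; that part cannot be confirmed from the hunk. The enclosing method starts and ends outside the hunk.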
@@ -357,6 +357,66 @@ class NetworkPolicyService {
 await k3s.network.deleteNamespacedNetworkPolicy(policyName, projectId);
 }
 
+ async reconcileFileBrowserNetworkPolicy(fileBrowserAppName: string, projectId: string) {
+ const policyName = KubeObjectNameUtils.toNetworkPolicyName(fileBrowserAppName);
+ const namespace = projectId;
+
+ const policy: V1NetworkPolicy = {
+ apiVersion: "networking.k8s.io/v1",
+ kind: "NetworkPolicy",
+ metadata: {
+ name: policyName,
+ namespace: namespace,
+ labels: {
+ app: fileBrowserAppName,
+ 'file-browser': 'true'
+ },
+ annotations: {
+ [Constants.QS_ANNOTATION_PROJECT_ID]: projectId,
+ }
+ },
+ spec: {
+ podSelector: {
+ matchLabels: {
+ app: fileBrowserAppName
+ }
+ },
+ policyTypes: ["Ingress", "Egress"],
+ ingress: [
+ {
+ // Allow from Traefik (internet traffic)
+ from: [
+ {
+ namespaceSelector: {
+ matchLabels: {
+ 'kubernetes.io/metadata.name': 'kube-system'
+ }
+ },
+ podSelector: {
+ matchLabels: {
+ 'app.kubernetes.io/name': 'traefik'
+ }
+ }
+ }
+ ]
+ }
+ ],
+ egress: [] // Deny all outgoing traffic
+ }
+ };
+ console.log('Creating FileBrowser Network Policy:', JSON.stringify(policy, null, 2));
+ await this.applyNetworkPolicy(namespace, policyName, policy);
+ }
+
+ async deleteFileBrowserNetworkPolicy(fileBrowserAppName: string, projectId: string) {
+ const policyName = KubeObjectNameUtils.toNetworkPolicyName(fileBrowserAppName);
+ const existingNetworkPolicy = await this.getExistingNetworkPolicy(projectId, policyName);
+ if (!existingNetworkPolicy) {
+ return;
+ }
+ await k3s.network.deleteNamespacedNetworkPolicy(policyName, projectId);
+ }
+
 async deleteAllNetworkPolicies() {
 const namespaces = await k3s.core.listNamespace();
 let deletedCount = 0;
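Review bot: The ingress rule in `reconcileFileBrowserNetworkPolicy` carries no `ports` entry, so the Traefik pods it admits can reach every port on the file-browser pod rather than only the one the ingress routes to; add `ports: [{ protocol: "TCP", port: FILEBROWSER_PORT }]` (FILEBROWSER_PORT is a placeholder for the container port the ingress targets) alongside `from` in that rule. The policy's `podSelector` relies on the pod template carrying `app: fileBrowserAppName`; if the deployment uses a different label key the policy selects nothing and the pod stays unrestricted without any error, which the hunk cannot confirm, so a comment such as `// must match the label set on the file-browser pod template` next to the selector would make the coupling explicit. `egress: []` with `Egress` in `policyTypes` also blocks DNS, which the `// Deny all outgoing traffic` comment implies is intended; if the file browser ever needs name resolution that rule is where it will fail.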