Egress NetworkPolicy from Helm blocks kube-api traffic with Cilium

[DeD1rk]

This is more of a cilium issue than a cert-manager one, but I'm posting it here so others may find it.

When enforcing network policies with Cilium, the allow-egress policy that's created trhough helm if webhook.networkPolicy.enabled=true doesn't work. While that policy should allow pretty much all egress (including TCP/(6)443), to ipBlock 0.0.0.0/0, this doesn't work on Cilium when your kube-apiserver is hosted on cluster nodes, unless you configure this: https://docs.cilium.io/en/stable/security/policy/language/#selecting-nodes-with-cidr-ipblock. See also cilium/cilium#20550.

Cert-manager could also help here by:

• Documenting this somewhere, e.g. in the Helm values documentation.
• Offering a way to only enable the ingress NetworkPolicy.

(Based on cilium v1.18.4 and cert-manager v1.18.2)

[wallrj-cyberark]

Thanks @DeD1rk. Please create a PR with some proposed additional words for the Helm values documentation. Here's the source:

cert-manager/deploy/charts/cert-manager/values.yaml

Lines 975 to 1011 in 6bb9c74

	# Enables default network policies for webhooks.
	networkPolicy:
	# Create network policies for the webhooks.
	enabled: false
	# Ingress rule for the webhook network policy. By default, it allows all
	# inbound traffic.
	# +docs:property
	ingress:
	- from:
	- ipBlock:
	cidr: 0.0.0.0/0
	- ipBlock:
	cidr: "::/0"
	# Egress rule for the webhook network policy. By default, it allows all
	# outbound traffic to ports 80 and 443, as well as DNS ports.
	# +docs:property
	egress:
	- ports:
	- port: 80
	protocol: TCP
	- port: 443
	protocol: TCP
	- port: 53
	protocol: TCP
	- port: 53
	protocol: UDP
	# On OpenShift and OKD, the Kubernetes API server listens on.
	# port 6443.
	- port: 6443
	protocol: TCP
	to:
	- ipBlock:
	cidr: 0.0.0.0/0
	- ipBlock:
	cidr: "::/0"

You can modify the comments and then run make generate-helm-docs generate-helm-schema to update the README template and Helm schema file.

Offering a way to only enable the ingress NetworkPolicy.

See if you can achieve that by setting the egress stanza to null. E.g.,

# values.yaml
webhook:
  networkPolicy:
    enabled: true
    egress: null

Here's what I get, but I haven't tested it:

$ helm template oci://quay.io/jetstack/charts/cert-manager --values values.yaml --show-only templates/networkpolicy-egress.yaml
Pulled: quay.io/jetstack/charts/cert-manager:1.19.1
Digest: sha256:9578566b26b2258bcb9a0be27feeaa7c0adaed635cc0f85b6293e42a80c58cc9
---
# Source: cert-manager/templates/networkpolicy-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: release-name-cert-manager-webhook-allow-egress
  namespace: default
spec:
  egress:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: webhook
      app.kubernetes.io/instance: release-name
      app.kubernetes.io/component: "webhook"
  policyTypes:
  - Egress

[DeD1rk]

spec:
  egress:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: webhook
      app.kubernetes.io/instance: release-name
      app.kubernetes.io/component: "webhook"
  policyTypes:
  - Egress

Would deny all egress. However, the following should work according to https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/network-policy-v1/:

spec:
  egress:
    - ports: 
     - port: 80 
       protocol: TCP 
     - port: 443 
       protocol: TCP 
     - port: 53 
       protocol: TCP 
     - port: 53 
       protocol: UDP 
     # On OpenShift and OKD, the Kubernetes API server listens on. 
     # port 6443. 
     - port: 6443 
       protocol: TCP 
     to: []  # empty egress.to should mean "traffic not restricted by destination" 
  podSelector:
    matchLabels:
      app.kubernetes.io/name: webhook
      app.kubernetes.io/instance: release-name
      app.kubernetes.io/component: "webhook"
  policyTypes:
  - Egress

I'll try that out. If it works, perhaps it's best to adopt that in the default values? If it weren't for ciliums weird behavior, it should be equivalent.

[wallrj-cyberark]

@DeD1rk Please read #8370 and tell @jcpunk whether his changes will solve the problem you are describing here.

[DeD1rk]

@wallrj-cyberark Sorry I never got to testing this. But yes, removing the to: does the trick!

[wallrj-cyberark]

📢 The fix or feature is now available for testing

• https://github.com/cert-manager/cert-manager/releases/tag/v1.20.0-alpha.1

Please test and report back.