Merge pull request #514 from dragonflydb/network-policy-update

miledxz · web-flow · commit 7607d00be320 · 2026-06-02T08:06:31.000+02:00
fix(security): harden default NetworkPolicy for client and admin ports
diff --git a/charts/dragonfly-operator/templates/deployment.yaml b/charts/dragonfly-operator/templates/deployment.yaml
@@ -67,6 +67,8 @@ spec:
             {{- toYaml .Values.rbacProxy.resources | nindent 12 }}
           {{- end }}
         - name: manager
+          command:
+            - /manager
           args:
             - --leader-elect
             {{- if .Values.dragonflyImage }}
@@ -78,8 +80,11 @@ spec:
             {{- with .Values.manager.extraArgs}}
             {{- toYaml . | nindent 12 }}
             {{- end }}
-          command:
-            - /manager
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
           securityContext:
             {{- toYaml .Values.manager.securityContext | nindent 12 }}
           image: "{{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag | default .Chart.AppVersion  }}"
diff --git a/cmd/main.go b/cmd/main.go
@@ -145,12 +145,20 @@ func main() {
 
 	defer eventBroadcaster.Shutdown()
 
+	operatorNamespace := getOperatorNamespace()
+	if operatorNamespace != "" {
+		setupLog.Info(fmt.Sprintf("Operator namespace: %s", operatorNamespace))
+	} else {
+		setupLog.Info("Operator namespace could not be determined; admin port NetworkPolicy will be restricted to same-namespace only")
+	}
+
 	if err = (&controller.DragonflyReconciler{
 		Reconciler: controller.Reconciler{
 			Client:                mgr.GetClient(),
 			Scheme:                mgr.GetScheme(),
 			EventRecorder:         eventRecorder,
 			DefaultDragonflyImage: dragonflyImage,
+			OperatorNamespace:     operatorNamespace,
 		},
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Dragonfly")
@@ -163,6 +171,7 @@ func main() {
 			Scheme:                mgr.GetScheme(),
 			EventRecorder:         eventRecorder,
 			DefaultDragonflyImage: dragonflyImage,
+			OperatorNamespace:     operatorNamespace,
 		},
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Health")
@@ -227,3 +236,21 @@ func addNamespacesToOpts(namespaces string, ops *ctrl.Options) error {
 	}
 	return nil
 }
+
+const saNamespaceFile = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
+
+func getOperatorNamespace() string {
+	return resolveOperatorNamespace(saNamespaceFile)
+}
+
+func resolveOperatorNamespace(saFile string) string {
+	if ns, ok := os.LookupEnv("POD_NAMESPACE"); ok && ns != "" {
+		return ns
+	}
+	if data, err := os.ReadFile(saFile); err == nil {
+		if ns := strings.TrimSpace(string(data)); ns != "" {
+			return ns
+		}
+	}
+	return ""
+}
diff --git a/cmd/main_test.go b/cmd/main_test.go
@@ -0,0 +1,78 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestResolveOperatorNamespace(t *testing.T) {
+	tests := []struct {
+		name     string
+		envValue *string // nil = unset, "" = set but empty
+		fileBody string  // written to a temp file; empty string means no file
+		want     string
+	}{
+		{
+			name:     "env var set",
+			envValue: strPtr("operator-ns"),
+			want:     "operator-ns",
+		},
+		{
+			name:     "env var takes precedence over file",
+			envValue: strPtr("from-env"),
+			fileBody: "from-file",
+			want:     "from-env",
+		},
+		{
+			name:     "falls back to SA file when env unset",
+			fileBody: "sa-namespace\n",
+			want:     "sa-namespace",
+		},
+		{
+			name:     "trims whitespace from SA file",
+			fileBody: "  my-ns \n",
+			want:     "my-ns",
+		},
+		{
+			name:     "empty env var ignored, falls back to file",
+			envValue: strPtr(""),
+			fileBody: "fallback-ns",
+			want:     "fallback-ns",
+		},
+		{
+			name: "returns empty when nothing available",
+			want: "",
+		},
+		{
+			name:     "empty SA file returns empty",
+			fileBody: "   \n",
+			want:     "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Setenv("POD_NAMESPACE", "")
+			os.Unsetenv("POD_NAMESPACE")
+
+			if tt.envValue != nil {
+				t.Setenv("POD_NAMESPACE", *tt.envValue)
+			}
+
+			saFile := filepath.Join(t.TempDir(), "namespace")
+			if tt.fileBody != "" {
+				if err := os.WriteFile(saFile, []byte(tt.fileBody), 0o600); err != nil {
+					t.Fatal(err)
+				}
+			}
+
+			got := resolveOperatorNamespace(saFile)
+			if got != tt.want {
+				t.Errorf("resolveOperatorNamespace() = %q, want %q", got, tt.want)
+			}
+		})
+	}
+}
+
+func strPtr(s string) *string { return &s }
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -72,6 +72,11 @@ spec:
         - --leader-elect
         image: controller:latest
         name: manager
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
diff --git a/internal/controller/base_controller.go b/internal/controller/base_controller.go
@@ -32,6 +32,7 @@ type Reconciler struct {
 	Scheme                *runtime.Scheme
 	EventRecorder         record.EventRecorder
 	DefaultDragonflyImage string
+	OperatorNamespace     string
 }
 
 func (r *Reconciler) getDragonflyInstance(ctx context.Context, namespacedName types.NamespacedName, log logr.Logger) (*DragonflyInstance, error) {
@@ -49,5 +50,6 @@ func (r *Reconciler) getDragonflyInstance(ctx context.Context, namespacedName ty
 		scheme:                r.Scheme,
 		eventRecorder:         r.EventRecorder,
 		defaultDragonflyImage: r.DefaultDragonflyImage,
+		operatorNamespace:     r.OperatorNamespace,
 	}, nil
 }
diff --git a/internal/controller/dragonfly_instance.go b/internal/controller/dragonfly_instance.go
@@ -54,6 +54,7 @@ type DragonflyInstance struct {
 	scheme                *runtime.Scheme
 	eventRecorder         record.EventRecorder
 	defaultDragonflyImage string
+	operatorNamespace     string
 	redisClients          map[string]*redis.Client
 }
 
@@ -616,7 +617,7 @@ func (dfi *DragonflyInstance) hasMasterRole(ctx context.Context, redisClient *re
 
 // reconcileResources creates or updates the dragonfly resources
 func (dfi *DragonflyInstance) reconcileResources(ctx context.Context) error {
-	dfResources, err := resources.GenerateDragonflyResources(dfi.df, dfi.defaultDragonflyImage)
+	dfResources, err := resources.GenerateDragonflyResources(dfi.df, dfi.defaultDragonflyImage, dfi.operatorNamespace)
 	if err != nil {
 		return fmt.Errorf("failed to generate dragonfly resources")
 	}
diff --git a/internal/resources/const.go b/internal/resources/const.go
@@ -100,6 +100,10 @@ const (
 	OperatorControlPlaneLabelKey   = "control-plane"
 	OperatorControlPlaneLabelValue = "controller-manager"
 
+	// KubernetesNamespaceLabelKey is the well-known label automatically set on
+	// namespaces by Kubernetes >= 1.21, used to pin NetworkPolicy selectors.
+	KubernetesNamespaceLabelKey = "kubernetes.io/metadata.name"
+
 	// Probe ConfigMap suffixes — appended to df.Name
 	LivenessProbeConfigMapSuffix  = "liveness-probe"
 	ReadinessProbeConfigMapSuffix = "readiness-probe"
diff --git a/internal/resources/image_test.go b/internal/resources/image_test.go
@@ -44,7 +44,7 @@ func TestGenerateDragonflyResources_ImageResolution(t *testing.T) {
 				},
 			}
 
-			objs, err := GenerateDragonflyResources(df, tt.defaultImage)
+			objs, err := GenerateDragonflyResources(df, tt.defaultImage, "")
 			assert.NoError(t, err)
 
 			var sts *appsv1.StatefulSet
diff --git a/internal/resources/resources.go b/internal/resources/resources.go
@@ -105,7 +105,7 @@ func generateProbeConfigMap(df *resourcesv1.Dragonfly, name, key, script string)
 
 // GenerateDragonflyResources returns the resources required for a Dragonfly
 // Instance
-func GenerateDragonflyResources(df *resourcesv1.Dragonfly, defaultDragonflyImage string) ([]client.Object, error) {
+func GenerateDragonflyResources(df *resourcesv1.Dragonfly, defaultDragonflyImage, operatorNamespace string) ([]client.Object, error) {
 	var resources []client.Object
 
 	image := df.Spec.Image
@@ -617,7 +617,7 @@ func GenerateDragonflyResources(df *resourcesv1.Dragonfly, defaultDragonflyImage
 	}
 
 	if isNetworkPolicyEnabled(df) {
-		np := generateNetworkPolicy(df)
+		np := generateNetworkPolicy(df, operatorNamespace)
 		resources = append(resources, &np)
 	}
 
@@ -628,7 +628,7 @@ func isNetworkPolicyEnabled(df *resourcesv1.Dragonfly) bool {
 	return df.Spec.NetworkPolicyEnabled == nil || *df.Spec.NetworkPolicyEnabled
 }
 
-func generateNetworkPolicy(df *resourcesv1.Dragonfly) networkingv1.NetworkPolicy {
+func generateNetworkPolicy(df *resourcesv1.Dragonfly, operatorNamespace string) networkingv1.NetworkPolicy {
 	protocolTCP := corev1.ProtocolTCP
 
 	instanceSelector := map[string]string{
@@ -637,13 +637,33 @@ func generateNetworkPolicy(df *resourcesv1.Dragonfly) networkingv1.NetworkPolicy
 		KubernetesAppNameLabelKey: KubernetesAppName,
 	}
 
+	sameNamespacePeer := networkingv1.NetworkPolicyPeer{
+		PodSelector: &metav1.LabelSelector{},
+	}
+
 	clientPortRule := networkingv1.NetworkPolicyIngressRule{
 		Ports: []networkingv1.NetworkPolicyPort{
 			{
 				Protocol: &protocolTCP,
 				Port:     &intstr.IntOrString{Type: intstr.Int, IntVal: DragonflyPort},
 			},
 		},
+		From: []networkingv1.NetworkPolicyPeer{sameNamespacePeer},
+	}
+
+	operatorPeer := networkingv1.NetworkPolicyPeer{
+		PodSelector: &metav1.LabelSelector{
+			MatchLabels: map[string]string{
+				OperatorControlPlaneLabelKey: OperatorControlPlaneLabelValue,
+			},
+		},
+	}
+	if operatorNamespace != "" {
+		operatorPeer.NamespaceSelector = &metav1.LabelSelector{
+			MatchLabels: map[string]string{
+				KubernetesNamespaceLabelKey: operatorNamespace,
+			},
+		}
 	}
 
 	adminPortRule := networkingv1.NetworkPolicyIngressRule{
@@ -654,14 +674,7 @@ func generateNetworkPolicy(df *resourcesv1.Dragonfly) networkingv1.NetworkPolicy
 			},
 		},
 		From: []networkingv1.NetworkPolicyPeer{
-			{
-				PodSelector: &metav1.LabelSelector{
-					MatchLabels: map[string]string{
-						OperatorControlPlaneLabelKey: OperatorControlPlaneLabelValue,
-					},
-				},
-				NamespaceSelector: &metav1.LabelSelector{},
-			},
+			operatorPeer,
 			{
 				PodSelector: &metav1.LabelSelector{
 					MatchLabels: instanceSelector,
@@ -680,6 +693,7 @@ func generateNetworkPolicy(df *resourcesv1.Dragonfly) networkingv1.NetworkPolicy
 					Port:     &intstr.IntOrString{Type: intstr.Int, IntVal: df.Spec.MemcachedPort},
 				},
 			},
+			From: []networkingv1.NetworkPolicyPeer{sameNamespacePeer},
 		}
 		ingressRules = append(ingressRules, memcachedPortRule)
 	}
diff --git a/internal/resources/resources_test.go b/internal/resources/resources_test.go

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,7 @@ type Reconciler struct {`
`32`	`32`	`Scheme *runtime.Scheme`
`33`	`33`	`EventRecorder record.EventRecorder`
`34`	`34`	`DefaultDragonflyImage string`
	`35`	`+ OperatorNamespace string`
`35`	`36`	`}`
`36`	`37`
`37`	`38`	`func (r Reconciler) getDragonflyInstance(ctx context.Context, namespacedName types.NamespacedName, log logr.Logger) (DragonflyInstance, error) {`
`@@ -49,5 +50,6 @@ func (r *Reconciler) getDragonflyInstance(ctx context.Context, namespacedName ty`
`49`	`50`	`scheme: r.Scheme,`
`50`	`51`	`eventRecorder: r.EventRecorder,`
`51`	`52`	`defaultDragonflyImage: r.DefaultDragonflyImage,`
	`53`	`+ operatorNamespace: r.OperatorNamespace,`
`52`	`54`	`}, nil`
`53`	`55`	`}`
Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,7 @@ type DragonflyInstance struct {`
`54`	`54`	`scheme *runtime.Scheme`
`55`	`55`	`eventRecorder record.EventRecorder`
`56`	`56`	`defaultDragonflyImage string`
	`57`	`+ operatorNamespace string`
`57`	`58`	`redisClients map[string]*redis.Client`
`58`	`59`	`}`
`59`	`60`
`@@ -616,7 +617,7 @@ func (dfi DragonflyInstance) hasMasterRole(ctx context.Context, redisClient re`
`616`	`617`
`617`	`618`	`// reconcileResources creates or updates the dragonfly resources`
`618`	`619`	`func (dfi *DragonflyInstance) reconcileResources(ctx context.Context) error {`
`619`		`- dfResources, err := resources.GenerateDragonflyResources(dfi.df, dfi.defaultDragonflyImage)`
	`620`	`+ dfResources, err := resources.GenerateDragonflyResources(dfi.df, dfi.defaultDragonflyImage, dfi.operatorNamespace)`
`620`	`621`	`if err != nil {`
`621`	`622`	`return fmt.Errorf("failed to generate dragonfly resources")`
`622`	`623`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ func TestGenerateDragonflyResources_ImageResolution(t *testing.T) {`
`44`	`44`	`},`
`45`	`45`	`}`
`46`	`46`
`47`		`- objs, err := GenerateDragonflyResources(df, tt.defaultImage)`
	`47`	`+ objs, err := GenerateDragonflyResources(df, tt.defaultImage, "")`
`48`	`48`	`assert.NoError(t, err)`
`49`	`49`
`50`	`50`	`var sts *appsv1.StatefulSet`