diff --git a/ceph-rgw/templates/network_policy.yaml b/ceph-rgw/templates/network_policy.yaml
index 4de0402c3..be11d4166 100644
--- a/ceph-rgw/templates/network_policy.yaml
+++ b/ceph-rgw/templates/network_policy.yaml
@@ -13,6 +13,6 @@
 # limitations under the License.
 {{- if .Values.manifests.network_policy -}}
-{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ceph" -}}
+{{- $netpol_opts := dict "envAll" . "key" "rgw" "labels" (dict "application" "ceph" "component" "rgw") -}}
 {{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
 {{- end -}}
diff --git a/ceph-rgw/values.yaml b/ceph-rgw/values.yaml
index 6492b7aa7..b76359de9 100644
--- a/ceph-rgw/values.yaml
+++ b/ceph-rgw/values.yaml
@@ -157,9 +157,11 @@ pod:
 cpu: "2000m"
 network_policy:
- ceph:
+ rgw:
 ingress:
 - {}
+ egress:
+ - {}
 ceph_client:
 configmap: ceph-etc
@@ -532,6 +534,22 @@ endpoints:
 port:
 mon:
 default: 6789
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
 manifests:
 configmap_ceph_templates: true
diff --git a/ceph-rgw/values_overrides/netpol.yaml b/ceph-rgw/values_overrides/netpol.yaml
new file mode 100644
index 000000000..4c0973818
--- /dev/null
+++ b/ceph-rgw/values_overrides/netpol.yaml
@@ -0,0 +1,20 @@
+manifests:
+ network_policy: true
+network_policy:
+ rgw:
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 172.17.0.1/16
+ - to:
+ ports:
+ - protocol: TCP
+ port: 80
+ - protocol: TCP
+ port: 443
+ - to:
+ - ipBlock:
+ cidr: $API_ADDR/32
+ ports:
+ - protocol: TCP
+ port: $API_PORT
diff --git a/helm-toolkit/templates/manifests/_network_policy.tpl b/helm-toolkit/templates/manifests/_network_policy.tpl
index 645676586..405197ab7 100644
--- a/helm-toolkit/templates/manifests/_network_policy.tpl
+++ b/helm-toolkit/templates/manifests/_network_policy.tpl
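Review bot: The new default `egress: - {}` under `network_policy.rgw` is an allow-all egress rule, so once `manifests.network_policy` is enabled with stock values the endpoint-derived rules the toolkit now generates are redundant and the pod's egress stays unrestricted. That is presumably the intended permissive default, but nothing in the values file says so; a comment such as `# - {} permits all egress; replace per deployment (see values_overrides/netpol.yaml)` would make it explicit. The override added in this commit replaces the list, so the default only matters to deployments that enable the policy without overriding `egress`.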
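Review bot: The second rule in `network_policy.rgw.egress` has an empty `to:`, so it permits egress to any destination on TCP 80 and 443, cluster-internal pods included; if only external HTTP(S) is meant, an `ipBlock` with an `except` list for the cluster ranges, or at least a comment stating the intent, would make that explicit. The first rule's `cidr: 172.17.0.1/16` has host bits set; the canonical form is `cidr: 172.17.0.0/16`. `$API_ADDR/32` and `$API_PORT` appear to be substituted before install (the same pattern is used in the mariadb, memcached and rabbitmq overrides below); if the substitution is skipped the API server rejects the policy rather than applying a permissive one, which is the safe failure, but a short comment naming the substitution step would spare the next reader the guess.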
@@ -16,6 +16,23 @@ limitations under the License.
 abstract: |
 Creates a network policy manifest for services.
 values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
 network_policy:
 myLabel:
 podSelector:
@@ -30,19 +47,21 @@ values: |
 - protocol: TCP
 port: 80
 egress:
- - ports:
- - port: 53
- protocol: UDP
- to:
+ - to:
 - namespaceSelector:
 matchLabels:
- name: kube-system
- podSelector:
+ name: default
+ - namespaceSelector:
 matchLabels:
- application: kubernetes
- component: coredns
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
 usage: |
 {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
 return: |
 ---
 apiVersion: networking.k8s.io/v1
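Review bot: The new `usage:` example `{{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}` is not piped into the template, unlike the line above it, so copying it renders nothing; it should end `| include "helm-toolkit.manifests.kubernetes_network_policy" }}`. The `values:` example now selects `namespaceSelector` entries named `default` and `kube-public`, while the `return:` block in the next hunk renders the first of them as `podSelector: matchLabels: name: default`, so the two halves of the doc no longer describe the same rule. The `endpoints.kube_dns` snippet is a verbatim copy of the chart value; a sentence stating that every `endpoints` entry carrying a `namespace` or `hosts` key is turned into an egress rule would tell readers why it is documented here.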
@@ -67,21 +86,60 @@ return: |
 - protocol: TCP
 port: 80
 egress:
- - ports:
- - port: 53
- protocol: UDP
- to:
- - namespaceSelector: {}
- podSelector:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
 matchLabels:
- application: kubernetes
- component: coredns
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
 */}}
 {{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
 {{- $envAll := index . "envAll" -}}
 {{- $name := index . "name" -}}
-{{- $label := index . "label" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -92,27 +150,33 @@ spec:
 {{- if hasKey (index $envAll.Values "network_policy") $label }}
 policyTypes:
 {{- $is_egress := false -}}
-{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" }}
-{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") }}
-{{ $is_egress = true }}
-{{- end }}
-{{- end }}
-{{ if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
 - Egress
-{{- end }}
+{{ end -}}
 {{- $is_ingress := false -}}
-{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" }}
-{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
 {{- $is_ingress = true -}}
-{{- end }}
-{{- end }}
-{{ if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
 - Ingress
-{{- end }}
+{{ end -}}
 {{- end }}
 podSelector:
 matchLabels:
+{{- if empty $labels }}
 {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
 {{- if hasKey (index $envAll.Values "network_policy") $label }}
 {{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
 {{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
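Review bot: When `labels` is passed but empty, `{{- if empty $labels }}` falls back to `{{ $name }}: {{ $label }}`, and under the new `key`/`labels` calling convention `name` is typically not supplied, so the selector would presumably render as `<no value>: rgw`, an invalid label key that the API server rejects with a message far from the cause; checking `and $name $label` in that branch, or calling `fail` with a clear message, would surface the misuse at render time. As a point of style, `{{ range $k, $v := $labels }}` lacks the left trim marker its neighbours use, which leaves a blank line between `matchLabels:` and the first label; `{{- range $k, $v := $labels }}` keeps the output consistent with the rest of the template.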
@@ -121,8 +185,47 @@ spec:
 {{ end }}
 {{ end }}
 {{- if hasKey (index $envAll.Values "network_policy") $label }}
-{{- if index $envAll.Values.network_policy $label "egress" }}
 egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
 {{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
 {{- end }}
 {{- end }}
diff --git a/mariadb/values_overrides/netpol.yaml b/mariadb/values_overrides/netpol.yaml
index 7a8575320..f5ae02ebf 100644
--- a/mariadb/values_overrides/netpol.yaml
+++ b/mariadb/values_overrides/netpol.yaml
@@ -1,2 +1,11 @@
 manifests:
 network_policy: true
+network_policy:
+ mariadb:
+ egress:
+ - to:
+ - ipBlock:
+ cidr: $API_ADDR/32
+ ports:
+ - protocol: TCP
+ port: $API_PORT
diff --git a/memcached/values_overrides/netpol.yaml b/memcached/values_overrides/netpol.yaml
index 7a8575320..204e64cce 100644
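Review bot: The endpoint-derived egress rules select by namespace alone: for every `endpoints` entry with a `namespace`, `to:` gets only `namespaceSelector: matchLabels: name: <namespace>`, which lets the pod reach any pod in that namespace on the listed ports, broader than the `coredns`-scoped `podSelector` this commit drops from the documented example. That selector also depends on namespaces carrying a `name` label, which nothing here guarantees (newer Kubernetes sets `kubernetes.io/metadata.name` automatically instead), and a missing label makes the rule match nothing, so DNS egress can end up denied rather than allowed. For `hosts`-only endpoints the `application` label is guessed from the text before the first `-` of `hosts.internal` or `hosts.default` (`ceph-mon` becomes `ceph`), which is only right where pods are labelled that way, and if the chosen key is absent `$defaultValue` is nil and `split "-" $defaultValue` will likely abort the render. The loop also walks every map under `.Values.endpoints`, not just the services this chart's pods actually contact, and the inner `range $pk, $pv := $v` assumes each `port` entry is a map. Documenting these assumptions in a comment above the `range`, and pairing the namespace selector with a `podSelector` where the endpoint also defines `hosts`, would keep the generated policy closer to least privilege.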
--- a/memcached/values_overrides/netpol.yaml
+++ b/memcached/values_overrides/netpol.yaml
@@ -1,2 +1,11 @@
 manifests:
 network_policy: true
+network_policy:
+ memcached:
+ egress:
+ - to:
+ - ipBlock:
+ cidr: $API_ADDR/32
+ ports:
+ - protocol: TCP
+ port: $API_PORT
diff --git a/rabbitmq/values_overrides/netpol.yaml b/rabbitmq/values_overrides/netpol.yaml
index e7341221e..497955842 100644
--- a/rabbitmq/values_overrides/netpol.yaml
+++ b/rabbitmq/values_overrides/netpol.yaml
@@ -82,3 +82,27 @@ manifests:
 prometheus:
 network_policy_exporter: true
 network_policy: true
+network_policy:
+ rabbitmq:
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ application: rabbitmq
+ ports:
+ # Erlang port mapper daemon (epmd)
+ - protocol: TCP
+ port: 4369
+ # Rabbit clustering port AMQP + 20000
+ - protocol: TCP
+ port: 25672
+ # NOTE(lamt): Set by inet_dist_listen_{min/max}. Firewalls must
+ # permit traffic in this range to pass between clustered nodes.
+ # - protocol: TCP
+ # port: 35197
+ - to:
+ - ipBlock:
+ cidr: $API_ADDR/32
+ ports:
+ - protocol: TCP
+ port: $API_PORT
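Review bot: The `NOTE(lamt)` comment in the rabbitmq override says firewalls must permit the `inet_dist_listen_{min/max}` range between clustered nodes, yet the matching `- protocol: TCP` / `port: 35197` entry is commented out, so the peer rule as written permits only 4369 and 25672; if the distribution port is required for clustering the policy blocks it, and if it is not, the comment contradicts the rule. Either restore the entry or rewrite the note so it states the decision, for example `# inet_dist port (35197) intentionally not opened: <reason>`, where the reason is filled in by the author. The memcached hunk above shares the `$API_ADDR`/`$API_PORT` substitution caveat already raised on the ceph-rgw override.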