Merge "Update egress HTK method"
This commit is contained in:
commit
108f89b208
@ -13,6 +13,6 @@
|
|||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
{{- if .Values.manifests.network_policy -}}
|
{{- if .Values.manifests.network_policy -}}
|
||||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ceph" -}}
|
{{- $netpol_opts := dict "envAll" . "key" "rgw" "labels" (dict "application" "ceph" "component" "rgw") -}}
|
||||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
@ -157,9 +157,11 @@ pod:
|
|||||||
cpu: "2000m"
|
cpu: "2000m"
|
||||||
|
|
||||||
network_policy:
|
network_policy:
|
||||||
ceph:
|
rgw:
|
||||||
ingress:
|
ingress:
|
||||||
- {}
|
- {}
|
||||||
|
egress:
|
||||||
|
- {}
|
||||||
|
|
||||||
ceph_client:
|
ceph_client:
|
||||||
configmap: ceph-etc
|
configmap: ceph-etc
|
||||||
@ -532,6 +534,22 @@ endpoints:
|
|||||||
port:
|
port:
|
||||||
mon:
|
mon:
|
||||||
default: 6789
|
default: 6789
|
||||||
|
kube_dns:
|
||||||
|
namespace: kube-system
|
||||||
|
name: kubernetes-dns
|
||||||
|
hosts:
|
||||||
|
default: kube-dns
|
||||||
|
host_fqdn_override:
|
||||||
|
default: null
|
||||||
|
path:
|
||||||
|
default: null
|
||||||
|
scheme: http
|
||||||
|
port:
|
||||||
|
dns_tcp:
|
||||||
|
default: 53
|
||||||
|
dns:
|
||||||
|
default: 53
|
||||||
|
protocol: UDP
|
||||||
|
|
||||||
manifests:
|
manifests:
|
||||||
configmap_ceph_templates: true
|
configmap_ceph_templates: true
|
||||||
|
20
ceph-rgw/values_overrides/netpol.yaml
Normal file
20
ceph-rgw/values_overrides/netpol.yaml
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
manifests:
|
||||||
|
network_policy: true
|
||||||
|
network_policy:
|
||||||
|
rgw:
|
||||||
|
egress:
|
||||||
|
- to:
|
||||||
|
- ipBlock:
|
||||||
|
cidr: 172.17.0.1/16
|
||||||
|
- to:
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: 80
|
||||||
|
- protocol: TCP
|
||||||
|
port: 443
|
||||||
|
- to:
|
||||||
|
- ipBlock:
|
||||||
|
cidr: $API_ADDR/32
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: $API_PORT
|
@ -16,6 +16,23 @@ limitations under the License.
|
|||||||
abstract: |
|
abstract: |
|
||||||
Creates a network policy manifest for services.
|
Creates a network policy manifest for services.
|
||||||
values: |
|
values: |
|
||||||
|
endpoints:
|
||||||
|
kube_dns:
|
||||||
|
namespace: kube-system
|
||||||
|
name: kubernetes-dns
|
||||||
|
hosts:
|
||||||
|
default: kube-dns
|
||||||
|
host_fqdn_override:
|
||||||
|
default: null
|
||||||
|
path:
|
||||||
|
default: null
|
||||||
|
scheme: http
|
||||||
|
port:
|
||||||
|
dns_tcp:
|
||||||
|
default: 53
|
||||||
|
dns:
|
||||||
|
default: 53
|
||||||
|
protocol: UDP
|
||||||
network_policy:
|
network_policy:
|
||||||
myLabel:
|
myLabel:
|
||||||
podSelector:
|
podSelector:
|
||||||
@ -30,19 +47,21 @@ values: |
|
|||||||
- protocol: TCP
|
- protocol: TCP
|
||||||
port: 80
|
port: 80
|
||||||
egress:
|
egress:
|
||||||
- ports:
|
- to:
|
||||||
- port: 53
|
|
||||||
protocol: UDP
|
|
||||||
to:
|
|
||||||
- namespaceSelector:
|
- namespaceSelector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
name: kube-system
|
name: default
|
||||||
podSelector:
|
- namespaceSelector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
application: kubernetes
|
name: kube-public
|
||||||
component: coredns
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: 53
|
||||||
|
- protocol: UDP
|
||||||
|
port: 53
|
||||||
usage: |
|
usage: |
|
||||||
{{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
{{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||||
|
{{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
|
||||||
return: |
|
return: |
|
||||||
---
|
---
|
||||||
apiVersion: networking.k8s.io/v1
|
apiVersion: networking.k8s.io/v1
|
||||||
@ -67,21 +86,60 @@ return: |
|
|||||||
- protocol: TCP
|
- protocol: TCP
|
||||||
port: 80
|
port: 80
|
||||||
egress:
|
egress:
|
||||||
- ports:
|
- to:
|
||||||
- port: 53
|
- podSelector:
|
||||||
protocol: UDP
|
matchLabels:
|
||||||
to:
|
name: default
|
||||||
- namespaceSelector: {}
|
- namespaceSelector:
|
||||||
|
matchLabels:
|
||||||
|
name: kube-public
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: 53
|
||||||
|
- protocol: UDP
|
||||||
|
port: 53
|
||||||
|
---
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: NetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: RELEASE-NAME
|
||||||
|
namespace: NAMESPACE
|
||||||
|
spec:
|
||||||
|
policyTypes:
|
||||||
|
- Ingress
|
||||||
|
- Egress
|
||||||
podSelector:
|
podSelector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
application: kubernetes
|
application: myApp
|
||||||
component: coredns
|
component: myComp
|
||||||
|
ingress:
|
||||||
|
- from:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
application: keystone
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: 80
|
||||||
|
egress:
|
||||||
|
- to:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
name: default
|
||||||
|
- namespaceSelector:
|
||||||
|
matchLabels:
|
||||||
|
name: kube-public
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: 53
|
||||||
|
- protocol: UDP
|
||||||
|
port: 53
|
||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
|
{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
|
||||||
{{- $envAll := index . "envAll" -}}
|
{{- $envAll := index . "envAll" -}}
|
||||||
{{- $name := index . "name" -}}
|
{{- $name := index . "name" -}}
|
||||||
{{- $label := index . "label" -}}
|
{{- $labels := index . "labels" | default nil -}}
|
||||||
|
{{- $label := index . "key" | default (index . "label") -}}
|
||||||
---
|
---
|
||||||
apiVersion: networking.k8s.io/v1
|
apiVersion: networking.k8s.io/v1
|
||||||
kind: NetworkPolicy
|
kind: NetworkPolicy
|
||||||
@ -92,27 +150,33 @@ spec:
|
|||||||
{{- if hasKey (index $envAll.Values "network_policy") $label }}
|
{{- if hasKey (index $envAll.Values "network_policy") $label }}
|
||||||
policyTypes:
|
policyTypes:
|
||||||
{{- $is_egress := false -}}
|
{{- $is_egress := false -}}
|
||||||
{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" }}
|
{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
|
||||||
{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") }}
|
{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
|
||||||
{{ $is_egress = true }}
|
{{- $is_egress = true -}}
|
||||||
{{- end }}
|
{{- end -}}
|
||||||
{{- end }}
|
{{- end -}}
|
||||||
{{ if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
|
{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
|
||||||
- Egress
|
- Egress
|
||||||
{{- end }}
|
{{ end -}}
|
||||||
{{- $is_ingress := false -}}
|
{{- $is_ingress := false -}}
|
||||||
{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" }}
|
{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
|
||||||
{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") }}
|
{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
|
||||||
{{- $is_ingress = true -}}
|
{{- $is_ingress = true -}}
|
||||||
{{- end }}
|
{{- end -}}
|
||||||
{{- end }}
|
{{- end -}}
|
||||||
{{ if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
|
{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
|
||||||
- Ingress
|
- Ingress
|
||||||
{{- end }}
|
{{ end -}}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
podSelector:
|
podSelector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
|
{{- if empty $labels }}
|
||||||
{{ $name }}: {{ $label }}
|
{{ $name }}: {{ $label }}
|
||||||
|
{{- else }}
|
||||||
|
{{ range $k, $v := $labels }}
|
||||||
|
{{ $k }}: {{ $v }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
{{- if hasKey (index $envAll.Values "network_policy") $label }}
|
{{- if hasKey (index $envAll.Values "network_policy") $label }}
|
||||||
{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
|
{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
|
||||||
{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
|
{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
|
||||||
@ -121,8 +185,47 @@ spec:
|
|||||||
{{ end }}
|
{{ end }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
{{- if hasKey (index $envAll.Values "network_policy") $label }}
|
{{- if hasKey (index $envAll.Values "network_policy") $label }}
|
||||||
{{- if index $envAll.Values.network_policy $label "egress" }}
|
|
||||||
egress:
|
egress:
|
||||||
|
{{- range $key, $value := $envAll.Values.endpoints }}
|
||||||
|
{{- if kindIs "map" $value }}
|
||||||
|
{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
|
||||||
|
- to:
|
||||||
|
{{- if index $value "namespace" }}
|
||||||
|
- namespaceSelector:
|
||||||
|
matchLabels:
|
||||||
|
name: {{ index $value "namespace" }}
|
||||||
|
{{- else if index $value "hosts" }}
|
||||||
|
{{- $defaultValue := index $value "hosts" "internal" }}
|
||||||
|
{{- if hasKey (index $value "hosts") "internal" }}
|
||||||
|
{{- $a := split "-" $defaultValue }}
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
application: {{ printf "%s" (index $a._0) | default $defaultValue }}
|
||||||
|
{{- else }}
|
||||||
|
{{- $defaultValue := index $value "hosts" "default" }}
|
||||||
|
{{- $a := split "-" $defaultValue }}
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
application: {{ printf "%s" (index $a._0) | default $defaultValue }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if index $value "port" }}
|
||||||
|
ports:
|
||||||
|
{{- range $k, $v := index $value "port" }}
|
||||||
|
{{- if $k }}
|
||||||
|
{{- range $pk, $pv := $v }}
|
||||||
|
{{- if and $pv (ne $pk "protocol") }}
|
||||||
|
- port: {{ $pv }}
|
||||||
|
protocol: {{ $v.protocol | default "TCP" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if index $envAll.Values.network_policy $label "egress" }}
|
||||||
{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
|
{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -1,2 +1,11 @@
|
|||||||
manifests:
|
manifests:
|
||||||
network_policy: true
|
network_policy: true
|
||||||
|
network_policy:
|
||||||
|
mariadb:
|
||||||
|
egress:
|
||||||
|
- to:
|
||||||
|
- ipBlock:
|
||||||
|
cidr: $API_ADDR/32
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: $API_PORT
|
||||||
|
@ -1,2 +1,11 @@
|
|||||||
manifests:
|
manifests:
|
||||||
network_policy: true
|
network_policy: true
|
||||||
|
network_policy:
|
||||||
|
memcached:
|
||||||
|
egress:
|
||||||
|
- to:
|
||||||
|
- ipBlock:
|
||||||
|
cidr: $API_ADDR/32
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: $API_PORT
|
||||||
|
@ -82,3 +82,27 @@ manifests:
|
|||||||
prometheus:
|
prometheus:
|
||||||
network_policy_exporter: true
|
network_policy_exporter: true
|
||||||
network_policy: true
|
network_policy: true
|
||||||
|
network_policy:
|
||||||
|
rabbitmq:
|
||||||
|
egress:
|
||||||
|
- to:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
application: rabbitmq
|
||||||
|
ports:
|
||||||
|
# Erlang port mapper daemon (epmd)
|
||||||
|
- protocol: TCP
|
||||||
|
port: 4369
|
||||||
|
# Rabbit clustering port AMQP + 20000
|
||||||
|
- protocol: TCP
|
||||||
|
port: 25672
|
||||||
|
# NOTE(lamt): Set by inet_dist_listen_{min/max}. Firewalls must
|
||||||
|
# permit traffic in this range to pass between clustered nodes.
|
||||||
|
# - protocol: TCP
|
||||||
|
# port: 35197
|
||||||
|
- to:
|
||||||
|
- ipBlock:
|
||||||
|
cidr: $API_ADDR/32
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: $API_PORT
|
||||||
|
Loading…
x
Reference in New Issue
Block a user