Merge "Update egress HTK method"

This commit is contained in:
Zuul 2019-11-22 00:08:50 +00:00 committed by Gerrit Code Review
commit 108f89b208
7 changed files with 216 additions and 33 deletions


@ -13,6 +13,6 @@
# limitations under the License. # limitations under the License.
{{- if .Values.manifests.network_policy -}} {{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ceph" -}} {{- $netpol_opts := dict "envAll" . "key" "rgw" "labels" (dict "application" "ceph" "component" "rgw") -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} {{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}} {{- end -}}


@ -157,9 +157,11 @@ pod:
cpu: "2000m" cpu: "2000m"
network_policy: network_policy:
ceph: rgw:
ingress: ingress:
- {} - {}
egress:
- {}
ceph_client: ceph_client:
configmap: ceph-etc configmap: ceph-etc
@ -532,6 +534,22 @@ endpoints:
port: port:
mon: mon:
default: 6789 default: 6789
kube_dns:
namespace: kube-system
name: kubernetes-dns
hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns_tcp:
default: 53
dns:
default: 53
protocol: UDP
manifests: manifests:
configmap_ceph_templates: true configmap_ceph_templates: true
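Review bot: The new default `egress: - {}` under `network_policy.rgw` in the first hunk is an allow-all rule: a non-empty egress list makes the template declare `Egress` in policyTypes and append the list verbatim after the endpoint-derived rules, and an egress rule with neither `to` nor `ports` matches every destination, so the generated allowlist is not enforced until a deployer overrides this value. If a permissive default is intended, say so next to it, e.g. `# NOTE: an empty rule permits all egress; override with explicit rules to restrict it`. If deny-by-default is intended, `policyTypes: [Ingress, Egress]` with no egress entries would achieve it, but since the `egress:` stanza is only rendered when this list is non-empty that would also block DNS to the kube_dns endpoint added in the second hunk. Both hunks are cut from a larger values file, so the surrounding keys are inferred.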

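--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,20 @@
+manifests:
+network_policy: true
+network_policy:
+rgw:
+egress:
+- to:
+- ipBlock:
+cidr: 172.17.0.1/16
+- to:
+ports:
+- protocol: TCP
+port: 80
+- protocol: TCP
+port: 443
+- to:
+- ipBlock:
+cidr: $API_ADDR/32
+ports:
+- protocol: TCP
+port: $API_PORT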
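Review bot: `cidr: 172.17.0.1/16` in the first rule carries host bits; write the network address, `cidr: 172.17.0.0/16`, so the permitted range does not depend on the API server canonicalising it. The second rule, as rendered here, has an empty `to:` and only `ports:` for 80 and 443, which permits those ports to any destination rather than to a selected peer; if that breadth is intended, mark it, e.g. `# allow HTTP/HTTPS egress to any destination`, and otherwise add a podSelector, namespaceSelector or ipBlock under `to`. The file path is not shown on this page, so the chart this override belongs to is inferred from the `rgw` key.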


@ -16,6 +16,23 @@ limitations under the License.
abstract: | abstract: |
Creates a network policy manifest for services. Creates a network policy manifest for services.
values: | values: |
endpoints:
kube_dns:
namespace: kube-system
name: kubernetes-dns
hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns_tcp:
default: 53
dns:
default: 53
protocol: UDP
network_policy: network_policy:
myLabel: myLabel:
podSelector: podSelector:
@ -30,19 +47,21 @@ values: |
- protocol: TCP - protocol: TCP
port: 80 port: 80
egress: egress:
- ports: - to:
- port: 53
protocol: UDP
to:
- namespaceSelector: - namespaceSelector:
matchLabels: matchLabels:
name: kube-system name: default
podSelector: - namespaceSelector:
matchLabels: matchLabels:
application: kubernetes name: kube-public
component: coredns ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
usage: | usage: |
{{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }} {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
return: | return: |
--- ---
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
@ -67,21 +86,60 @@ return: |
- protocol: TCP - protocol: TCP
port: 80 port: 80
egress: egress:
- ports: - to:
- port: 53 - podSelector:
protocol: UDP matchLabels:
to: name: default
- namespaceSelector: {} - namespaceSelector:
matchLabels:
name: kube-public
ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: RELEASE-NAME
namespace: NAMESPACE
spec:
policyTypes:
- Ingress
- Egress
podSelector: podSelector:
matchLabels: matchLabels:
application: kubernetes application: myApp
component: coredns component: myComp
ingress:
- from:
- podSelector:
matchLabels:
application: keystone
ports:
- protocol: TCP
port: 80
egress:
- to:
- podSelector:
matchLabels:
name: default
- namespaceSelector:
matchLabels:
name: kube-public
ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
*/}} */}}
{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}} {{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
{{- $envAll := index . "envAll" -}} {{- $envAll := index . "envAll" -}}
{{- $name := index . "name" -}} {{- $name := index . "name" -}}
{{- $label := index . "label" -}} {{- $labels := index . "labels" | default nil -}}
{{- $label := index . "key" | default (index . "label") -}}
--- ---
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy kind: NetworkPolicy
@ -92,27 +150,33 @@ spec:
{{- if hasKey (index $envAll.Values "network_policy") $label }} {{- if hasKey (index $envAll.Values "network_policy") $label }}
policyTypes: policyTypes:
{{- $is_egress := false -}} {{- $is_egress := false -}}
{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" }} {{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") }} {{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
{{ $is_egress = true }} {{- $is_egress = true -}}
{{- end }} {{- end -}}
{{- end }} {{- end -}}
{{ if or $is_egress (index $envAll.Values.network_policy $label "egress") }} {{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
- Egress - Egress
{{- end }} {{ end -}}
{{- $is_ingress := false -}} {{- $is_ingress := false -}}
{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" }} {{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") }} {{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
{{- $is_ingress = true -}} {{- $is_ingress = true -}}
{{- end }} {{- end -}}
{{- end }} {{- end -}}
{{ if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }} {{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
- Ingress - Ingress
{{- end }} {{ end -}}
{{- end }} {{- end }}
podSelector: podSelector:
matchLabels: matchLabels:
{{- if empty $labels }}
{{ $name }}: {{ $label }} {{ $name }}: {{ $label }}
{{- else }}
{{ range $k, $v := $labels }}
{{ $k }}: {{ $v }}
{{- end }}
{{- end }}
{{- if hasKey (index $envAll.Values "network_policy") $label }} {{- if hasKey (index $envAll.Values "network_policy") $label }}
{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }} {{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }} {{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
@ -121,8 +185,47 @@ spec:
{{ end }} {{ end }}
{{ end }} {{ end }}
{{- if hasKey (index $envAll.Values "network_policy") $label }} {{- if hasKey (index $envAll.Values "network_policy") $label }}
{{- if index $envAll.Values.network_policy $label "egress" }}
egress: egress:
{{- range $key, $value := $envAll.Values.endpoints }}
{{- if kindIs "map" $value }}
{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
- to:
{{- if index $value "namespace" }}
- namespaceSelector:
matchLabels:
name: {{ index $value "namespace" }}
{{- else if index $value "hosts" }}
{{- $defaultValue := index $value "hosts" "internal" }}
{{- if hasKey (index $value "hosts") "internal" }}
{{- $a := split "-" $defaultValue }}
- podSelector:
matchLabels:
application: {{ printf "%s" (index $a._0) | default $defaultValue }}
{{- else }}
{{- $defaultValue := index $value "hosts" "default" }}
{{- $a := split "-" $defaultValue }}
- podSelector:
matchLabels:
application: {{ printf "%s" (index $a._0) | default $defaultValue }}
{{- end }}
{{- end }}
{{- if index $value "port" }}
ports:
{{- range $k, $v := index $value "port" }}
{{- if $k }}
{{- range $pk, $pv := $v }}
{{- if and $pv (ne $pk "protocol") }}
- port: {{ $pv }}
protocol: {{ $v.protocol | default "TCP" }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if index $envAll.Values.network_policy $label "egress" }}
{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }} {{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
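Review bot: The generated `namespaceSelector` in the egress block (`name: {{ index $value "namespace" }}`) only matches namespaces that carry a `name=<namespace>` label, which Kubernetes does not apply on its own, so without that label the kube_dns rule selects nothing and DNS egress is dropped once `Egress` is in policyTypes. This deserves a comment beside the kube_dns example in the values block, e.g. `# NOTE: namespaces referenced by endpoints must be labelled name=<namespace> for the generated namespaceSelector to match`. The podSelector branch derives `application:` from the first "-"-separated segment of the host name (`$a._0`), which selects every pod sharing that application label rather than the one service the endpoint names; a one-line comment stating that heuristic would help chart authors judge its breadth. Separately, the second usage example in the doc block drops the pipe into the template and should read `{{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp") | include "helm-toolkit.manifests.kubernetes_network_policy" }}`. The define block continues past the last hunk.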

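--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,2 +1,11 @@
 manifests:
 network_policy: true
+network_policy:
+mariadb:
+egress:
+- to:
+- ipBlock:
+cidr: $API_ADDR/32
+ports:
+- protocol: TCP
+port: $API_PORT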

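--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,2 +1,11 @@
 manifests:
 network_policy: true
+network_policy:
+memcached:
+egress:
+- to:
+- ipBlock:
+cidr: $API_ADDR/32
+ports:
+- protocol: TCP
+port: $API_PORT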

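--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -82,3 +82,27 @@ manifests:
 prometheus:
 network_policy_exporter: true
 network_policy: true
+network_policy:
+rabbitmq:
+egress:
+- to:
+- podSelector:
+matchLabels:
+application: rabbitmq
+ports:
+# Erlang port mapper daemon (epmd)
+- protocol: TCP
+port: 4369
+# Rabbit clustering port AMQP + 20000
+- protocol: TCP
+port: 25672
+# NOTE(lamt): Set by inet_dist_listen_{min/max}. Firewalls must
+# permit traffic in this range to pass between clustered nodes.
+# - protocol: TCP
+# port: 35197
+- to:
+- ipBlock:
+cidr: $API_ADDR/32
+ports:
+- protocol: TCP
+port: $API_PORT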
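Review bot: The commented-out `35197` entry leaves it unclear whether the Erlang distribution listener is pinned by `inet_dist_listen_{min,max}` somewhere in the chart or left at the `AMQP + 20000` default that the 25672 entry permits; if the range is set and not listed here, clustering traffic between rabbitmq pods is dropped by this policy. Replace the two commented rule lines with a statement of which case applies, e.g. `# TODO(review): confirm whether inet_dist_listen_{min,max} is configured; if so, add that port range to this rule`. The file path is not shown on this page, so the chart is inferred from the `rabbitmq` key.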