From 9061d08a5e41a94fd92e60d860bfa7464d2a3cb5 Mon Sep 17 00:00:00 2001 From: Tin Lam Date: Fri, 10 Sep 2021 15:10:37 -0500 Subject: [PATCH] fix(netpol): allows toggling the lockdown This patch set allows disabling egress and ingress separately. Signed-off-by: Tin Lam Change-Id: I18250a009d62a05983e00db7b7309dd065b94069 --- lockdown/Chart.yaml | 2 +- lockdown/templates/network_policy.yaml | 14 ++++++++++++-- lockdown/values.yaml | 7 +++++++ releasenotes/notes/lockdown.yaml | 1 + 4 files changed, 21 insertions(+), 3 deletions(-) diff --git a/lockdown/Chart.yaml b/lockdown/Chart.yaml index 5cdd113f0..2acbbd931 100644 --- a/lockdown/Chart.yaml +++ b/lockdown/Chart.yaml @@ -16,6 +16,6 @@ appVersion: "1.0" description: | A helm chart used to lockdown all ingress and egress for a namespace name: lockdown -version: 0.1.0 +version: 0.1.1 home: https://kubernetes.io/docs/concepts/services-networking/network-policies/ ... diff --git a/lockdown/templates/network_policy.yaml b/lockdown/templates/network_policy.yaml index ed10d5439..145d696aa 100644 --- a/lockdown/templates/network_policy.yaml +++ b/lockdown/templates/network_policy.yaml @@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} +{{- if or .Values.conf.ingress.disallowed .Values.conf.egress.disallowed }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -18,8 +19,17 @@ metadata: namespace: {{ .Release.Namespace }} spec: policyTypes: - - Egress +{{- if .Values.conf.ingress.disallowed }} - Ingress +{{- end }} +{{- if .Values.conf.egress.disallowed }} + - Egress +{{- end }} podSelector: {} - egress: [] +{{- if .Values.conf.ingress.disallowed }} ingress: [] +{{- end }} +{{- if .Values.conf.egress.disallowed }} + egress: [] +{{- end }} +{{- end }} diff --git a/lockdown/values.yaml b/lockdown/values.yaml index 47163452f..88fa296c7 100644 --- a/lockdown/values.yaml 
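Review bot: When both `conf.ingress.disallowed` and `conf.egress.disallowed` are false, the new outer `{{- if or ... }}` guard renders no manifest at all, so the release installs cleanly while the namespace is left with no deny-all policy, and nothing in the template records why the guard exists. The guard itself looks right — an empty NetworkPolicy with `podSelector: {}` and no `policyTypes` would, as far as I recall the API defaulting, still be treated as an Ingress policy and block all inbound traffic — but that reasoning belongs in a comment next to it, e.g. `{{/* Render nothing when both directions are allowed; an empty policy would still default policyTypes to Ingress and deny all inbound traffic. */}}`. Each direction's condition is repeated in two places (the `policyTypes` entry and the empty rule list), so the two halves can drift on a later edit; binding `{{- $ingress := .Values.conf.ingress.disallowed }}` once at the top and reusing it would keep them in step. The first hunk ends at `metadata:`, whose `name:` line sits between the two hunks.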
+++ b/lockdown/values.yaml @@ -1,3 +1,4 @@ +--- # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -13,3 +14,9 @@ # Default values for lockdown chart. # This is a YAML-formatted file. # Declare variables to be passed into your templates. +conf: + ingress: + disallowed: true + egress: + disallowed: true +... diff --git a/releasenotes/notes/lockdown.yaml b/releasenotes/notes/lockdown.yaml index 8d10308ef..5820534fc 100644 --- a/releasenotes/notes/lockdown.yaml +++ b/releasenotes/notes/lockdown.yaml @@ -1,4 +1,5 @@ --- lockdown: - 0.1.0 Initial Chart + - 0.1.1 Allows toggling ...
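Review bot: The new `conf.ingress.disallowed` and `conf.egress.disallowed` keys are added with no comment, although flipping either to `false` removes the deny-all rule for that direction and setting both to `false` makes the chart render no NetworkPolicy at all — a silent weakening that a reader of values.yaml cannot see from the keys alone. Add a comment above `conf:` stating that `disallowed: true` renders a default-deny for that direction, that `false` leaves that direction unrestricted, and that with both `false` the release contains no policy. `disallowed` also reads as a double negative beside the commit's "disabling egress and ingress"; if a rename is not wanted, the comment should at least spell out that `true` means blocked.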