From e8e5072a186fe472be4a17742a4e1c04a7caed14 Mon Sep 17 00:00:00 2001 From: Tin Lam Date: Mon, 23 Sep 2019 15:06:37 -0500 Subject: [PATCH] Apply network policy to all services The base network policy framework currently applies only to some OpenStack services' charts but not others. This patch set applies the same base network policies framework to all services. Change-Id: I786c68057f6742a79a33f78db6e3bba8b99cf1b8 Signed-off-by: Tin Lam
---
aodh/templates/network_policy.yaml | 18 ++++++++++++++++++ aodh/values.yaml | 8 ++++++++ ceilometer/values.yaml | 2 ++ congress/values.yaml | 2 ++ ironic/values.yaml | 2 ++ magnum/values.yaml | 21 +++------------------ mistral/values.yaml | 21 +++------------------ panko/templates/network_policy.yaml | 18 ++++++++++++++++++ panko/values.yaml | 8 ++++++++ senlin/values.yaml | 2 ++ 10 files changed, 66 insertions(+), 36 deletions(-) create mode 100644 aodh/templates/network_policy.yaml create mode 100644 panko/templates/network_policy.yaml
diff --git a/aodh/templates/network_policy.yaml b/aodh/templates/network_policy.yaml
new file mode 100644
index 0000000000..e8692ef753
--- /dev/null
+++ b/aodh/templates/network_policy.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $opts := dict "envAll" . "name" "application" "label" "aodh" -}}
+{{ $opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/aodh/values.yaml b/aodh/values.yaml index 65147b016a..b1dce22060 100644 --- a/aodh/values.yaml +++ b/aodh/values.yaml @@ -693,6 +693,13 @@ endpoints: metrics: default: 24220 +network_policy: + aodh: + ingress: + - {} + egress: + - {} + manifests: configmap_bin: true configmap_etc: true @@ -711,6 +718,7 @@ manifests: job_ks_endpoints: true job_ks_service: true job_ks_user: true + network_policy: false pdb_api: true pod_aodh_test: true secret_db: true diff --git a/ceilometer/values.yaml b/ceilometer/values.yaml index 44dda74d8e..0e0ddfe08d 100644 --- a/ceilometer/values.yaml +++ b/ceilometer/values.yaml @@ -2101,6 +2101,8 @@ network_policy: ceilometer: ingress: - {} + egress: + - {} manifests: configmap_bin: true diff --git a/congress/values.yaml b/congress/values.yaml index d70f569469..66272a6203 100644 --- a/congress/values.yaml +++ b/congress/values.yaml @@ -350,6 +350,8 @@ network_policy: congress: ingress: - {} + egress: + - {} conf: congress: diff --git a/ironic/values.yaml b/ironic/values.yaml index d9c4d840ef..8372d41d81 100644 --- a/ironic/values.yaml +++ b/ironic/values.yaml @@ -697,6 +697,8 @@ network_policy: ironic: ingress: - {} + egress: + - {} manifests: configmap_bin: true diff --git a/magnum/values.yaml b/magnum/values.yaml index 8031e31ee0..a0979c1a3c 100644 --- a/magnum/values.yaml +++ b/magnum/values.yaml @@ -622,24 +622,9 @@ pod: network_policy: magnum: ingress: - - from: - - podSelector: - matchLabels: - application: magnum - - podSelector: - matchLabels: - application: horizon - - podSelector: - matchLabels: - application: ingress - - podSelector: - matchLabels: - application: heat - ports: - - protocol: TCP - port: 80 - - protocol: TCP - port: 9511 + - {} + egress: + - {} manifests: configmap_bin: true diff --git a/mistral/values.yaml b/mistral/values.yaml index a12c2af2ea..b2d8aa0f23 100644 --- a/mistral/values.yaml +++ b/mistral/values.yaml 
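Review bot: The defaults added under `network_policy.aodh` in aodh/values.yaml are `ingress: - {}` and `egress: - {}`, and in a Kubernetes NetworkPolicy an empty rule matches all traffic. Assuming the helm-toolkit helper passes these lists through unchanged (it is not visible in this patch), switching `manifests.network_policy` from the `false` added in the second hunk to `true` would create a policy object that restricts nothing, which an operator could mistake for isolation. I would add a comment above the block, for example `# Allow-all placeholder: override ingress/egress with real selectors before setting manifests.network_policy: true`. The same comment belongs on the `egress: - {}` defaults added in the ceilometer, congress, ironic, senlin and panko values files.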
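Review bot: In magnum/values.yaml, replacing the `network_policy.magnum.ingress` rule with `- {}` widens the default from four named peers on two ports to any source on any port. The old rule admitted only pods labelled `application: magnum`, `horizon`, `ingress` or `heat` on TCP 80 and 9511, so a deployment that already enables the magnum policy and relies on the chart default would lose that restriction on upgrade without any visible signal. If uniform defaults are the goal, I would keep the previous rule next to the new one as a commented example, e.g. `# Example restrictive rule: from podSelector application in (magnum, horizon, ingress, heat), TCP 80 and 9511`, and mention the change in the release notes. The mistral/values.yaml hunk makes the same replacement for TCP 80 and 8989.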
@@ -701,24 +701,9 @@ pod: network_policy: mistral: ingress: - - from: - - podSelector: - matchLabels: - application: mistral - - podSelector: - matchLabels: - application: horizon - - podSelector: - matchLabels: - application: ingress - - podSelector: - matchLabels: - application: heat - ports: - - protocol: TCP - port: 80 - - protocol: TCP - port: 8989 + - {} + egress: + - {} manifests: configmap_bin: true diff --git a/panko/templates/network_policy.yaml b/panko/templates/network_policy.yaml new file mode 100644 index 0000000000..a972bcdbae --- /dev/null +++ b/panko/templates/network_policy.yaml @@ -0,0 +1,18 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.network_policy -}} +{{- $opts := dict "envAll" . "name" "application" "label" "panko" -}} +{{ $opts | include "helm-toolkit.manifests.kubernetes_network_policy" }} +{{- end -}} diff --git a/panko/values.yaml b/panko/values.yaml index de75c0dc90..57fb519090 100644 --- a/panko/values.yaml +++ b/panko/values.yaml @@ -454,6 +454,13 @@ endpoints: metrics: default: 24220 +network_policy: + panko: + ingress: + - {} + egress: + - {} + pod: security_context: panko: @@ -606,6 +613,7 @@ manifests: job_ks_endpoints: true job_ks_service: true job_ks_user: true + network_policy: false pdb_api: true pod_rally_test: true secret_db: true diff --git a/senlin/values.yaml b/senlin/values.yaml index 586e5d68ae..ead1edb3c5 100644 --- a/senlin/values.yaml +++ b/senlin/values.yaml 
@@ -658,6 +658,8 @@ network_policy: senlin: ingress: - {} + egress: + - {} manifests: configmap_bin: true