
[fix] add exception for the platform in network policy (loft-sh#2007)
* [fix] add exception for the platform in network policy

* removed netPol tests because kind doesn't enforce them
facchettos committed Aug 2, 2024
1 parent d4b9b4a commit 9e7b8a1
Showing 5 changed files with 11 additions and 3 deletions.
2 changes: 1 addition & 1 deletion chart/templates/networkpolicy.yaml
Expand Up @@ -95,7 +95,7 @@ spec:
podSelector:
matchLabels:
k8s-app: kube-dns
{{- if .Values.policies.networkPolicy.platformEnabled }}
{{- if .Values.policies.networkPolicy.outgoingConnections.platform }}
- podSelector:
matchLabels:
app: loft
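Review bot: The `podSelector` under the new `if .Values.policies.networkPolicy.outgoingConnections.platform` branch only matches pods in the NetworkPolicy's own namespace unless it is paired with a `namespaceSelector` in the lines below the hunk, which are not visible here; if the platform runs in its own namespace, as is usual, this rule admits nothing and platform egress still rides on the `ipBlock` rule. Matching on the label `app: loft` is also not an identity check: any pod carrying that label in the selected namespace(s) becomes an allowed egress destination, so a comment such as `# egress to platform pods; pair with a namespaceSelector when the platform is not in this namespace` would help the next reader. Since the description says the netPol tests were dropped because kind does not enforce policies, a render-only check (helm template asserting this rule appears only when `outgoingConnections.platform` is true) would keep the template covered without an enforcing CNI. The enclosing egress rule list starts and ends outside the hunk.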
4 changes: 4 additions & 0 deletions chart/values.schema.json
Expand Up @@ -1949,6 +1949,10 @@
"ipBlock": {
"$ref": "#/$defs/IPBlock",
"description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.0/24\",\"2001:db8::/64\") that is allowed\nto the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs\nthat should not be included within this rule."
},
"platform": {
"type": "boolean",
"description": "Platform enables egress access towards loft platform"
}
},
"additionalProperties": false,
3 changes: 2 additions & 1 deletion chart/values.yaml
Expand Up @@ -734,11 +734,12 @@ policies:
networkPolicy:
# Enabled defines if the network policy should be deployed by vCluster.
enabled: false
platformEnabled: false
labels: {}
annotations: {}
fallbackDns: 8.8.8.8
outgoingConnections:
# Platform enables egress access towards loft platform
platform: true
# IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed
# to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs
# that should not be included within this rule.
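Review bot: The replacement flips the default: the removed `platformEnabled: false` was opt-in, while the added `platform: true` is opt-out, so installs with `networkPolicy.enabled: true` and no explicit setting gain an egress allowance on upgrade that they did not have before, and the added comment does not say so. Suggest `# Platform allows egress to pods labelled app=loft. Defaults to true; set to false to deny it.` in place of the one-liner. The old key is dropped without an alias; unless the networkPolicy schema rejects unknown keys (only the outgoingConnections definition's `additionalProperties: false` is visible), an existing `platformEnabled: true` would be silently ignored rather than flagged, which is worth a changelog line or a deprecation shim.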
3 changes: 3 additions & 0 deletions config/config.go
Expand Up @@ -1400,6 +1400,9 @@ type OutgoingConnections struct {
// to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs
// that should not be included within this rule.
IPBlock IPBlock `json:"ipBlock,omitempty"`

// Platform enables egress access towards loft platform
Platform bool `json:"platform,omitempty"`
}

type IPBlock struct {
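Review bot: `Platform bool `json:"platform,omitempty"`` is lossy for the one value users will actually set: with the chart default of `true`, an explicit `false` is the zero value and is dropped whenever the struct is marshaled, so any round trip that re-applies defaults on top (config persisted and read back, or merged over the default values) would silently turn a deny back into an allow. Whether such a round trip exists is not visible from this hunk; if it does, use `*bool` or drop `omitempty`, and if it does not, a short comment on the field saying the tag is safe would save the next reader the same question. The doc comment should also state the default, e.g. `// Platform enables egress access towards loft platform. Defaults to true; set to false to deny it.` The `OutgoingConnections` struct begins above the hunk.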
2 changes: 1 addition & 1 deletion config/values.yaml
Expand Up @@ -443,11 +443,11 @@ policies:

networkPolicy:
enabled: false
platformEnabled: false
labels: {}
annotations: {}
fallbackDns: 8.8.8.8
outgoingConnections:
platform: true
ipBlock:
cidr: 0.0.0.0/0
except:
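Review bot: With the sibling `ipBlock` rule defaulting to `cidr: 0.0.0.0/0`, the new `platform: true` entry only changes anything when the platform's address falls inside the `except` list that continues below the hunk; otherwise the broad CIDR already permits the traffic and the flag reads as a no-op. A comment next to `platform: true` such as `# only relevant when the platform address is covered by ipBlock.except` would make the interaction explicit, and the default being `true` rather than the removed `platformEnabled: false` deserves a note here as well. The `except` list is cut off at the end of the hunk.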
