From c0d817a8b61a6aa343d6dff3cda71e5c146ab9d6 Mon Sep 17 00:00:00 2001 From: windowsrefund Date: Thu, 21 Mar 2024 15:56:10 -0400 Subject: [PATCH 1/2] add networkpolicy support --- charts/testkube/templates/networkpolicy.yaml | 162 +++++++++++++++++++ charts/testkube/values.yaml | 3 + 2 files changed, 165 insertions(+) create mode 100644 charts/testkube/templates/networkpolicy.yaml
diff --git a/charts/testkube/templates/networkpolicy.yaml b/charts/testkube/templates/networkpolicy.yaml
new file mode 100644
index 000000000..1cd39699d
--- /dev/null
+++ b/charts/testkube/templates/networkpolicy.yaml
@@ -0,0 +1,162 @@
+{{- if .Values.networkPolicy.enabled -}}
+# this policy will be assigned to any pod in the namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: testkube-all
+ namespace: testkube
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: api-server
+ app.kubernetes.io/instance: testkube
+ ports:
+ - protocol: TCP
+ port: {{ index .Values "testkube-api" "service" "port" }}
+ - to:
+ - podSelector:
+ matchLabels:
+ app: testkube-minio-testkube
+ ports:
+ - protocol: TCP
+ port: {{ index .Values "testkube-api" "storage" "endpoint_port" }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: testkube-operator
+ namespace: testkube
+spec:
+ podSelector:
+ matchLabels:
+ control-plane: controller-manager
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 9443
+---
+# API must accept connections from everything
+# (e.g. kube-proxy, pods in this namespace, external ingress controller)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: testkube-api-server
+ namespace: testkube
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: api-server
+ app.kubernetes.io/instance: testkube
+ policyTypes:
+ - Egress
+ - Ingress
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: nats
+ app.kubernetes.io/instance: testkube
+ ports:
+ - protocol: TCP
+ port: 4222
+ - to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: mongodb
+ app.kubernetes.io/instance: testkube
+ ports:
+ - protocol: TCP
+ port: {{ .Values.mongodb.service.port }}
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: {{ index .Values "testkube-api" "service" "port" }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: testkube-minio
+ namespace: testkube
+spec:
+ podSelector:
+ matchLabels:
+ app: testkube-minio-testkube
+ policyTypes:
+ - Ingress
+ ingress:
+ - 
ports:
+ - protocol: TCP
+ port: {{ index .Values "testkube-api" "storage" "endpoint_port" }}
+---
+{{- if .Values.mongodb.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: testkube-mongodb
+ namespace: testkube
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: mongodb
+ app.kubernetes.io/instance: testkube
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: testkube
+ ports:
+ - protocol: TCP
+ port: {{ .Values.mongodb.service.port }}
+---
+{{- end -}}
+{{- if .Values.nats.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: testkube-nats
+ namespace: testkube
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: nats
+ app.kubernetes.io/instance: testkube
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: testkube
+ ports:
+ - protocol: TCP
+ port: 4222
+---
+{{- end -}}
+{{- if index .Values "testkube-dashboard" "enabled" -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: testkube-dashboard
+ namespace: testkube
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: dashboard
+ app.kubernetes.io/instance: testkube
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: {{ index .Values "testkube-dashboard" "service" "port" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/testkube/values.yaml b/charts/testkube/values.yaml
index dde46b113..d441b4903 100644
--- a/charts/testkube/values.yaml
+++ b/charts/testkube/values.yaml
@@ -1084,3 +1084,6 @@ testkube-operator:
 operator: Equal
 value: arm64
 effect: NoSchedule
+
+networkPolicy:
+ enabled: false
From a799f9114fff5819196627ddbff02b8ab7b0986f Mon Sep 17 00:00:00 2001 From: windowsrefund Date: Fri, 22 Mar 2024 12:59:32 -0400 Subject: [PATCH 2/2] remove key check for nats --- charts/testkube/templates/networkpolicy.yaml | 2 -- 1 file changed, 2 deletions(-)
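Review bot: The `{{- if .Values.mongodb.enabled -}}`, `{{- end -}}` and `{{- if .Values.nats.enabled -}}` lines that sit directly after a `---` separator trim whitespace on both sides, so the rendered manifest joins the separator to the next resource as `---apiVersion: networking.k8s.io/v1` on one line, which YAML reads as a mapping key rather than a document start and leaves that policy without an `apiVersion`; dropping the right-hand trim on those lines (`{{- if .Values.mongodb.enabled }}`, `{{- end }}`) keeps the line break before `apiVersion:`. Every document also hard-codes `namespace: testkube`, and several selectors embed what looks like the release name (`app: testkube-minio-testkube`, `app.kubernetes.io/instance: testkube`), so an install into another namespace or under another release name gets policies that land in the wrong namespace or select no pods; `namespace: {{ .Release.Namespace }}` is the usual form. The `testkube-all` policy puts an egress allow-list on every pod in the namespace but has no rule for DNS, the Kubernetes API or anything outside the namespace, and `testkube-api-server` only adds NATS and MongoDB, so unless the CNI exempts those paths, name resolution and any Job creation by the api-server are cut off the moment `networkPolicy.enabled` is set; either add explicit rules for them or state in the header comment which egress the cluster operator must still permit. The `testkube-operator` ingress opens 9443 from any source with no comment; if that is the webhook port, a line such as `# webhook port: the kube-apiserver cannot be matched by a podSelector, so no from clause` would explain why it is open to all.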
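Review bot: The new `networkPolicy.enabled` key carries no comment, so a reader of the defaults cannot tell that switching it on puts an egress allow-list on every pod in the namespace, executor pods included; add above it `# Render the NetworkPolicy objects in templates/networkpolicy.yaml (needs a CNI that enforces NetworkPolicy); restricts egress for all pods in the namespace to the chart's own services`. A single boolean also gives operators no values-level way to grant the extra egress a cluster will need (DNS, the Kubernetes API, test targets); a list under `networkPolicy`, e.g. `extraEgress: []`, merged into the `testkube-all` rules would avoid forcing them to edit the template.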
diff --git a/charts/testkube/templates/networkpolicy.yaml b/charts/testkube/templates/networkpolicy.yaml
index 1cd39699d..93d2e92e5 100644
--- a/charts/testkube/templates/networkpolicy.yaml
+++ b/charts/testkube/templates/networkpolicy.yaml
@@ -118,7 +118,6 @@ spec:
 port: {{ .Values.mongodb.service.port }}
 ---
 {{- end -}}
-{{- if .Values.nats.enabled -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -140,7 +139,6 @@ spec:
 - protocol: TCP
 port: 4222
 ---
-{{- end -}}
 {{- if index .Values "testkube-dashboard" "enabled" -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
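Review bot: With the nats guard gone, the `{{- end -}}` on the context line just above the removed one now sits directly between `---` and `apiVersion:` and trims the newline on both sides, so the NATS policy renders as `---apiVersion: networking.k8s.io/v1` on a single line whether or not mongodb is enabled; writing that line as `{{- end }}` keeps the separator intact, and the `{{- if index .Values "testkube-dashboard" "enabled" -}}` line in the second hunk has the same problem. The commit says the check was removed but not why; if the chart exposes no `nats.enabled` value, a comment above the policy, `# rendered unconditionally: the chart has no nats.enabled switch`, would stop the next reader from re-adding the guard. The NATS resource's spec lies outside the hunk.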