{{- $admin_port := default 8877 .Values.service.gatewayAdminPort -}} {{- $mutating_webhook_port := default 8080 .Values.injectKanisterSidecar.webhookServer.port -}} {{- if .Values.networkPolicy.create }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny namespace: {{ .Release.Namespace }} labels: {{ include "helm.labels" . | indent 4 }} spec: podSelector: {} policyTypes: - Ingress --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: access-k10-services namespace: {{ .Release.Namespace }} labels: {{ include "helm.labels" . | indent 4 }} spec: podSelector: matchLabels: release: {{ .Release.Name }} ingress: - from: - podSelector: matchLabels: access-k10-services: allowed ports: - protocol: TCP port: {{ .Values.service.internalPort }} --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: cross-services-allow namespace: {{ .Release.Namespace }} labels: {{ include "helm.labels" . | indent 4 }} spec: podSelector: matchLabels: release: {{ .Release.Name }} ingress: - from: - podSelector: matchLabels: release: {{ .Release.Name }} ports: - protocol: TCP port: {{ .Values.service.internalPort }} --- {{/* TODO: Consider a flag to turn this off. */}} kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: allow-gateway-to-mc-external namespace: {{ .Release.Namespace }} labels: {{ include "helm.labels" . | indent 4 }} spec: podSelector: matchLabels: component: controllermanager release: {{ .Release.Name }} ingress: - from: - podSelector: matchLabels: service: gateway release: {{ .Release.Name }} ports: - protocol: TCP port: {{ include "k10.mcExternalPort" nil }} --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: logging-allow-internal namespace: {{ .Release.Namespace }} labels: {{ include "helm.labels" . | indent 4 }} spec: podSelector: matchLabels: release: {{ .Release.Name }} run: logging-svc ingress: - from: - podSelector: matchLabels: release: {{ .Release.Name }} ports: # Logging input port - protocol: TCP port: 24224 - protocol: TCP port: 24225 --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: allow-external namespace: {{ .Release.Namespace }} labels: {{ include "helm.labels" . | indent 4 }} spec: podSelector: matchLabels: service: gateway release: {{ .Release.Name }} ingress: - from: [] ports: - protocol: TCP port: {{ .Values.gateway.service.internalPort | default 8000 }} --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: allow-all-api namespace: {{ .Release.Namespace }} labels: {{ include "helm.labels" . | indent 4 }} spec: podSelector: matchLabels: run: aggregatedapis-svc release: {{ .Release.Name }} ingress: - from: ports: - protocol: TCP port: {{ .Values.service.aggregatedApiPort }} {{- if .Values.gateway.exposeAdminPort }} --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: allow-gateway-admin namespace: {{ .Release.Namespace }} labels: {{ include "helm.labels" . | indent 4 }} spec: podSelector: matchLabels: release: {{ .Release.Name }} service: gateway ingress: - from: - podSelector: matchLabels: app: prometheus component: server release: {{ .Release.Name }} ports: - protocol: TCP port: {{ $admin_port }} {{- end -}} {{- if .Values.kanisterPodMetricSidecar.enabled }} --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: allow-metrics-kanister-pods namespace: {{ .Release.Namespace }} labels: {{ include "helm.labels" . | indent 4 }} spec: podSelector: matchLabels: release: {{ .Release.Name }} run: metering-svc ingress: - from: - podSelector: matchLabels: createdBy: kanister ports: - protocol: TCP port: {{ .Values.service.internalPort }} {{- end -}} {{- if .Values.injectKanisterSidecar.enabled }} --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: allow-mutating-webhook namespace: {{ .Release.Namespace }} labels: {{ include "helm.labels" . | indent 4 }} spec: podSelector: matchLabels: release: {{ .Release.Name }} run: controllermanager-svc ingress: - from: ports: - protocol: TCP port: {{ $mutating_webhook_port }} {{- end -}} {{- if eq (include "check.dexAuth" .) "true" }} --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: gateway-dex-allow namespace: {{ .Release.Namespace }} labels: {{ include "helm.labels" . | indent 4 }} spec: podSelector: matchLabels: release: {{ .Release.Name }} run: auth-svc ingress: - from: - podSelector: matchLabels: service: gateway release: {{ .Release.Name }} ports: - protocol: TCP port: 8080 --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: auth-dex-allow namespace: {{ .Release.Namespace }} labels: {{ include "helm.labels" . | indent 4 }} spec: podSelector: matchLabels: release: {{ .Release.Name }} run: auth-svc ingress: - from: - podSelector: matchLabels: run: auth-svc release: {{ .Release.Name }} ports: - protocol: TCP port: 8080 {{- end -}} {{- $mainCtx := . }} {{- $colocatedList := include "get.enabledColocatedSvcList" . | fromYaml }} {{- range $primary, $secondaryList := $colocatedList }} --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: {{ $primary }}-svc-allow-secondary-services namespace: {{ $mainCtx.Release.Namespace }} labels: {{ include "helm.labels" $mainCtx | indent 4 }} spec: podSelector: matchLabels: release: {{ $mainCtx.Release.Name }} run: {{ $primary }}-svc ingress: - from: - podSelector: matchLabels: release: {{ $mainCtx.Release.Name }} ports: {{- range $skip, $secondary := $secondaryList }} {{- $colocConfig := index (include "get.enabledColocatedServices" $mainCtx | fromYaml) $secondary }} - protocol: TCP port: {{ $colocConfig.port }} {{- end -}} {{- end -}} {{- end -}}