281 lines
6.4 KiB
YAML
281 lines
6.4 KiB
YAML
{{- $admin_port := default 8877 .Values.service.gatewayAdminPort -}}
|
|
{{- $mutating_webhook_port := default 8080 .Values.injectKanisterSidecar.webhookServer.port -}}
|
|
{{- if .Values.networkPolicy.create }}
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: default-deny
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{ include "helm.labels" . | indent 4 }}
|
|
spec:
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
---
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: access-k10-services
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{ include "helm.labels" . | indent 4 }}
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
release: {{ .Release.Name }}
|
|
ingress:
|
|
- from:
|
|
- podSelector:
|
|
matchLabels:
|
|
access-k10-services: allowed
|
|
ports:
|
|
- protocol: TCP
|
|
port: {{ .Values.service.internalPort }}
|
|
---
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: cross-services-allow
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{ include "helm.labels" . | indent 4 }}
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
release: {{ .Release.Name }}
|
|
ingress:
|
|
- from:
|
|
- podSelector:
|
|
matchLabels:
|
|
release: {{ .Release.Name }}
|
|
ports:
|
|
- protocol: TCP
|
|
port: {{ .Values.service.internalPort }}
|
|
---
|
|
{{/* TODO: Consider a flag to turn this off. */}}
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: allow-gateway-to-mc-external
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{ include "helm.labels" . | indent 4 }}
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
component: controllermanager
|
|
release: {{ .Release.Name }}
|
|
ingress:
|
|
- from:
|
|
- podSelector:
|
|
matchLabels:
|
|
service: gateway
|
|
release: {{ .Release.Name }}
|
|
ports:
|
|
- protocol: TCP
|
|
port: {{ include "k10.mcExternalPort" nil }}
|
|
---
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: logging-allow-internal
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{ include "helm.labels" . | indent 4 }}
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
release: {{ .Release.Name }}
|
|
run: logging-svc
|
|
ingress:
|
|
- from:
|
|
- podSelector:
|
|
matchLabels:
|
|
release: {{ .Release.Name }}
|
|
ports:
|
|
# Logging input port
|
|
- protocol: TCP
|
|
port: 24224
|
|
- protocol: TCP
|
|
port: 24225
|
|
---
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: allow-external
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{ include "helm.labels" . | indent 4 }}
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
service: gateway
|
|
release: {{ .Release.Name }}
|
|
ingress:
|
|
- from: []
|
|
ports:
|
|
- protocol: TCP
|
|
port: {{ .Values.gateway.service.internalPort | default 8000 }}
|
|
---
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: allow-all-api
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{ include "helm.labels" . | indent 4 }}
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
run: aggregatedapis-svc
|
|
release: {{ .Release.Name }}
|
|
ingress:
|
|
- from:
|
|
ports:
|
|
- protocol: TCP
|
|
port: {{ .Values.service.aggregatedApiPort }}
|
|
{{- if .Values.gateway.exposeAdminPort }}
|
|
---
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: allow-gateway-admin
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{ include "helm.labels" . | indent 4 }}
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
release: {{ .Release.Name }}
|
|
service: gateway
|
|
ingress:
|
|
- from:
|
|
- podSelector:
|
|
matchLabels:
|
|
app: prometheus
|
|
component: server
|
|
release: {{ .Release.Name }}
|
|
ports:
|
|
- protocol: TCP
|
|
port: {{ $admin_port }}
|
|
{{- end -}}
|
|
{{- if .Values.kanisterPodMetricSidecar.enabled }}
|
|
---
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: allow-metrics-kanister-pods
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{ include "helm.labels" . | indent 4 }}
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
release: {{ .Release.Name }}
|
|
run: metering-svc
|
|
ingress:
|
|
- from:
|
|
- podSelector:
|
|
matchLabels:
|
|
createdBy: kanister
|
|
ports:
|
|
- protocol: TCP
|
|
port: {{ .Values.service.internalPort }}
|
|
{{- end -}}
|
|
{{- if .Values.injectKanisterSidecar.enabled }}
|
|
---
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: allow-mutating-webhook
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{ include "helm.labels" . | indent 4 }}
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
release: {{ .Release.Name }}
|
|
run: controllermanager-svc
|
|
ingress:
|
|
- from:
|
|
ports:
|
|
- protocol: TCP
|
|
port: {{ $mutating_webhook_port }}
|
|
{{- end -}}
|
|
{{- if eq (include "check.dexAuth" .) "true" }}
|
|
---
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: gateway-dex-allow
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{ include "helm.labels" . | indent 4 }}
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
release: {{ .Release.Name }}
|
|
run: auth-svc
|
|
ingress:
|
|
- from:
|
|
- podSelector:
|
|
matchLabels:
|
|
service: gateway
|
|
release: {{ .Release.Name }}
|
|
ports:
|
|
- protocol: TCP
|
|
port: 8080
|
|
---
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: auth-dex-allow
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{ include "helm.labels" . | indent 4 }}
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
release: {{ .Release.Name }}
|
|
run: auth-svc
|
|
ingress:
|
|
- from:
|
|
- podSelector:
|
|
matchLabels:
|
|
run: auth-svc
|
|
release: {{ .Release.Name }}
|
|
ports:
|
|
- protocol: TCP
|
|
port: 8080
|
|
{{- end -}}
|
|
{{- $mainCtx := . }}
|
|
{{- $colocatedList := include "get.enabledColocatedSvcList" . | fromYaml }}
|
|
{{- range $primary, $secondaryList := $colocatedList }}
|
|
---
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: {{ $primary }}-svc-allow-secondary-services
|
|
namespace: {{ $mainCtx.Release.Namespace }}
|
|
labels:
|
|
{{ include "helm.labels" $mainCtx | indent 4 }}
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
release: {{ $mainCtx.Release.Name }}
|
|
run: {{ $primary }}-svc
|
|
ingress:
|
|
- from:
|
|
- podSelector:
|
|
matchLabels:
|
|
release: {{ $mainCtx.Release.Name }}
|
|
ports:
|
|
{{- range $skip, $secondary := $secondaryList }}
|
|
{{- $colocConfig := index (include "get.enabledColocatedServices" $mainCtx | fromYaml) $secondary }}
|
|
- protocol: TCP
|
|
port: {{ $colocConfig.port }}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
{{- end -}}
|