rancher-partner-charts/charts/kasten/k10/templates/networkpolicy.yaml

237 lines
5.4 KiB
YAML

{{- $admin_port := default 8877 .Values.service.gatewayAdminPort -}}
{{- $mutating_webhook_port := default 8080 .Values.injectKanisterSidecar.webhookServer.port -}}
{{- if .Values.networkPolicy.create }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: {{ .Release.Namespace }}
labels:
{{ include "helm.labels" . | indent 4 }}
spec:
podSelector: {}
policyTypes:
- Ingress
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: access-k10-services
namespace: {{ .Release.Namespace }}
labels:
{{ include "helm.labels" . | indent 4 }}
spec:
podSelector:
matchLabels:
release: {{ .Release.Name }}
ingress:
- from:
- podSelector:
matchLabels:
access-k10-services: allowed
ports:
- protocol: TCP
port: {{ .Values.service.externalPort }}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: cross-services-allow
namespace: {{ .Release.Namespace }}
labels:
{{ include "helm.labels" . | indent 4 }}
spec:
podSelector:
matchLabels:
release: {{ .Release.Name }}
ingress:
- from:
- podSelector:
matchLabels:
release: {{ .Release.Name }}
ports:
- protocol: TCP
port: {{ .Values.service.externalPort }}
{{- if ( .Values.features | default dict).multicluster }}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-gateway-to-mc-external
namespace: {{ .Release.Namespace }}
labels:
{{ include "helm.labels" . | indent 4 }}
spec:
podSelector:
matchLabels:
component: mccontrollermanager
release: {{ .Release.Name }}
ingress:
- from:
- podSelector:
matchLabels:
service: gateway
release: {{ .Release.Name }}
ports:
- protocol: TCP
port: {{ include "k10.mcExternalPort" nil }}
{{- end }}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: logging-allow-internal
namespace: {{ .Release.Namespace }}
labels:
{{ include "helm.labels" . | indent 4 }}
spec:
podSelector:
matchLabels:
release: {{ .Release.Name }}
run: logging-svc
ingress:
- from:
- podSelector:
matchLabels:
release: {{ .Release.Name }}
ports:
# Logging input port
- protocol: TCP
port: 24224
- protocol: TCP
port: 24225
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-external
namespace: {{ .Release.Namespace }}
labels:
{{ include "helm.labels" . | indent 4 }}
spec:
podSelector:
matchLabels:
service: gateway
release: {{ .Release.Name }}
ingress:
- from: []
ports:
- protocol: TCP
port: 8000
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-all-api
namespace: {{ .Release.Namespace }}
labels:
{{ include "helm.labels" . | indent 4 }}
spec:
podSelector:
matchLabels:
run: aggregatedapis-svc
release: {{ .Release.Name }}
ingress:
- from:
ports:
- protocol: TCP
port: {{ .Values.service.aggregatedApiPort }}
{{- if .Values.gateway.exposeAdminPort }}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-gateway-admin
namespace: {{ .Release.Namespace }}
labels:
{{ include "helm.labels" . | indent 4 }}
spec:
podSelector:
matchLabels:
release: {{ .Release.Name }}
service: gateway
ingress:
- from:
- podSelector:
matchLabels:
app: prometheus
component: server
release: {{ .Release.Name }}
ports:
- protocol: TCP
port: {{ $admin_port }}
{{- end -}}
{{- if .Values.injectKanisterSidecar.enabled }}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-mutating-webhook
namespace: {{ .Release.Namespace }}
labels:
{{ include "helm.labels" . | indent 4 }}
spec:
podSelector:
matchLabels:
release: {{ .Release.Name }}
run: controllermanager-svc
ingress:
- from:
ports:
- protocol: TCP
port: {{ $mutating_webhook_port }}
{{- end -}}
{{- if or .Values.auth.dex.enabled (eq (include "check.dexAuth" .) "true") }}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: gateway-dex-allow
namespace: {{ .Release.Namespace }}
labels:
{{ include "helm.labels" . | indent 4 }}
spec:
podSelector:
matchLabels:
release: {{ .Release.Name }}
run: auth-svc
ingress:
- from:
- podSelector:
matchLabels:
service: gateway
release: {{ .Release.Name }}
ports:
- protocol: TCP
port: 8080
{{- end -}}
{{- $mainCtx := . }}
{{- $colocatedList := include "get.enabledColocatedSvcList" . | fromYaml }}
{{- range $primary, $secondaryList := $colocatedList }}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: {{ $primary }}-svc-allow-secondary-services
namespace: {{ $mainCtx.Release.Namespace }}
labels:
{{ include "helm.labels" $mainCtx | indent 4 }}
spec:
podSelector:
matchLabels:
release: {{ $mainCtx.Release.Name }}
run: {{ $primary }}-svc
ingress:
- from:
- podSelector:
matchLabels:
release: {{ $mainCtx.Release.Name }}
ports:
{{- range $skip, $secondary := $secondaryList }}
{{- $colocConfig := index (include "k10.colocatedServices" . | fromYaml) $secondary }}
- protocol: TCP
port: {{ $colocConfig.port }}
{{- end -}}
{{- end -}}
{{- end -}}