refactor: helm chart network policies (#6599)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2023-03-16 15:14:39 +01:00 · 2023-03-16 15:14:39 +01:00 · 1d2b76b371
commit 1d2b76b371
parent 8be4460668
10 changed files with 172 additions and 44 deletions
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -161,6 +161,7 @@ In `v3` chart values changed significantly, please read the instructions below t
 - `securityContext` has been replaced with `admissionController.container.securityContext` and `admissionController.initContainer.securityContext`
 - `rbac` has been replaced with `admissionController.rbac`
 - `generatecontrollerExtraResources` has been replaced with `admissionController.rbac.clusterRole.extraResources`
+- `networkPolicy` has been replaced with `admissionController.networkPolicy`

 - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.

@ -217,8 +218,6 @@ The command removes all the Kubernetes components associated with the chart and
 | customLabels | object | `{}` | Additional labels |
 | excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
 | resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
-| networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
-| networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
 | webhooksCleanup.enabled | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |
 | webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
 | grafana.enabled | bool | `false` | Enable grafana dashboard creation. |
@ -289,6 +288,8 @@ The command removes all the Kubernetes components associated with the chart and
 | admissionController.metricsService.type | string | `"ClusterIP"` | Service type. |
 | admissionController.metricsService.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
 | admissionController.metricsService.annotations | object | `{}` | Service annotations. |
+| admissionController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
+| admissionController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
 | cleanupController.enabled | bool | `true` | Enable cleanup controller. |
 | cleanupController.rbac.create | bool | `true` | Create RBAC resources |
 | cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name |
@ -331,6 +332,8 @@ The command removes all the Kubernetes components associated with the chart and
 | cleanupController.metricsService.type | string | `"ClusterIP"` | Service type. |
 | cleanupController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. |
 | cleanupController.metricsService.annotations | object | `{}` | Service annotations. |
+| cleanupController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
+| cleanupController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
 | cleanupController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
 | cleanupController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
 | cleanupController.serviceMonitor.namespace | string | `nil` | Override namespace |
@ -382,6 +385,8 @@ The command removes all the Kubernetes components associated with the chart and
 | reportsController.metricsService.type | string | `"ClusterIP"` | Service type. |
 | reportsController.metricsService.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
 | reportsController.metricsService.annotations | object | `{}` | Service annotations. |
+| reportsController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
+| reportsController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
 | reportsController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
 | reportsController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
 | reportsController.serviceMonitor.namespace | string | `nil` | Override namespace |
@ -433,6 +438,8 @@ The command removes all the Kubernetes components associated with the chart and
 | backgroundController.metricsService.type | string | `"ClusterIP"` | Service type. |
 | backgroundController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. |
 | backgroundController.metricsService.annotations | object | `{}` | Service annotations. |
+| backgroundController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
+| backgroundController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
 | backgroundController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
 | backgroundController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
 | backgroundController.serviceMonitor.namespace | string | `nil` | Override namespace |
--- a/charts/kyverno/README.md.gotmpl
+++ b/charts/kyverno/README.md.gotmpl
@ -161,6 +161,7 @@ In `v3` chart values changed significantly, please read the instructions below t
 - `securityContext` has been replaced with `admissionController.container.securityContext` and `admissionController.initContainer.securityContext`
 - `rbac` has been replaced with `admissionController.rbac`
 - `generatecontrollerExtraResources` has been replaced with `admissionController.rbac.clusterRole.extraResources`
+- `networkPolicy` has been replaced with `admissionController.networkPolicy`

 - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.

--- a/charts/kyverno/templates/admission-controller/networkpolicy.yaml
+++ b/charts/kyverno/templates/admission-controller/networkpolicy.yaml
@ -0,0 +1,31 @@
+{{- if .Values.admissionController.networkPolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "kyverno.admission-controller.name" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+  {{- if .Values.admissionController.networkPolicy.ingressFrom }}
+  ingress:
+    - from:
+        {{- toYaml .Values.admissionController.networkPolicy.ingressFrom | nindent 8 }}
+      ports:
+        - protocol: TCP
+          port: 9443 # webhook access
+        # Allow prometheus scrapes for metrics
+        {{- if .Values.admissionController.metricsService.create }}
+        - protocol: TCP
+          port: {{ .Values.admissionController.metricsService.port }}
+        {{- end }}
+  {{- else }}
+  ingress:
+    - {}
+  {{- end }}
+{{- end -}}
--- a/charts/kyverno/templates/background-controller/deployment.yaml
+++ b/charts/kyverno/templates/background-controller/deployment.yaml
@ -4,9 +4,9 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ template "kyverno.background-controller.name" . }}
+  namespace: {{ template "kyverno.namespace" . }}
  labels:
    {{- include "kyverno.background-controller.labels" . | nindent 4 }}
-  namespace: {{ template "kyverno.namespace" . }}
 spec:
  replicas: {{ template "kyverno.deployment.replicas" .Values.backgroundController.replicas }}
  {{- with .Values.backgroundController.updateStrategy }}
--- a/charts/kyverno/templates/background-controller/networkpolicy.yaml
+++ b/charts/kyverno/templates/background-controller/networkpolicy.yaml
@ -0,0 +1,30 @@
+{{- if .Values.backgroundController.enabled -}}
+{{- if .Values.backgroundController.networkPolicy.enabled -}}
+{{- if .Values.backgroundController.metricsService.create -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "kyverno.background-controller.name" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.background-controller.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "kyverno.background-controller.matchLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+  {{- if .Values.backgroundController.networkPolicy.ingressFrom }}
+  ingress:
+    - from:
+        {{- toYaml .Values.backgroundController.networkPolicy.ingressFrom | nindent 8 }}
+      ports:
+        - protocol: TCP
+          port: {{ .Values.backgroundController.metricsService.port }}
+  {{- else }}
+  ingress:
+    - {}
+  {{- end }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
--- a/charts/kyverno/templates/cleanup-controller/networkpolicy.yaml
+++ b/charts/kyverno/templates/cleanup-controller/networkpolicy.yaml
@ -0,0 +1,33 @@
+{{- if .Values.cleanupController.enabled -}}
+{{- if .Values.cleanupController.networkPolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "kyverno.cleanup-controller.name" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+  {{- if .Values.cleanupController.networkPolicy.ingressFrom }}
+  ingress:
+    - from:
+        {{- toYaml .Values.cleanupController.networkPolicy.ingressFrom | nindent 8 }}
+      ports:
+        - protocol: TCP
+          port: 9443 # webhook access
+        # Allow prometheus scrapes for metrics
+        {{- if .Values.cleanupController.metricsService.create }}
+        - protocol: TCP
+          port: {{ .Values.cleanupController.metricsService.port }}
+        {{- end }}
+  {{- else }}
+  ingress:
+    - {}
+  {{- end }}
+{{- end -}}
+{{- end -}}
--- a/charts/kyverno/templates/networkpolicy.yaml
+++ b/charts/kyverno/templates/networkpolicy.yaml
@ -1,33 +0,0 @@
-{{- if .Values.networkPolicy.enabled }}
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  labels:
-    {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
-  name: {{ template "kyverno.fullname" . }}
-  namespace: {{ template "kyverno.namespace" . }}
-spec:
-  podSelector:
-    matchLabels:
-      {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }}
-  policyTypes:
-  - Ingress
-  {{- if .Values.networkPolicy.ingressFrom }}
-  ingress:
-  - from:
-    {{- with .Values.networkPolicy.ingressFrom }}
-      {{- toYaml . | nindent 4 }}
-    {{- end }}
-    ports:
-    - protocol: TCP
-      port: 9443 # webhook access
-  # Allow prometheus scrapes for metrics
-  {{- if .Values.admissionController.metricsService.create }}
-    - protocol: TCP
-      port: {{ .Values.admissionController.metricsService.port }}
-  {{- end }}
-  {{- else }}
-  ingress:
-    - {}
-  {{- end }}
-{{- end }}
--- a/charts/kyverno/templates/reports-controller/deployment.yaml
+++ b/charts/kyverno/templates/reports-controller/deployment.yaml
@ -4,9 +4,9 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ template "kyverno.reports-controller.name" . }}
+  namespace: {{ template "kyverno.namespace" . }}
  labels:
    {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
-  namespace: {{ template "kyverno.namespace" . }}
 spec:
  replicas: {{ template "kyverno.deployment.replicas" .Values.reportsController.replicas }}
  {{- with .Values.reportsController.updateStrategy }}
--- a/charts/kyverno/templates/reports-controller/networkpolicy.yaml
+++ b/charts/kyverno/templates/reports-controller/networkpolicy.yaml
@ -0,0 +1,30 @@
+{{- if .Values.reportsController.enabled -}}
+{{- if .Values.reportsController.networkPolicy.enabled -}}
+{{- if .Values.reportsController.metricsService.create -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "kyverno.reports-controller.name" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+  {{- if .Values.reportsController.networkPolicy.ingressFrom }}
+  ingress:
+    - from:
+        {{- toYaml .Values.reportsController.networkPolicy.ingressFrom | nindent 8 }}
+      ports:
+        - protocol: TCP
+          port: {{ .Values.reportsController.metricsService.port }}
+  {{- else }}
+  ingress:
+    - {}
+  {{- end }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -207,13 +207,6 @@ excludeKyvernoNamespace: true
 # Namespaces to exclude from the default resourceFilters
 resourceFiltersExcludeNamespaces: []

-networkPolicy:
-  # -- When true, use a NetworkPolicy to allow ingress to the webhook
-  # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
-  enabled: false
-  # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
-  ingressFrom: []
-
 webhooksCleanup:
  # -- Create a helm pre-delete hook to cleanup webhooks.
  enabled: false
@ -534,6 +527,15 @@ admissionController:
    # -- Service annotations.
    annotations: {}

+  networkPolicy:
+
+    # -- When true, use a NetworkPolicy to allow ingress to the webhook
+    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
+    enabled: false
+
+    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
+    ingressFrom: []
+
 # Cleanup controller configuration
 cleanupController:

@ -740,6 +742,15 @@ cleanupController:
    # -- Service annotations.
    annotations: {}

+  networkPolicy:
+
+    # -- When true, use a NetworkPolicy to allow ingress to the webhook
+    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
+    enabled: false
+
+    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
+    ingressFrom: []
+
  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
@ -976,6 +987,15 @@ reportsController:
    # -- Service annotations.
    annotations: {}

+  networkPolicy:
+
+    # -- When true, use a NetworkPolicy to allow ingress to the webhook
+    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
+    enabled: false
+
+    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
+    ingressFrom: []
+
  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false
@ -1169,6 +1189,15 @@ backgroundController:
    # -- Service annotations.
    annotations: {}

+  networkPolicy:
+
+    # -- When true, use a NetworkPolicy to allow ingress to the webhook
+    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
+    enabled: false
+
+    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
+    ingressFrom: []
+
  serviceMonitor:
    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
    enabled: false