Ensure Helm chart networkpolicy is valid by default (#2827)

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: shuting <shutting06@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com>
2025-03-05 07:26:55 +00:00 · 2021-12-15 08:43:05 -05:00 · 2021-12-15 08:43:05 -05:00 · f2d37aa467
commit f2d37aa467
parent d96da73460
3 changed files with 27 additions and 10 deletions
--- a/charts/kyverno/ci/test-networkpolicy.yaml
+++ b/charts/kyverno/ci/test-networkpolicy.yaml
@ -0,0 +1,3 @@
+---
+networkPolicy:
+  enabled: true
--- a/charts/kyverno/templates/networkpolicy.yaml
+++ b/charts/kyverno/templates/networkpolicy.yaml
@ -12,30 +12,44 @@ spec:
      app: kyverno
  policyTypes:
  - Ingress
+  {{- if or .Values.networkPolicy.namespaceExpressions .Values.networkPolicy.namespaceLabels .Values.networkPolicy.podExpressions .Values.networkPolicy.podLabels }}
  ingress:
  - from:
-      {{- with .Values.networkPolicy }}
+    {{- if or .Values.networkPolicy.namespaceExpressions .Values.networkPolicy.namespaceLabels }}
      - namespaceSelector:
+        {{- with .Values.networkPolicy.namespaceExpressions }}
          matchExpressions:
-            {{- toYaml .namespaceExpressions | nindent 10 }}
+            {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.networkPolicy.namespaceLabels }}
          matchLabels:
-            {{- range $key, $value := .namespaceLabels }}
+            {{- range $key, $value := . }}
            {{ $key | quote }}: {{ $value | quote }}
            {{- end }}
+        {{- end }}
+    {{- end }}
+    {{- if or .Values.networkPolicy.podExpressions .Values.networkPolicy.podLabels }}
        podSelector:
+          {{- with .Values.networkPolicy.podExpressions }}
          matchExpressions:
-            {{- toYaml .podExpressions | nindent 10 }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+          {{- with .Values.networkPolicy.podLabels }}
          matchLabels:
-            {{- range $key, $value := .podLabels }}
+            {{- range $key, $value := . }}
            {{ $key | quote }}: {{ $value | quote }}
            {{- end }}
-      {{- end }}
+          {{- end }}
+    {{- end }}
    ports:
    - protocol: TCP
      port: 9443 # webhook access
  # Allow prometheus scrapes for metrics
  {{- if .Values.metricsService.create }}
-  - ports:
-      - port: {{ .Values.metricsService.port }}
+    - protocol: TCP
+      port: {{ .Values.metricsService.port }}
+  {{- end }}
+  {{- else }}
+  ingress: {}
  {{- end }}
 {{- end }}
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -247,7 +247,7 @@ installCRDs: true
 # policies in a default-deny setup.
 networkPolicy:
  enabled: false
-  namespaceExpressions: [{}]
+  namespaceExpressions: []
  namespaceLabels: {}
-  podExpressions: [{}]
+  podExpressions: []
  podLabels: {}