mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 15:37:19 +00:00
Code Activity

Ensure Helm chart networkpolicy is valid by default (#2827)

Browse source 
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

Co-authored-by: shuting <shutting06@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
treydock 2021-12-15 08:43:05 -05:00 committed by shuting
parent d96da73460
commit f2d37aa467
3 changed files with 27 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
charts/kyverno/ci/test-networkpolicy.yaml Normal file
View file

@ -0,0 +1,3 @@
---
networkPolicy:
enabled: true

28
charts/kyverno/templates/networkpolicy.yaml
View file

@ -12,30 +12,44 @@ spec:
app: kyverno
policyTypes:
- Ingress
{{- if or .Values.networkPolicy.namespaceExpressions .Values.networkPolicy.namespaceLabels .Values.networkPolicy.podExpressions .Values.networkPolicy.podLabels }}
ingress:
- from:
{{- with .Values.networkPolicy }}
{{- if or .Values.networkPolicy.namespaceExpressions .Values.networkPolicy.namespaceLabels }}
- namespaceSelector:
{{- with .Values.networkPolicy.namespaceExpressions }}
matchExpressions:
{{- toYaml .namespaceExpressions | nindent 10 }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.networkPolicy.namespaceLabels }}
matchLabels:
{{- range $key, $value := .namespaceLabels }}
{{- range $key, $value := . }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if or .Values.networkPolicy.podExpressions .Values.networkPolicy.podLabels }}
podSelector:
{{- with .Values.networkPolicy.podExpressions }}
matchExpressions:
{{- toYaml .podExpressions | nindent 10 }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.networkPolicy.podLabels }}
matchLabels:
{{- range $key, $value := .podLabels }}
{{- range $key, $value := . }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
ports:
- protocol: TCP
port: 9443 # webhook access
# Allow prometheus scrapes for metrics
{{- if .Values.metricsService.create }}
- ports:
- port: {{ .Values.metricsService.port }}
- protocol: TCP
port: {{ .Values.metricsService.port }}
{{- end }}
{{- else }}
ingress: {}
{{- end }}
{{- end }}

4
charts/kyverno/values.yaml
View file

@ -247,7 +247,7 @@ installCRDs: true
# policies in a default-deny setup.
networkPolicy:
enabled: false
namespaceExpressions: [{}]
namespaceExpressions: []
namespaceLabels: {}
podExpressions: [{}]
podExpressions: []
podLabels: {}