feat: Improve netpol config

2023-10-27 23:42:41 +02:00 · 2023-10-27 23:42:41 +02:00 · d45d26cef4
commit d45d26cef4
parent 1f0d9ccff7
2 changed files with 40 additions and 84 deletions
--- a/charts/well-known/templates/networkpolicy.yaml
+++ b/charts/well-known/templates/networkpolicy.yaml
@ -1,9 +1,8 @@
 {{- if .Values.networkpolicies.enabled -}}
---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: {{ include "well-known.fullname" . }}-deny-ingress
+  name: {{ include "well-known.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "well-known.labels" . | nindent 4 }}
@ -12,87 +11,39 @@ spec:
    matchLabels:
 	    {{- include "well-known.selectorLabels" . | nindent 6 }}
  policyTypes:
-  - Ingress
-  ingress: []
---
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: {{ include "well-known.fullname" . }}-allow-ingress-webserver
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "well-known.labels" . | nindent 4 }}
-spec:
-  podSelector:
-    matchLabels:
-	    {{- include "well-known.selectorLabels" . | nindent 6 }}
-  policyTypes:
-  - Ingress
+    - Ingress
+    - Egress
  ingress:
-  - ports:
-    - port: 8080
-      protocol: TCP
---
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: {{ include "well-known.fullname" . }}-deny-egress
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "well-known.labels" . | nindent 4 }}
-spec:
-  podSelector:
-    matchLabels:
-	    {{- include "well-known.selectorLabels" . | nindent 6 }}
-  policyTypes:
-  - Egress
-  egress: []
---
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: {{ include "well-known.fullname" . }}-allow-egress-dns
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "well-known.labels" . | nindent 4 }}
-spec:
-  policyTypes:
-  - Egress
-  podSelector:
-    matchLabels:
-	    {{- include "well-known.selectorLabels" . | nindent 6 }}
+    # Accept all traffic on http port
+    - ports:
+        - name: http
+          protocol: TCP
  egress:
-  - to:
-    - namespaceSelector:
-        matchLabels:
-          kubernetes.io/metadata.name: kube-system
-      podSelector:
-        matchLabels:
-          k8s-app: kube-dns
-    ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP
---
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: {{ include "well-known.fullname" . }}-allow-egress-apiserver
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "well-known.labels" . | nindent 4 }}
-spec:
-  policyTypes:
-  - Egress
-  podSelector:
-    matchLabels:
-	    {{- include "well-known.selectorLabels" . | nindent 6 }}
-  egress:
-  - to:
-    - ipBlock:
-        cidr: {{ .Values.networkpolicies.kubeApiServerCIDR }}
-    ports:
-    - port: 443
-      protocol: TCP
+    # Allow all traffic to the kubernetes API
+    {{- range .Values.networkpolicies.kubeApi }}
+    - to:
+        {{- range .addresses }}
+        - ipBlock:
+            cidr: {{ . }}/32
+        {{- end }}
+      ports:
+        {{- range .ports | default (list 443) }}
+        - port: {{ . }}
+          protocol: TCP
+        {{- end }}
+    {{- end }}
+    # Allow traffic to kube-dns
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+
 {{- end -}}
--- a/charts/well-known/values.yaml
+++ b/charts/well-known/values.yaml
@ -93,7 +93,12 @@ autoscaling:

 networkpolicies:
  enabled: false
-  kubeApiServerCIDR: "<IP>/32" # kubectl get svc -n default kubernetes
+  kubeApi: [] # kubectl get svc -n default kubernetes -oyaml
+    # - addresses: 
+    #     - 10.0.0.153
+    #     - 10.0.0.90
+    #   ports:
+    #     - 443

 nodeSelector: {}