From d45d26cef43e9fc658496d640e908ca4ceacd617 Mon Sep 17 00:00:00 2001
From: Dries De Peuter
Date: Fri, 27 Oct 2023 23:42:41 +0200
Subject: [PATCH] feat: Improve netpol config
---
 .../well-known/templates/networkpolicy.yaml | 117 +++++-------------
 charts/well-known/values.yaml | 7 +-
 2 files changed, 40 insertions(+), 84 deletions(-)
diff --git a/charts/well-known/templates/networkpolicy.yaml b/charts/well-known/templates/networkpolicy.yaml
index 16248b9..62d5248 100644
--- a/charts/well-known/templates/networkpolicy.yaml
+++ b/charts/well-known/templates/networkpolicy.yaml
@@ -1,9 +1,8 @@
 {{- if .Values.networkpolicies.enabled -}}
----
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
- name: {{ include "well-known.fullname" . }}-deny-ingress
+ name: {{ include "well-known.fullname" . }}
 namespace: {{ .Release.Namespace }}
 labels:
 {{- include "well-known.labels" . | nindent 4 }}
@@ -12,87 +11,39 @@ spec: matchLabels: {{- include "well-known.selectorLabels" . | nindent 6 }} policyTypes: - - Ingress - ingress: [] ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "well-known.fullname" . }}-allow-ingress-webserver - namespace: {{ .Release.Namespace }} - labels: - {{- include "well-known.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - {{- include "well-known.selectorLabels" . | nindent 6 }} - policyTypes: - - Ingress + - Ingress + - Egress ingress: - - ports: - - port: 8080 - protocol: TCP ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "well-known.fullname" . }}-deny-egress - namespace: {{ .Release.Namespace }} - labels: - {{- include "well-known.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - {{- include "well-known.selectorLabels" . | nindent 6 }} - policyTypes: - - Egress - egress: [] ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "well-known.fullname" . }}-allow-egress-dns - namespace: {{ .Release.Namespace }} - labels: - {{- include "well-known.labels" . | nindent 4 }} -spec: - policyTypes: - - Egress - podSelector: - matchLabels: - {{- include "well-known.selectorLabels" . | nindent 6 }} + # Accept all traffic on http port + - ports: + - name: http + protocol: TCP egress: - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - podSelector: - matchLabels: - k8s-app: kube-dns - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "well-known.fullname" . }}-allow-egress-apiserver - namespace: {{ .Release.Namespace }} - labels: - {{- include "well-known.labels" . | nindent 4 }} -spec: - policyTypes: - - Egress - podSelector: - matchLabels: - {{- include "well-known.selectorLabels" . 
| nindent 6 }} - egress: - - to: - - ipBlock: - cidr: {{ .Values.networkpolicies.kubeApiServerCIDR }} - ports: - - port: 443 - protocol: TCP + # Allow all traffic to the kubernetes API + {{- range .Values.networkpolicies.kubeApi }} + - to: + {{- range .addresses }} + - ipBlock: + cidr: {{ . }}/32 + {{- end }} + ports: + {{- range .ports | default (list 443) }} + - port: {{ . }} + protocol: TCP + {{- end }} + {{- end }} + # Allow traffic to kube-dns + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + {{- end -}} \ No newline at end of file diff --git a/charts/well-known/values.yaml b/charts/well-known/values.yaml index f95f2ad..5cd9128 100644 --- a/charts/well-known/values.yaml +++ b/charts/well-known/values.yaml @@ -93,7 +93,12 @@ autoscaling: networkpolicies: enabled: false - kubeApiServerCIDR: "/32" # kubectl get svc -n default kubernetes + kubeApi: [] # kubectl get svc -n default kubernetes -oyaml + # - addresses: + # - 10.0.0.153 + # - 10.0.0.90 + # ports: + # - 443 nodeSelector: {}
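Review bot: `cidr: {{ . }}/32` in the kubeApi egress loop hard-codes an IPv4 host mask onto every address, so an entry a user supplies as a CIDR (a constructed example: `10.0.0.0/24`) renders as the invalid `10.0.0.0/24/32`, and an IPv6 API endpoint would need `/128` rather than `/32`; rendering it as `cidr: {{ if contains "/" . }}{{ . }}{{ else }}{{ . }}/32{{ end }}` accepts both forms without changing the documented list-of-IPs usage. The new ingress rule matches a named port (`name: http`), which only selects traffic if the pod's container port carries that name in the Deployment template — not visible in this hunk, so worth confirming — and with no `from:` entry it admits that port from any source, as the comment says, so a `from:` namespaceSelector for the ingress controller is the natural next hardening step if the chart exposes one. The enclosing `{{- if .Values.networkpolicies.enabled -}}` block begins in the previous hunk.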
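Review bot: The commented example under `kubeApi: []` does not state the contract the template applies to it: each `addresses` entry must be a bare IP (the template appends `/32`), and `ports` may be omitted, in which case 443 is used; a line such as `# addresses: bare IPs, each rendered as a /32 ipBlock; ports defaults to [443]` above the example would make that visible to chart users. Renaming `kubeApiServerCIDR` to `kubeApi` also means a values file that still sets the old key is silently ignored, so the rendered policy carries no API-server egress after the upgrade; a guard like `{{- if .Values.networkpolicies.kubeApiServerCIDR }}{{ fail "networkpolicies.kubeApiServerCIDR was replaced by networkpolicies.kubeApi" }}{{- end }}` in the template would surface that at install time instead.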