feat: Improve netpol config

Dries De Peuter 2023-10-27 23:42:41 +02:00
parent 1f0d9ccff7
commit d45d26cef4
2 changed files with 40 additions and 84 deletions


@ -1,24 +1,8 @@
{{- if .Values.networkpolicies.enabled -}} {{- if .Values.networkpolicies.enabled -}}
---
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy kind: NetworkPolicy
metadata: metadata:
name: {{ include "well-known.fullname" . }}-deny-ingress name: {{ include "well-known.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "well-known.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "well-known.selectorLabels" . | nindent 6 }}
policyTypes:
- Ingress
ingress: []
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "well-known.fullname" . }}-allow-ingress-webserver
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "well-known.labels" . | nindent 4 }} {{- include "well-known.labels" . | nindent 4 }}
@ -28,40 +12,27 @@ spec:
{{- include "well-known.selectorLabels" . | nindent 6 }} {{- include "well-known.selectorLabels" . | nindent 6 }}
policyTypes: policyTypes:
- Ingress - Ingress
- Egress
ingress: ingress:
# Accept all traffic on http port
- ports: - ports:
- port: 8080 - name: http
protocol: TCP protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "well-known.fullname" . }}-deny-egress
namespace: {{ .Release.Namespace }}
labels:
{{- include "well-known.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "well-known.selectorLabels" . | nindent 6 }}
policyTypes:
- Egress
egress: []
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "well-known.fullname" . }}-allow-egress-dns
namespace: {{ .Release.Namespace }}
labels:
{{- include "well-known.labels" . | nindent 4 }}
spec:
policyTypes:
- Egress
podSelector:
matchLabels:
{{- include "well-known.selectorLabels" . | nindent 6 }}
egress: egress:
# Allow all traffic to the kubernetes API
{{- range .Values.networkpolicies.kubeApi }}
- to:
{{- range .addresses }}
- ipBlock:
cidr: {{ . }}/32
{{- end }}
ports:
{{- range .ports | default (list 443) }}
- port: {{ . }}
protocol: TCP
{{- end }}
{{- end }}
# Allow traffic to kube-dns
- to: - to:
- namespaceSelector: - namespaceSelector:
matchLabels: matchLabels:
@ -74,25 +45,5 @@ spec:
protocol: UDP protocol: UDP
- port: 53 - port: 53
protocol: TCP protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "well-known.fullname" . }}-allow-egress-apiserver
namespace: {{ .Release.Namespace }}
labels:
{{- include "well-known.labels" . | nindent 4 }}
spec:
policyTypes:
- Egress
podSelector:
matchLabels:
{{- include "well-known.selectorLabels" . | nindent 6 }}
egress:
- to:
- ipBlock:
cidr: {{ .Values.networkpolicies.kubeApiServerCIDR }}
ports:
- port: 443
protocol: TCP
{{- end -}} {{- end -}}
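Review bot: The new kubeApi egress rule appends a fixed `/32` to every address (`cidr: {{ . }}/32`), so a value that already carries a prefix renders as an invalid CIDR and an IPv6 endpoint could never be expressed, whereas the removed `kubeApiServerCIDR` value accepted a full CIDR. Either document that `addresses` entries must be bare IPv4 host addresses, or emit the value as supplied and leave the prefix to the values file, e.g. `cidr: {{ . | quote }}` with `- 10.0.0.153/32` in values. The ingress rule also switches from `- port: 8080` to the named port `- name: http`; this only admits traffic if the pod's container port is actually named `http` (presumably it is in the deployment template, which is not visible here), and a mismatch would leave all ingress silently denied rather than failing at install. The enclosing `spec:` block starts before this hunk.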


@ -93,7 +93,12 @@ autoscaling:
networkpolicies: networkpolicies:
enabled: false enabled: false
kubeApiServerCIDR: "<IP>/32" # kubectl get svc -n default kubernetes kubeApi: [] # kubectl get svc -n default kubernetes -oyaml
# - addresses:
# - 10.0.0.153
# - 10.0.0.90
# ports:
# - 443
nodeSelector: {} nodeSelector: {}
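Review bot: Renaming `kubeApiServerCIDR` to `kubeApi` is a breaking values change that the comment on the new key does not mention: a release upgraded with the old key still set renders no API-server egress rule at all, and since the consolidated policy now appears to declare the Egress policy type as well, such pods lose API access silently. Consider a comment above the key such as `# Replaces kubeApiServerCIDR (removed). Each entry lists API-server endpoint addresses (a /32 suffix is appended) and optional ports (default 443); the empty default allows no API egress.`, and optionally a `{{- if .Values.networkpolicies.kubeApiServerCIDR }}{{ fail "networkpolicies.kubeApiServerCIDR was replaced by networkpolicies.kubeApi" }}{{- end }}` guard in the template so the upgrade fails loudly. The hint `kubectl get svc -n default kubernetes -oyaml` points at the Service object, while the example lists two addresses that look like Endpoints entries; confirm which object the addresses should be taken from and name it in the comment.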