feat: Improve netpol config

charts/well-known/templates/networkpolicy.yaml

@@ -1,9 +1,8 @@
 {{- if .Values.networkpolicies.enabled -}}
----
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: {{ include "well-known.fullname" . }}-deny-ingress
+  name: {{ include "well-known.fullname" . }}
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "well-known.labels" . | nindent 4 }}
@@ -12,87 +11,39 @@ spec:
     matchLabels:
 	    {{- include "well-known.selectorLabels" . | nindent 6 }}
   policyTypes:
-  - Ingress
+    - Ingress
-  ingress: []
+    - Egress
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: {{ include "well-known.fullname" . }}-allow-ingress-webserver
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "well-known.labels" . | nindent 4 }}
-spec:
-  podSelector:
-    matchLabels:
-	    {{- include "well-known.selectorLabels" . | nindent 6 }}
-  policyTypes:
-  - Ingress
   ingress:
-  - ports:
+    # Accept all traffic on http port
-    - port: 8080
+    - ports:
-      protocol: TCP
+        - name: http
----
+          protocol: TCP
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: {{ include "well-known.fullname" . }}-deny-egress
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "well-known.labels" . | nindent 4 }}
-spec:
-  podSelector:
-    matchLabels:
-	    {{- include "well-known.selectorLabels" . | nindent 6 }}
-  policyTypes:
-  - Egress
-  egress: []
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: {{ include "well-known.fullname" . }}-allow-egress-dns
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "well-known.labels" . | nindent 4 }}
-spec:
-  policyTypes:
-  - Egress
-  podSelector:
-    matchLabels:
-	    {{- include "well-known.selectorLabels" . | nindent 6 }}
   egress:
-  - to:
+    # Allow all traffic to the kubernetes API
-    - namespaceSelector:
+    {{- range .Values.networkpolicies.kubeApi }}
-        matchLabels:
+    - to:
-          kubernetes.io/metadata.name: kube-system
+        {{- range .addresses }}
-      podSelector:
+        - ipBlock:
-        matchLabels:
+            cidr: {{ . }}/32
-          k8s-app: kube-dns
+        {{- end }}
-    ports:
+      ports:
-    - port: 53
+        {{- range .ports | default (list 443) }}
-      protocol: UDP
+        - port: {{ . }}
-    - port: 53
+          protocol: TCP
-      protocol: TCP
+        {{- end }}
----
+    {{- end }}
-apiVersion: networking.k8s.io/v1
+    # Allow traffic to kube-dns
-kind: NetworkPolicy
+    - to:
-metadata:
+        - namespaceSelector:
-  name: {{ include "well-known.fullname" . }}-allow-egress-apiserver
+            matchLabels:
-  namespace: {{ .Release.Namespace }}
+              kubernetes.io/metadata.name: kube-system
-  labels:
+          podSelector:
-    {{- include "well-known.labels" . | nindent 4 }}
+            matchLabels:
-spec:
+              k8s-app: kube-dns
-  policyTypes:
+      ports:
-  - Egress
+        - port: 53
-  podSelector:
+          protocol: UDP
-    matchLabels:
+        - port: 53
-	    {{- include "well-known.selectorLabels" . | nindent 6 }}
+          protocol: TCP
-  egress:
+
-  - to:
-    - ipBlock:
-        cidr: {{ .Values.networkpolicies.kubeApiServerCIDR }}
-    ports:
-    - port: 443
-      protocol: TCP
 {{- end -}}

charts/well-known/values.yaml

@@ -93,7 +93,12 @@ autoscaling:
 
 networkpolicies:
   enabled: false
-  kubeApiServerCIDR: "<IP>/32" # kubectl get svc -n default kubernetes
+  kubeApi: [] # kubectl get svc -n default kubernetes -oyaml
+    # - addresses: 
+    #     - 10.0.0.153
+    #     - 10.0.0.90
+    #   ports:
+    #     - 443
 
 nodeSelector: {}