From 4be47513e21b35b997a25493bedc7f9088c70053 Mon Sep 17 00:00:00 2001 From: Omer Aplatony Date: Fri, 19 Jul 2024 13:30:52 +0300 Subject: [PATCH] Add egress for network policies Signed-off-by: Omer Aplatony --- charts/argo-cd/Chart.yaml | 6 +++--- charts/argo-cd/README.md | 2 ++ .../networkpolicy.yaml | 16 ++++++++++++++- .../argocd-applicationset/networkpolicy.yaml | 20 +++++++++++++++++-- .../argocd-notifications/networkpolicy.yaml | 18 ++++++++++++++++- .../argocd-repo-server/networkpolicy.yaml | 18 ++++++++++++++++- .../argocd-server/networkpolicy.yaml | 20 +++++++++++++++++-- .../argo-cd/templates/dex/networkpolicy.yaml | 18 ++++++++++++++++- .../templates/redis/networkpolicy.yaml | 18 ++++++++++++++++- charts/argo-cd/values.yaml | 17 ++++++++++++++++ 10 files changed, 141 insertions(+), 12 deletions(-) diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index b943f562..2ffaf071 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -3,7 +3,7 @@ appVersion: v2.11.5 kubeVersion: ">=1.23.0-0" description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. name: argo-cd -version: 7.3.8 +version: 7.4.0 home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png sources: @@ -26,5 +26,5 @@ annotations: fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc artifacthub.io/changes: | - - kind: fixed - description: Add Redis Sentinel variables to application controller deployment + - kind: Added + description: Add egress for network policies diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md index 3801650d..15828658 100644 --- a/charts/argo-cd/README.md +++ b/charts/argo-cd/README.md 
@@ -683,6 +683,8 @@ NAME: my-release | global.logging.level | string | `"info"` | Set the global logging level. One of: `debug`, `info`, `warn` or `error` | | global.networkPolicy.create | bool | `false` | Create NetworkPolicy objects for all components | | global.networkPolicy.defaultDenyIngress | bool | `false` | Default deny all ingress traffic | +| global.networkPolicy.egress.create | `bool` | `false` | Create egress NetworkPolicy rules for all components. | +| global.networkPolicy.egress.ipBlock | `list` | `[]` | List of egress IP blocks and ports. Each block specifies a CIDR and associated ports. | | global.nodeSelector | object | `{}` | Default node selector for all components | | global.podAnnotations | object | `{}` | Annotations for the all deployed pods | | global.podLabels | object | `{}` | Labels for the all deployed pods | diff --git a/charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml b/charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml index db1ee7c2..a797eb1d 100644 --- a/charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml +++ b/charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml @@ -5,7 +5,7 @@ metadata: labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} name: {{ template "argo-cd.controller.fullname" . }} - namespace: {{ include "argo-cd.namespace" . }} + namespace: {{ include "argo-cd.namespace" . }} spec: ingress: - from: 
@@ -17,4 +17,18 @@ spec: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }} policyTypes: - Ingress + {{- if .Values.global.networkPolicy.egress.create }} + - Egress + egress: + {{- range .Values.global.networkPolicy.egress.ipBlock }} + - to: + - ipBlock: + cidr: {{ .cidr }} + ports: + {{- range .ports }} + - port: {{ .port }} + protocol: {{ .protocol | default "TCP" }} + {{- end }} + {{- end }} + {{- end }} {{- end }} diff --git a/charts/argo-cd/templates/argocd-applicationset/networkpolicy.yaml b/charts/argo-cd/templates/argocd-applicationset/networkpolicy.yaml index 3a295f77..2bd3929a 100644 --- a/charts/argo-cd/templates/argocd-applicationset/networkpolicy.yaml +++ b/charts/argo-cd/templates/argocd-applicationset/networkpolicy.yaml @@ -3,12 +3,12 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: {{ template "argo-cd.applicationSet.fullname" . }} - namespace: {{ include "argo-cd.namespace" . }} + namespace: {{ include "argo-cd.namespace" . }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }} spec: ingress: - {{- if .Values.applicationSet.ingress.enabled }} + {{- if .Values.applicationSet.ingress.enabled }} - ports: - port: webhook {{- end }} @@ -23,4 +23,20 @@ spec: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.applicationSet.name) | nindent 6 }} policyTypes: - Ingress + {{- if .Values.global.networkPolicy.egress.create }} + - Egress + egress: + {{- if .Values.global.networkPolicy.egress.ipBlock }} + {{- range .Values.global.networkPolicy.egress.ipBlock }} + - to: + - ipBlock: + cidr: {{ .cidr }} + ports: + {{- range .ports }} + - port: {{ .port }} + protocol: {{ .protocol | default "TCP" }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} {{- end }} 
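Review bot: Once `egress.create` is true this template puts `Egress` into `policyTypes` but only emits the `ipBlock` rules, so with `ipBlock` unset (the shipped default, where it is commented out) the controller renders `egress:` with no rules, which Kubernetes treats as deny-all egress for the selected pods; even with a populated list, traffic to the API server, repo-server, redis and cluster DNS is dropped unless those ranges happen to be listed. The same applies to the argocd-applicationset, argocd-notifications, argocd-repo-server, argocd-server, dex and redis networkpolicy.yaml hunks. At minimum state this in the template above the `{{- if .Values.global.networkPolicy.egress.create }}` line: `{{/* Adding Egress to policyTypes denies every destination not listed below (cluster DNS, the API server, the other Argo CD components); ipBlock must cover them. */}}`. Separately, this is the only one of the seven templates without the `{{- if .Values.global.networkPolicy.egress.ipBlock }}` guard around the range; since `range` over a nil list emits nothing the guard is redundant, so either drop it from the other six or add it here so the templates stay identical.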
diff --git a/charts/argo-cd/templates/argocd-notifications/networkpolicy.yaml b/charts/argo-cd/templates/argocd-notifications/networkpolicy.yaml index b03c26ca..bb57f7d0 100644 --- a/charts/argo-cd/templates/argocd-notifications/networkpolicy.yaml +++ b/charts/argo-cd/templates/argocd-notifications/networkpolicy.yaml @@ -3,7 +3,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: {{ template "argo-cd.notifications.fullname" . }} - namespace: {{ include "argo-cd.namespace" . }} + namespace: {{ include "argo-cd.namespace" . }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }} spec: @@ -17,4 +17,20 @@ spec: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.notifications.name) | nindent 6 }} policyTypes: - Ingress + {{- if .Values.global.networkPolicy.egress.create }} + - Egress + egress: + {{- if .Values.global.networkPolicy.egress.ipBlock }} + {{- range .Values.global.networkPolicy.egress.ipBlock }} + - to: + - ipBlock: + cidr: {{ .cidr }} + ports: + {{- range .ports }} + - port: {{ .port }} + protocol: {{ .protocol | default "TCP" }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} {{- end }} diff --git a/charts/argo-cd/templates/argocd-repo-server/networkpolicy.yaml b/charts/argo-cd/templates/argocd-repo-server/networkpolicy.yaml index c11ab129..61750358 100644 --- a/charts/argo-cd/templates/argocd-repo-server/networkpolicy.yaml +++ b/charts/argo-cd/templates/argocd-repo-server/networkpolicy.yaml @@ -5,7 +5,7 @@ metadata: labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }} name: {{ template "argo-cd.repoServer.fullname" . }} - namespace: {{ include "argo-cd.namespace" . }} + namespace: {{ include "argo-cd.namespace" . }} spec: ingress: - from: 
@@ -37,4 +37,20 @@ spec: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.repoServer.name) | nindent 6 }} policyTypes: - Ingress + {{- if .Values.global.networkPolicy.egress.create }} + - Egress + egress: + {{- if .Values.global.networkPolicy.egress.ipBlock }} + {{- range .Values.global.networkPolicy.egress.ipBlock }} + - to: + - ipBlock: + cidr: {{ .cidr | default "0.0.0.0/0" }} + ports: + {{- range .ports }} + - port: {{ .port }} + protocol: {{ .protocol | default "TCP" }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} {{- end }} diff --git a/charts/argo-cd/templates/argocd-server/networkpolicy.yaml b/charts/argo-cd/templates/argocd-server/networkpolicy.yaml index 4621e24f..375f2efb 100644 --- a/charts/argo-cd/templates/argocd-server/networkpolicy.yaml +++ b/charts/argo-cd/templates/argocd-server/networkpolicy.yaml @@ -5,13 +5,29 @@ metadata: labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} name: {{ template "argo-cd.server.fullname" . }} - namespace: {{ include "argo-cd.namespace" . }} + namespace: {{ include "argo-cd.namespace" . }} spec: ingress: - - {} + - {} podSelector: matchLabels: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }} policyTypes: - Ingress + {{- if .Values.global.networkPolicy.egress.create }} + - Egress + egress: + {{- if .Values.global.networkPolicy.egress.ipBlock }} + {{- range .Values.global.networkPolicy.egress.ipBlock }} + - to: + - ipBlock: + cidr: {{ .cidr }} + ports: + {{- range .ports }} + - port: {{ .port }} + protocol: {{ .protocol | default "TCP" }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} {{- end }} diff --git a/charts/argo-cd/templates/dex/networkpolicy.yaml b/charts/argo-cd/templates/dex/networkpolicy.yaml index 6d0c9789..aba99df7 100644 --- a/charts/argo-cd/templates/dex/networkpolicy.yaml +++ b/charts/argo-cd/templates/dex/networkpolicy.yaml 
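Review bot: `cidr: {{ .cidr | default "0.0.0.0/0" }}` means an `ipBlock` entry that omits `cidr` silently renders an allow-to-anywhere rule on the listed ports for the repo-server, while the controller, applicationset, notifications and server templates render the same entry as an empty `cidr:` that the API server rejects because `ipBlock.cidr` is required; the dex and redis hunks carry the same default. For a network policy, silently widening the rule is the worse of the two failures, so fail the render instead and do it the same way in all seven templates: `cidr: {{ required "global.networkPolicy.egress.ipBlock[].cidr is required" .cidr }}`.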
@@ -5,7 +5,7 @@ metadata: labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.dex.name "name" .Values.dex.name) | nindent 4 }} name: {{ template "argo-cd.dex.fullname" . }} - namespace: {{ include "argo-cd.namespace" . }} + namespace: {{ include "argo-cd.namespace" . }} spec: ingress: - from: @@ -29,4 +29,20 @@ spec: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.dex.name) | nindent 6 }} policyTypes: - Ingress + {{- if .Values.global.networkPolicy.egress.create }} + - Egress + egress: + {{- if .Values.global.networkPolicy.egress.ipBlock }} + {{- range .Values.global.networkPolicy.egress.ipBlock }} + - to: + - ipBlock: + cidr: {{ .cidr | default "0.0.0.0/0" }} + ports: + {{- range .ports }} + - port: {{ .port }} + protocol: {{ .protocol | default "TCP" }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} {{- end }} diff --git a/charts/argo-cd/templates/redis/networkpolicy.yaml b/charts/argo-cd/templates/redis/networkpolicy.yaml index d602a931..cb78e96c 100644 --- a/charts/argo-cd/templates/redis/networkpolicy.yaml +++ b/charts/argo-cd/templates/redis/networkpolicy.yaml @@ -6,7 +6,7 @@ metadata: labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} name: {{ template "argo-cd.redis.fullname" . }} - namespace: {{ include "argo-cd.namespace" . }} + namespace: {{ include "argo-cd.namespace" . }} spec: ingress: - from: 
@@ -34,4 +34,20 @@ spec: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.redis.name) | nindent 6 }} policyTypes: - Ingress + {{- if .Values.global.networkPolicy.egress.create }} + - Egress + egress: + {{- if .Values.global.networkPolicy.egress.ipBlock }} + {{- range .Values.global.networkPolicy.egress.ipBlock }} + - to: + - ipBlock: + cidr: {{ .cidr | default "0.0.0.0/0" }} + ports: + {{- range .ports }} + - port: {{ .port }} + protocol: {{ .protocol | default "TCP" }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} {{- end }} diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index 0d42bf71..4ebd3096 100644 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml @@ -111,6 +111,23 @@ global: create: false # -- Default deny all ingress traffic defaultDenyIngress: false + # -- egress rules for all components + egress: + create: false + # ipBlock: + # - cidr: 192.168.1.0/24 + # ports: + # - port: 443 + # protocol: TCP + # - port: 80 + # protocol: TCP + # - cidr: 172.16.0.0/16 + # ports: + # - port: 53 + # protocol: UDP + # - port: 5432 + # protocol: TCP + # -- Default priority class for all components priorityClassName: ""
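Review bot: `ipBlock` exists only inside a commented-out example, so the key is absent from the default values and neither it nor `create` carries a `# --` helm-docs comment, which is presumably why the README rows in this commit were added by hand and use a different type formatting from the surrounding rows. Declare the key and document both values where helm-docs can see them: `# -- Create egress NetworkPolicy rules for all components` above `create: false`, then `# -- List of egress IP blocks and ports; with create enabled, destinations not listed here (cluster DNS, the API server, the other Argo CD components) are denied` followed by `ipBlock: []`, keeping the CIDR/port example below as a comment.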