DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Chart: Rework network policies. (#10238)

Browse source
This commit is contained in:
Marco Ebert 2023-09-24 17:02:57 +02:00 committed by GitHub
parent c3194dd388
commit 0b0ce031ac
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 87 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
charts/ingress-nginx/README.md
View file

@ -249,7 +249,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | | | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | |
| controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks | | controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks |
| controller.admissionWebhooks.namespaceSelector | object | `{}` | | | controller.admissionWebhooks.namespaceSelector | object | `{}` | |
| controller.admissionWebhooks.networkPolicyEnabled | bool | `false` | |
| controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.objectSelector | object | `{}` | |
| controller.admissionWebhooks.patch.enabled | bool | `true` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b"` | | | controller.admissionWebhooks.patch.image.digest | string | `"sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b"` | |
@ -374,6 +373,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. | | controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
| controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
| controller.name | string | `"controller"` | | | controller.name | string | `"controller"` | |
| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
| controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| controller.opentelemetry.enabled | bool | `false` | | | controller.opentelemetry.enabled | bool | `false` | |
@ -472,6 +472,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.minAvailable | int | `1` | | | defaultBackend.minAvailable | int | `1` | |
| defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
| defaultBackend.name | string | `"defaultbackend"` | | | defaultBackend.name | string | `"defaultbackend"` | |
| defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
| defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # | | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # |
| defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata | | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata |

10
charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml
View file

@ -1,4 +1,4 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.networkPolicyEnabled }} {{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy kind: NetworkPolicy
metadata: metadata:
@ -16,11 +16,11 @@ metadata:
spec: spec:
podSelector: podSelector:
matchLabels: matchLabels:
{{- include "ingress-nginx.labels" . | nindent 6 }} {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: admission-webhook app.kubernetes.io/component: admission-webhook
policyTypes: policyTypes:
- Ingress - Ingress
- Egress - Egress
egress: egress:
- {} - {}
{{- end }} {{- end }}

45
charts/ingress-nginx/templates/controller-networkpolicy.yaml Normal file
View file

@ -0,0 +1,45 @@
{{- if .Values.controller.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- with .Values.controller.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller
policyTypes:
- Ingress
- Egress
ingress:
- ports:
{{- range $key, $value := .Values.controller.containerPort }}
- protocol: TCP
port: {{ $value }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
- protocol: TCP
port: {{ .Values.controller.metrics.port }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
- protocol: TCP
port: {{ .Values.controller.admissionWebhooks.port }}
{{- end }}
{{- range $key, $value := .Values.tcp }}
- protocol: TCP
port: {{ $key }}
{{- end }}
{{- range $key, $value := .Values.udp }}
- protocol: UDP
port: {{ $key }}
{{- end }}
egress:
- {}
{{- end }}

19
charts/ingress-nginx/templates/controller-webhooks-networkpolicy.yaml
View file

@ -1,19 +0,0 @@
{{- if .Values.controller.admissionWebhooks.enabled }}
{{- if .Values.controller.admissionWebhooks.networkPolicyEnabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}-webhooks-allow
namespace: {{ .Release.Namespace }}
spec:
ingress:
- {}
podSelector:
matchLabels:
app.kubernetes.io/name: {{ include "ingress-nginx.name" . }}
policyTypes:
- Ingress
{{- end }}
{{- end }}

25
charts/ingress-nginx/templates/default-backend-networkpolicy.yaml Normal file
View file

@ -0,0 +1,25 @@
{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: default-backend
{{- with .Values.defaultBackend.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: default-backend
policyTypes:
- Ingress
- Egress
ingress:
- ports:
- protocol: TCP
port: {{ .Values.defaultBackend.port }}
{{- end }}

11
charts/ingress-nginx/values.yaml
View file

@ -96,6 +96,10 @@ controller:
http: 80 http: 80
# -- 'hostPort' https port # -- 'hostPort' https port
https: 443 https: 443
# NetworkPolicy for controller component.
networkPolicy:
# -- Enable 'networkPolicy' or not
enabled: false
# -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader'
electionID: "" electionID: ""
## This section refers to the creation of the IngressClass resource ## This section refers to the creation of the IngressClass resource
@ -606,7 +610,6 @@ controller:
labels: {} labels: {}
# -- Use an existing PSP instead of creating one # -- Use an existing PSP instead of creating one
existingPsp: "" existingPsp: ""
networkPolicyEnabled: false
service: service:
annotations: {} annotations: {}
# clusterIP: "" # clusterIP: ""
@ -872,6 +875,12 @@ defaultBackend:
maxReplicas: 2 maxReplicas: 2
targetCPUUtilizationPercentage: 50 targetCPUUtilizationPercentage: 50
targetMemoryUtilizationPercentage: 50 targetMemoryUtilizationPercentage: 50
# NetworkPolicy for default backend component.
networkPolicy:
# -- Enable 'networkPolicy' or not
enabled: false
service: service:
annotations: {} annotations: {}
# clusterIP: "" # clusterIP: ""