diff --git a/ceph-rgw/templates/network_policy.yaml b/ceph-rgw/templates/network_policy.yaml
new file mode 100644
index 000000000..bfc0b4def
--- /dev/null
+++ b/ceph-rgw/templates/network_policy.yaml
@@ -0,0 +1,21 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ceph-rgw" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ceph" }}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
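Review bot: The second include renders a policy for `"label" "ceph"`, and nothing in the template says why the ceph-rgw chart also selects pods labelled `application: ceph`. A NetworkPolicy pod selector applies to every matching pod in the namespace, so this policy may also cover pods installed by other charts. A comment above the second `dict`, for example `{{/* second policy: pods labelled application=ceph (<which components>) */}}`, would record the intended scope. The two includes are emitted with no `---` between them, so the file relies on the helm-toolkit template opening its own document, which is not visible in this diff.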
diff --git a/ceph-rgw/values.yaml b/ceph-rgw/values.yaml
index 3e32fb1b5..fe459ff43 100644
--- a/ceph-rgw/values.yaml
+++ b/ceph-rgw/values.yaml
@@ -474,6 +474,18 @@ endpoints:
       mon:
         default: 6789
 
+network_policy:
+  ceph-rgw:
+    ingress:
+      - {}
+    egress:
+      - {}
+  ceph:
+    ingress:
+      - {}
+    egress:
+      - {}
+
 
 manifests:
   configmap_ceph_templates: true
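Review bot: The defaults added here, `ingress: - {}` and `egress: - {}`, are match-all rules, so turning on `manifests.network_policy` with stock values produces a policy that restricts nothing. On the egress side, the helm-toolkit template in this commit appends the values list after the rules it generates from `endpoints`, so a single `- {}` makes all of those generated rules moot. Consider defaulting to `egress: []`, which the template's `if index ... "egress"` guard should skip, and documenting `- {}` as the explicit opt-out. The same egress default appears in the elasticsearch, fluent-logging, grafana, ingress, kibana, ldap and libvirt values in this diff.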
@@ -483,6 +495,7 @@ manifests:
   configmap_etc: true
   deployment_rgw: true
   ingress_rgw: true
+  network_policy: false
   job_ceph_rgw_storage_init: true
   job_image_repo_sync: true
   job_ks_endpoints: true
diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index 6a36e6adc..7e61523e9 100644
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -586,6 +586,21 @@ endpoints:
       api:
         default: 8088
         public: 80
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+      http:
+        default: 80
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
 monitoring:
   prometheus:
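Review bot: The `k8s` entry has neither `namespace` nor `hosts`, so the egress loop added to helm-toolkit in this commit renders it with an empty `to:` and ports 6443, 5000 and 80, allowing those ports to any destination rather than only the apiserver. The three namespace entries carry no `port`, so they render with an empty `ports:` and allow every port toward namespaces labelled `name: default`, `name: kube-system` and `name: kube-public`; that label must exist on the namespaces for the selector to match. The block's comment should state this, for example `# NOTE: k8s has no selector, so these ports are allowed to any destination`. The same block, with or without the `http` port, is copied into the fluent-logging, grafana, ingress, kibana, ldap, libvirt, mariadb, memcached, nagios, openvswitch, postgresql, prometheus and rabbitmq values.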
@@ -606,6 +621,13 @@ network:
       enabled: false
       port: 30920
 
+network_policy:
+  elasticsearch:
+    ingress:
+      - {}
+    egress:
+      - {}
+
 storage:
   enabled: true
   pvc:
@@ -623,6 +645,7 @@ manifests:
   deployment_client: true
   deployment_master: true
   ingress: true
+  network_policy: false
   job_image_repo_sync: true
   job_snapshot_repository: true
   job_s3_user: true
diff --git a/fluent-logging/values.yaml b/fluent-logging/values.yaml
index 7b8212a70..7c43e4f64 100644
--- a/fluent-logging/values.yaml
+++ b/fluent-logging/values.yaml
@@ -481,6 +481,43 @@ endpoints:
     port:
       metrics:
         default: 9309
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+      http:
+        default: 80
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
+
+network_policy:
+  fluentbit:
+    ingress:
+      - {}
+    egress:
+      - {}
+  fluentd:
+    ingress:
+      - {}
+    egress:
+      - {}
+  fluent:
+    ingress:
+      - {}
+    egress:
+      - {}
+  fluent-logging:
+    ingress:
+      - {}
+    egress:
+      - {}
 
 monitoring:
   prometheus:
diff --git a/grafana/values.yaml b/grafana/values.yaml
index 47775ca7e..8f837074b 100644
--- a/grafana/values.yaml
+++ b/grafana/values.yaml
@@ -232,6 +232,26 @@ endpoints:
     port:
       ldap:
         default: 389
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+      http:
+        default: 80
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
+
+network_policy:
+  grafana:
+    egress:
+      - {}
 
 dependencies:
   dynamic:
diff --git a/helm-toolkit/templates/manifests/_network_policy.tpl b/helm-toolkit/templates/manifests/_network_policy.tpl
index 3d412892a..75e2608c6 100644
--- a/helm-toolkit/templates/manifests/_network_policy.tpl
+++ b/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -11,12 +11,28 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
-
 {{/*
 abstract: |
   Creates a network policy manifest for services.
 values: |
-  network_policy:
+endpoints:
+  kube_dns:
+    namespace: kube-system
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns_tcp:
+        default: 53
+      dns:
+        default: 53
+        protocol: UDP
+network_policy:
     myLabel:
       ingress:
         - from:
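Review bot: The example under `values: |` no longer reads as one block: the added `endpoints:` and `network_policy:` lines sit at column 0, while the retained `myLabel:` line keeps its old four-space indent. Indent the added lines by two spaces, `  endpoints:` and `  network_policy:` with their children shifted to match, so the whole example stays inside the block scalar and `myLabel:` is again a child of `network_policy:`. The comment block continues past this hunk.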
@@ -26,6 +42,14 @@ values: |
           ports:
           - protocol: TCP
             port: 80
+      egress:
+        - to:
+          - namespaceSelector:
+              matchLabels:
+                name: default
+          - namespaceSelector:
+              matchLabels:
+                name: kube-public
 usage: |
   {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
 return: |
@@ -51,7 +75,25 @@ return: |
         - protocol: TCP
           port: 80
     egress:
-      - {}
+      - to:
+          - podSelector:
+              matchLabels:
+                application: kube-dns
+          - namespaceSelector:
+              matchLabels:
+                 name: kube-system
+          ports:
+          - protocol: TCP
+            port: 53
+          - protocol: UDP
+            port: 53
+      - to:
+          - namespaceSelector:
+              matchLabels:
+                 name: kube-public
+          - namespaceSelector:
+              matchLabels:
+                 name: default
 */}}
 
 {{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
@@ -76,8 +118,47 @@ spec:
     matchLabels:
       {{ $name }}: {{ $label }}
   egress:
-    - {}
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+    - to:
+{{- if index $value "namespace" }}
+      - namespaceSelector:
+          matchLabels:
+            name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+      - podSelector:
+          matchLabels:
+            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+      ports:
+{{- if index $value "port" }}
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if (ne $pk "protocol") }}
+      - port: {{ $pv }}
+        protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
 {{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
 {{- if index $envAll.Values.network_policy $label "ingress" }}
   ingress:
 {{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
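Review bot: The pod selector value is derived by splitting the endpoint host name on `-` and keeping the first token (`index $a._0`), so a host such as `kube-dns` renders `application: kube`, while this file's header comment shows `application: kube-dns` for the same input. A selector built this way can match no pod, which silently blocks egress to that service, or match unrelated pods that share the prefix. Reading an explicit label from the endpoint entry, with the split kept only as a fallback, would make the rendered rule predictable. The header example also lists the pod and namespace selectors together under one `to:`, whereas the `if`/`else if` here emits only one of them per endpoint. The `define` block starts and ends outside this hunk.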
diff --git a/ingress/values.yaml b/ingress/values.yaml
index 6b7df26ab..9d33894d6 100644
--- a/ingress/values.yaml
+++ b/ingress/values.yaml
@@ -198,11 +198,28 @@ endpoints:
       dns:
         default: 53
         protocol: UDP
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+      http:
+        default: 80
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
 network_policy:
   ingress:
     ingress:
       - {}
+    egress:
+      - {}
 
 conf:
   controller:
diff --git a/kibana/values.yaml b/kibana/values.yaml
index 9721ff707..61cc916f7 100644
--- a/kibana/values.yaml
+++ b/kibana/values.yaml
@@ -294,7 +294,26 @@ endpoints:
     port:
       ldap:
         default: 389
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+      http:
+        default: 80
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
+network_policy:
+  kibana:
+    egress:
+      - {}
 network:
   kibana:
     ingress:
diff --git a/ldap/values.yaml b/ldap/values.yaml
index 716b31852..2bf3ee80d 100644
--- a/ldap/values.yaml
+++ b/ldap/values.yaml
@@ -146,11 +146,28 @@ endpoints:
     port:
       ldap:
         default: 389
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+      http:
+        default: 80
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
 network_policy:
   ldap:
     ingress:
       - {}
+    egress:
+      - {}
 
 data:
   sample: |
diff --git a/libvirt/values.yaml b/libvirt/values.yaml
index b2551d86a..ac368b101 100644
--- a/libvirt/values.yaml
+++ b/libvirt/values.yaml
@@ -57,11 +57,26 @@ endpoints:
     port:
       registry:
         node: 5000
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
 network_policy:
   libvirt:
     ingress:
       - {}
+    egress:
+      - {}
 
 ceph_client:
   configmap: ceph-etc
diff --git a/mariadb/values.yaml b/mariadb/values.yaml
index 62051ca68..846b4aa01 100644
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@@ -275,6 +275,21 @@ endpoints:
       dns:
         default: 53
         protocol: UDP
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+      http:
+        default: 80
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
 network_policy:
   mariadb:
diff --git a/memcached/values.yaml b/memcached/values.yaml
index 9ca41237b..8f099cb08 100644
--- a/memcached/values.yaml
+++ b/memcached/values.yaml
@@ -98,6 +98,21 @@ endpoints:
       dns:
         default: 53
         protocol: UDP
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+      http:
+        default: 80
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
 network_policy:
   memcached:
diff --git a/nagios/values.yaml b/nagios/values.yaml
index a11df1d58..64dca29da 100644
--- a/nagios/values.yaml
+++ b/nagios/values.yaml
@@ -168,6 +168,21 @@ endpoints:
         default: 9283
     scheme:
       default: http
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+      http:
+        default: 80
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
 network:
   nagios:
diff --git a/openvswitch/values.yaml b/openvswitch/values.yaml
index 3804ed6a5..c01c820f7 100644
--- a/openvswitch/values.yaml
+++ b/openvswitch/values.yaml
@@ -90,6 +90,19 @@ endpoints:
     port:
       registry:
         node: 5000
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
 network_policy:
   openvswitch:
diff --git a/postgresql/values.yaml b/postgresql/values.yaml
index 2a52b0571..0203a6e37 100644
--- a/postgresql/values.yaml
+++ b/postgresql/values.yaml
@@ -198,10 +198,32 @@ endpoints:
     port:
       metrics:
         default: 9187
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+      http:
+        default: 80
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
+
+network_policy:
+  postgresql:
+    ingress:
+      - {}
+
 
 manifests:
   configmap_bin: true
   job_image_repo_sync: true
+  network_policy: false
   secret_admin: true
   service: true
   statefulset: true
diff --git a/prometheus/values.yaml b/prometheus/values.yaml
index 28ed48700..1d4e489a5 100644
--- a/prometheus/values.yaml
+++ b/prometheus/values.yaml
@@ -167,6 +167,21 @@ endpoints:
     port:
       ldap:
         default: 389
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+      http:
+        default: 80
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
 dependencies:
   dynamic:
diff --git a/rabbitmq/values.yaml b/rabbitmq/values.yaml
index d1cad04c2..872bca1d0 100644
--- a/rabbitmq/values.yaml
+++ b/rabbitmq/values.yaml
@@ -265,6 +265,21 @@ endpoints:
       dns:
         default: 53
         protocol: UDP
+  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # They are using to enable the Egress K8s network policy.
+  k8s:
+    port:
+      api:
+        default: 6443
+        internal: 5000
+      http:
+        default: 80
+  default:
+    namespace: default
+  kube_system:
+    namespace: kube-system
+  kube_public:
+    namespace: kube-public
 
 network_policy:
   rabbitmq:
diff --git a/tools/deployment/network-policy/040-ldap.sh b/tools/deployment/network-policy/040-ldap.sh
index 259222d5f..66efc6aaf 100755
--- a/tools/deployment/network-policy/040-ldap.sh
+++ b/tools/deployment/network-policy/040-ldap.sh
@@ -23,28 +23,29 @@ tee /tmp/ldap.yaml <<EOF
 manifests:
   network_policy: true
 network_policy:
-  ingress:
-    - from:
-      - podSelector:
-          matchLabels:
-            application: ldap
-      - podSelector:
-          matchLabels:
-            application: grafana
-      - podSelector:
-          matchLabels:
-            application: nagios
-      - podSelector:
-          matchLabels:
-            application: elasticsearch
-      - podSelector:
-          matchLabels:
-            application: kibana
-      ports:
-      - protocol: TCP
-        port: 389
-      - protocol: TCP
-        port: 80
+  ldap:
+    ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: ldap
+        - podSelector:
+            matchLabels:
+              application: grafana
+        - podSelector:
+            matchLabels:
+              application: nagios
+        - podSelector:
+            matchLabels:
+              application: elasticsearch
+        - podSelector:
+            matchLabels:
+              application: kibana
+        ports:
+        - protocol: TCP
+          port: 389
+        - protocol: TCP
+          port: 80
 EOF
 
 #NOTE: Deploy command
diff --git a/tools/deployment/network-policy/045-mariadb.sh b/tools/deployment/network-policy/045-mariadb.sh
index 559120f17..229c57abf 100755
--- a/tools/deployment/network-policy/045-mariadb.sh
+++ b/tools/deployment/network-policy/045-mariadb.sh
@@ -39,6 +39,11 @@ network_policy:
           port: 4567
         - protocol: TCP
           port: 80
+    egress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: ingress
 EOF
 
 #NOTE: Deploy command
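Review bot: The added egress rule uses `from:`, which is an ingress field; egress rules take `to:`. Depending on how strictly the manifest is validated, the install either fails on the unknown field or the field is dropped and the rule becomes an empty, match-all egress rule. The line should read `- to:` with the `podSelector` for `application: ingress` beneath it. The heredoc starts outside this hunk.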
diff --git a/tools/deployment/network-policy/120-elasticsearch.sh b/tools/deployment/network-policy/120-elasticsearch.sh
index 02a408a04..6a9a05a9d 100755
--- a/tools/deployment/network-policy/120-elasticsearch.sh
+++ b/tools/deployment/network-policy/120-elasticsearch.sh
@@ -28,16 +28,11 @@ pod:
   replicas:
     data: 1
     master: 2
-manifests:
-  network_policy: true
-network_policy:
-  elasticsearch:
-    ingress:
-      - from:
 EOF
 
 helm upgrade --install elasticsearch ./elasticsearch \
     --namespace=osh-infra \
+    --set manifests.network_policy=true \
     --values=/tmp/elasticsearch.yaml
 
 #NOTE: Wait for deploy
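Review bot: With the values override removed, this job enables the policy through `--set manifests.network_policy=true` and otherwise takes the chart defaults, which this commit sets to `ingress: - {}` and `egress: - {}` for elasticsearch. The deployment therefore only proves that the manifest renders; the network-policy gate restricts no traffic for this chart. Keeping a small override with real `from:`/`to:` selectors would exercise enforcement. 130-fluent-logging.sh is changed the same way.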
diff --git a/tools/deployment/network-policy/130-fluent-logging.sh b/tools/deployment/network-policy/130-fluent-logging.sh
index 3adb4e851..03a57db02 100755
--- a/tools/deployment/network-policy/130-fluent-logging.sh
+++ b/tools/deployment/network-policy/130-fluent-logging.sh
@@ -19,29 +19,10 @@ set -xe
 #NOTE: Lint and package chart
 make fluent-logging
 
-tee /tmp/fluent-logging.yaml <<EOF
-manifests:
-  network_policy: true
-network_policy:
-  fluentbit:
-    ingress:
-      - from:
-  fluentd:
-    ingress:
-      - from:
-  fluent:
-    ingress:
-      - from:
-  fluent-logging:
-    ingress:
-      - from:
-EOF
-
-
 #NOTE: Deploy command
 helm upgrade --install fluent-logging ./fluent-logging \
     --namespace=osh-infra \
-    --values=/tmp/fluent-logging.yaml \
+    --set manifests.network_policy=true \
     --set pod.replicas.fluentd=1
 
 #NOTE: Wait for deploy