Network policy should match the rasa fullname and not just rasa

[nyejon]

Hi, if I specify a different name, like "rasa-production" the network policies no longer apply.

See:

helm-charts/charts/rasa/templates/network-policy/rasa-bot-allow-egress-http-https.yaml

Line 9 in 2875622

app.kubernetes.io/name: rasa

It should be something like: {{ include "rasa-common.names.fullname" . }}

[nyejon]

Same thing applies to rabbit and redis:

helm-charts/charts/rasa/templates/network-policy/rasa-bot-rabbitmq.yaml

Line 35 in 2875622

app.kubernetes.io/name: rabbitmq

We should be able to specify the name of the rabbit and redis pod when we use an external deployment.

[sara-tagger]

Thanks for the issue, @JustinaPetr will get back to you about it soon!

You may find help in the docs and the forum, too 🤗

[nyejon]

You can use the NP from Rasa-X by adding the following label to the podLabels in the values file.

podLabels:
  app.kubernetes.io/component: rasa-production

Then make sure the name of redis and rabbit deployments are "redis" and "rabbitmq" respectively.

[RASADSA]

Hello @nyejon
due to current restructuring internally - all development on the RASA helm charts are on hold.
( and yes paying customers is a different scenario )

We will come back to this ticket when we will refactor the RASA helmcharts.

headsup - NP will most likely disappear from the helmcharts.
Since we cannot support multiple CNI's / Cloud providers.

perfect moment to mention We accept PR's and always did - interesting
https://github.com/RasaHQ/helm-charts#how-to-contribute

[nyejon]

Hi @RASADSA

The network policies are useful, they should be in at least either the Rasa X chart or the Rasa OSS chart.

For many issues, all that needs to be done is standardise the way you name things in your charts.
With these minor changes, it works.

A lot of the issues are small mistakes, but the problem (as a user) has been that there are many small mistakes and it's been difficult to debug.

Thanks,
Jonathan

[RASADSA]

Hello @nyejon

there is enough documentation on that around the k8s projects - fact is that a lot of bigger OSS helmcharts pulled out NP cause its impossible to support all the edge cases of NP with a different CNI.

Neither the fact the most of the CNI's treat NP different.

RASA has not the capabilities to support NP's.

a list of current CNI 's supported by k8s at this moment

Project Calico - a layer 3 virtual network
Weave - a multi-host Docker network
Contiv Networking - policy networking for various use cases
SR-IOV
Cilium - BPF & XDP for containers
Infoblox - enterprise IP address management for containers
Multus - a Multi plugin
Romana - Layer 3 CNI plugin supporting network policy for Kubernetes
CNI-Genie - generic CNI network plugin
Nuage CNI - Nuage Networks SDN plugin for network policy kubernetes support
Silk - a CNI plugin designed for Cloud Foundry
Linen - a CNI plugin designed for overlay networks with Open vSwitch and fit in SDN/OpenFlow network environment
Vhostuser - a Dataplane network plugin - Supports OVS-DPDK & VPP
Amazon ECS CNI Plugins - a collection of CNI Plugins to configure containers with Amazon EC2 elastic network interfaces (ENIs)
Bonding CNI - a Link aggregating plugin to address failover and high availability network
ovn-kubernetes - an container network plugin built on Open vSwitch (OVS) and Open Virtual Networking (OVN) with support for both Linux and Windows
Juniper Contrail / TungstenFabric - Provides overlay SDN solution, delivering multicloud networking, hybrid cloud networking, simultaneous overlay-underlay support, network policy enforcement, network isolation, service chaining and flexible load balancing
Knitter - a CNI plugin supporting multiple networking for Kubernetes
DANM - a CNI-compliant networking solution for TelCo workloads running on Kubernetes
VMware NSX – a CNI plugin that enables automated NSX L2/L3 networking and L4/L7 Load Balancing; network isolation at the pod, node, and cluster level; and zero-trust security policy for your Kubernetes cluster.
cni-route-override - a meta CNI plugin that override route information
Terway - a collection of CNI Plugins based on alibaba cloud VPC/ECS network product
Cisco ACI CNI - for on-prem and cloud container networking with consistent policy and security model.
Kube-OVN - a CNI plugin that bases on OVN/OVS and provides advanced features like subnet, static ip, ACL, QoS, etc.
Project Antrea - an Open vSwitch k8s CNI
OVN4NFV-K8S-Plugin - a OVN based CNI controller plugin to provide cloud native based Service function chaining (SFC), Multiple OVN overlay networking
Azure CNI - a CNI plugin that natively extends Azure Virtual Networks to containers
NetLOX Loxilight - Loxilight CNI is based on TC eBPF. It works either as a pure eBPF mode or in a hybrid-mode with multi-vendor DPU support when DPU units are available
Hybridnet - a CNI plugin designed for hybrid clouds which provides both overlay and underlay networking for containers in one or more clusters. Overlay and underlay containers can run on the same node and have cluster-wide bidirectional network connectivity.