This repository has been archived by the owner on Jun 27, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix: Network policies for pgsql clusters (#29)
- Loading branch information
Showing
8 changed files
with
87 additions
and
86 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| {{- define "common.network-policy-postgresql-cluster" }} | ||
| {{- $appPodSelector := .AppPodSelector }} | ||
| {{- with .Root }} | ||
| {{- $clusterName := .Release.Name }} | ||
| apiVersion: networking.k8s.io/v1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| name: {{ $clusterName }}-postgresql-cluster | ||
| labels: | ||
| {{- include "common.resource-labels" . | indent 4 }} | ||
| spec: | ||
| podSelector: | ||
| matchLabels: | ||
| cnpg.io/podRole: instance | ||
| cnpg.io/cluster: {{ $clusterName }} | ||
| policyTypes: | ||
| - Ingress | ||
| - Egress | ||
| egress: | ||
| # Allow cluster instances to talk to Kube API | ||
| {{- include "common.egress-kubeapi" . | indent 4 }} | ||
| ingress: | ||
| - ports: | ||
| - protocol: TCP | ||
| port: 5432 | ||
| from: | ||
| # Accept traffic from postgresql jobs related to the same cluster | ||
| - podSelector: | ||
| matchExpressions: | ||
| - key: cnpg.io/jobRole | ||
| operator: Exists | ||
| - key: cnpg.io/cluster | ||
| operator: In | ||
| values: | ||
| - {{ $clusterName }} | ||
| # Accept traffic from other cluster instances | ||
| - podSelector: | ||
| matchLabels: | ||
| cnpg.io/podRole: instance | ||
| cnpg.io/cluster: {{ $clusterName }} | ||
|
|
||
| {{- if $appPodSelector }} | ||
| # Accept traffic from consuming app | ||
| - podSelector: {{ $appPodSelector | toYaml | nindent 12 }} | ||
| {{- end }} | ||
|
|
||
| # Accept traffic from operator in postgresql-system namespace | ||
| - ports: | ||
| - protocol: TCP | ||
| port: 8000 | ||
| from: | ||
| - namespaceSelector: | ||
| matchLabels: | ||
| kubernetes.io/metadata.name: postgresql-system | ||
| podSelector: | ||
| matchLabels: | ||
| app.kubernetes.io/name: cloudnative-pg | ||
| --- | ||
| apiVersion: networking.k8s.io/v1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| name: {{ $clusterName }}-postgresql-jobs | ||
| labels: | ||
| {{- include "common.resource-labels" . | indent 4 }} | ||
| spec: | ||
| podSelector: | ||
| matchExpressions: | ||
| - key: cnpg.io/jobRole | ||
| operator: Exists | ||
| - key: cnpg.io/cluster | ||
| operator: In | ||
| values: | ||
| - {{ $clusterName }} | ||
| policyTypes: | ||
| - Egress | ||
| egress: | ||
| # Allow jobs to talk to Kube API | ||
| {{- include "common.egress-kubeapi" . | indent 4 }} | ||
| {{- end }} | ||
| {{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
39 changes: 0 additions & 39 deletions
39
apps/network-policies/templates/network-policy-postgresql-clusters.yml
This file was deleted.
Oops, something went wrong.
15 changes: 0 additions & 15 deletions
15
apps/network-policies/templates/network-policy-postgresql-jobs.yml
This file was deleted.
Oops, something went wrong.
29 changes: 2 additions & 27 deletions
29
apps/pomerium/templates/custom-network-policy-postgresql-cluster.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,27 +1,2 @@ | ||
| apiVersion: networking.k8s.io/v1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| name: {{ .Release.Name }}-postgresql | ||
| namespace: {{ $.Release.Namespace }} | ||
| labels: | ||
| {{- include "common.resource-labels" . | indent 4 }} | ||
| spec: | ||
| podSelector: | ||
| matchExpressions: | ||
| - key: cnpg.io/cluster | ||
| operator: In | ||
| values: | ||
| - {{ $.Release.Name }} | ||
| policyTypes: | ||
| - Ingress | ||
| ingress: | ||
| # Accept traffic from pomerium | ||
| - ports: | ||
| - protocol: TCP | ||
| port: 5432 | ||
| from: | ||
| - podSelector: | ||
| matchLabels: | ||
| app.kubernetes.io/name: pomerium | ||
| app.kubernetes.io/instance: {{ .Release.Name }} | ||
|
|
||
| {{- $appPodSelector := (dict "matchLabels" (include "common.pod-labels" . | fromYaml)) }} | ||
| {{ include "common.network-policy-postgresql-cluster" (dict "Root" . "AppPodSelector" $appPodSelector) }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters