feat: Improve netpol config

stenic · Oct 27, 2023 · d45d26c · d45d26c
1 parent 1f0d9cc
commit d45d26c
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 84 deletions.
diff --git a/charts/well-known/templates/networkpolicy.yaml b/charts/well-known/templates/networkpolicy.yaml
@@ -1,9 +1,8 @@
 {{- if .Values.networkpolicies.enabled -}}
----
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: {{ include "well-known.fullname" . }}-deny-ingress
+  name: {{ include "well-known.fullname" . }}
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "well-known.labels" . | nindent 4 }}
@@ -12,87 +11,39 @@ spec:
     matchLabels:
 	    {{- include "well-known.selectorLabels" . | nindent 6 }}
   policyTypes:
-  - Ingress
-  ingress: []
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: {{ include "well-known.fullname" . }}-allow-ingress-webserver
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "well-known.labels" . | nindent 4 }}
-spec:
-  podSelector:
-    matchLabels:
-	    {{- include "well-known.selectorLabels" . | nindent 6 }}
-  policyTypes:
-  - Ingress
+    - Ingress
+    - Egress
   ingress:
-  - ports:
-    - port: 8080
-      protocol: TCP
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: {{ include "well-known.fullname" . }}-deny-egress
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "well-known.labels" . | nindent 4 }}
-spec:
-  podSelector:
-    matchLabels:
-	    {{- include "well-known.selectorLabels" . | nindent 6 }}
-  policyTypes:
-  - Egress
-  egress: []
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: {{ include "well-known.fullname" . }}-allow-egress-dns
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "well-known.labels" . | nindent 4 }}
-spec:
-  policyTypes:
-  - Egress
-  podSelector:
-    matchLabels:
-	    {{- include "well-known.selectorLabels" . | nindent 6 }}
-  egress:
-  - to:
-    - namespaceSelector:
-        matchLabels:
-          kubernetes.io/metadata.name: kube-system
-      podSelector:
-        matchLabels:
-          k8s-app: kube-dns
-    ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: {{ include "well-known.fullname" . }}-allow-egress-apiserver
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "well-known.labels" . | nindent 4 }}
-spec:
-  policyTypes:
-  - Egress
-  podSelector:
-    matchLabels:
-	    {{- include "well-known.selectorLabels" . | nindent 6 }}
+    # Accept all traffic on http port
+    - ports:
+        - name: http
+          protocol: TCP
   egress:
-  - to:
-    - ipBlock:
-        cidr: {{ .Values.networkpolicies.kubeApiServerCIDR }}
-    ports:
-    - port: 443
-      protocol: TCP
+    # Allow all traffic to the kubernetes API
+    {{- range .Values.networkpolicies.kubeApi }}
+    - to:
+        {{- range .addresses }}
+        - ipBlock:
+            cidr: {{ . }}/32
+        {{- end }}
+      ports:
+        {{- range .ports | default (list 443) }}
+        - port: {{ . }}
+          protocol: TCP
+        {{- end }}
+    {{- end }}
+    # Allow traffic to kube-dns
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+
 {{- end -}}
diff --git a/charts/well-known/values.yaml b/charts/well-known/values.yaml
@@ -93,7 +93,12 @@ autoscaling:
 
 networkpolicies:
   enabled: false
-  kubeApiServerCIDR: "<IP>/32" # kubectl get svc -n default kubernetes
+  kubeApi: [] # kubectl get svc -n default kubernetes -oyaml
+    # - addresses: 
+    #     - 10.0.0.153
+    #     - 10.0.0.90
+    #   ports:
+    #     - 443
 
 nodeSelector: {}