
Commit d332a13

andrewazores authored and mergify[bot] committed
feat(network): enable internal ingress network policy (#208)
(cherry picked from commit c7fb4f2)
1 parent a94285a commit d332a13

5 files changed, +276 -20 lines changed

charts/cryostat/README.md

Lines changed: 21 additions & 20 deletions
@@ -201,24 +201,25 @@ helm install cryostat ./charts/cryostat
201201

202202
### Other Parameters
203203

204-
| Name | Description | Value |
205-
| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
206-
| `imagePullSecrets` | Image pull secrets to be used for the Cryostat deployment | `[]` |
207-
| `nameOverride` | Overrides the name of this Chart | `""` |
208-
| `fullnameOverride` | Overrides the fully qualified application name of `[release name]-[chart name]` | `""` |
209-
| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
210-
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
211-
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
212-
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""` |
213-
| `podAnnotations` | Annotations to be applied to the Cryostat Pod | `{}` |
214-
| `podSecurityContext` | Security Context for the Cryostat Pod. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [PodSecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) | `{}` |
215-
| `nodeSelector` | Node Selector for the Cryostat Pod. See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` |
216-
| `tolerations` | Tolerations for the Cryostat Pod. See: [Tolerations](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `[]` |
217-
| `affinity` | Affinity for the Cryostat Pod. See: [Affinity](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` |
218-
| `pvc.enabled` | Specify whether to use persistentVolumeClaim or EmptyDir storage | `false` |
219-
| `pvc.annotations` | Annotations to add to the persistentVolumeClaim | `{}` |
220-
| `pvc.storage` | Storage size to request for the persistentVolumeClaim | `500Mi` |
221-
| `pvc.accessModes` | Access mode for the persistentVolumeClaim. See: [Access Modes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `["ReadWriteOnce"]` |
222-
| `pvc.selector` | Selector for the persistentVolumeClaim. See: [Selector](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `{}` |
223-
| `pvc.storageClassName` | The name of the StorageClass for the persistentVolumeClaim. See: [Class](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `undefined` |
204+
| Name | Description | Value |
205+
| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
206+
| `imagePullSecrets` | Image pull secrets to be used for the Cryostat deployment | `[]` |
207+
| `nameOverride` | Overrides the name of this Chart | `""` |
208+
| `fullnameOverride` | Overrides the fully qualified application name of `[release name]-[chart name]` | `""` |
209+
| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
210+
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
211+
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
212+
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""` |
213+
| `podAnnotations` | Annotations to be applied to the Cryostat Pod | `{}` |
214+
| `podSecurityContext` | Security Context for the Cryostat Pod. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [PodSecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) | `{}` |
215+
| `networkPolicy.ingress.enabled` | whether a NetworkPolicy for restricting Cryostat component Pods' traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods. | `true` |
216+
| `nodeSelector` | Node Selector for the Cryostat Pod. See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` |
217+
| `tolerations` | Tolerations for the Cryostat Pod. See: [Tolerations](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `[]` |
218+
| `affinity` | Affinity for the Cryostat Pod. See: [Affinity](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` |
219+
| `pvc.enabled` | Specify whether to use persistentVolumeClaim or EmptyDir storage | `false` |
220+
| `pvc.annotations` | Annotations to add to the persistentVolumeClaim | `{}` |
221+
| `pvc.storage` | Storage size to request for the persistentVolumeClaim | `500Mi` |
222+
| `pvc.accessModes` | Access mode for the persistentVolumeClaim. See: [Access Modes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `["ReadWriteOnce"]` |
223+
| `pvc.selector` | Selector for the persistentVolumeClaim. See: [Selector](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `{}` |
224+
| `pvc.storageClassName` | The name of the StorageClass for the persistentVolumeClaim. See: [Class](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `undefined` |
224225
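Review bot: the new `networkPolicy.ingress.enabled` row (table line 215) overstates what the policy does and reads inconsistently with the rows around it. It says the policy restricts "Cryostat component Pods' traffic" and that traffic should flow "via the Service (or Route, or other Ingress) only", but a NetworkPolicy filters on source Pod/namespace and destination port, not on whether a connection arrived through a Service, and these objects cover ingress only, so egress from the Pods stays unrestricted. It is also the only Description cell that starts lowercase, and it does not warn that the objects are silently a no-op on clusters whose CNI plugin does not enforce NetworkPolicy. Suggest wording along the lines of: "Whether to install NetworkPolicy objects restricting ingress to the Cryostat component Pods. The main Cryostat Pod accepts connections from any namespace on its listening ports; the reports, database and storage Pods accept connections only from the Cryostat Pod in the release namespace. Requires a CNI plugin that enforces NetworkPolicy."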

Lines changed: 87 additions & 0 deletions
@@ -0,0 +1,87 @@
1+
{{- if ((.Values.networkPolicy.ingress).enabled) }}
2+
apiVersion: networking.k8s.io/v1
3+
kind: NetworkPolicy
4+
metadata:
5+
name: {{ .Release.Name }}-cryostat-internal-ingress
6+
spec:
7+
podSelector:
8+
matchLabels:
9+
{{- include "cryostat.selectorLabels" $ | nindent 6 }}
10+
app.kubernetes.io/component: cryostat
11+
ingress:
12+
- from:
13+
- namespaceSelector: {}
14+
ports:
15+
- protocol: TCP
16+
port: 4180
17+
- protocol: TCP
18+
port: 8443
19+
---
20+
apiVersion: networking.k8s.io/v1
21+
kind: NetworkPolicy
22+
metadata:
23+
name: {{ .Release.Name }}-reports-internal-ingress
24+
spec:
25+
podSelector:
26+
matchLabels:
27+
{{- include "cryostat.selectorLabels" $ | nindent 6 }}
28+
app.kubernetes.io/component: reports
29+
ingress:
30+
- from:
31+
- podSelector:
32+
matchLabels:
33+
{{- include "cryostat.selectorLabels" $ | nindent 12 }}
34+
app.kubernetes.io/component: cryostat
35+
namespaceSelector:
36+
matchLabels:
37+
kubernetes.io/metadata.name: {{ .Release.Namespace }}
38+
ports:
39+
- protocol: TCP
40+
port: 4180
41+
- protocol: TCP
42+
port: 8443
43+
---
44+
apiVersion: networking.k8s.io/v1
45+
kind: NetworkPolicy
46+
metadata:
47+
name: {{ .Release.Name }}-db-internal-ingress
48+
spec:
49+
podSelector:
50+
matchLabels:
51+
{{- include "cryostat.selectorLabels" $ | nindent 6 }}
52+
app.kubernetes.io/component: db
53+
ingress:
54+
- from:
55+
- podSelector:
56+
matchLabels:
57+
{{- include "cryostat.selectorLabels" $ | nindent 12 }}
58+
app.kubernetes.io/component: cryostat
59+
namespaceSelector:
60+
matchLabels:
61+
kubernetes.io/metadata.name: {{ .Release.Namespace }}
62+
ports:
63+
- protocol: TCP
64+
port: 5432
65+
---
66+
apiVersion: networking.k8s.io/v1
67+
kind: NetworkPolicy
68+
metadata:
69+
name: {{ .Release.Name }}-storage-internal-ingress
70+
spec:
71+
podSelector:
72+
matchLabels:
73+
{{- include "cryostat.selectorLabels" $ | nindent 6 }}
74+
app.kubernetes.io/component: storage
75+
ingress:
76+
- from:
77+
- podSelector:
78+
matchLabels:
79+
{{- include "cryostat.selectorLabels" $ | nindent 12 }}
80+
app.kubernetes.io/component: cryostat
81+
namespaceSelector:
82+
matchLabels:
83+
kubernetes.io/metadata.name: {{ .Release.Namespace }}
84+
ports:
85+
- protocol: TCP
86+
port: 8333
87+
{{- end }}
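Review bot: the `{{ .Release.Name }}-cryostat-internal-ingress` policy's only `from` entry is `namespaceSelector: {}`, which admits every Pod in every namespace on 4180 and 8443, so the main Pod is port-restricted but not source-restricted, and because `from` selectors only match Pods, connections from an ingress controller running with hostNetwork or arriving through a NodePort/LoadBalancer path carry a node or external source IP and are not matched by this rule; on some CNI plugins that blocks exactly the Route/Ingress traffic the README says should be allowed. Suggest exposing the allowed sources as a value (for example a `networkPolicy.ingress.from` list defaulting to `- namespaceSelector: {}`) so operators can narrow it to the ingress controller's namespace or add an `ipBlock` for node CIDRs. The reports, db and storage policies correctly AND `podSelector` with `namespaceSelector` on `kubernetes.io/metadata.name: {{ .Release.Namespace }}`, but that label is only set automatically on Kubernetes 1.21 and later, so either state the minimum version in the README or pin `kubeVersion` in Chart.yaml. Also worth confirming that nothing other than the `cryostat` component (the reports generator, for instance) needs to reach the db on 5432 or storage on 8333, since any such connection is now dropped.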
