Skip to content

feat(network): enable internal ingress network policy #208

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Apr 7, 2025
Merged

feat(network): enable internal ingress network policy #208

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
018a397
feat(network): enable internal ingress network policy
andrewazores Nov 12, 2024
314ae3c
typo
andrewazores Nov 13, 2024
1886e1c
nested ingress enablement property
andrewazores Nov 13, 2024
52235ca
rephrase
andrewazores Nov 13, 2024
4d6e056
remove tmp file
andrewazores Nov 13, 2024
9af9f81
unit test fixup
andrewazores Nov 21, 2024
e5ea6b8
add ingress rule to allow external traffic
andrewazores Nov 22, 2024
15263a0
fixup! add ingress rule to allow external traffic
andrewazores Nov 22, 2024
735dd80
remove explicit namespace setting
andrewazores Nov 22, 2024
987181f
split policies for each service
andrewazores Nov 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 21 additions & 20 deletions charts/cryostat/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -201,24 +201,25 @@ helm install cryostat ./charts/cryostat

### Other Parameters

| Name | Description | Value |
| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
| `imagePullSecrets` | Image pull secrets to be used for the Cryostat deployment | `[]` |
| `nameOverride` | Overrides the name of this Chart | `""` |
| `fullnameOverride` | Overrides the fully qualified application name of `[release name]-[chart name]` | `""` |
| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""` |
| `podAnnotations` | Annotations to be applied to the Cryostat Pod | `{}` |
| `podSecurityContext` | Security Context for the Cryostat Pod. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [PodSecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) | `{}` |
| `nodeSelector` | Node Selector for the Cryostat Pod. See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` |
| `tolerations` | Tolerations for the Cryostat Pod. See: [Tolerations](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `[]` |
| `affinity` | Affinity for the Cryostat Pod. See: [Affinity](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` |
| `pvc.enabled` | Specify whether to use persistentVolumeClaim or EmptyDir storage | `false` |
| `pvc.annotations` | Annotations to add to the persistentVolumeClaim | `{}` |
| `pvc.storage` | Storage size to request for the persistentVolumeClaim | `500Mi` |
| `pvc.accessModes` | Access mode for the persistentVolumeClaim. See: [Access Modes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `["ReadWriteOnce"]` |
| `pvc.selector` | Selector for the persistentVolumeClaim. See: [Selector](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `{}` |
| `pvc.storageClassName` | The name of the StorageClass for the persistentVolumeClaim. See: [Class](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `undefined` |
| Name | Description | Value |
| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
| `imagePullSecrets` | Image pull secrets to be used for the Cryostat deployment | `[]` |
| `nameOverride` | Overrides the name of this Chart | `""` |
| `fullnameOverride` | Overrides the fully qualified application name of `[release name]-[chart name]` | `""` |
| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""` |
| `podAnnotations` | Annotations to be applied to the Cryostat Pod | `{}` |
| `podSecurityContext` | Security Context for the Cryostat Pod. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [PodSecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) | `{}` |
| `networkPolicy.ingress.enabled` | whether a NetworkPolicy for restricting Cryostat component Pods' traffic is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods. | `true` |
| `nodeSelector` | Node Selector for the Cryostat Pod. See: [NodeSelector](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` |
| `tolerations` | Tolerations for the Cryostat Pod. See: [Tolerations](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `[]` |
| `affinity` | Affinity for the Cryostat Pod. See: [Affinity](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) | `{}` |
| `pvc.enabled` | Specify whether to use persistentVolumeClaim or EmptyDir storage | `false` |
| `pvc.annotations` | Annotations to add to the persistentVolumeClaim | `{}` |
| `pvc.storage` | Storage size to request for the persistentVolumeClaim | `500Mi` |
| `pvc.accessModes` | Access mode for the persistentVolumeClaim. See: [Access Modes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `["ReadWriteOnce"]` |
| `pvc.selector` | Selector for the persistentVolumeClaim. See: [Selector](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `{}` |
| `pvc.storageClassName` | The name of the StorageClass for the persistentVolumeClaim. See: [Class](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) | `undefined` |

87 changes: 87 additions & 0 deletions charts/cryostat/templates/networkpolicy_ingress.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
{{- if ((.Values.networkPolicy.ingress).enabled) }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Release.Name }}-cryostat-internal-ingress
spec:
podSelector:
matchLabels:
{{- include "cryostat.selectorLabels" $ | nindent 6 }}
app.kubernetes.io/component: cryostat
ingress:
- from:
- namespaceSelector: {}
ports:
- protocol: TCP
port: 4180
- protocol: TCP
port: 8443
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Release.Name }}-reports-internal-ingress
spec:
podSelector:
matchLabels:
{{- include "cryostat.selectorLabels" $ | nindent 6 }}
app.kubernetes.io/component: reports
ingress:
- from:
- podSelector:
matchLabels:
{{- include "cryostat.selectorLabels" $ | nindent 12 }}
app.kubernetes.io/component: cryostat
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: {{ .Release.Namespace }}
ports:
- protocol: TCP
port: 4180
- protocol: TCP
port: 8443
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Release.Name }}-db-internal-ingress
spec:
podSelector:
matchLabels:
{{- include "cryostat.selectorLabels" $ | nindent 6 }}
app.kubernetes.io/component: db
ingress:
- from:
- podSelector:
matchLabels:
{{- include "cryostat.selectorLabels" $ | nindent 12 }}
app.kubernetes.io/component: cryostat
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: {{ .Release.Namespace }}
ports:
- protocol: TCP
port: 5432
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Release.Name }}-storage-internal-ingress
spec:
podSelector:
matchLabels:
{{- include "cryostat.selectorLabels" $ | nindent 6 }}
app.kubernetes.io/component: storage
ingress:
- from:
- podSelector:
matchLabels:
{{- include "cryostat.selectorLabels" $ | nindent 12 }}
app.kubernetes.io/component: cryostat
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: {{ .Release.Namespace }}
ports:
- protocol: TCP
port: 8333
{{- end }}
Loading