From d052381b4e2c289341f4383aaa771f44f4cf6ca8 Mon Sep 17 00:00:00 2001
From: Hemachandra Reddy
Date: Thu, 21 Mar 2019 17:33:25 +0000
Subject: [PATCH] Make network policy template a little more generic

The changes made will take care of
1. block/allow all ingress
2. block/allow all egress
3. define spec->policyType based on policy type and/or ingress/egress rules present in values.yaml
4. supports more labels to spec->podSeclector
5. copy the rules as is defined under ingress/egress.

Change-Id: Id437ee4de8d964b48540638ab8dff3199c3cb5ff
---
 .../templates/manifests/_network_policy.tpl | 89 ++++++++++++++-----
 1 file changed, 69 insertions(+), 20 deletions(-)

diff --git a/helm-toolkit/templates/manifests/_network_policy.tpl b/helm-toolkit/templates/manifests/_network_policy.tpl
index 3d412892ad..2688128df0 100644
--- a/helm-toolkit/templates/manifests/_network_policy.tpl
+++ b/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -18,14 +18,29 @@ abstract: |
 values: |
 network_policy:
 myLabel:
+ podSelector:
+ matchLabels:
+ component: api
 ingress:
- - from:
- - podSelector:
- matchLabels:
- application: keystone
- ports:
- - protocol: TCP
- port: 80
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - ports:
+ - port: 53
+ protocol: UDP
+ to:
+ - namespaceSelector:
+ matchLabels:
+ name: kube-system
+ podSelector:
+ matchLabels:
+ application: kubernetes
+ component: coredns
 usage: |
 {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
 return: |
@@ -42,16 +57,25 @@ return: |
 podSelector:
 matchLabels:
 application: myLabel
+ component: api
 ingress:
- - from:
- - podSelector:
- matchLabels:
- application: keystone
- ports:
- - protocol: TCP
- port: 80
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
 egress:
- - {}
+ - ports:
+ - port: 53
+ protocol: UDP
+ to:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ application: kubernetes
+ component: coredns
 */}}

 {{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
@@ -65,18 +89,43 @@ metadata:
 name: {{ $label }}-netpol
 namespace: {{ $envAll.Release.Namespace }}
 spec:
- policyTypes:
- - Egress
 {{- if hasKey (index $envAll.Values "network_policy") $label }}
-{{- if index $envAll.Values.network_policy $label "ingress" }}
- - Ingress
+ policyTypes:
+{{ $is_egress := false }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" }}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") }}
+{{ $is_egress = true }}
+{{- end }}
+{{- end }}
+{{ if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{- end }}
+{{ $is_ingress := false }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" }}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") }}
+{{ $is_ingress = true }}
+{{- end }}
+{{- end }}
+{{ if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
 {{- end }}
 {{- end }}
 podSelector:
 matchLabels:
 {{ $name }}: {{ $label }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
 egress:
- - {}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
 {{- if hasKey (index $envAll.Values "network_policy") $label }}
 {{- if index $envAll.Values.network_policy $label "ingress" }}
 ingress:
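Review bot: The new `policyTypes:` line sits inside the `hasKey ... $label` guard, so a label that has no `network_policy` entry now renders a spec with only `podSelector`, whereas the removed lines always emitted `policyTypes: [Egress]` together with `egress: [{}]`; with policyTypes absent Kubernetes applies its Ingress default and, with no ingress rules, that is a deny-all-ingress policy for the selected pods, which is a stricter outcome than before and is not mentioned in the commit message. The same silent tightening happens for an entry that lists neither `policyTypes`, `ingress` nor `egress`, since `policyTypes:` is then rendered with no items. If that fallback is intended, say so next to the guard, e.g. `{{/* no network_policy entry: policyTypes is omitted, so the API server defaults to Ingress and all ingress to these pods is denied */}}`; otherwise an `{{- else }}` branch restoring the previous `- Egress` plus `egress: - {}` default would keep existing callers unchanged. The define this hunk modifies opens at the end of the previous hunk and its closing `{{- end -}}` lies past this one.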