Merge pull request #1056 from DSD-DBS/feat-add-network-policies

feat: Add network policies
DSD-DBS · Sep 29, 2023 · 34bcaaa · 34bcaaa
2 parents 7995430 + bbc0c4e
commit 34bcaaa
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 3 deletions.
diff --git a/Makefile b/Makefile
@@ -86,6 +86,7 @@ helm-deploy:
 		--set general.port=8080 \
 		--set development=$(DEVELOPMENT_MODE) \
 		--set cluster.ingressClassName=traefik \
+		--set cluster.ingressNamespace=kube-system \
 		--set backend.k8sSessionNamespace="$(SESSION_NAMESPACE)" \
 		--set backend.authentication.oauth.redirectURI="http://localhost:$(PORT)/oauth2/callback" \
 		--set backend.authentication.oauth.endpoints.wellKnown="http://$(RELEASE)-oauth-mock:8080/default/.well-known/openid-configuration" \

diff --git a/helm/templates/promtail/promtail.networkpolicy.yaml b/helm/templates/promtail/promtail.networkpolicy.yaml
@@ -2,7 +2,6 @@
 # SPDX-License-Identifier: Apache-2.0
 
 {{ if .Values.loki.enabled }}
-{{ if eq .Values.cluster.kind "OpenShift" }}
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
@@ -21,4 +20,3 @@ spec:
   policyTypes:
     - Ingress
 {{ end }}
-{{ end }}
diff --git a/helm/templates/routing/manager.networkpolicy.yaml b/helm/templates/routing/manager.networkpolicy.yaml
@@ -0,0 +1,42 @@
+# SPDX-FileCopyrightText: Copyright DB Netz AG and the capella-collab-manager contributors
+# SPDX-License-Identifier: Apache-2.0
+
+{{- if .Values.cluster.ingressNamespace }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-deny
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-from-same-namespace
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  ingress:
+    - from:
+        - podSelector: {}
+  policyTypes:
+    - Ingress
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-from-ingress-namespace
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Values.cluster.ingressNamespace }}
+  policyTypes:
+    - Ingress
+{{ end }}
diff --git a/helm/templates/sessions/sessions.networkpolicy.yaml b/helm/templates/sessions/sessions.networkpolicy.yaml
@@ -1,7 +1,6 @@
 # SPDX-FileCopyrightText: Copyright DB Netz AG and the capella-collab-manager contributors
 # SPDX-License-Identifier: Apache-2.0
 
-{{- if eq .Values.cluster.kind "OpenShift" }}
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
@@ -16,4 +15,30 @@ spec:
               kubernetes.io/metadata.name: {{ .Release.Namespace }}
   policyTypes:
     - Ingress
+{{- if .Values.cluster.ingressNamespace }}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-deny
+  namespace: {{ .Values.backend.k8sSessionNamespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-from-ingress-namespace
+  namespace: {{ .Values.backend.k8sSessionNamespace }}
+spec:
+  podSelector: {}
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Values.cluster.ingressNamespace }}
+  policyTypes:
+    - Ingress
 {{ end }}
diff --git a/helm/values.yaml b/helm/values.yaml
@@ -189,6 +189,8 @@ mocks:
 cluster:
   kind: Kubernetes # Kubernetes | OpenShift
 
+  ingressNamespace:
+
   podSecurityContext: &podSecurityContext
     runAsUser: 1004370000
     runAsGroup: 1004370000