From bbcfbcafdca424c28b631202a05df790644c8351 Mon Sep 17 00:00:00 2001 From: Niklas Roeske Date: Wed, 4 Dec 2024 14:23:16 +0100 Subject: [PATCH 1/8] #40 add NetworkPolicy to deny all ingress traffic --- k8s/helm/templates/network-policy-deny-all.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 k8s/helm/templates/network-policy-deny-all.yaml diff --git a/k8s/helm/templates/network-policy-deny-all.yaml b/k8s/helm/templates/network-policy-deny-all.yaml new file mode 100644 index 0000000..44f760f --- /dev/null +++ b/k8s/helm/templates/network-policy-deny-all.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: backup-operator-deny-ingress + namespace: {{ .Release.Namespace }} + labels: + {{- include "k8s-backup-operator.labels" . | nindent 4 }} +spec: + podSelector: + - matchLabels: + app: backup-operator + policyTypes: + - Ingress From 220a85ca89ce0c153200083a6608193300969350 Mon Sep 17 00:00:00 2001 From: Niklas Roeske Date: Wed, 4 Dec 2024 14:23:37 +0100 Subject: [PATCH 2/8] #40 update CHANGELOG.md --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b608bd4..b12b989 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] +### Added +- [#40] Add NetworkPolicy to deny all ingress traffic ## [v1.2.0] - 2024-11-29 ### Changed From a3b54d832884c70ac02873b8cd3067f6b1d57407 Mon Sep 17 00:00:00 2001 From: Niklas Roeske Date: Thu, 5 Dec 2024 10:16:25 +0100 Subject: [PATCH 3/8] #40 add networkPolicies to values yaml to enable it --- k8s/helm/templates/network-policy-deny-all.yaml | 7 ++++--- k8s/helm/values.yaml | 4 +++- 2 files changed, 7 insertions(+), 4 deletions(-) 
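Review bot: The new template in PATCH 1/8 has no comment explaining that `policyTypes: - Ingress` with no `ingress` rules is deliberate, and that shape blocks every inbound connection to the selected pods. The component patch template touched later in this series still lists a kube-rbac-proxy image, so if the manager pod exposes metrics through that sidecar or serves a webhook (neither is visible in this diff), those endpoints stop being reachable once the policy applies; this should be confirmed before release. I would add a header comment such as `# Default-deny ingress for the operator pods: no ingress rules are listed on purpose.` A second comment line should note that the policy only takes effect on clusters whose network plugin enforces NetworkPolicy.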
diff --git a/k8s/helm/templates/network-policy-deny-all.yaml b/k8s/helm/templates/network-policy-deny-all.yaml index 44f760f..d0b2dab 100644 --- a/k8s/helm/templates/network-policy-deny-all.yaml +++ b/k8s/helm/templates/network-policy-deny-all.yaml @@ -1,4 +1,4 @@ ---- +{{- if .Values.networkPolicies.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -8,7 +8,8 @@ metadata: {{- include "k8s-backup-operator.labels" . | nindent 4 }} spec: podSelector: - - matchLabels: - app: backup-operator + matchLabels: + app: backup-operator policyTypes: - Ingress +{{- end }} \ No newline at end of file diff --git a/k8s/helm/values.yaml b/k8s/helm/values.yaml index 875c5d4..7be87ab 100644 --- a/k8s/helm/values.yaml +++ b/k8s/helm/values.yaml @@ -23,7 +23,7 @@ manager: image: registry: docker.io repository: cloudogu/k8s-backup-operator - tag: 1.2.0 + tag: 1.2.3 imagePullPolicy: IfNotPresent resources: limits: @@ -33,3 +33,5 @@ manager: cpu: 10m memory: 64Mi replicas: 1 +networkPolicies: + enabled: true From 0a091c451cff5380237027100f1f875963e03eea Mon Sep 17 00:00:00 2001 From: nroeske <163984834+nroeske@users.noreply.github.com> Date: Thu, 5 Dec 2024 13:06:46 +0100 Subject: [PATCH 4/8] #40 Change podSelector label to k8s-backup-operator Co-authored-by: Jeremias Weber --- k8s/helm/templates/network-policy-deny-all.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/helm/templates/network-policy-deny-all.yaml b/k8s/helm/templates/network-policy-deny-all.yaml index d0b2dab..016d8ad 100644 --- a/k8s/helm/templates/network-policy-deny-all.yaml +++ b/k8s/helm/templates/network-policy-deny-all.yaml @@ -9,7 +9,7 @@ metadata: spec: podSelector: matchLabels: - app: backup-operator + app.kubernetes.io/name: k8s-backup-operator policyTypes: - Ingress {{- end }} \ No newline at end of file From d7a16fc4a77deb22cf8931435b35267a076813fe Mon Sep 17 00:00:00 2001 
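Review bot: The `podSelector` in PATCH 4/8 hard-codes `app.kubernetes.io/name: k8s-backup-operator`, while the policy's own metadata labels come from the `k8s-backup-operator.labels` helper, so nothing ties the selector to the labels the Deployment actually puts on its pods. A NetworkPolicy whose selector matches no pod is accepted by the API server and restricts nothing, so label drift here fails open without any error. The Deployment template is outside this diff; its pod template labels should be checked against this value, and if the chart has a helper for selector labels the policy should render that instead of a literal. A comment next to the selector, e.g. `# must match the pod template labels of the manager Deployment`, would help keep the two in step.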
From: nroeske <163984834+nroeske@users.noreply.github.com> Date: Thu, 5 Dec 2024 13:07:41 +0100 Subject: [PATCH 5/8] Update k8s/helm/values.yaml Co-authored-by: Jeremias Weber --- k8s/helm/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/helm/values.yaml b/k8s/helm/values.yaml index 7be87ab..1471f17 100644 --- a/k8s/helm/values.yaml +++ b/k8s/helm/values.yaml @@ -23,7 +23,7 @@ manager: image: registry: docker.io repository: cloudogu/k8s-backup-operator - tag: 1.2.3 + tag: 1.2.0 imagePullPolicy: IfNotPresent resources: limits: From 546e0c75f1b5890ea8eab5a8fc69ca47dfdaa33c Mon Sep 17 00:00:00 2001 From: Niklas Roeske Date: Thu, 5 Dec 2024 13:10:03 +0100 Subject: [PATCH 6/8] #40 change structure of values.yaml --- k8s/helm/templates/network-policy-deny-all.yaml | 2 +- k8s/helm/values.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/k8s/helm/templates/network-policy-deny-all.yaml b/k8s/helm/templates/network-policy-deny-all.yaml index 016d8ad..4cc6426 100644 --- a/k8s/helm/templates/network-policy-deny-all.yaml +++ b/k8s/helm/templates/network-policy-deny-all.yaml @@ -1,4 +1,4 @@ -{{- if .Values.networkPolicies.enabled }} +{{- if .Values.global.networkPolicies.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/k8s/helm/values.yaml b/k8s/helm/values.yaml index 1471f17..12dd93c 100644 --- a/k8s/helm/values.yaml +++ b/k8s/helm/values.yaml @@ -1,6 +1,8 @@ global: imagePullSecrets: - name: "ces-container-registries" + networkPolicies: + enabled: true retention: strategy: keepAll garbageCollectionCron: "0 * * * *" @@ -33,5 +35,3 @@ manager: cpu: 10m memory: 64Mi replicas: 1 -networkPolicies: - enabled: true From fddc9bfcf9764855cce8eccbaa94947694ef0a46 Mon Sep 17 00:00:00 2001 
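Review bot: The `networkPolicies.enabled` key that PATCH 6/8 moves under `global` in values.yaml has no comment, although it decides whether the deny-ingress policy is rendered at all. Values under `global` are visible to every chart in the same release tree, so switching the flag off for an unrelated component would presumably drop this policy as well. The operator pods would then be reachable from any pod that no other policy restricts. I would document this next to the key, for example `# Renders the deny-all-ingress NetworkPolicy for the operator pods; false removes it.`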
From: Jeremias Weber Date: Thu, 5 Dec 2024 15:50:13 +0100 Subject: [PATCH 7/8] Bump version --- Dockerfile | 2 +- Makefile | 2 +- k8s/helm/component-patch-tpl.yaml | 2 +- k8s/helm/values.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4111c23..901a718 100644 --- a/Dockerfile +++ b/Dockerfile @@ -34,7 +34,7 @@ RUN make compile-generic FROM gcr.io/distroless/static:nonroot LABEL maintainer="hello@cloudogu.com" \ NAME="k8s-backup-operator" \ - VERSION="1.2.0" + VERSION="1.3.0" WORKDIR / COPY --from=builder /workspace/target/k8s-backup-operator . diff --git a/Makefile b/Makefile index b8740ab..16da062 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ # Set these to the desired values ARTIFACT_ID=k8s-backup-operator -VERSION=1.2.0 +VERSION=1.3.0 IMAGE=cloudogu/${ARTIFACT_ID}:${VERSION} GOTAG?=1.23 LINT_VERSION=v1.61.0 diff --git a/k8s/helm/component-patch-tpl.yaml b/k8s/helm/component-patch-tpl.yaml index 7d3f288..2bd558c 100644 --- a/k8s/helm/component-patch-tpl.yaml +++ b/k8s/helm/component-patch-tpl.yaml @@ -1,7 +1,7 @@ apiVersion: v1 values: images: - backupOperator: cloudogu/k8s-backup-operator:1.2.0 + backupOperator: cloudogu/k8s-backup-operator:1.3.0 kubeRbacProxy: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1 patches: values.yaml: diff --git a/k8s/helm/values.yaml b/k8s/helm/values.yaml index 12dd93c..52827aa 100644 --- a/k8s/helm/values.yaml +++ b/k8s/helm/values.yaml @@ -25,7 +25,7 @@ manager: image: registry: docker.io repository: cloudogu/k8s-backup-operator - tag: 1.2.0 + tag: 1.3.0 imagePullPolicy: IfNotPresent resources: limits: From fdce32d55770fb0549ea3373946c3783ca4d41f7 Mon Sep 17 00:00:00 2001 From: Jeremias Weber Date: Thu, 5 Dec 2024 15:50:21 +0100 Subject: [PATCH 8/8] Update changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b12b989..00dca1e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] + +## [v1.3.0] - 2024-12-05 ### Added - [#40] Add NetworkPolicy to deny all ingress traffic