From f33e5ad2b613eb084c45ece2ef52c453c3c04b5e Mon Sep 17 00:00:00 2001
From: Chris Werner Rau
Date: Wed, 21 Aug 2024 11:04:27 +0200
Subject: [PATCH] =?UTF-8?q?fix(base-cluster):=20add=20missing=20ciliumNetw?= =?UTF-8?q?orkPolicy=20for=20cinder-csi-plugin=20otherwise=20it=20can't=20?= =?UTF-8?q?talk=20to=20the=20openstack=20api=20=F0=9F=A4=A3=20(#1114)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../ciliumNetworkPolicy.yaml | 39 +++++++++++++++++++
 .../cinder-csi-plugin.yaml | 1 +
 2 files changed, 40 insertions(+)
 create mode 100644 charts/t8s-cluster/templates/workload-cluster/cinder-csi-plugin/ciliumNetworkPolicy.yaml
 rename charts/t8s-cluster/templates/workload-cluster/{ => cinder-csi-plugin}/cinder-csi-plugin.yaml (97%)
diff --git a/charts/t8s-cluster/templates/workload-cluster/cinder-csi-plugin/ciliumNetworkPolicy.yaml b/charts/t8s-cluster/templates/workload-cluster/cinder-csi-plugin/ciliumNetworkPolicy.yaml
new file mode 100644
index 000000000..d4d2dd0ed
--- /dev/null
+++ b/charts/t8s-cluster/templates/workload-cluster/cinder-csi-plugin/ciliumNetworkPolicy.yaml
@@ -0,0 +1,39 @@
+{{- if eq (include "t8s-cluster.cni" .) "cilium" -}}
+ {{- include "t8s-cluster.helm.resourceIntoCluster" (dict "name" "openstack-cinder-csi" "resource" (include "t8s-cluster.networkPolicy.cinder-csi" (dict)) "context" $ "additionalLabels" (dict "app.kubernetes.io/component" "cinder-csi")) | nindent 0 }}
+{{- end }}
+
+{{- define "t8s-cluster.networkPolicy.cinder-csi" -}}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: openstack-cinder-csi
+ namespace: kube-system
+ labels: {{- include "common.helm.labels" (dict) | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ app: openstack-cinder-csi
+ ingress:
+ - fromEntities:
+ - health
+ toPorts:
+ - ports:
+ - port: "9808"
+ protocol: TCP
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ rules:
+ dns:
+ - matchPattern: "*"
+ - toEntities:
+ - world # this is the placeholder for the openstack api, as we don't want to pin specific DNS names
+ - toEntities:
+ - kube-apiserver
+{{- end -}}
diff --git a/charts/t8s-cluster/templates/workload-cluster/cinder-csi-plugin.yaml b/charts/t8s-cluster/templates/workload-cluster/cinder-csi-plugin/cinder-csi-plugin.yaml
similarity index 97%
rename from charts/t8s-cluster/templates/workload-cluster/cinder-csi-plugin.yaml
rename to charts/t8s-cluster/templates/workload-cluster/cinder-csi-plugin/cinder-csi-plugin.yaml
index be81e12fb..2b1f9e029 100644
--- a/charts/t8s-cluster/templates/workload-cluster/cinder-csi-plugin.yaml
+++ b/charts/t8s-cluster/templates/workload-cluster/cinder-csi-plugin/cinder-csi-plugin.yaml
@@ -4,6 +4,7 @@ metadata:
 name: {{ printf "%s-csi" .Release.Name }}
 namespace: {{ .Release.Namespace}}
 labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: cinder-csi
 spec:
 chart:
 spec:
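Review bot: The `toEntities: world` egress rule near the end of the new CiliumNetworkPolicy has no `toPorts`, so pods labelled `app: openstack-cinder-csi` may connect to any destination outside the cluster on any port and protocol, which is much wider than "the openstack api" its inline comment describes. This workload presumably holds OpenStack credentials (not visible in this hunk), so an unrestricted egress path is worth narrowing even if DNS names are deliberately not pinned. The rule can at least be limited to the TCP port(s) of the OpenStack endpoints, as sketched below. Because the kube-dns rule already sends lookups through Cilium's DNS proxy, a `toFQDNs` pattern fed from chart values would be the tighter follow-up. Separately, that kube-dns rule allows only UDP on port 53, so a lookup that falls back to TCP would be dropped; a second entry with `protocol: TCP` for port "53" covers that.

```yaml
    # … unchanged: kube-dns egress rule …
    - toEntities:
        - world # this is the placeholder for the openstack api, as we don't want to pin specific DNS names
      toPorts:
        - ports:
            # constructed example value; use the port(s) the OpenStack endpoints actually listen on
            - port: "443"
              protocol: TCP
    # … unchanged: kube-apiserver egress rule …
```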