Merge "Revert "Add Egress Helm-toolkit function & enforce the nework policy at OSH-INFRA""
This commit is contained in:
commit
6d354f0f7b
@ -1,21 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017-2018 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
{{- if .Values.manifests.network_policy -}}
|
||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ceph-rgw" -}}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ceph" }}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{- end -}}
|
@ -478,18 +478,6 @@ endpoints:
|
||||
mon:
|
||||
default: 6789
|
||||
|
||||
network_policy:
|
||||
ceph-rgw:
|
||||
ingress:
|
||||
- {}
|
||||
egress:
|
||||
- {}
|
||||
ceph:
|
||||
ingress:
|
||||
- {}
|
||||
egress:
|
||||
- {}
|
||||
|
||||
|
||||
manifests:
|
||||
configmap_ceph_templates: true
|
||||
@ -499,7 +487,6 @@ manifests:
|
||||
configmap_etc: true
|
||||
deployment_rgw: true
|
||||
ingress_rgw: true
|
||||
network_policy: false
|
||||
job_ceph_rgw_storage_init: true
|
||||
job_image_repo_sync: true
|
||||
job_ks_endpoints: true
|
||||
|
@ -592,21 +592,6 @@ endpoints:
|
||||
api:
|
||||
default: 8088
|
||||
public: 80
|
||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
||||
# They are using to enable the Egress K8s network policy.
|
||||
k8s:
|
||||
port:
|
||||
api:
|
||||
default: 6443
|
||||
internal: 5000
|
||||
http:
|
||||
default: 80
|
||||
default:
|
||||
namespace: default
|
||||
kube_system:
|
||||
namespace: kube-system
|
||||
kube_public:
|
||||
namespace: kube-public
|
||||
|
||||
monitoring:
|
||||
prometheus:
|
||||
@ -627,13 +612,6 @@ network:
|
||||
enabled: false
|
||||
port: 30920
|
||||
|
||||
network_policy:
|
||||
elasticsearch:
|
||||
ingress:
|
||||
- {}
|
||||
egress:
|
||||
- {}
|
||||
|
||||
storage:
|
||||
enabled: true
|
||||
pvc:
|
||||
@ -651,7 +629,6 @@ manifests:
|
||||
deployment_client: true
|
||||
deployment_master: true
|
||||
ingress: true
|
||||
network_policy: false
|
||||
job_image_repo_sync: true
|
||||
job_snapshot_repository: true
|
||||
job_s3_user: true
|
||||
|
@ -482,43 +482,6 @@ endpoints:
|
||||
port:
|
||||
metrics:
|
||||
default: 9309
|
||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
||||
# They are using to enable the Egress K8s network policy.
|
||||
k8s:
|
||||
port:
|
||||
api:
|
||||
default: 6443
|
||||
internal: 5000
|
||||
http:
|
||||
default: 80
|
||||
default:
|
||||
namespace: default
|
||||
kube_system:
|
||||
namespace: kube-system
|
||||
kube_public:
|
||||
namespace: kube-public
|
||||
|
||||
network_policy:
|
||||
fluentbit:
|
||||
ingress:
|
||||
- {}
|
||||
egress:
|
||||
- {}
|
||||
fluentd:
|
||||
ingress:
|
||||
- {}
|
||||
egress:
|
||||
- {}
|
||||
fluent:
|
||||
ingress:
|
||||
- {}
|
||||
egress:
|
||||
- {}
|
||||
fluent-logging:
|
||||
ingress:
|
||||
- {}
|
||||
egress:
|
||||
- {}
|
||||
|
||||
monitoring:
|
||||
prometheus:
|
||||
|
@ -232,26 +232,6 @@ endpoints:
|
||||
port:
|
||||
ldap:
|
||||
default: 389
|
||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
||||
# They are using to enable the Egress K8s network policy.
|
||||
k8s:
|
||||
port:
|
||||
api:
|
||||
default: 6443
|
||||
internal: 5000
|
||||
http:
|
||||
default: 80
|
||||
default:
|
||||
namespace: default
|
||||
kube_system:
|
||||
namespace: kube-system
|
||||
kube_public:
|
||||
namespace: kube-public
|
||||
|
||||
network_policy:
|
||||
grafana:
|
||||
egress:
|
||||
- {}
|
||||
|
||||
dependencies:
|
||||
dynamic:
|
||||
|
@ -11,28 +11,12 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Creates a network policy manifest for services.
|
||||
values: |
|
||||
endpoints:
|
||||
kube_dns:
|
||||
namespace: kube-system
|
||||
name: kubernetes-dns
|
||||
hosts:
|
||||
default: kube-dns
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
path:
|
||||
default: null
|
||||
scheme: http
|
||||
port:
|
||||
dns_tcp:
|
||||
default: 53
|
||||
dns:
|
||||
default: 53
|
||||
protocol: UDP
|
||||
network_policy:
|
||||
network_policy:
|
||||
myLabel:
|
||||
ingress:
|
||||
- from:
|
||||
@ -42,14 +26,6 @@ network_policy:
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
egress:
|
||||
- to:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
name: default
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
name: kube-public
|
||||
usage: |
|
||||
{{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
return: |
|
||||
@ -75,25 +51,7 @@ return: |
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
egress:
|
||||
- to:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: kube-dns
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
name: kube-system
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 53
|
||||
- protocol: UDP
|
||||
port: 53
|
||||
- to:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
name: kube-public
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
name: default
|
||||
- {}
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
|
||||
@ -118,47 +76,8 @@ spec:
|
||||
matchLabels:
|
||||
{{ $name }}: {{ $label }}
|
||||
egress:
|
||||
{{- range $key, $value := $envAll.Values.endpoints }}
|
||||
{{- if kindIs "map" $value }}
|
||||
- to:
|
||||
{{- if index $value "namespace" }}
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
name: {{ index $value "namespace" }}
|
||||
{{- else if index $value "hosts" }}
|
||||
{{- $defaultValue := index $value "hosts" "internal" }}
|
||||
{{- if hasKey (index $value "hosts") "internal" }}
|
||||
{{- $a := split "-" $defaultValue }}
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: {{ printf "%s" (index $a._0) | default $defaultValue }}
|
||||
{{- else }}
|
||||
{{- $defaultValue := index $value "hosts" "default" }}
|
||||
{{- $a := split "-" $defaultValue }}
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: {{ printf "%s" (index $a._0) | default $defaultValue }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
{{- if index $value "port" }}
|
||||
{{- range $k, $v := index $value "port" }}
|
||||
{{- if $k }}
|
||||
{{- range $pk, $pv := $v }}
|
||||
{{- if (ne $pk "protocol") }}
|
||||
- port: {{ $pv }}
|
||||
protocol: {{ $v.protocol | default "TCP" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- {}
|
||||
{{- if hasKey (index $envAll.Values "network_policy") $label }}
|
||||
{{- if index $envAll.Values.network_policy $label "egress" }}
|
||||
{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
|
||||
{{- end }}
|
||||
{{- if index $envAll.Values.network_policy $label "ingress" }}
|
||||
ingress:
|
||||
{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
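Review bot: The restored branch emits `egress:` only from `.Values.network_policy.<label>.egress`, copied verbatim via `toYaml`; the endpoint-derived rules and the trailing `- {}` catch-all that the removed lines generated are gone, so a chart that enables egress enforcement must now list its DNS and apiserver destinations itself, and nothing in the restored block says so. I would add a comment above `{{- if hasKey (index $envAll.Values "network_policy") $label }}` such as `{{/* ingress/egress rules come verbatim from values; when egress is enforced, list kube-dns and apiserver destinations explicitly */}}`. Separately, `hasKey (index $envAll.Values "network_policy") $label` presumably errors at render time when a chart sets `manifests.network_policy` without a top-level `network_policy:` values block, which this revert removes from several charts; either a guard like `{{- if and (hasKey $envAll.Values "network_policy") (hasKey $envAll.Values.network_policy $label) }}` or a comment stating that the block is required would make the contract explicit. The rest of the define (its spec header and closing `end`) lies outside the hunk.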
|
||||
|
@ -198,28 +198,11 @@ endpoints:
|
||||
dns:
|
||||
default: 53
|
||||
protocol: UDP
|
||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
||||
# They are using to enable the Egress K8s network policy.
|
||||
k8s:
|
||||
port:
|
||||
api:
|
||||
default: 6443
|
||||
internal: 5000
|
||||
http:
|
||||
default: 80
|
||||
default:
|
||||
namespace: default
|
||||
kube_system:
|
||||
namespace: kube-system
|
||||
kube_public:
|
||||
namespace: kube-public
|
||||
|
||||
network_policy:
|
||||
ingress:
|
||||
ingress:
|
||||
- {}
|
||||
egress:
|
||||
- {}
|
||||
|
||||
conf:
|
||||
controller:
|
||||
|
@ -294,26 +294,7 @@ endpoints:
|
||||
port:
|
||||
ldap:
|
||||
default: 389
|
||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
||||
# They are using to enable the Egress K8s network policy.
|
||||
k8s:
|
||||
port:
|
||||
api:
|
||||
default: 6443
|
||||
internal: 5000
|
||||
http:
|
||||
default: 80
|
||||
default:
|
||||
namespace: default
|
||||
kube_system:
|
||||
namespace: kube-system
|
||||
kube_public:
|
||||
namespace: kube-public
|
||||
|
||||
network_policy:
|
||||
kibana:
|
||||
egress:
|
||||
- {}
|
||||
network:
|
||||
kibana:
|
||||
ingress:
|
||||
|
@ -146,28 +146,11 @@ endpoints:
|
||||
port:
|
||||
ldap:
|
||||
default: 389
|
||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
||||
# They are using to enable the Egress K8s network policy.
|
||||
k8s:
|
||||
port:
|
||||
api:
|
||||
default: 6443
|
||||
internal: 5000
|
||||
http:
|
||||
default: 80
|
||||
default:
|
||||
namespace: default
|
||||
kube_system:
|
||||
namespace: kube-system
|
||||
kube_public:
|
||||
namespace: kube-public
|
||||
|
||||
network_policy:
|
||||
ldap:
|
||||
ingress:
|
||||
- {}
|
||||
egress:
|
||||
- {}
|
||||
|
||||
data:
|
||||
sample: |
|
||||
|
@ -57,26 +57,11 @@ endpoints:
|
||||
port:
|
||||
registry:
|
||||
node: 5000
|
||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
||||
# They are using to enable the Egress K8s network policy.
|
||||
k8s:
|
||||
port:
|
||||
api:
|
||||
default: 6443
|
||||
internal: 5000
|
||||
default:
|
||||
namespace: default
|
||||
kube_system:
|
||||
namespace: kube-system
|
||||
kube_public:
|
||||
namespace: kube-public
|
||||
|
||||
network_policy:
|
||||
libvirt:
|
||||
ingress:
|
||||
- {}
|
||||
egress:
|
||||
- {}
|
||||
|
||||
ceph_client:
|
||||
configmap: ceph-etc
|
||||
|
@ -275,21 +275,6 @@ endpoints:
|
||||
dns:
|
||||
default: 53
|
||||
protocol: UDP
|
||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
||||
# They are using to enable the Egress K8s network policy.
|
||||
k8s:
|
||||
port:
|
||||
api:
|
||||
default: 6443
|
||||
internal: 5000
|
||||
http:
|
||||
default: 80
|
||||
default:
|
||||
namespace: default
|
||||
kube_system:
|
||||
namespace: kube-system
|
||||
kube_public:
|
||||
namespace: kube-public
|
||||
|
||||
network_policy:
|
||||
mariadb:
|
||||
|
@ -98,21 +98,6 @@ endpoints:
|
||||
dns:
|
||||
default: 53
|
||||
protocol: UDP
|
||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
||||
# They are using to enable the Egress K8s network policy.
|
||||
k8s:
|
||||
port:
|
||||
api:
|
||||
default: 6443
|
||||
internal: 5000
|
||||
http:
|
||||
default: 80
|
||||
default:
|
||||
namespace: default
|
||||
kube_system:
|
||||
namespace: kube-system
|
||||
kube_public:
|
||||
namespace: kube-public
|
||||
|
||||
network_policy:
|
||||
memcached:
|
||||
|
@ -168,21 +168,6 @@ endpoints:
|
||||
default: 9283
|
||||
scheme:
|
||||
default: http
|
||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
||||
# They are using to enable the Egress K8s network policy.
|
||||
k8s:
|
||||
port:
|
||||
api:
|
||||
default: 6443
|
||||
internal: 5000
|
||||
http:
|
||||
default: 80
|
||||
default:
|
||||
namespace: default
|
||||
kube_system:
|
||||
namespace: kube-system
|
||||
kube_public:
|
||||
namespace: kube-public
|
||||
|
||||
network:
|
||||
nagios:
|
||||
|
@ -90,19 +90,6 @@ endpoints:
|
||||
port:
|
||||
registry:
|
||||
node: 5000
|
||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
||||
# They are using to enable the Egress K8s network policy.
|
||||
k8s:
|
||||
port:
|
||||
api:
|
||||
default: 6443
|
||||
internal: 5000
|
||||
default:
|
||||
namespace: default
|
||||
kube_system:
|
||||
namespace: kube-system
|
||||
kube_public:
|
||||
namespace: kube-public
|
||||
|
||||
network_policy:
|
||||
openvswitch:
|
||||
|
@ -198,32 +198,10 @@ endpoints:
|
||||
port:
|
||||
metrics:
|
||||
default: 9187
|
||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
||||
# They are using to enable the Egress K8s network policy.
|
||||
k8s:
|
||||
port:
|
||||
api:
|
||||
default: 6443
|
||||
internal: 5000
|
||||
http:
|
||||
default: 80
|
||||
default:
|
||||
namespace: default
|
||||
kube_system:
|
||||
namespace: kube-system
|
||||
kube_public:
|
||||
namespace: kube-public
|
||||
|
||||
network_policy:
|
||||
postgresql:
|
||||
ingress:
|
||||
- {}
|
||||
|
||||
|
||||
manifests:
|
||||
configmap_bin: true
|
||||
job_image_repo_sync: true
|
||||
network_policy: false
|
||||
secret_admin: true
|
||||
service: true
|
||||
statefulset: true
|
||||
|
@ -167,21 +167,6 @@ endpoints:
|
||||
port:
|
||||
ldap:
|
||||
default: 389
|
||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
||||
# They are using to enable the Egress K8s network policy.
|
||||
k8s:
|
||||
port:
|
||||
api:
|
||||
default: 6443
|
||||
internal: 5000
|
||||
http:
|
||||
default: 80
|
||||
default:
|
||||
namespace: default
|
||||
kube_system:
|
||||
namespace: kube-system
|
||||
kube_public:
|
||||
namespace: kube-public
|
||||
|
||||
dependencies:
|
||||
dynamic:
|
||||
|
@ -265,21 +265,6 @@ endpoints:
|
||||
dns:
|
||||
default: 53
|
||||
protocol: UDP
|
||||
#NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
|
||||
# They are using to enable the Egress K8s network policy.
|
||||
k8s:
|
||||
port:
|
||||
api:
|
||||
default: 6443
|
||||
internal: 5000
|
||||
http:
|
||||
default: 80
|
||||
default:
|
||||
namespace: default
|
||||
kube_system:
|
||||
namespace: kube-system
|
||||
kube_public:
|
||||
namespace: kube-public
|
||||
|
||||
network_policy:
|
||||
rabbitmq:
|
||||
|
@ -23,7 +23,6 @@ tee /tmp/ldap.yaml <<EOF
|
||||
manifests:
|
||||
network_policy: true
|
||||
network_policy:
|
||||
ldap:
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
|
@ -39,11 +39,6 @@ network_policy:
|
||||
port: 4567
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
egress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: ingress
|
||||
EOF
|
||||
|
||||
#NOTE: Deploy command
|
||||
|
@ -28,11 +28,16 @@ pod:
|
||||
replicas:
|
||||
data: 1
|
||||
master: 2
|
||||
manifests:
|
||||
network_policy: true
|
||||
network_policy:
|
||||
elasticsearch:
|
||||
ingress:
|
||||
- from:
|
||||
EOF
|
||||
|
||||
helm upgrade --install elasticsearch ./elasticsearch \
|
||||
--namespace=osh-infra \
|
||||
--set manifests.network_policy=true \
|
||||
--values=/tmp/elasticsearch.yaml
|
||||
|
||||
#NOTE: Wait for deploy
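Review bot: The `elasticsearch` ingress entry written to /tmp/elasticsearch.yaml appears on the new side as a bare `- from:` with no selector on the lines shown; if that is the full content, `from` is null and the rule admits traffic from any peer, equivalent to `- {}`, so the job sets `manifests.network_policy=true` without exercising any actual restriction. If the rendered view dropped continuation or indentation lines, disregard this. The fluent-logging hunk has the same `- from:` shape under `fluentbit`, `fluentd`, `fluent` and `fluent-logging`. `--set manifests.network_policy=true \` also duplicates the `manifests: network_policy: true` written into the values file; keeping only one of the two avoids them drifting apart. The heredoc starts before the hunk.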
|
||||
|
@ -19,10 +19,29 @@ set -xe
|
||||
#NOTE: Lint and package chart
|
||||
make fluent-logging
|
||||
|
||||
tee /tmp/fluent-logging.yaml <<EOF
|
||||
manifests:
|
||||
network_policy: true
|
||||
network_policy:
|
||||
fluentbit:
|
||||
ingress:
|
||||
- from:
|
||||
fluentd:
|
||||
ingress:
|
||||
- from:
|
||||
fluent:
|
||||
ingress:
|
||||
- from:
|
||||
fluent-logging:
|
||||
ingress:
|
||||
- from:
|
||||
EOF
|
||||
|
||||
|
||||
#NOTE: Deploy command
|
||||
helm upgrade --install fluent-logging ./fluent-logging \
|
||||
--namespace=osh-infra \
|
||||
--set manifests.network_policy=true \
|
||||
--values=/tmp/fluent-logging.yaml \
|
||||
--set pod.replicas.fluentd=1
|
||||
|
||||
#NOTE: Wait for deploy
|
||||
|