Make network policy template a little more generic
The changes made will take care of 1. block/allow all ingress 2. block/allow all egress 3. define spec->policyType based on policy type and/or ingress/egress rules present in values.yaml 4. supports more labels to spec->podSeclector 5. copy the rules as is defined under ingress/egress. Change-Id: Id437ee4de8d964b48540638ab8dff3199c3cb5ff
This commit is contained in:
parent
b8ac702c07
commit
d052381b4e
@ -18,14 +18,29 @@ abstract: |
|
||||
values: |
|
||||
network_policy:
|
||||
myLabel:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: api
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: keystone
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: keystone
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
egress:
|
||||
- ports:
|
||||
- port: 53
|
||||
protocol: UDP
|
||||
to:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
name: kube-system
|
||||
podSelector:
|
||||
matchLabels:
|
||||
application: kubernetes
|
||||
component: coredns
|
||||
usage: |
|
||||
{{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
return: |
|
||||
@ -42,16 +57,25 @@ return: |
|
||||
podSelector:
|
||||
matchLabels:
|
||||
application: myLabel
|
||||
component: api
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: keystone
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: keystone
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
egress:
|
||||
- {}
|
||||
- ports:
|
||||
- port: 53
|
||||
protocol: UDP
|
||||
to:
|
||||
- namespaceSelector: {}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
application: kubernetes
|
||||
component: coredns
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
|
||||
@ -65,18 +89,43 @@ metadata:
|
||||
name: {{ $label }}-netpol
|
||||
namespace: {{ $envAll.Release.Namespace }}
|
||||
spec:
|
||||
policyTypes:
|
||||
- Egress
|
||||
{{- if hasKey (index $envAll.Values "network_policy") $label }}
|
||||
{{- if index $envAll.Values.network_policy $label "ingress" }}
|
||||
- Ingress
|
||||
policyTypes:
|
||||
{{ $is_egress := false }}
|
||||
{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" }}
|
||||
{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") }}
|
||||
{{ $is_egress = true }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{ if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
|
||||
- Egress
|
||||
{{- end }}
|
||||
{{ $is_ingress := false }}
|
||||
{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" }}
|
||||
{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") }}
|
||||
{{ $is_ingress = true }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{ if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
|
||||
- Ingress
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{ $name }}: {{ $label }}
|
||||
{{- if hasKey (index $envAll.Values "network_policy") $label }}
|
||||
{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
|
||||
{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
|
||||
{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{- if hasKey (index $envAll.Values "network_policy") $label }}
|
||||
{{- if index $envAll.Values.network_policy $label "egress" }}
|
||||
egress:
|
||||
- {}
|
||||
{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if hasKey (index $envAll.Values "network_policy") $label }}
|
||||
{{- if index $envAll.Values.network_policy $label "ingress" }}
|
||||
ingress:
|
||||
|
Loading…
x
Reference in New Issue
Block a user