3121fc24c5
This patch set places logic to generate kubernetes egress network policy rule based on the dependencies specified in values.yaml. This also sets up the necessary default network policy for the OSH gate. Change-Id: I1ac649cc9debb5d1f4ea0a32f506dcda4d8b8536 Signed-off-by: Tin Lam <tin@irrational.io>
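---
# Values override that enables the RabbitMQ NetworkPolicy manifests and
# supplies the ingress and egress rules they render.
#
# Ingress and egress are kept under ONE `network_policy.rabbitmq` mapping.
# Repeating the top-level `network_policy` key for each direction is invalid
# YAML: most loaders keep only the last occurrence, so one rule set (here the
# ingress allow-list) would be dropped without any error.
network_policy:
  rabbitmq:
    ingress:
      # Client traffic. A podSelector with no namespaceSelector matches pods
      # in the policy's own namespace only. Admission is decided purely by
      # the `application` label, so any pod that can carry one of these
      # labels is allowed in; control who may create pods in this namespace.
      - from:
          - podSelector:
              matchLabels:
                application: keystone
          - podSelector:
              matchLabels:
                application: heat
          - podSelector:
              matchLabels:
                application: glance
          - podSelector:
              matchLabels:
                application: cinder
          - podSelector:
              matchLabels:
                application: aodh
          - podSelector:
              matchLabels:
                application: congress
          - podSelector:
              matchLabels:
                application: barbican
          - podSelector:
              matchLabels:
                application: ceilometer
          - podSelector:
              matchLabels:
                application: designate
          - podSelector:
              matchLabels:
                application: ironic
          - podSelector:
              matchLabels:
                application: magnum
          - podSelector:
              matchLabels:
                application: mistral
          - podSelector:
              matchLabels:
                application: nova
          - podSelector:
              matchLabels:
                application: neutron
          - podSelector:
              matchLabels:
                application: senlin
          - podSelector:
              matchLabels:
                application: placement
          - podSelector:
              matchLabels:
                application: rabbitmq
          - podSelector:
              matchLabels:
                application: prometheus_rabbitmq_exporter
        ports:
          # AMQP port
          - protocol: TCP
            port: 5672
          # HTTP API ports
          # NOTE(review): these are reachable by every client listed above,
          # not only the exporter; a separate rule limited to the pods that
          # need the HTTP API would be tighter - confirm which clients use it.
          - protocol: TCP
            port: 15672
          - protocol: TCP
            port: 80
      # Cluster-internal traffic: only other RabbitMQ pods may reach the
      # clustering and epmd ports.
      - from:
          - podSelector:
              matchLabels:
                application: rabbitmq
        ports:
          # Clustering port AMQP + 20000
          - protocol: TCP
            port: 25672
          # Erlang Port Mapper Daemon (epmd)
          - protocol: TCP
            port: 4369
    egress:
      # Outbound traffic to the other RabbitMQ pods (clustering).
      # NOTE(review): no DNS egress rule is listed in this file; confirm the
      # rendered policy allows name resolution if the nodes find each other
      # by hostname.
      - to:
          - podSelector:
              matchLabels:
                application: rabbitmq
        ports:
          # Erlang port mapper daemon (epmd)
          - protocol: TCP
            port: 4369
          # Rabbit clustering port AMQP + 20000
          - protocol: TCP
            port: 25672
          # NOTE(lamt): Set by inet_dist_listen_{min/max}. Firewalls must
          # permit traffic in this range to pass between clustered nodes.
          # - protocol: TCP
          #   port: 35197
      # Outbound traffic to a single API endpoint. $API_ADDR and $API_PORT
      # are placeholders, presumably substituted by the gate tooling before
      # this file is handed to helm - confirm. Keep `port` unquoted: a
      # string value is treated by NetworkPolicy as a named port, not a
      # port number.
      - to:
          - ipBlock:
              cidr: $API_ADDR/32
        ports:
          - protocol: TCP
            port: $API_PORT

# Switches that turn on rendering of the NetworkPolicy manifests for
# RabbitMQ and for its Prometheus exporter.
manifests:
  monitoring:
    prometheus:
      network_policy_exporter: true
  network_policy: true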