UNCLASSIFIED - NO CUI

Skip to content

#103 : Support delivery of additional network policies through the values yaml

Andrew Kesterson requested to merge 103_additional_network_policies into main

General MR

Summary

Adds support to Authservice for custom network policies via values yaml.

This depends on big-bang/bigbang!4184 (merged) for a documentation reference

Relevant logs/screenshots

Given the following overrides:

addons:
  authservice:
    enabled: true
    sourceType: "git"
    git:
      repo: https://repo1.dso.mil/big-bang/product/packages/authservice.git
      path: chart
      branch: 103_additional_network_policies
      tag: null
    values:
      networkPolicies:
        enabled: true
        additionalPolicies:
        - name: this-is-a-authservice-job-test
          spec:
            podSelector: {}
            policyTypes:
            - Egress
            egress:
            - to:
              - ipBlock:
                  cidr: 172.20.0.0/12
        - name: this-is-a-zwei-authservice-job-test-test
          spec:
            podSelector: {}
            policyTypes:
            - Ingress
            ingress:
            - from:
              - ipBlock:
                  cidr: 172.20.0.0/12

We get additional custom network policies:

Every 2.0s: kubectl get NetworkPolicies -n authservice                                                                                                                                            BPH-MAC21.local: Wed Apr 24 16:26:40 2024

NAME                                       POD-SELECTOR                         AGE
this-is-a-authservice-job-test             <none>                               4m26s
this-is-a-zwei-authservice-job-test-test   <none>                               4m26s
allow-to-prometheus                        app.kubernetes.io/name=haproxy       7m34s
allow-to-istiod                            <none>                               7m34s
allow-from-istio-ingressgateway            app.kubernetes.io/name=haproxy       7m34s
allow-in-ns                                <none>                               7m34s
allow-scraping                             <none>                               7m34s
allow-tempo-egress                         <none>                               7m34s
allow-from-custom-selector                 app.kubernetes.io/name=authservice   7m34s
allow-to-alertmanager                      app.kubernetes.io/name=haproxy       7m34s
egress-kube-dns                            <none>                               7m34s
egress-to-sso                              app.kubernetes.io/name=authservice   7m34s
default-deny-all                           <none>                               7

Linked Issue

#103 (closed)

Upgrade Notices

N/A

Edited by Andrew Kesterson

Merge request reports

Loading