Resolve "Add custom network policies"
General MR
Summary
Adds support to Elasticsearch-Kibana for custom network policies via values yaml.
This depends on big-bang/bigbang!4184 (merged) for a documentation reference
Relevant logs/screenshots
Given these overrides
```yaml
elasticsearchKibana:
  enabled: true
  git:
    tag: null
    branch: 143-add-custom-network-policies
  license:
    trial: true
  values:
    networkPolicies:
      enabled: true
      additionalPolicies:
      - name: this-is-a-ek-logging-operator-job-test-test
        spec:
          podSelector: {}
          policyTypes:
          - Egress
          egress:
          - to:
            - ipBlock:
                cidr: 172.20.0.0/12
      - name: this-is-a-zwei-ek-logging-operator-job-test-test
        spec:
          podSelector: {}
          policyTypes:
          - Ingress
          ingress:
          - from:
            - ipBlock:
                cidr: 172.20.0.0/12
```
We get these network policies (new ones at the bottom):
```
$ kubectl get NetworkPolicies -n logging
NAME                                          POD-SELECTOR                               AGE
allow-to-istio-ingressgateway-elasticsearch   common.k8s.elastic.co/type=elasticsearch   34m
allow-sidecar-scraping                        <none>                                     34m
allow-metric-scraping                         app=metrics,release=logging-ek             34m
es-communication-jaeger                       common.k8s.elastic.co/type=elasticsearch   34m
kb-communication-eck-operator                 common.k8s.elastic.co/type=kibana          34m
es-communication-eck-operator                 common.k8s.elastic.co/type=elasticsearch   34m
allow-dns-egress                              <none>                                     34m
allow-in-ns                                   <none>                                     34m
allow-to-istio-ingressgateway-kibana          common.k8s.elastic.co/type=kibana          34m
allow-fluentbit-ingress
es-communication-in-namespace                 common.k8s.elastic.co/type=elasticsearch   34m
default-deny-all                              <none>                                     34m
allow-istiod-egress                           <none>                                     34m
allow-tempo-egress                            <none>                                     34m
this-is-a-zwei-ek-logging-job-test-test       <none>                                     34m
this-is-a-ek-logging-job-test-test            <none>                                     34m
```
When testing, don't forget to copy the logging secrets to the fluentbit namespace per the docs re the 2.0 breaking change
Linked Issue
Upgrade Notices
N/A
Edited by Andrew Kesterson
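A review-time lint for `additionalPolicies` entries like the overrides above, as an added example that is not part of this merge request or the chart. It flags an empty `podSelector`, `ipBlock` CIDRs with host bits set, and ranges wider than an assumed /16 threshold; the function names and `MIN_PREFIX` are hypothetical, and the sample input is constructed from the overrides on this page.

```python
import ipaddress

# Constructed sample: the additionalPolicies overrides from this page as a Python structure.
ADDITIONAL_POLICIES = [
    {"name": "this-is-a-ek-logging-operator-job-test-test",
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"ipBlock": {"cidr": "172.20.0.0/12"}}]}]}},
    {"name": "this-is-a-zwei-ek-logging-operator-job-test-test",
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"ipBlock": {"cidr": "172.20.0.0/12"}}]}]}},
]

MIN_PREFIX = 16  # assumed review threshold: flag ipBlocks wider than /16


def iter_ip_blocks(spec):
    """Yield (direction, cidr) for every ipBlock peer in a NetworkPolicy spec."""
    for direction, peer_key in (("egress", "to"), ("ingress", "from")):
        for rule in spec.get(direction) or []:
            for peer in rule.get(peer_key) or []:
                if "ipBlock" in peer:
                    yield direction, peer["ipBlock"]["cidr"]


def lint_policy(policy):
    """Return review findings for one additionalPolicies entry."""
    findings = []
    spec = policy.get("spec", {})
    selector = spec.get("podSelector") or {}
    if not selector.get("matchLabels") and not selector.get("matchExpressions"):
        findings.append("podSelector is empty: applies to every pod in the namespace")
    for direction, cidr in iter_ip_blocks(spec):
        net = ipaddress.ip_network(cidr, strict=False)  # strict=True would reject host bits
        if str(net) != cidr:
            findings.append(f"{direction} cidr {cidr} has host bits set; normalizes to {net}")
        if net.prefixlen < MIN_PREFIX:
            findings.append(f"{direction} cidr {net} is wider than /{MIN_PREFIX} "
                            f"({net.num_addresses} addresses)")
    return findings


def lint_all(policies):
    """Map policy name -> findings, keeping only policies that have findings."""
    return {p["name"]: f for p in policies if (f := lint_policy(p))}


if __name__ == "__main__":
    for name, findings in lint_all(ADDITIONAL_POLICIES).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Because NetworkPolicies are additive, every entry that passes through `additionalPolicies` widens what `default-deny-all` would otherwise block, which is why the selector and CIDR scope are worth checking before merge.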