diff --git a/CHANGELOG.md b/CHANGELOG.md
index d32c3284e93823a43441e14c58333135ff08ef5f..d1e9a2f3488077b2b1de42950d1a3e30c1ba8f53 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ---
+## [0.1.6-bb.5] - 2021-06-21
+### Fixed
+- NetworkPolicy blocking an init container, added policy to allow postgres egress for the init container
+- Redo of test egress
+- Move around DNS policy
+
 ## [0.1.6-bb.4] - 2021-06-07
 ### Added
 - Ability to pass volumes / volumeMounts to MM pods
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 0a2698c3d28f26ae25a78ae16ecc0bcc06c94e0b..68c86b66e6defa85d56269316eb5e000ded4ed89 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: mattermost
 type: application
-version: "0.1.6-bb.4"
+version: "0.1.6-bb.5"
 appVersion: "5.34.2"
 description: "Deployment of mattermost"
 keywords:
diff --git a/chart/templates/bigbang/networkpolicies/allow-dns-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-dns-egress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..419d4461ef31442b4170ece15de6f8ea8faaccf9
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-dns-egress.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: allow-dns-egress
+namespace: {{ .Release.Namespace }}
+spec:
+podSelector: {}
+policyTypes:
+- Egress
+# Allow access to DNS
+egress:
+- to:
+- namespaceSelector: {}
+ports:
+- port: 53
+protocol: UDP
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml b/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
index bf112324976294213be04f8ccba2a62448e53b21..1e43c65604fda38959d6490d9b97251fc0569317 100644
--- a/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
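Review bot: The new allow-dns-egress policy lets every pod in the namespace send UDP/53 to any pod in any namespace (`namespaceSelector: {}` with no pod selector), which is far wider than reaching the cluster resolver and leaves a DNS-shaped egress path open toward every namespace in the cluster. Scope the peer to the resolver, e.g. `- namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: kube-system}}` together with `podSelector: {matchLabels: {k8s-app: kube-dns}}`, or drive those labels from values the way `ingressLabels` already is in values.yaml; confirm the namespace label exists on the target clusters before relying on it. Only UDP is allowed here, and resolvers retry over TCP/53 when a response is truncated, so a second entry `- port: 53` / `protocol: TCP` under the same `ports:` list is usually needed to avoid intermittent lookup failures under the deny-default policy.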
+++ b/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
@@ -17,4 +17,23 @@ spec:
 # ONLY Block requests to AWS metadata IP
 except:
 - 169.254.169.254/32
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: allow-external-postgres-egress-upgrade
+namespace: {{ .Release.Namespace }}
+spec:
+podSelector:
+matchLabels:
+app: mattermost-update-check
+policyTypes:
+- Egress
+egress:
+- to:
+- ipBlock:
+cidr: 0.0.0.0/0
+# ONLY Block requests to AWS metadata IP
+except:
+- 169.254.169.254/32
 {{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml
index 853d928ccaa7b15aa055c58ba8a27c2a3e352572..974182bd8bdb3e389e1b0e94f75ac732d8dd3847 100644
--- a/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml
@@ -11,9 +11,16 @@ spec:
 podSelector:
 matchLabels:
 helm-test: enabled
+egress:
+- to:
+- ipBlock:
+cidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+{{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }}
+# ONLY Block requests to cloud metadata IP
+except:
+- 169.254.169.254/32
+{{- end }}
 policyTypes:
 - Egress
-egress:
-- {}
 {{- end }}
 {{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/deny-default.yaml b/chart/templates/bigbang/networkpolicies/deny-default.yaml
index 2ee51fa07deac36d29a33d5bae8e63d53f3731cc..df7d38ea61b70bcf4399fdddaf2907532929246a 100644
--- a/chart/templates/bigbang/networkpolicies/deny-default.yaml
+++ b/chart/templates/bigbang/networkpolicies/deny-default.yaml
@@ -9,14 +9,6 @@ spec:
 policyTypes:
 - Ingress
 - Egress
-# Deny all ingress
 ingress: []
-# Deny egress by default
-# Allow access to DNS and Kube API
-egress:
-- to:
-- namespaceSelector: {}
-ports:
-- port: 53
-protocol: UDP
+egress: []
 {{- end }}
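Review bot: The new allow-external-postgres-egress-upgrade policy gives pods labelled `app: mattermost-update-check` egress to every destination on every port, not just to Postgres as the changelog entry describes; the IMDS carve-out is the only restriction, so a compromised update-check pod can reach anything the CNI routes under 0.0.0.0/0. Add a `ports:` clause next to the `to:` entry so the rule is limited to the database port, e.g. `ports:` / `- port: 5432` / `protocol: TCP` (or take the port from a value if the chart already exposes the database port elsewhere — I cannot see that from this hunk). `except: - 169.254.169.254/32` shields only the IPv4 IMDS address; excluding `169.254.0.0/16` instead covers the whole link-local range other metadata services use, at no cost to a real database peer. Whether `app: mattermost-update-check` is the label the operator actually puts on the init-container pod is not verifiable here and should be confirmed, since a mismatch leaves the original bug in place. The first policy in this file, visible only as context above the `---`, has the same unrestricted shape and would benefit from the same port scoping.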
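Review bot: The metadata-IP exclusion in the rebuilt test egress rule is gated on a string equality with `"0.0.0.0/0"`, so any operator-supplied `controlPlaneCidr` that still contains 169.254.169.254 (any range covering the 169.254.0.0/16 link-local block) silently loses the carve-out while looking tighter than the default. Because `except` entries must fall inside `cidr`, the exclusion cannot simply be made unconditional, but that contract should be stated in a comment above the `{{- if eq ... }}` and the value should be required and quoted, `cidr: {{ required "networkPolicies.controlPlaneCidr must be set" .Values.networkPolicies.controlPlaneCidr | quote }}`, so an unset value fails at template time rather than rendering a null `cidr:` the API server rejects. The removed `- {}` rule also let the helm-test pod reach the Mattermost service itself; if the test exercises the application rather than only the API server, narrowing `controlPlaneCidr` to the API-server range will break it, so the intended test targets deserve a comment here. The policy's `{{- if }}` guard and metadata sit above this hunk.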
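Review bot: deny-default now ends with a bare `egress: []`, and the removed lines were the only place that explained why DNS was allowed, so nothing tells the next maintainer that the allowance moved to allow-dns-egress.yaml rather than being dropped. Restore a comment above the new line, `# Deny all egress by default; DNS (UDP/53) is granted separately by allow-dns-egress.yaml`, and keep `# Deny all ingress` above `ingress: []`, which this hunk also removed without replacement. With `Egress` already listed under `policyTypes`, `egress: []` is equivalent to omitting the key; keeping it explicit is fine, but say so in the comment so nobody "fixes" it later. The policy's metadata and `{{- if }}` guard are above this hunk.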
diff --git a/chart/values.yaml b/chart/values.yaml
index 3c5b37c4ff727110f91cd331b07bd112ed21e4c3..418fd1ede2f88899fc3bbc60c6e73d4b9e31baca 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -23,6 +23,7 @@ networkPolicies:
 ingressLabels:
 app: istio-ingressgateway
 istio: ingressgateway
+controlPlaneCidr: 0.0.0.0/0
 sso:
 enabled: false
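Review bot: The new `controlPlaneCidr: 0.0.0.0/0` default is undocumented, and because allow-test-egress.yaml grants egress to the entire CIDR it makes the helm-test egress policy effectively allow-all until an operator overrides it. Add a comment above the key stating what it scopes and that the default is permissive, e.g. `# CIDR of the Kubernetes API server / control plane; scopes egress from helm test pods. The 0.0.0.0/0 default allows everything except the cloud metadata IP — narrow it per cluster.` Quoting the value, `controlPlaneCidr: "0.0.0.0/0"`, keeps YAML tooling from ever re-typing it and matches how Chart.yaml already quotes `version` and `appVersion`. The enclosing `networkPolicies` mapping starts above this hunk.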