From 069915f9c39fb4cc04b1e5eb587eea3f2cabb368 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Mon, 21 Jun 2021 10:33:56 -0600 Subject: [PATCH 1/2] refactor --- CHANGELOG.md | 6 ++++++ chart/Chart.yaml | 2 +- .../networkpolicies/allow-dns-egress.yaml | 18 ++++++++++++++++++ .../allow-external-postgres.yaml | 19 +++++++++++++++++++ .../networkpolicies/allow-test-egress.yaml | 11 +++++++++-- .../bigbang/networkpolicies/deny-default.yaml | 10 ---------- chart/values.yaml | 1 + 7 files changed, 54 insertions(+), 13 deletions(-) create mode 100644 chart/templates/bigbang/networkpolicies/allow-dns-egress.yaml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d32c328..d1e9a2f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [0.1.6-bb.5] - 2021-06-21 +### Fixed +- NetworkPolicy blocking an init container, added policy to allow postgres egress for the init container +- Redo of test egress +- Move around DNS policy + ## [0.1.6-bb.4] - 2021-06-07 ### Added - Ability to pass volumes / volumeMounts to MM pods
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 0a2698c..68c86b6 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,7 +1,7 @@ apiVersion: v2 name: mattermost type: application -version: "0.1.6-bb.4" +version: "0.1.6-bb.5" appVersion: "5.34.2" description: "Deployment of mattermost" keywords:
diff --git a/chart/templates/bigbang/networkpolicies/allow-dns-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-dns-egress.yaml
new file mode 100644
index 0000000..419d446
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-dns-egress.yaml
@@ -0,0 +1,18 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-dns-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Egress + # Allow access to DNS + egress: + - to: + - namespaceSelector: {} + ports: + - port: 53 + protocol: UDP +{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml b/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
index bf11232..1e43c65 100644
--- a/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
@@ -17,4 +17,23 @@ spec: # ONLY Block requests to AWS metadata IP except: - 169.254.169.254/32 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-external-postgres-egress-upgrade + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + app: mattermost-update-check + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 {{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml
index 853d928..974182b 100644
--- a/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml
@@ -11,9 +11,16 @@ spec: podSelector: matchLabels: helm-test: enabled + egress: + - to: + - ipBlock: + cidr: {{ .Values.networkPolicies.controlPlaneCidr }} + {{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }} + # ONLY Block requests to cloud metadata IP + except: + - 169.254.169.254/32 + {{- end }} policyTypes: - Egress - egress: - - {} {{- end }} {{- end }}
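Review bot: The egress rule in the new allow-dns-egress policy admits UDP 53 only, so a resolver that retries over TCP after a truncated UDP answer (large TXT/SRV responses) is still blocked by deny-default and the lookup fails intermittently rather than never; add a second entry under `ports:`, `- port: 53` / `protocol: TCP`. Separately, `namespaceSelector: {}` with no pod selector lets every pod in this namespace reach port 53 on any pod in any namespace, which is wider than the `# Allow access to DNS` comment suggests; where the cluster labels its DNS pods (commonly `k8s-app: kube-dns`), adding a `podSelector` next to the `namespaceSelector` in the same `to:` entry confines the rule to the cluster resolver. The comment is worth expanding to say the policy selects every pod (`podSelector: {}`) so that the other allow-* policies can assume name resolution works.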
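Review bot: The new `allow-external-postgres-egress-upgrade` policy has no `ports:` list, so pods labelled `app: mattermost-update-check` get egress to every address and every port except the single metadata IP, which is much wider than the "postgres" in its name; if the init container only needs the database, add a `ports:` entry for the postgres port beside the `to:` entry, or rename the policy to say what it really grants. Nothing in this diff defines the `app: mattermost-update-check` label, so whether it matches the pod the init container runs in cannot be checked here; a one-line comment above `matchLabels` naming who applies that label (presumably whatever creates the update-check pod — confirm) would let the next reader verify it. The `# ONLY Block requests to AWS metadata IP` wording differs from `cloud metadata IP` used for the same exception in allow-test-egress.yaml in this patch; pick one. The `{{- if }}` that this hunk's final `{{- end }}` closes opens outside the hunk.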
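Review bot: `cidr: {{ .Values.networkPolicies.controlPlaneCidr }}` is rendered unquoted, so an empty or unset value produces `cidr:` (null) and the failure surfaces as an API validation error at install time instead of at template time; render it as `cidr: {{ .Values.networkPolicies.controlPlaneCidr | quote }}` or wrap the value in `required`. The `{{- if eq ... "0.0.0.0/0" }}` gate is an exact string match, so any other CIDR that still contains 169.254.169.254 gets no `except` entry and the test pod can reach the metadata endpoint again; the values documentation should state that a narrowed CIDR is assumed to exclude the link-local range. The conditional itself is needed because Kubernetes rejects `except` entries outside `cidr`, and a comment saying so (`# except must lie within cidr, so it is only emitted for the catch-all default`) would stop someone "simplifying" it away. Both `{{- if }}` blocks closed by the trailing `{{- end }}` lines open outside the hunk.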
diff --git a/chart/templates/bigbang/networkpolicies/deny-default.yaml b/chart/templates/bigbang/networkpolicies/deny-default.yaml
index 2ee51fa..a0da1d5 100644
--- a/chart/templates/bigbang/networkpolicies/deny-default.yaml
+++ b/chart/templates/bigbang/networkpolicies/deny-default.yaml
@@ -9,14 +9,4 @@ spec: policyTypes: - Ingress - Egress - # Deny all ingress - ingress: [] - # Deny egress by default - # Allow access to DNS and Kube API - egress: - - to: - - namespaceSelector: {} - ports: - - port: 53 - protocol: UDP {{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index 3c5b37c..418fd1e 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -23,6 +23,7 @@ networkPolicies: ingressLabels: app: istio-ingressgateway istio: ingressgateway + controlPlaneCidr: 0.0.0.0/0 sso: enabled: false -- GitLab
From 3cfa029014db4c39b047c983f526ff66a198e08d Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Mon, 21 Jun 2021 10:38:35 -0600 Subject: [PATCH 2/2] defautl deny --- chart/templates/bigbang/networkpolicies/deny-default.yaml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/chart/templates/bigbang/networkpolicies/deny-default.yaml b/chart/templates/bigbang/networkpolicies/deny-default.yaml
index a0da1d5..df7d38e 100644
--- a/chart/templates/bigbang/networkpolicies/deny-default.yaml
+++ b/chart/templates/bigbang/networkpolicies/deny-default.yaml
@@ -9,4 +9,6 @@ spec: policyTypes: - Ingress - Egress + ingress: [] + egress: [] {{- end }} -- GitLab
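Review bot: The new `controlPlaneCidr: 0.0.0.0/0` default leaves the helm-test pods with egress to the entire IPv4 range (minus one metadata address), and the key is added with no comment saying what it is for or that it is meant to be narrowed; add `# CIDR the helm test pods may reach (Kubernetes API); narrow from the permissive default` above it. Indentation is not recoverable from this listing, but the templates read `.Values.networkPolicies.controlPlaneCidr`, so the key must sit directly under `networkPolicies:` and not under the `ingressLabels:` mapping it is printed after — worth a glance at the rendered values. Quoting the value (`controlPlaneCidr: "0.0.0.0/0"`) keeps it an unambiguous string for any tooling that re-serializes values.yaml.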
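Review bot: `ingress: []` and `egress: []` express the same deny-all that the previous commit already had (both types listed in `policyTypes` with no rules), so the change is clarification, but the comments that used to explain the intent (`# Deny all ingress`, `# Deny egress by default`) were removed in the first patch and are not restored here. Put a comment above each line and point to where exceptions now live, e.g. `# Deny all egress by default; DNS, postgres and helm-test egress are opened by the allow-*.yaml policies in this directory`. The `{{- if }}` closed by the hunk's `{{- end }}` opens outside the hunk.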