diff --git a/CHANGELOG.md b/CHANGELOG.md index d02f4d7f9d5701c41138c91a35129a92d516aac7..af2294720f6475e971f0134a657cc948120329a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [0.1.12-bb.0] - 2021-06-03 +### Added +- Network Policy templates. Allow cluster ingress, egress to kube-dns, istiod, ingress from istio-ingressgateway, and ingress from jager pods & eck-operator pods. + ## [0.1.11-bb.0] - 2021-05-17 ### Changed - Updating Kibana and Elasticsearch versions to 7.10 diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 33798ccbdd1c6a2dc1b318487d4784fffc43b8eb..6eac252373874af6cf467cfe4bbcaa49ff8d63e6 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: logging -version: 0.1.11-bb.0 +version: 0.1.12-bb.0 appVersion: 7.10.0 dependencies: - name: bb-test-lib diff --git a/chart/templates/bigbang/networkpolicies/allow-istiod-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-istiod-egress.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f5d9665ad0e538af77285bcbcce25bcfbb090b14 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-istiod-egress.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-istiod-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - to: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + app: istiod + ports: + - port: 15012 +{{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/default-deny-all.yaml b/chart/templates/bigbang/networkpolicies/default-deny-all.yaml new file mode 100644 index 0000000000000000000000000000000000000000..302f51a375e8b814683aa38590377dd147c58ebc --- /dev/null 
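Review bot: The istiod egress rule's `- port: 15012` leaves `protocol` unset while the dns-allow and es-allow policies in this same change spell it out; the API default is TCP so nothing changes at runtime, but the templates should read consistently: `- port: 15012` / `protocol: TCP`. The file is also committed without a trailing newline (`\ No newline at end of file`), unlike the other new templates. The rule relies on the control-plane namespace carrying `app.kubernetes.io/name: istio-controlplane`, which is an assumption about the cluster; a one-line comment above the `namespaceSelector` naming that expectation, e.g. `# istio control-plane namespace must be labelled app.kubernetes.io/name=istio-controlplane`, would save the next operator a debugging session when sidecars fail to fetch config.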
+++ b/chart/templates/bigbang/networkpolicies/default-deny-all.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-all
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ egress: []
+ ingress: []
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/dns-allow.yaml b/chart/templates/bigbang/networkpolicies/dns-allow.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f0054ad48b6e15ce3b1332e19b2b3cc84d63fc3a
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/dns-allow.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: dns-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ egress:
+ - to:
+ - namespaceSelector: {}
+ ports:
+ - port: 53
+ protocol: UDP
+ podSelector: {}
+ policyTypes:
+ - Egress
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/es-allow.yaml b/chart/templates/bigbang/networkpolicies/es-allow.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b5c4452a8cc359be10595317d94ac912b760ebc4
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/es-allow.yaml
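Review bot: `egress: []` together with `policyTypes: [Ingress, Egress]` drops every connection leaving the namespace that no other policy in this change admits, and the only egress allows added here are DNS, istiod and the in-namespace rule; if Kibana SSO (the `sso:` block visible in the values.yaml hunk) performs an OIDC back-channel exchange with an identity provider outside this namespace, that call will be blocked — please confirm, and if so add an egress allow for it. On the ingress side nothing admits producers from other namespaces into Elasticsearch on 9200 other than Jaeger and the ECK operator, so any log shipper running elsewhere is cut off the moment `networkPolicies.enabled` is switched on; that may be intended, but it deserves a comment above `podSelector: {}` such as `# default deny: every allowed flow must be listed by a sibling policy in this directory`.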
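Review bot: The `dns-egress` rule admits only `protocol: UDP` on port 53, so a truncated DNS answer that the resolver retries over TCP (or a resolver configured with `use-vc`) is dropped by the default-deny policy; add a second port entry `- port: 53` / `protocol: TCP`. The `namespaceSelector: {}` with no pod selector also opens port 53 toward every pod in the cluster rather than only the cluster DNS service; where the DNS pods carry the usual `k8s-app: kube-dns` label, pairing the namespace selector with `podSelector: matchLabels: k8s-app: kube-dns` keeps the allow narrow without changing behaviour for legitimate lookups.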
@@ -0,0 +1,45 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: es-communication-jaeger
+ namespace: {{ .Release.Namespace }}
+spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: jaeger
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: jaeger
+ ports:
+ - port: 9200
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ common.k8s.elastic.co/type: elasticsearch
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: es-communication-eck-operator
+ namespace: {{ .Release.Namespace }}
+spec:
+ ingress:
+ - from:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: elastic-operator
+ ports:
+ - port: 9200
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ common.k8s.elastic.co/type: elasticsearch
+ policyTypes:
+ - Ingress
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/helm-test-egress.yaml b/chart/templates/bigbang/networkpolicies/helm-test-egress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..2364497729eaaaac960fc6a37fdaf16a55442ab9
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/helm-test-egress.yaml
@@ -0,0 +1,21 @@
+{{- $bbtests := .Values.bbtests | default dict -}}
+{{- $cypress := $bbtests.cypress | default dict -}}
+{{- $enabled := (hasKey $bbtests "enabled") -}}
+{{- $artifacts := (hasKey $cypress "artifacts") -}}
+{{- if and $enabled $artifacts }}
+{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled .Values.bbtests.cypress.artifacts }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-helm-test-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ helm-test: enabled
+ policyTypes:
+ - Egress
+ egress:
+ - {}
+{{- end }}
+{{- end }}
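Review bot: `es-communication-eck-operator` combines `namespaceSelector: {}` with only a pod label, so any pod in any namespace that labels itself `app.kubernetes.io/name: elastic-operator` is admitted to Elasticsearch on 9200; pod labels are set by whoever can create the pod, so this is a label-spoofing gap rather than an operator allow. Pin the namespace the way the Jaeger policy does — replace `namespaceSelector: {}` with a `matchLabels` entry for the namespace the ECK operator actually runs in (the value this chart expects is not visible in the hunk, so it likely belongs in values.yaml). The Jaeger policy is rendered whenever `networkPolicies.enabled` is set even if Jaeger is not deployed; harmless, but a `# only needed when jaeger ships spans to this Elasticsearch` comment above it would make the intent clear.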
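Review bot: The two nested `if`s in helm-test-egress.yaml express one condition twice: the outer `hasKey` checks exist only so the inner `.Values.bbtests.enabled` / `.Values.bbtests.cypress.artifacts` lookups cannot fail on a missing map, but `$bbtests` and `$cypress` already default to empty dicts, so a single `{{- if and .Values.networkPolicies.enabled $bbtests.enabled $cypress.artifacts }}` closed by one `{{- end }}` is equivalent and easier to read. The rule itself grants unrestricted egress (`- {}`) to every pod labelled `helm-test: enabled`, which is reasonable for test runners but should be stated, e.g. `# test-only: rendered solely when cypress artifacts are enabled; allows unrestricted egress for the helm-test pods`.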
diff --git a/chart/templates/bigbang/networkpolicies/istio.yaml b/chart/templates/bigbang/networkpolicies/istio.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..734e50d968a15f9d6cb9aece4c2ff189ccb60142
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/istio.yaml
@@ -0,0 +1,25 @@
+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-to-istio-ingressgateway
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+ podSelector:
+ matchLabels:
+ {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}}
+ ports:
+ - port: 5601
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ common.k8s.elastic.co/type: kibana
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/namespace-allow.yaml b/chart/templates/bigbang/networkpolicies/namespace-allow.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..97a841cca7ca41fbbfe94e4f1415e4230d70f49b
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/namespace-allow.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-in-ns
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - podSelector: {}
+ egress:
+ - to:
+ - podSelector: {}
+{{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index a2d3aae7a19461d229d6f2874b323dbd7a9e07d3..ffd7e24bf2307cbb028987feea2da09a041862f4 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
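Review bot: `spec` in istio.yaml appears to carry `podSelector` twice — `podSelector: {}` directly under `spec:` and a second `podSelector` with `common.k8s.elastic.co/type: kibana` after `ports`; the `nindent 10` on the from-side selector implies the trailing one sits at spec level, though the collapsed whitespace in this view makes that an inference. Duplicate mapping keys are invalid YAML; the loader Helm uses lets the last key win, which would scope the policy to Kibana only, but that leans on parser behaviour instead of stating the intent. Drop the first `podSelector: {}` so that only the Kibana selector remains, and add `# ingress: istio ingressgateway -> Kibana on 5601` above the `ingress:` rule. The policy name `allow-to-istio-ingressgateway` also reads as an egress allow while it is an ingress rule *from* the gateway; `allow-from-istio-ingressgateway` would match what it does.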
@@ -257,3 +257,9 @@ sso: # Role mappings for SSO groups must be set up and SSO enabled before doing this kibanaBasicAuth: enabled: true + +networkPolicies: + enabled: false + ingressLabels: + app: istio-ingressgateway + istio: ingressgateway \ No newline at end of file diff --git a/tests/test-values.yml b/tests/test-values.yml index 59a9bc29c1aa7b5a519c23c4f8381570630672ca..94fcb2a31d4c4fcf03cc0f61a13020d07ea40a1e 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -27,7 +27,11 @@ elasticsearch: istio: enabled: true +networkPolicies: + enabled: true + bbtests: + enabled: true cypress: artifacts: true envs:
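Review bot: The new `networkPolicies` block in values.yaml is undocumented while the surrounding keys carry explanatory comments (the `# Role mappings ...` line right above it); add `# Render a default-deny NetworkPolicy plus the allow rules under templates/bigbang/networkpolicies` above `enabled: false` and `# Pod labels of the istio ingressgateway admitted to Kibana on 5601` above `ingressLabels:`. The file also loses its trailing newline (`\ No newline at end of file`). Since the default is `false`, a sentence in the chart README or CHANGELOG noting that enabling it requires every out-of-namespace producer to be covered by an allow policy would prevent surprises at upgrade time.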