From e8d6ff71294dd53bf3d74fdc09922996fc5174dd Mon Sep 17 00:00:00 2001
From: Charles Culman
Date: Thu, 10 Jun 2021 15:40:00 +0000
Subject: [PATCH] Network policies

---
 CHANGELOG.md | 5 +++
 chart/Chart.yaml | 2 +-
 .../networkpolicies/default-deny-all.yaml | 15 +++++++
 .../bigbang/networkpolicies/istio.yaml | 44 +++++++++++++++++++
 .../networkpolicies/kube-api-egress.yaml | 19 ++++++++
 .../bigbang/networkpolicies/monitoring.yaml | 24 ++++++++++
 chart/values.yaml | 7 +++
 tests/test-values.yml | 3 +-
 8 files changed, 117 insertions(+), 2 deletions(-)
 create mode 100644 chart/templates/bigbang/networkpolicies/default-deny-all.yaml
 create mode 100644 chart/templates/bigbang/networkpolicies/istio.yaml
 create mode 100644 chart/templates/bigbang/networkpolicies/kube-api-egress.yaml
 create mode 100644 chart/templates/bigbang/networkpolicies/monitoring.yaml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4dc68c6..cbb51d7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,2 +1,7 @@
 # Changelog
+## [29.1.0-bb.2]
+# Added
+* default-deny-all network policy
+* istio network policy
+* monitoring network policy
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 735e91a..b6173cf 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: nexus-repository-manager
-version: 29.1.0-bb.1
+version: 29.1.0-bb.2
 appVersion: 3.29.0
 description: Sonatype Nexus Repository Manager - Universal Binary repository
 type: application
diff --git a/chart/templates/bigbang/networkpolicies/default-deny-all.yaml b/chart/templates/bigbang/networkpolicies/default-deny-all.yaml
new file mode 100644
index 0000000..d8e6d46
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/default-deny-all.yaml
@@ -0,0 +1,15 @@
+{{ if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-all
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress: []
+ egress: []
+{{- end }}
+
diff --git a/chart/templates/bigbang/networkpolicies/istio.yaml b/chart/templates/bigbang/networkpolicies/istio.yaml
new file mode 100644
index 0000000..5c6c341
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/istio.yaml
@@ -0,0 +1,44 @@
+{{ if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-to-istio-ingressgateway
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+ podSelector:
+ matchLabels:
+ {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}}
+ ports:
+ - port: {{ .Values.nexus.nexusPort }}
+ {{- range .Values.nexus.docker.registries }}
+ - port: {{ .port }}
+ {{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-to-istio-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+ podSelector:
+ matchLabels:
+ istio: pilot
+ ports:
+ - port: 15012
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/kube-api-egress.yaml b/chart/templates/bigbang/networkpolicies/kube-api-egress.yaml
new file mode 100644
index 0000000..708f312
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/kube-api-egress.yaml
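Review bot: `podSelector: {}` isolates every pod in the release namespace, yet the only DNS/egress allowance in this patch that is scoped by pod labels (`kube-api-dns-egress`) selects just `app.kubernetes.io/name: nexus-repository-manager`, so any other workload sharing the namespace would lose DNS and all remaining traffic once `networkPolicies.enabled` is set. No such workload is visible in this diff, so that may be intended; if so, a comment above `podSelector: {}` such as `# Isolates every pod in the namespace; the allow policies in this directory are scoped to the Nexus pods` would make the blast radius explicit to operators. The `ingress: []` and `egress: []` entries are redundant with `policyTypes` and can be dropped.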
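Review bot: The `allow-to-istio-ingressgateway` policy uses a top-level `podSelector: {}`, so the ingress gateway is permitted to reach any pod in the namespace on `nexusPort` and every docker registry port, whereas the monitoring and kube-api policies in the same patch narrow themselves to `app.kubernetes.io/name: nexus-repository-manager`; using the same `matchLabels` here keeps the ingress exposure to the Nexus pods and consistent across the chart. `{{- range .Values.nexus.docker.registries }}` is evaluated unguarded, so rendering presumably relies on `nexus.docker.registries` existing in the upstream values.yaml (not visible here) — worth confirming, or guarding with `{{- if .Values.nexus.docker }}`. The port entries also omit `protocol:` while kube-api-egress.yaml spells `protocol: TCP`; adding it keeps the policies uniform and avoids relying on the implicit default.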
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: kube-api-dns-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ egress:
+ - to:
+ - namespaceSelector: {}
+ ports:
+ - port: 443
+ protocol: TCP
+ - port: 53
+ protocol: UDP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: nexus-repository-manager
+ policyTypes:
+ - Egress
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/monitoring.yaml b/chart/templates/bigbang/networkpolicies/monitoring.yaml
new file mode 100644
index 0000000..04349ef
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/monitoring.yaml
@@ -0,0 +1,24 @@
+{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-scraping
+ namespace: "{{ .Release.Namespace }}"
+spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: monitoring
+ podSelector:
+ matchLabels:
+ app: prometeus
+ ports:
+ - port: {{ .Values.nexus.nexusPort }}
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: nexus-repository-manager
+ policyTypes:
+ - Ingress
+{{- end }}
+
diff --git a/chart/values.yaml b/chart/values.yaml
index aadeaa3..e0a6a9d 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -6,6 +6,13 @@ istio:
 nexus:
 gateways:
 - "istio-system/main"
+
+networkPolicies:
+ enabled: false
+ ingressLabels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+
 monitoring:
 enabled: false
 license_key: ""
diff --git a/tests/test-values.yml b/tests/test-values.yml
index b09ad18..5b40759 100644
--- a/tests/test-values.yml
+++ b/tests/test-values.yml
@@ -4,5 +4,6 @@ istio:
 nexus:
 imagePullSecrets:
 - name: private-registry-mil
-
+networkPolicies:
+ enabled: true
-- 
GitLab
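Review bot: This template is the only one of the four not wrapped in `{{ if .Values.networkPolicies.enabled }}`, so it is rendered even with the default `enabled: false`; because any NetworkPolicy that selects a pod makes that pod isolated for the listed policy types, the Nexus pods would then be restricted to TCP/443 and UDP/53 egress while the `allow-to-istio-egress` allowance to istiod on 15012 stays disabled — on a CNI that enforces NetworkPolicy this is likely to break the sidecar. Wrap the file in `{{- if .Values.networkPolicies.enabled }}` / `{{- end }}` and list it in the changelog entry, which currently omits it. `namespaceSelector: {}` matches pods in every namespace, which does not necessarily reach the API server endpoint the policy name refers to (on many clusters that is a node or host address rather than a pod), so verify this against the target CNI and consider an explicit `ipBlock` for the API server. DNS is allowed only over UDP, so resolvers that fall back to TCP/53 for large responses will be dropped; add a second entry `- port: 53` with `protocol: TCP`, and the file is also missing its trailing newline.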
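Review bot: `app: prometeus` is misspelled, so the `podSelector` matches no pods and `allow-scraping` permits nothing — under `default-deny-all` the scrape fails silently instead of erroring at render time. Change it to `app: prometheus` and confirm that label against the actual Prometheus pod labels in the `monitoring` namespace, since operator-managed pods may carry `app.kubernetes.io/name: prometheus` instead. The quoted `namespace: "{{ .Release.Namespace }}"` differs from the unquoted form used by the other three policies; either renders fine, but one style should be used across the directory.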
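Review bot: The new `networkPolicies` block in values.yaml carries no comment, so an operator cannot tell what enabling it does or what `ingressLabels` must match without reading the templates. A comment above `networkPolicies:` naming the policies the flag gates (namespace-wide default-deny, ingress from the Istio ingress gateway on the Nexus and docker ports, egress to istiod, and Prometheus scraping when `monitoring.enabled` is set) and stating that `ingressLabels` must equal the labels on the ingress-gateway pods would let this be enabled safely. Stating that enforcement depends on the cluster CNI supporting NetworkPolicy is also worth a line, since the flag otherwise appears to do nothing.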