Add network policy

526ad987 · Joshua Carnes · runyontr · 39326aff · 526ad987 · 526ad987
Commit 526ad987 authored May 25, 2021 by Joshua Carnes Committed by runyontr May 25, 2021
8 changed files
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
 include:
-  - project: 'platform-one/big-bang/pipeline-templates/pipeline-templates'
+  - project: "platform-one/big-bang/pipeline-templates/pipeline-templates"
    ref: master
-    file: '/templates/package-tests.yml'
+    file: "/templates/package-tests.yml"
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: twistlock
-version: 0.0.4-bb.0
+version: 0.0.4-bb.1
 appVersion: 21.04.412
--- a/chart/templates/network-policy/egress-default-deny-external.yml
+++ b/chart/templates/network-policy/egress-default-deny-external.yml
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-external-egress
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  podSelector: {}
+  policyTypes:
+    - Egress
+  egress: []
+{{- end }}
\ No newline at end of file
--- a/chart/templates/network-policy/ingress-default-deny.yml
+++ b/chart/templates/network-policy/ingress-default-deny.yml
+{{- if .Values.networkPolicies.enabled}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-ingress
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  podSelector: {}
+  ingress: []
+  policyTypes:
+    - Ingress
+{{- end }}
\ No newline at end of file
--- a/chart/templates/network-policy/ingress-egress-istio.yml
+++ b/chart/templates/network-policy/ingress-egress-istio.yml
+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: istio
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              app.kubernetes.io/name: istio-controlplane
+  egress:
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            app.kubernetes.io/name: istio-controlplane
+{{- end }}
--- a/chart/templates/network-policy/ingress-monitoring.yml
+++ b/chart/templates/network-policy/ingress-monitoring.yml
+{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-scraping
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  ingress:
+    - from:
+        - namespaceSelector: {} # all namespaces for now
+      ports:
+        - port: PROMETHEUS_PORT
+          protocol: TCP
+  podSelector: {} # all pods
+  policyTypes:
+    - Ingress
+{{- end }}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -16,9 +16,12 @@ istio:
    hosts:
      - twistlock.{{ .Values.hostname }}
+networkPolicies:
+  enabled: false
 # imagePullSecrets defines the secrets to use when pulling the operator container image.
 imagePullSecrets: []
 console:
  image:
    repository: registry1.dso.mil/ironbank/twistlock/console/console
@@ -28,7 +31,8 @@ console:
    size: 100Gi
    accessMode: ReadWriteOnce
-affinity: {}
+affinity:
+  {}
  # podAntiAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #     - topologyKey: "kubernetes.io/hostname"
@@ -44,10 +48,12 @@ affinity: {}
  #         values:
  #         - "twistlock"
-nodeSelector: {}
+nodeSelector:
+  {}
  # node-type: twistlock"
-tolerations: []
+tolerations:
+  []
  # - key: "key1"
  #   operator: "Equal"
  #   value: "value1"

--- a/tests/test-values.yml
+++ b/tests/test-values.yml
@@ -2,7 +2,7 @@ istio:
  enabled: true
 imagePullSecrets:
- name: private-registry-mil
+  - name: private-registry-mil
 console:
  persistence: