Merge branch 'network-policy-2' into 'main'

Network Policy Template Finalization See merge request !24

Merge branch 'network-policy-2' into 'main'
Network Policy Template Finalization See merge request !24
b0eb4d20 · Ryan Garcia · f32694ac · 5e6f9b41 · b0eb4d20 · b0eb4d20
Commit b0eb4d20 authored Jun 08, 2021 by Ryan Garcia
12 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,28 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

 ---

+## [0.0.5-bb.0] - 2021-06-02
+
+### Changed
+
+- Network policy resource Templates
+
+## [0.0.4-bb.3] - 2021-06-01
+
+### Added
+
+- Gluon test library dependency
+
+### Changed
+
+- CI Test infrastructure. Migrating to helm tests with script capabilities.
+
+## [0.0.4-bb.2] - 2021-05-26
+
+### Added
+
+- Network policy resource Templates
+
 ## [0.0.4-bb.0] - 2021-05-12

 ### Added

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: twistlock
-version: 0.0.4-bb.3
+version: 0.0.5-bb.0
 appVersion: 21.04.412
 dependencies:
  - name: gluon

--- a/chart/templates/network-policy/egress-default-deny-external.yml
+++ b/chart/templates/network-policy/egress-default-deny-external.yml
--- a/chart/templates/networkpolicies/egress-kube-dns.yaml
+++ b/chart/templates/networkpolicies/egress-kube-dns.yaml
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: egress-kube-dns
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  egress:
+    - to:
+      - namespaceSelector: {} # all namespaces
+      ports:
+        - port: 53
+          protocol: UDP
+  podSelector: {} # all pods in Release namespace
+  policyTypes:
+    - Egress
+{{- end }}
--- a/chart/templates/networkpolicies/helm-test-egress.yaml
+++ b/chart/templates/networkpolicies/helm-test-egress.yaml
+{{- $bbtests := .Values.bbtests | default dict -}}
+{{- $cypress := $bbtests.cypress | default dict -}}
+{{- $enabled := (hasKey $bbtests "enabled") -}}
+{{- $artifacts := (hasKey $cypress "artifacts") -}}
+{{- if and $enabled $artifacts }}
+{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled .Values.bbtests.cypress.artifacts }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-helm-test-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      helm-test: enabled
+  policyTypes:
+  - Egress
+  egress:
+  - {}
+{{- end }}
+{{- end }}
--- a/chart/templates/network-policy/ingress-all-ns.yml
+++ b/chart/templates/network-policy/ingress-all-ns.yml
@@ -2,14 +2,12 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: ingress-allow-cluster
+  name: ingress-allow-ns
  namespace: "{{ .Release.Namespace }}"
 spec:
  ingress:
    - from:
-        - namespaceSelector: {} # all namespaces for now
-      ports:
-        - port: 8084 # communications port
+      - podSelector: {} # all pods in namespace
  podSelector: {} # all pods
  policyTypes:
    - Ingress

--- a/chart/templates/network-policy/ingress-default-deny.yml
+++ b/chart/templates/network-policy/ingress-default-deny.yml
--- a/chart/templates/network-policy/ingress-egress-istio.yml
+++ b/chart/templates/network-policy/ingress-egress-istio.yml
@@ -2,21 +2,23 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: istio
+  name: istio-ingress
  namespace: "{{ .Release.Namespace }}"
 spec:
-  podSelector: {}
+  podSelector:
+    matchLabels:
+      app: twistlock-console
  policyTypes:
    - Ingress
-    - Egress
  ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            app.kubernetes.io/name: istio-controlplane
-  egress:
-    - to:
-      - namespaceSelector:
+        podSelector:
          matchLabels:
-            app.kubernetes.io/name: istio-controlplane
+            {{- toYaml .Values.networkPolicies.ingressLabels | nindent 12}}
+      ports:
+      - port: 8081 #Default UI console Port
+      - port: 8083 #TLS configured UI console Port
 {{- end }}
--- a/chart/templates/network-policy/ingress-monitoring.yml
+++ b/chart/templates/network-policy/ingress-monitoring.yml
@@ -7,11 +7,17 @@ metadata:
 spec:
  ingress:
    - from:
-        - namespaceSelector: {} # all namespaces for now
+      - namespaceSelector:
+          matchLabels:
+            app.kubernetes.io/name: monitoring
+        podSelector:
+          matchLabels:
+            app: prometheus
      ports:
-        - port: PROMETHEUS_PORT
-          protocol: TCP
-  podSelector: {} # all pods
+      - port: 8081
+  podSelector:
+    matchLabels:
+      name: twistlock-console
  policyTypes:
    - Ingress
 {{- end }}
--- a/chart/templates/networkpolicies/istiod-egress.yml
+++ b/chart/templates/networkpolicies/istiod-egress.yml
+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-istiod-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          app: istiod
+    ports:
+    - port: 15012
+{{- end }}
\ No newline at end of file
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -18,6 +18,9 @@ istio:

 networkPolicies:
  enabled: false
+  ingressLabels:
+    app: istio-ingressgateway
+    istio: ingressgateway

 # imagePullSecrets defines the secrets to use when pulling the operator container image.
 imagePullSecrets: []

--- a/tests/test-values.yml
+++ b/tests/test-values.yml
 istio:
  enabled: true

+networkPolicies:
+  enabled: true
+
 imagePullSecrets:
  - name: private-registry-mil