authoredFeb 8, 2024
[bitnami/external-dns] feat: 🔒 Enable networkPolicy (#23285)
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
1 parent 6bdfcc2 commit c9676cb

4 files changed

+137
-1
lines changed


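--- a/bitnami/external-dns/Chart.yaml
+++ b/bitnami/external-dns/Chart.yaml
@@ -28,4 +28,4 @@ maintainers:
 name: external-dns
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/external-dns
-version: 6.31.6
+version: 6.32.0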

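--- a/bitnami/external-dns/README.md
+++ b/bitnami/external-dns/README.md
@@ -302,6 +302,14 @@ The command removes all the Kubernetes components associated with the chart and
 | `service.labels` | Provide any additional labels which may be required. | `{}` |
 | `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
 | `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
+| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
+| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
 | `serviceAccount.create` | Determine whether a Service Account should be created or it should reuse a exiting one. | `true` |
 | `serviceAccount.name` | ServiceAccount to use. A name is generated using the external-dns.fullname template if it is not set | `""` |
 | `serviceAccount.annotations` | Additional Service Account annotations | `{}` |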
@@ -0,0 +1,70 @@
1+
{{- /*
2+
Copyright VMware, Inc.
3+
SPDX-License-Identifier: APACHE-2.0
4+
*/}}
5+
6+
{{- if .Values.networkPolicy.enabled }}
7+
kind: NetworkPolicy
8+
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
9+
metadata:
10+
name: {{ template "common.names.fullname" . }}
11+
namespace: {{ include "common.names.namespace" . | quote }}
12+
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
13+
app.kubernetes.io/component: controller
14+
{{- if .Values.commonAnnotations }}
15+
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
16+
{{- end }}
17+
spec:
18+
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
19+
podSelector:
20+
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
21+
app.kubernetes.io/component: controller
22+
policyTypes:
23+
- Ingress
24+
- Egress
25+
{{- if .Values.networkPolicy.allowExternalEgress }}
26+
egress:
27+
- {}
28+
{{- else }}
29+
egress:
30+
- ports:
31+
- port: 53
32+
protocol: UDP
33+
- port: 53
34+
protocol: TCP
35+
{{- range $port := .Values.networkPolicy.kubeAPIServerPorts }}
36+
- port: {{ $port }}
37+
{{- end }}
38+
{{- if .Values.networkPolicy.extraEgress }}
39+
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
40+
{{- end }}
41+
{{- end }}
42+
ingress:
43+
- ports:
44+
- port: {{ .Values.containerPorts.http }}
45+
{{- if not .Values.networkPolicy.allowExternal }}
46+
from:
47+
- podSelector:
48+
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
49+
- podSelector:
50+
matchLabels:
51+
{{ template "common.names.fullname" . }}-client: "true"
52+
{{- if .Values.networkPolicy.ingressNSMatchLabels }}
53+
- namespaceSelector:
54+
matchLabels:
55+
{{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
56+
{{ $key | quote }}: {{ $value | quote }}
57+
{{- end }}
58+
{{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
59+
podSelector:
60+
matchLabels:
61+
{{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
62+
{{ $key | quote }}: {{ $value | quote }}
63+
{{- end }}
64+
{{- end }}
65+
{{- end }}
66+
{{- end }}
67+
{{- end }}
68+
{{- if .Values.networkPolicy.extraIngress }}
69+
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
70+
{{- end }}
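Review bot: In the restricted egress branch (`allowExternalEgress: false`) the port-53 entries and the `kubeAPIServerPorts` entries are emitted as one `ports` list with no `to:` selector, so the policy still permits UDP/TCP 53 and TCP 443/6443/8443 to every destination, in-cluster and external; trimming `kubeAPIServerPorts` changes which ports are open, not where the pod may connect. Part of that is unavoidable for external-dns, which must reach resolvers and the DNS provider's API (usually TCP 443), but the parameter text "limit to your cluster settings to increase security" implies a destination scope this rule cannot give. I would state that next to the rule, e.g. `# NOTE: no "to:" selector - these ports are open to any destination; scope the API server and provider endpoints with extraEgress (ipBlock/namespaceSelector)`, and point the README example at that pattern. Separately, the ingress `from` entry that builds the label key `{{ fullname }}-client` should be checked against the 63-character limit on label names: a release whose fullname already sits at that limit would render a NetworkPolicy the API server rejects, unless the fullname helper reserves room for the suffix.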

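--- a/bitnami/external-dns/values.yaml
+++ b/bitnami/external-dns/values.yaml
@@ -933,6 +933,64 @@ service:
 ## timeoutSeconds: 300
 ##
 sessionAffinityConfig: {}
+## Network Policies
+## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+##
+networkPolicy:
+## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+##
+enabled: true
+## @param networkPolicy.allowExternal Don't require server label for connections
+## The Policy model to apply. When set to false, only pods with the correct
+## server label will have network access to the ports server is listening
+## on. When true, server will accept connections from any source
+## (with the correct destination port).
+##
+allowExternal: true
+## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+##
+allowExternalEgress: true
+## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
+##
+kubeAPIServerPorts: [443, 6443, 8443]
+## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
+## e.g:
+## extraIngress:
+## - ports:
+## - port: 1234
+## from:
+## - podSelector:
+## - matchLabels:
+## - role: frontend
+## - podSelector:
+## - matchExpressions:
+## - key: role
+## operator: In
+## values:
+## - frontend
+extraIngress: []
+## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+## e.g:
+## extraEgress:
+## - ports:
+## - port: 1234
+## to:
+## - podSelector:
+## - matchLabels:
+## - role: frontend
+## - podSelector:
+## - matchExpressions:
+## - key: role
+## operator: In
+## values:
+## - frontend
+##
+extraEgress: []
+## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+##
+ingressNSMatchLabels: {}
+ingressNSPodMatchLabels: {}
 ## ServiceAccount parameters
 ## https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
 ##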
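Review bot: The `extraIngress`/`extraEgress` examples do not describe a valid NetworkPolicy selector: `podSelector` is a mapping, yet as rendered here the example nests `- matchLabels:` and `- role: frontend` as list items beneath it (and `- matchExpressions:` likewise), so anyone who copies the example will render a policy the API server rejects. The example should read `- podSelector:` / `matchLabels:` / `role: frontend` with the inner lines as mapping keys, and `matchExpressions:` as a key holding the `- key: role` list. Two `@param` strings also carry defects that the README generator copies verbatim: `extraIngress` says "NetworkPolice", and `extraEgress` says "Add extra ingress rules" where it means egress. Finally, with `enabled`, `allowExternal` and `allowExternalEgress` all defaulting to `true`, the shipped policy only confines ingress to `containerPorts.http` and leaves egress wide open, which is worth saying on the parameter, e.g. `## Default true leaves egress unrestricted; set false to allow only DNS (53) and kubeAPIServerPorts`.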
