
Commit cce6165

javsalgar and Bitnami Containers authored Feb 6, 2024
[bitnami/minio] feat: 🔒 Enable networkPolicy (#22920)

* [bitnami/minio] feat: 🔒 Enable networkPolicy

  Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* fix: 🐛 Add allowExternalEgress to avoid breaking istio

  Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* Update README.md with readme-generator-for-helm

  Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
1 parent 90f6e7f commit cce6165

4 files changed: +147 -63 lines changed

 

bitnami/minio/Chart.yaml (+1 -1)
@@ -34,4 +34,4 @@ maintainers:
3434
name: minio
3535
sources:
3636
- https://github.com/bitnami/charts/tree/main/bitnami/minio
37-
version: 13.3.4
37+
version: 13.4.0
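Review bot: A minor bump from 13.3.4 to 13.4.0 undersells this change: values.yaml in the same commit flips `networkPolicy.enabled` from `false` to `true`, so an in-place upgrade creates a NetworkPolicy with `policyTypes` Ingress and Egress that the release did not have before. The defaults `allowExternal: true` and `allowExternalEgress: true` keep it permissive, so existing traffic should survive, but on a cluster whose CNI enforces NetworkPolicy any operator who later sets `allowExternalEgress=false` gets only the restricted egress set in the template below. Add an entry to the README upgrade notes stating the new default and the opt-out (`--set networkPolicy.enabled=false`), or make this a major bump.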

bitnami/minio/README.md (+51 -47)
@@ -218,53 +218,57 @@ The command removes all the Kubernetes components associated with the chart and
218218

219219
### Traffic exposure parameters
220220

221-
| Name | Description | Value |
222-
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
223-
| `service.type` | MinIO&reg; service type | `ClusterIP` |
224-
| `service.ports.api` | MinIO&reg; API service port | `9000` |
225-
| `service.ports.console` | MinIO&reg; Console service port | `9001` |
226-
| `service.nodePorts.api` | Specify the MinIO&reg API nodePort value for the LoadBalancer and NodePort service types | `""` |
227-
| `service.nodePorts.console` | Specify the MinIO&reg Console nodePort value for the LoadBalancer and NodePort service types | `""` |
228-
| `service.clusterIP` | Service Cluster IP | `""` |
229-
| `service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` (optional, cloud specific) | `""` |
230-
| `service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` |
231-
| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
232-
| `service.extraPorts` | Extra ports to expose in the service (normally used with the `sidecar` value) | `[]` |
233-
| `service.annotations` | Annotations for MinIO&reg; service | `{}` |
234-
| `service.headless.annotations` | Annotations for the headless service. | `{}` |
235-
| `ingress.enabled` | Enable ingress controller resource for MinIO Console | `false` |
236-
| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
237-
| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
238-
| `ingress.hostname` | Default host for the ingress resource | `minio.local` |
239-
| `ingress.path` | The Path to MinIO&reg;. You may need to set this to '/*' in order to use this with ALB ingress controllers. | `/` |
240-
| `ingress.pathType` | Ingress path type | `ImplementationSpecific` |
241-
| `ingress.servicePort` | Service port to be used | `minio-console` |
242-
| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
243-
| `ingress.tls` | Enable TLS configuration for the hostname defined at `ingress.hostname` parameter | `false` |
244-
| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
245-
| `ingress.extraHosts` | The list of additional hostnames to be covered with this ingress record. | `[]` |
246-
| `ingress.extraPaths` | Any additional paths that may need to be added to the ingress under the main host | `[]` |
247-
| `ingress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. | `[]` |
248-
| `ingress.secrets` | If you're providing your own certificates, please use this to add the certificates as secrets | `[]` |
249-
| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
250-
| `apiIngress.enabled` | Enable ingress controller resource for MinIO API | `false` |
251-
| `apiIngress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
252-
| `apiIngress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
253-
| `apiIngress.hostname` | Default host for the ingress resource | `minio.local` |
254-
| `apiIngress.path` | The Path to MinIO&reg;. You may need to set this to '/*' in order to use this with ALB ingress controllers. | `/` |
255-
| `apiIngress.pathType` | Ingress path type | `ImplementationSpecific` |
256-
| `apiIngress.servicePort` | Service port to be used | `minio-api` |
257-
| `apiIngress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
258-
| `apiIngress.tls` | Enable TLS configuration for the hostname defined at `apiIngress.hostname` parameter | `false` |
259-
| `apiIngress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
260-
| `apiIngress.extraHosts` | The list of additional hostnames to be covered with this ingress record. | `[]` |
261-
| `apiIngress.extraPaths` | Any additional paths that may need to be added to the ingress under the main host | `[]` |
262-
| `apiIngress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. | `[]` |
263-
| `apiIngress.secrets` | If you're providing your own certificates, please use this to add the certificates as secrets | `[]` |
264-
| `apiIngress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
265-
| `networkPolicy.enabled` | Enable the default NetworkPolicy policy | `false` |
266-
| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
267-
| `networkPolicy.extraFromClauses` | Allows to add extra 'from' clauses to the NetworkPolicy | `[]` |
221+
| Name | Description | Value |
222+
| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
223+
| `service.type` | MinIO&reg; service type | `ClusterIP` |
224+
| `service.ports.api` | MinIO&reg; API service port | `9000` |
225+
| `service.ports.console` | MinIO&reg; Console service port | `9001` |
226+
| `service.nodePorts.api` | Specify the MinIO&reg API nodePort value for the LoadBalancer and NodePort service types | `""` |
227+
| `service.nodePorts.console` | Specify the MinIO&reg Console nodePort value for the LoadBalancer and NodePort service types | `""` |
228+
| `service.clusterIP` | Service Cluster IP | `""` |
229+
| `service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` (optional, cloud specific) | `""` |
230+
| `service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` |
231+
| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
232+
| `service.extraPorts` | Extra ports to expose in the service (normally used with the `sidecar` value) | `[]` |
233+
| `service.annotations` | Annotations for MinIO&reg; service | `{}` |
234+
| `service.headless.annotations` | Annotations for the headless service. | `{}` |
235+
| `ingress.enabled` | Enable ingress controller resource for MinIO Console | `false` |
236+
| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
237+
| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
238+
| `ingress.hostname` | Default host for the ingress resource | `minio.local` |
239+
| `ingress.path` | The Path to MinIO&reg;. You may need to set this to '/*' in order to use this with ALB ingress controllers. | `/` |
240+
| `ingress.pathType` | Ingress path type | `ImplementationSpecific` |
241+
| `ingress.servicePort` | Service port to be used | `minio-console` |
242+
| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
243+
| `ingress.tls` | Enable TLS configuration for the hostname defined at `ingress.hostname` parameter | `false` |
244+
| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
245+
| `ingress.extraHosts` | The list of additional hostnames to be covered with this ingress record. | `[]` |
246+
| `ingress.extraPaths` | Any additional paths that may need to be added to the ingress under the main host | `[]` |
247+
| `ingress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. | `[]` |
248+
| `ingress.secrets` | If you're providing your own certificates, please use this to add the certificates as secrets | `[]` |
249+
| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
250+
| `apiIngress.enabled` | Enable ingress controller resource for MinIO API | `false` |
251+
| `apiIngress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
252+
| `apiIngress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
253+
| `apiIngress.hostname` | Default host for the ingress resource | `minio.local` |
254+
| `apiIngress.path` | The Path to MinIO&reg;. You may need to set this to '/*' in order to use this with ALB ingress controllers. | `/` |
255+
| `apiIngress.pathType` | Ingress path type | `ImplementationSpecific` |
256+
| `apiIngress.servicePort` | Service port to be used | `minio-api` |
257+
| `apiIngress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
258+
| `apiIngress.tls` | Enable TLS configuration for the hostname defined at `apiIngress.hostname` parameter | `false` |
259+
| `apiIngress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
260+
| `apiIngress.extraHosts` | The list of additional hostnames to be covered with this ingress record. | `[]` |
261+
| `apiIngress.extraPaths` | Any additional paths that may need to be added to the ingress under the main host | `[]` |
262+
| `apiIngress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. | `[]` |
263+
| `apiIngress.secrets` | If you're providing your own certificates, please use this to add the certificates as secrets | `[]` |
264+
| `apiIngress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
265+
| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
266+
| `networkPolicy.allowExternal` | The Policy model to apply | `true` |
267+
| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
268+
| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
269+
| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
270+
| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
271+
| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
268272

269273
### Persistence parameters
270274
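Review bot: The description of `networkPolicy.extraEgress` reads "Add extra ingress rules to the NetworkPolicy"; it should say egress (the table is generated from the `@param` comment in values.yaml, so fix it there). `networkPolicy.allowExternal` also loses its only useful description, "Don't require client label for connections", in favour of "The Policy model to apply", which tells an operator nothing about what the flag does; keep wording that says the `<fullname>-client: "true"` label is required only when this is `false`. Finally, `networkPolicy.extraFromClauses` vanishes from the table while the template still honours it through `coalesce`; list it as deprecated in favour of `networkPolicy.extraIngress` rather than dropping it silently.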

bitnami/minio/templates/networkpolicy.yaml (+46 -2)
@@ -17,6 +17,31 @@ spec:
1717
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
1818
podSelector:
1919
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
20+
policyTypes:
21+
- Ingress
22+
- Egress
23+
{{- if .Values.networkPolicy.allowExternalEgress }}
24+
egress:
25+
- {}
26+
{{- else }}
27+
egress:
28+
# Allow dns resolution
29+
- ports:
30+
- port: 53
31+
protocol: UDP
32+
# Allow outbound connections to other cluster pods
33+
- ports:
34+
- port: {{ .Values.containerPorts.api }}
35+
- port: {{ .Values.containerPorts.console }}
36+
- port: {{ .Values.service.ports.api }}
37+
- port: {{ .Values.service.ports.console }}
38+
to:
39+
- podSelector:
40+
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
41+
{{- if .Values.networkPolicy.extraEgress }}
42+
{{- include "common.tplvalues.render" ( dict "value" .Values.dataCoord.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
43+
{{- end }}
44+
{{- end }}
2045
ingress:
2146
# Allow inbound connections
2247
- ports:
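Review bot: Line 42 reads `.Values.dataCoord.networkPolicy.extraEgress`, but this chart defines no `dataCoord` value (the key looks copied from another chart), so with `allowExternalEgress=false` and any `extraEgress` set, rendering fails on a nil `dataCoord` instead of emitting the rules, which is precisely the configuration in which an operator needs extra egress. It should be `.Values.networkPolicy.extraEgress`. Two smaller points in the same restricted-egress branch: the DNS rule allows only `port: 53` with `protocol: UDP`, so resolvers that retry over TCP for truncated responses will be blocked, add a matching TCP entry; and the second rule lists both container ports and Service ports but its `to` selector matches only this chart's own pods, so a restricted-egress MinIO can reach nothing except its peers and DNS. That is a reasonable default for a standalone deployment, but say so in a comment or the README so that anyone relying on outbound connections knows to supply `extraEgress`.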
@@ -29,8 +54,27 @@ spec:
2954
{{ include "common.names.fullname" . }}-client: "true"
3055
- podSelector:
3156
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
32-
{{- if .Values.networkPolicy.extraFromClauses }}
33-
{{- toYaml .Values.networkPolicy.extraFromClauses | nindent 8 }}
57+
{{- if or .Values.networkPolicy.ingressNSMatchLabels .Values.networkPolicy.ingressNSPodMatchLabels }}
58+
- namespaceSelector:
59+
matchLabels:
60+
{{- if .Values.networkPolicy.ingressNSMatchLabels }}
61+
{{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
62+
{{ $key | quote }}: {{ $value | quote }}
63+
{{- end }}
64+
{{ else }}
65+
{}
66+
{{- end }}
67+
{{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
68+
podSelector:
69+
matchLabels:
70+
{{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
71+
{{ $key | quote }}: {{ $value | quote }}
72+
{{- end }}
73+
{{- end }}
74+
{{- end }}
75+
{{- $extraIngress := coalesce .Values.networkPolicy.extraIngress .Values.networkPolicy.extraFromClauses }}
76+
{{- if $extraIngress }}
77+
{{- toYaml $extraIngress | nindent 8 }}
3478
{{- end }}
3579
{{- end }}
3680
{{- end }}
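Review bot: The `namespaceSelector` branch on lines 58-66 emits `matchLabels:` followed by `{}` whenever `ingressNSMatchLabels` is empty but `ingressNSPodMatchLabels` is set, and an empty `matchLabels` selects every namespace, so that combination admits pods with the given labels from all namespaces. If that is intended, a comment should say so, because the value names suggest a per-namespace grant. Note also that the `{{ else }}` on line 64 lacks the trimming dash used everywhere else in the file and leaves a stray blank line in the output. For consistency, `extraIngress` is emitted with `toYaml` on line 77 while `extraEgress` in the hunk above goes through `common.tplvalues.render`, so templated values work in one but not the other; use `common.tplvalues.render` for both. The `coalesce` with `extraFromClauses` on line 75 is a good compatibility shim; keep it, but document the deprecation.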

bitnami/minio/values.yaml (+49 -13)
@@ -935,24 +935,60 @@ apiIngress:
935935
## name: http
936936
##
937937
extraRules: []
938-
## NetworkPolicy parameters
938+
## Network Policy configuration
939+
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
939940
##
940941
networkPolicy:
941-
## @param networkPolicy.enabled Enable the default NetworkPolicy policy
942+
## @param networkPolicy.enabled Enable creation of NetworkPolicy resources
942943
##
943-
enabled: false
944-
## @param networkPolicy.allowExternal Don't require client label for connections
945-
## When set to false, only pods with the correct client label will have network access to the port MinIO&reg; is
946-
## listening on. When true, MinIO&reg; will accept connections from any source (with the correct destination port).
944+
enabled: true
945+
## @param networkPolicy.allowExternal The Policy model to apply
946+
## When set to false, only pods with the correct client label will have network access to the ports Keycloak is
947+
## listening on. When true, Keycloak will accept connections from any source (with the correct destination port).
947948
##
948949
allowExternal: true
949-
## @param networkPolicy.extraFromClauses Allows to add extra 'from' clauses to the NetworkPolicy
950-
extraFromClauses: []
951-
## Example
952-
## extraFromClauses:
953-
## - podSelector:
954-
## matchLabels:
955-
## a: b
950+
## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
951+
##
952+
allowExternalEgress: true
953+
## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
954+
## e.g:
955+
## extraIngress:
956+
## - ports:
957+
## - port: 1234
958+
## from:
959+
## - podSelector:
960+
## - matchLabels:
961+
## - role: frontend
962+
## - podSelector:
963+
## - matchExpressions:
964+
## - key: role
965+
## operator: In
966+
## values:
967+
## - frontend
968+
##
969+
extraIngress: []
970+
## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
971+
## e.g:
972+
## extraEgress:
973+
## - ports:
974+
## - port: 1234
975+
## to:
976+
## - podSelector:
977+
## - matchLabels:
978+
## - role: frontend
979+
## - podSelector:
980+
## - matchExpressions:
981+
## - key: role
982+
## operator: In
983+
## values:
984+
## - frontend
985+
##
986+
extraEgress: []
987+
## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
988+
## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
989+
##
990+
ingressNSMatchLabels: {}
991+
ingressNSPodMatchLabels: {}
956992

957993
## @section Persistence parameters
958994
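Review bot: The comment for `networkPolicy.allowExternal` on lines 946-947 refers to Keycloak twice; this is the MinIO chart, and since `readme-generator-for-helm` copies `@param` text into the README, the wrong product name also leaks into the parameter table (the replaced wording correctly said MinIO&reg;). The `@param` for `networkPolicy.extraEgress` on line 970 says "extra ingress rules" and should say egress. The example YAML under both `extraIngress` and `extraEgress` is malformed: `podSelector`, `matchLabels` and `role: frontend` are written as nested list items (`- podSelector:` / `- matchLabels:` / `- role: frontend`), which is not a valid `LabelSelector`, so an operator who copies it gets a rejected NetworkPolicy; write them as maps (`- podSelector:` with `matchLabels:` and `role: frontend` beneath it). Lastly, `enabled` changes from `false` to `true` on line 944 with no mention in the README upgrade notes; call it out there.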
