Gitiles
Code Review Sign In
review.vexxhost.dev / atmosphere / refs/heads/main / . / charts / loki / templates / ciliumnetworkpolicy.yaml
blob: fbd2619d807b254a6f9297745eec99118d7c0e94 [file] [log] [blame] [edit]
{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "cilium") }}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ include "loki.name" . }}-namespace-only
namespace: {{ $.Release.Namespace }}
labels:
{{- include "loki.labels" . | nindent 4 }}
spec:
endpointSelector: {}
egress:
- toEndpoints:
- {}
ingress:
- fromEndpoints:
- {}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ include "loki.name" . }}-egress-dns
namespace: {{ $.Release.Namespace }}
labels:
{{- include "loki.labels" . | nindent 4 }}
spec:
endpointSelector:
matchLabels:
{{- include "loki.selectorLabels" . | nindent 6 }}
egress:
- toPorts:
- ports:
- port: dns
protocol: UDP
toEndpoints:
- namespaceSelector: {}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ include "loki.name" . }}-ingress
namespace: {{ $.Release.Namespace }}
labels:
{{- include "loki.labels" . | nindent 4 }}
spec:
endpointSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
{{- if .Values.gateway.enabled }}
- gateway
{{- else }}
- read
- write
{{- end }}
matchLabels:
{{- include "loki.selectorLabels" . | nindent 6 }}
ingress:
- toPorts:
- ports:
- port: http
protocol: TCP
{{- if .Values.networkPolicy.ingress.namespaceSelector }}
fromEndpoints:
- matchLabels:
{{- toYaml .Values.networkPolicy.ingress.namespaceSelector | nindent 8 }}
{{- if .Values.networkPolicy.ingress.podSelector }}
{{- toYaml .Values.networkPolicy.ingress.podSelector | nindent 8 }}
{{- end }}
{{- end }}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ include "loki.name" . }}-ingress-metrics
namespace: {{ $.Release.Namespace }}
labels:
{{- include "loki.labels" . | nindent 4 }}
spec:
endpointSelector:
matchLabels:
{{- include "loki.selectorLabels" . | nindent 6 }}
ingress:
- toPorts:
- ports:
- port: http-metrics
protocol: TCP
{{- if .Values.networkPolicy.metrics.cidrs }}
{{- range $cidr := .Values.networkPolicy.metrics.cidrs }}
toCIDR:
- {{ $cidr }}
{{- end }}
{{- if .Values.networkPolicy.metrics.namespaceSelector }}
fromEndpoints:
- matchLabels:
{{- toYaml .Values.networkPolicy.metrics.namespaceSelector | nindent 8 }}
{{- if .Values.networkPolicy.metrics.podSelector }}
{{- toYaml .Values.networkPolicy.metrics.podSelector | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ include "loki.name" . }}-egress-alertmanager
namespace: {{ $.Release.Namespace }}
labels:
{{- include "loki.labels" . | nindent 4 }}
spec:
endpointSelector:
matchLabels:
{{- include "loki.backendSelectorLabels" . | nindent 6 }}
egress:
- toPorts:
- ports:
- port: "{{ .Values.networkPolicy.alertmanager.port }}"
protocol: TCP
{{- if .Values.networkPolicy.alertmanager.namespaceSelector }}
toEndpoints:
- matchLabels:
{{- toYaml .Values.networkPolicy.alertmanager.namespaceSelector | nindent 8 }}
{{- if .Values.networkPolicy.alertmanager.podSelector }}
{{- toYaml .Values.networkPolicy.alertmanager.podSelector | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.networkPolicy.externalStorage.ports }}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ include "loki.name" . }}-egress-external-storage
namespace: {{ $.Release.Namespace }}
labels:
{{- include "loki.labels" . | nindent 4 }}
spec:
endpointSelector:
matchLabels:
{{- include "loki.selectorLabels" . | nindent 6 }}
egress:
- toPorts:
- ports:
{{- range $port := .Values.networkPolicy.externalStorage.ports }}
- port: "{{ $port }}"
protocol: TCP
{{- end }}
{{- if .Values.networkPolicy.externalStorage.cidrs }}
{{- range $cidr := .Values.networkPolicy.externalStorage.cidrs }}
toCIDR:
- {{ $cidr }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.networkPolicy.egressWorld.enabled }}
{{- $global := . }}
{{- $componentsList := list "read" "write" "backend" }}
{{- if .Values.tableManager.enabled }}
{{- $componentsList = append $componentsList "table-manager" }}
{{- end }}
{{- range $component := $componentsList }}
{{- with $global }}
---
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: {{ include "loki.name" . }}-{{ $component }}-world-egress
namespace: {{ .Release.Namespace }}
spec:
endpointSelector:
matchLabels:
{{- if eq $component "read" }}
{{- include "loki.readSelectorLabels" . | nindent 6 }}
{{- else if eq $component "write" }}
{{- include "loki.writeSelectorLabels" . | nindent 6 }}
{{- else if eq $component "table-manager" }}
{{- include "loki.tableManagerSelectorLabels" . | nindent 6 }}
{{- else }}
{{- include "loki.backendSelectorLabels" . | nindent 6 }}
{{- end }}
egress:
- toEntities:
- world
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.networkPolicy.egressKubeApiserver.enabled }}
---
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: {{ include "loki.name" . }}-backend-kubeapiserver-egress
namespace: {{ .Release.Namespace }}
spec:
endpointSelector:
matchLabels:
{{- include "loki.backendSelectorLabels" . | nindent 6 }}
egress:
- toEntities:
- kube-apiserver
{{- end }}
{{- end }}
{{- if and .Values.networkPolicy.discovery.port (eq .Values.networkPolicy.flavor "cilium") }}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ include "loki.name" . }}-egress-discovery
namespace: {{ $.Release.Namespace }}
labels:
{{- include "loki.labels" . | nindent 4 }}
spec:
endpointSelector:
matchLabels:
{{- include "loki.selectorLabels" . | nindent 6 }}
egress:
- toPorts:
- ports:
- port: "{{ .Values.networkPolicy.discovery.port }}"
protocol: TCP
{{- if .Values.networkPolicy.discovery.namespaceSelector }}
toEndpoints:
- matchLabels:
{{- toYaml .Values.networkPolicy.discovery.namespaceSelector | nindent 8 }}
{{- if .Values.networkPolicy.discovery.podSelector }}
{{- toYaml .Values.networkPolicy.discovery.podSelector | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}