Blame - charts/loki/templates/ciliumnetworkpolicy.yaml - atmosphere

blob: fbd2619d807b254a6f9297745eec99118d7c0e94 [file] [log] [blame]

Giovanni Tirloni	59219b6	2024-04-09 14:50:25 -0300	[diff] [blame]	1	{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "cilium") }}
				2	---
				3	apiVersion: cilium.io/v2
				4	kind: CiliumNetworkPolicy
				5	metadata:
				6	name: {{ include "loki.name" . }}-namespace-only
				7	namespace: {{ $.Release.Namespace }}
				8	labels:
				9	{{- include "loki.labels" . \| nindent 4 }}
				10	spec:
				11	endpointSelector: {}
				12	egress:
				13	- toEndpoints:
				14	- {}
				15	ingress:
				16	- fromEndpoints:
				17	- {}
				18
				19	---
				20	apiVersion: cilium.io/v2
				21	kind: CiliumNetworkPolicy
				22	metadata:
				23	name: {{ include "loki.name" . }}-egress-dns
				24	namespace: {{ $.Release.Namespace }}
				25	labels:
				26	{{- include "loki.labels" . \| nindent 4 }}
				27	spec:
				28	endpointSelector:
				29	matchLabels:
				30	{{- include "loki.selectorLabels" . \| nindent 6 }}
				31	egress:
				32	- toPorts:
				33	- ports:
				34	- port: dns
				35	protocol: UDP
				36	toEndpoints:
				37	- namespaceSelector: {}
				38
				39	---
				40	apiVersion: cilium.io/v2
				41	kind: CiliumNetworkPolicy
				42	metadata:
				43	name: {{ include "loki.name" . }}-ingress
				44	namespace: {{ $.Release.Namespace }}
				45	labels:
				46	{{- include "loki.labels" . \| nindent 4 }}
				47	spec:
				48	endpointSelector:
				49	matchExpressions:
				50	- key: app.kubernetes.io/component
				51	operator: In
				52	values:
				53	{{- if .Values.gateway.enabled }}
				54	- gateway
				55	{{- else }}
				56	- read
				57	- write
				58	{{- end }}
				59	matchLabels:
				60	{{- include "loki.selectorLabels" . \| nindent 6 }}
				61	ingress:
				62	- toPorts:
				63	- ports:
				64	- port: http
				65	protocol: TCP
				66	{{- if .Values.networkPolicy.ingress.namespaceSelector }}
				67	fromEndpoints:
				68	- matchLabels:
				69	{{- toYaml .Values.networkPolicy.ingress.namespaceSelector \| nindent 8 }}
				70	{{- if .Values.networkPolicy.ingress.podSelector }}
				71	{{- toYaml .Values.networkPolicy.ingress.podSelector \| nindent 8 }}
				72	{{- end }}
				73	{{- end }}
				74
				75	---
				76	apiVersion: cilium.io/v2
				77	kind: CiliumNetworkPolicy
				78	metadata:
				79	name: {{ include "loki.name" . }}-ingress-metrics
				80	namespace: {{ $.Release.Namespace }}
				81	labels:
				82	{{- include "loki.labels" . \| nindent 4 }}
				83	spec:
				84	endpointSelector:
				85	matchLabels:
				86	{{- include "loki.selectorLabels" . \| nindent 6 }}
				87	ingress:
				88	- toPorts:
				89	- ports:
				90	- port: http-metrics
				91	protocol: TCP
				92	{{- if .Values.networkPolicy.metrics.cidrs }}
				93	{{- range $cidr := .Values.networkPolicy.metrics.cidrs }}
				94	toCIDR:
				95	- {{ $cidr }}
				96	{{- end }}
				97	{{- if .Values.networkPolicy.metrics.namespaceSelector }}
				98	fromEndpoints:
				99	- matchLabels:
				100	{{- toYaml .Values.networkPolicy.metrics.namespaceSelector \| nindent 8 }}
				101	{{- if .Values.networkPolicy.metrics.podSelector }}
				102	{{- toYaml .Values.networkPolicy.metrics.podSelector \| nindent 8 }}
				103	{{- end }}
				104	{{- end }}
				105	{{- end }}
				106
				107	---
				108	apiVersion: cilium.io/v2
				109	kind: CiliumNetworkPolicy
				110	metadata:
				111	name: {{ include "loki.name" . }}-egress-alertmanager
				112	namespace: {{ $.Release.Namespace }}
				113	labels:
				114	{{- include "loki.labels" . \| nindent 4 }}
				115	spec:
				116	endpointSelector:
				117	matchLabels:
				118	{{- include "loki.backendSelectorLabels" . \| nindent 6 }}
				119	egress:
				120	- toPorts:
				121	- ports:
				122	- port: "{{ .Values.networkPolicy.alertmanager.port }}"
				123	protocol: TCP
				124	{{- if .Values.networkPolicy.alertmanager.namespaceSelector }}
				125	toEndpoints:
				126	- matchLabels:
				127	{{- toYaml .Values.networkPolicy.alertmanager.namespaceSelector \| nindent 8 }}
				128	{{- if .Values.networkPolicy.alertmanager.podSelector }}
				129	{{- toYaml .Values.networkPolicy.alertmanager.podSelector \| nindent 8 }}
				130	{{- end }}
				131	{{- end }}
				132
				133	{{- if .Values.networkPolicy.externalStorage.ports }}
				134	---
				135	apiVersion: cilium.io/v2
				136	kind: CiliumNetworkPolicy
				137	metadata:
				138	name: {{ include "loki.name" . }}-egress-external-storage
				139	namespace: {{ $.Release.Namespace }}
				140	labels:
				141	{{- include "loki.labels" . \| nindent 4 }}
				142	spec:
				143	endpointSelector:
				144	matchLabels:
				145	{{- include "loki.selectorLabels" . \| nindent 6 }}
				146	egress:
				147	- toPorts:
				148	- ports:
				149	{{- range $port := .Values.networkPolicy.externalStorage.ports }}
				150	- port: "{{ $port }}"
				151	protocol: TCP
				152	{{- end }}
				153	{{- if .Values.networkPolicy.externalStorage.cidrs }}
				154	{{- range $cidr := .Values.networkPolicy.externalStorage.cidrs }}
				155	toCIDR:
				156	- {{ $cidr }}
				157	{{- end }}
				158	{{- end }}
				159	{{- end }}
				160
				161	{{- if .Values.networkPolicy.egressWorld.enabled }}
				162	{{- $global := . }}
				163	{{- $componentsList := list "read" "write" "backend" }}
				164	{{- if .Values.tableManager.enabled }}
				165	{{- $componentsList = append $componentsList "table-manager" }}
				166	{{- end }}
				167	{{- range $component := $componentsList }}
				168	{{- with $global }}
				169	---
				170	apiVersion: "cilium.io/v2"
				171	kind: CiliumNetworkPolicy
				172	metadata:
				173	name: {{ include "loki.name" . }}-{{ $component }}-world-egress
				174	namespace: {{ .Release.Namespace }}
				175	spec:
				176	endpointSelector:
				177	matchLabels:
				178	{{- if eq $component "read" }}
				179	{{- include "loki.readSelectorLabels" . \| nindent 6 }}
				180	{{- else if eq $component "write" }}
				181	{{- include "loki.writeSelectorLabels" . \| nindent 6 }}
				182	{{- else if eq $component "table-manager" }}
				183	{{- include "loki.tableManagerSelectorLabels" . \| nindent 6 }}
				184	{{- else }}
				185	{{- include "loki.backendSelectorLabels" . \| nindent 6 }}
				186	{{- end }}
				187	egress:
				188	- toEntities:
				189	- world
				190	{{- end }}
				191	{{- end }}
				192	{{- end }}
				193
				194	{{- if .Values.networkPolicy.egressKubeApiserver.enabled }}
				195	---
				196	apiVersion: "cilium.io/v2"
				197	kind: CiliumNetworkPolicy
				198	metadata:
				199	name: {{ include "loki.name" . }}-backend-kubeapiserver-egress
				200	namespace: {{ .Release.Namespace }}
				201	spec:
				202	endpointSelector:
				203	matchLabels:
				204	{{- include "loki.backendSelectorLabels" . \| nindent 6 }}
				205	egress:
				206	- toEntities:
				207	- kube-apiserver
				208	{{- end }}
				209
				210	{{- end }}
				211
				212	{{- if and .Values.networkPolicy.discovery.port (eq .Values.networkPolicy.flavor "cilium") }}
				213	---
				214	apiVersion: cilium.io/v2
				215	kind: CiliumNetworkPolicy
				216	metadata:
				217	name: {{ include "loki.name" . }}-egress-discovery
				218	namespace: {{ $.Release.Namespace }}
				219	labels:
				220	{{- include "loki.labels" . \| nindent 4 }}
				221	spec:
				222	endpointSelector:
				223	matchLabels:
				224	{{- include "loki.selectorLabels" . \| nindent 6 }}
				225	egress:
				226	- toPorts:
				227	- ports:
				228	- port: "{{ .Values.networkPolicy.discovery.port }}"
				229	protocol: TCP
				230	{{- if .Values.networkPolicy.discovery.namespaceSelector }}
				231	toEndpoints:
				232	- matchLabels:
				233	{{- toYaml .Values.networkPolicy.discovery.namespaceSelector \| nindent 8 }}
				234	{{- if .Values.networkPolicy.discovery.podSelector }}
				235	{{- toYaml .Values.networkPolicy.discovery.podSelector \| nindent 8 }}
				236	{{- end }}
				237	{{- end }}
				238	{{- end }}