Blame - charts/loki/templates/networkpolicy.yaml - atmosphere

blob: 5052e81162b3d9e55bc78d81560251edbcafac48 [file] [log] [blame]

Giovanni Tirloni	59219b6	2024-04-09 14:50:25 -0300	[diff] [blame]	1	{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "kubernetes") }}
Mohammed Naser	8a2c8fb	2023-02-19 17:23:55 +0000	[diff] [blame]	2	---
				3	apiVersion: networking.k8s.io/v1
				4	kind: NetworkPolicy
				5	metadata:
				6	name: {{ include "loki.name" . }}-namespace-only
Giovanni Tirloni	59219b6	2024-04-09 14:50:25 -0300	[diff] [blame]	7	namespace: {{ $.Release.Namespace }}
Mohammed Naser	8a2c8fb	2023-02-19 17:23:55 +0000	[diff] [blame]	8	labels:
				9	{{- include "loki.labels" . \| nindent 4 }}
				10	spec:
				11	policyTypes:
				12	- Ingress
				13	- Egress
				14	podSelector: {}
				15	egress:
				16	- to:
				17	- podSelector: {}
				18	ingress:
				19	- from:
				20	- podSelector: {}
				21
				22	---
				23	apiVersion: networking.k8s.io/v1
				24	kind: NetworkPolicy
				25	metadata:
				26	name: {{ include "loki.name" . }}-egress-dns
Giovanni Tirloni	59219b6	2024-04-09 14:50:25 -0300	[diff] [blame]	27	namespace: {{ $.Release.Namespace }}
Mohammed Naser	8a2c8fb	2023-02-19 17:23:55 +0000	[diff] [blame]	28	labels:
				29	{{- include "loki.labels" . \| nindent 4 }}
				30	spec:
				31	policyTypes:
				32	- Egress
				33	podSelector:
				34	matchLabels:
				35	{{- include "loki.selectorLabels" . \| nindent 6 }}
				36	egress:
				37	- ports:
Giovanni Tirloni	59219b6	2024-04-09 14:50:25 -0300	[diff] [blame]	38	- port: dns
Mohammed Naser	8a2c8fb	2023-02-19 17:23:55 +0000	[diff] [blame]	39	protocol: UDP
				40	to:
				41	- namespaceSelector: {}
				42
				43	---
				44	apiVersion: networking.k8s.io/v1
				45	kind: NetworkPolicy
				46	metadata:
				47	name: {{ include "loki.name" . }}-ingress
Giovanni Tirloni	59219b6	2024-04-09 14:50:25 -0300	[diff] [blame]	48	namespace: {{ $.Release.Namespace }}
Mohammed Naser	8a2c8fb	2023-02-19 17:23:55 +0000	[diff] [blame]	49	labels:
				50	{{- include "loki.labels" . \| nindent 4 }}
				51	spec:
				52	policyTypes:
				53	- Ingress
				54	podSelector:
				55	matchExpressions:
				56	- key: app.kubernetes.io/component
				57	operator: In
				58	values:
				59	{{- if .Values.gateway.enabled }}
				60	- gateway
				61	{{- else }}
				62	- read
				63	- write
				64	{{- end }}
				65	matchLabels:
				66	{{- include "loki.selectorLabels" . \| nindent 6 }}
				67	ingress:
				68	- ports:
				69	- port: http
				70	protocol: TCP
				71	{{- if .Values.networkPolicy.ingress.namespaceSelector }}
				72	from:
				73	- namespaceSelector:
				74	{{- toYaml .Values.networkPolicy.ingress.namespaceSelector \| nindent 12 }}
				75	{{- if .Values.networkPolicy.ingress.podSelector }}
				76	podSelector:
				77	{{- toYaml .Values.networkPolicy.ingress.podSelector \| nindent 12 }}
				78	{{- end }}
				79	{{- end }}
				80
				81	---
				82	apiVersion: networking.k8s.io/v1
				83	kind: NetworkPolicy
				84	metadata:
				85	name: {{ include "loki.name" . }}-ingress-metrics
Giovanni Tirloni	59219b6	2024-04-09 14:50:25 -0300	[diff] [blame]	86	namespace: {{ $.Release.Namespace }}
Mohammed Naser	8a2c8fb	2023-02-19 17:23:55 +0000	[diff] [blame]	87	labels:
				88	{{- include "loki.labels" . \| nindent 4 }}
				89	spec:
				90	policyTypes:
				91	- Ingress
				92	podSelector:
				93	matchLabels:
				94	{{- include "loki.selectorLabels" . \| nindent 6 }}
				95	ingress:
				96	- ports:
				97	- port: http-metrics
				98	protocol: TCP
				99	{{- if .Values.networkPolicy.metrics.cidrs }}
				100	from:
				101	{{- range $cidr := .Values.networkPolicy.metrics.cidrs }}
				102	- ipBlock:
				103	cidr: {{ $cidr }}
				104	{{- end }}
				105	{{- if .Values.networkPolicy.metrics.namespaceSelector }}
				106	- namespaceSelector:
				107	{{- toYaml .Values.networkPolicy.metrics.namespaceSelector \| nindent 12 }}
				108	{{- if .Values.networkPolicy.metrics.podSelector }}
				109	podSelector:
				110	{{- toYaml .Values.networkPolicy.metrics.podSelector \| nindent 12 }}
				111	{{- end }}
				112	{{- end }}
				113	{{- end }}
				114
Mohammed Naser	8a2c8fb	2023-02-19 17:23:55 +0000	[diff] [blame]	115	---
				116	apiVersion: networking.k8s.io/v1
				117	kind: NetworkPolicy
				118	metadata:
				119	name: {{ include "loki.name" . }}-egress-alertmanager
Giovanni Tirloni	59219b6	2024-04-09 14:50:25 -0300	[diff] [blame]	120	namespace: {{ $.Release.Namespace }}
Mohammed Naser	8a2c8fb	2023-02-19 17:23:55 +0000	[diff] [blame]	121	labels:
				122	{{- include "loki.labels" . \| nindent 4 }}
				123	spec:
				124	policyTypes:
				125	- Egress
				126	podSelector:
				127	matchLabels:
Giovanni Tirloni	59219b6	2024-04-09 14:50:25 -0300	[diff] [blame]	128	{{- include "loki.backendSelectorLabels" . \| nindent 6 }}
Mohammed Naser	8a2c8fb	2023-02-19 17:23:55 +0000	[diff] [blame]	129	egress:
				130	- ports:
				131	- port: {{ .Values.networkPolicy.alertmanager.port }}
				132	protocol: TCP
				133	{{- if .Values.networkPolicy.alertmanager.namespaceSelector }}
				134	to:
				135	- namespaceSelector:
				136	{{- toYaml .Values.networkPolicy.alertmanager.namespaceSelector \| nindent 12 }}
				137	{{- if .Values.networkPolicy.alertmanager.podSelector }}
				138	podSelector:
				139	{{- toYaml .Values.networkPolicy.alertmanager.podSelector \| nindent 12 }}
				140	{{- end }}
				141	{{- end }}
Mohammed Naser	8a2c8fb	2023-02-19 17:23:55 +0000	[diff] [blame]	142
				143	{{- if .Values.networkPolicy.externalStorage.ports }}
				144	---
				145	apiVersion: networking.k8s.io/v1
				146	kind: NetworkPolicy
				147	metadata:
				148	name: {{ include "loki.name" . }}-egress-external-storage
Giovanni Tirloni	59219b6	2024-04-09 14:50:25 -0300	[diff] [blame]	149	namespace: {{ $.Release.Namespace }}
Mohammed Naser	8a2c8fb	2023-02-19 17:23:55 +0000	[diff] [blame]	150	labels:
				151	{{- include "loki.labels" . \| nindent 4 }}
				152	spec:
				153	policyTypes:
				154	- Egress
				155	podSelector:
				156	matchLabels:
				157	{{- include "loki.selectorLabels" . \| nindent 6 }}
				158	egress:
				159	- ports:
				160	{{- range $port := .Values.networkPolicy.externalStorage.ports }}
				161	- port: {{ $port }}
				162	protocol: TCP
				163	{{- end }}
				164	{{- if .Values.networkPolicy.externalStorage.cidrs }}
				165	to:
				166	{{- range $cidr := .Values.networkPolicy.externalStorage.cidrs }}
				167	- ipBlock:
				168	cidr: {{ $cidr }}
				169	{{- end }}
				170	{{- end }}
				171	{{- end }}
				172
				173	{{- end }}
				174
Giovanni Tirloni	59219b6	2024-04-09 14:50:25 -0300	[diff] [blame]	175	{{- if and .Values.networkPolicy.discovery.port (eq .Values.networkPolicy.flavor "kubernetes") }}
Mohammed Naser	8a2c8fb	2023-02-19 17:23:55 +0000	[diff] [blame]	176	---
				177	apiVersion: networking.k8s.io/v1
				178	kind: NetworkPolicy
				179	metadata:
				180	name: {{ include "loki.name" . }}-egress-discovery
Giovanni Tirloni	59219b6	2024-04-09 14:50:25 -0300	[diff] [blame]	181	namespace: {{ $.Release.Namespace }}
Mohammed Naser	8a2c8fb	2023-02-19 17:23:55 +0000	[diff] [blame]	182	labels:
				183	{{- include "loki.labels" . \| nindent 4 }}
				184	spec:
				185	policyTypes:
				186	- Egress
				187	podSelector:
				188	matchLabels:
				189	{{- include "loki.selectorLabels" . \| nindent 6 }}
				190	egress:
				191	- ports:
				192	- port: {{ .Values.networkPolicy.discovery.port }}
				193	protocol: TCP
				194	{{- if .Values.networkPolicy.discovery.namespaceSelector }}
				195	to:
				196	- namespaceSelector:
				197	{{- toYaml .Values.networkPolicy.discovery.namespaceSelector \| nindent 12 }}
				198	{{- if .Values.networkPolicy.discovery.podSelector }}
				199	podSelector:
				200	{{- toYaml .Values.networkPolicy.discovery.podSelector \| nindent 12 }}
				201	{{- end }}
				202	{{- end }}
				203	{{- end }}