Feature: Network policies #76

Open
opened 2024-08-14 14:53:30 +00:00 by unicode-it · 1 comment
unicode-it commented 2024-08-14 14:53:30 +00:00 (Migrated from github.com)

It would be great to have an option to also generate network policies automatically. A plausible default would be to limit access to exposed ports to all pods/services only to resources of the same application via the existent labels. This restricts all foreign traffic to use the ingress if configured.
It could be an extra label to provide a network policy for the given service.

Something like this:

```
{{- if .Values.db.networkPolicy.enabled -}}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  annotations:
    katenary.v3/compose-hash: f7e37491abe3220deeb5961e7dd0075983ee7cb0
    katenary.v3/version: develop-4367a01
  labels:
    {{- include "mosparo.labels" . | nindent 4 }}
    katenary.v3/component: db
  name: '{{ include "mosparo.fullname" . }}-db'
spec:
  podSelector:
    matchLabels:
      {{- include "mosparo.selectorLabels" . | nindent 6 }}
      katenary.v3/component: db
  ingress:
  - from:
    - podSelector:
        matchLabels:
          {{- include "mosparo.selectorLabels" . | nindent 10 }}
    ports:
    - protocol: TCP
      port: 3306
  policyTypes:
    - Ingress

# vim: ft=helm.gotmpl.yaml
{{- end }}
```
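The default proposed above (ingress to a service's exposed ports only from pods of the same application, opted in per service through a compose label), worked through as an added example; this is not Katenary's own code and not part of the issue. It assumes a hypothetical opt-in label `katenary.v3/network-policy`, the standard Helm scaffold selector keys `app.kubernetes.io/name` and `app.kubernetes.io/instance`, and compose services already parsed into dicts. As an extension beyond the sketch, it can also admit an ingress controller's namespace, because a from-selector limited to same-app pods would otherwise block an ingress controller running outside the application's namespace.

```python
import json

# Hypothetical opt-in compose label; the issue asks for "an extra label" but
# does not name it, so this name is an assumption.
NETPOL_LABEL = "katenary.v3/network-policy"
COMPONENT_LABEL = "katenary.v3/component"  # label used in the issue's sketch


def exposed_ports(service):
    """Return (protocol, container_port) pairs for a compose service.

    Accepts short syntax ("3306:3306", "8080", "5353:5353/udp", 6379) and
    long syntax ({"target": 3306, "published": 3306, "protocol": "tcp"}).
    """
    pairs = []
    for entry in service.get("ports", []):
        if isinstance(entry, dict):
            pairs.append((entry.get("protocol", "tcp").upper(), int(entry["target"])))
            continue
        spec, _, proto = str(entry).partition("/")
        container = spec.split(":")[-1]  # [IP:]HOST:CONTAINER or CONTAINER
        pairs.append(((proto or "tcp").upper(), int(container)))
    return pairs


def selector_labels(app):
    """Pod selector labels for the application (assumed Helm scaffold keys)."""
    return {"app.kubernetes.io/name": app, "app.kubernetes.io/instance": app}


def network_policy(app, component, service, ingress_controller_ns=None):
    """Build the NetworkPolicy for one compose service, or None when not opted in.

    Ingress is allowed only from pods carrying the application's selector labels,
    and only on the ports compose exposes. Optionally (an extension beyond the
    issue's sketch) also from any namespace whose labels match
    ingress_controller_ns, so an out-of-namespace ingress controller still works.
    """
    labels = service.get("labels", {})
    if str(labels.get(NETPOL_LABEL, "false")).lower() != "true":
        return None

    from_peers = [{"podSelector": {"matchLabels": selector_labels(app)}}]
    if ingress_controller_ns:
        from_peers.append({"namespaceSelector": {"matchLabels": ingress_controller_ns}})

    rule = {"from": from_peers}
    ports = exposed_ports(service)
    if ports:  # omitting 'ports' would allow every port from the listed peers
        rule["ports"] = [{"protocol": proto, "port": port} for proto, port in ports]

    pod_labels = {**selector_labels(app), COMPONENT_LABEL: component}
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{app}-{component}", "labels": pod_labels},
        "spec": {
            "podSelector": {"matchLabels": pod_labels},
            "policyTypes": ["Ingress"],
            "ingress": [rule],
        },
    }


def render_all(app, services, ingress_controller_ns=None):
    """Return {component: policy} for every opted-in service."""
    out = {}
    for name, svc in services.items():
        pol = network_policy(app, name, svc, ingress_controller_ns)
        if pol is not None:
            out[name] = pol
    return out


# Constructed compose services for the demonstration, not from any real project.
COMPOSE_SERVICES = {
    "db": {"image": "mariadb", "ports": ["3306:3306"], "labels": {NETPOL_LABEL: "true"}},
    "dns": {
        "image": "coredns",
        "ports": ["5353:5353/udp", {"target": 53, "protocol": "tcp"}],
        "labels": {NETPOL_LABEL: "true"},
    },
    "cache": {"image": "redis", "ports": [6379]},  # not opted in, so no policy
}


if __name__ == "__main__":
    # kubectl accepts JSON manifests, so no YAML library is needed offline.
    for pol in render_all("mosparo", COMPOSE_SERVICES).values():
        print(json.dumps(pol, indent=2))
```

Because `policyTypes` lists only `Ingress`, every pod selected by the policy drops all inbound traffic that no rule admits; traffic from pods of the same application on the exposed ports is the only thing allowed unless the ingress controller namespace is passed in. Egress is untouched, so the policy never interferes with the service reaching out to other components.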


I really like the idea. I set it up for the 3.0.1 release. I need to fix up the master branch with the newest features and I will adapt to integrate the network policies.

Reference: Katenary/katenary#76