image-renderer-network-policy.yaml 2.37 KB
{{- if and .Values.imageRenderer.enabled .Values.imageRenderer.networkPolicy.limitIngress }}
---
# Ingress policy for the image-renderer pods. Rendered only when the renderer
# is enabled and networkPolicy.limitIngress is set; once present, the selected
# pods accept ingress solely from the peers listed under spec.ingress below.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "grafana.fullname" . }}-image-renderer-ingress
  namespace: {{ include "grafana.namespace" . }}
  annotations:
    comment: Limit image-renderer ingress traffic from grafana
spec:
  # Selects the image-renderer pods: the chart's renderer selector labels plus
  # any user-supplied imageRenderer.podLabels, both rendered at this indent.
  podSelector:
    matchLabels:
      {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }}
      {{- with .Values.imageRenderer.podLabels }}
      {{- toYaml . | nindent 6 }}
      {{- end }}

  # Only ingress is restricted by this document; egress is covered by the
  # second document in this file when networkPolicy.limitEgress is set.
  policyTypes:
    - Ingress
  ingress:
    # Single rule: the renderer's service targetPort over TCP ...
    - ports:
        - port: {{ .Values.imageRenderer.service.targetPort }}
          protocol: TCP
      # ... from grafana pods in the release namespace. namespaceSelector and
      # podSelector inside one peer entry are ANDed, so a matching pod must
      # also live in the rendered grafana.namespace.
      from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: {{ include "grafana.namespace" . }}
          podSelector:
            matchLabels:
              {{- include "grafana.selectorLabels" . | nindent 14 }}
              {{- with .Values.podLabels }}
              {{- toYaml . | nindent 14 }}
              {{- end }}
        # Extra peers from values are appended to the same rule; each entry is
        # an additional allowed source (OR-ed with the grafana peer above), so
        # review these values as carefully as the selector itself.
        {{- with .Values.imageRenderer.networkPolicy.extraIngressSelectors -}}
        {{ toYaml . | nindent 8 }}
        {{- end }}
{{- end }}

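{{- if and .Values.imageRenderer.enabled .Values.imageRenderer.networkPolicy.limitEgress }}
---
# Egress policy for the image-renderer pods. Rendered only when the renderer
# is enabled and networkPolicy.limitEgress is set; once present, the selected
# pods may only open connections to the destinations listed under spec.egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "grafana.fullname" . }}-image-renderer-egress
  namespace: {{ include "grafana.namespace" . }}
  annotations:
    comment: Limit image-renderer egress traffic to grafana
spec:
  # Selects the image-renderer pods: the chart's renderer selector labels plus
  # any user-supplied imageRenderer.podLabels, both rendered at this indent.
  podSelector:
    matchLabels:
      {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }}
      {{- with .Values.imageRenderer.podLabels }}
      {{- toYaml . | nindent 6 }}
      {{- end }}

  policyTypes:
    - Egress
  egress:
    # allow dns resolution
    # NOTE(review): this rule has no `to:` block, so port 53 (UDP and TCP) is
    # reachable on any peer, not only the cluster DNS service. Narrow it with a
    # namespaceSelector/podSelector for the DNS pods if the cluster allows it.
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # talk only to grafana
    - ports:
        - port: {{ .Values.service.targetPort }}
          protocol: TCP
      to:
        # Match the namespace by the API-server-managed label, as the ingress
        # policy in this file already does. The previous custom `name` label is
        # not set on namespaces by default (so this rule silently matched
        # nothing) and, unlike kubernetes.io/metadata.name, it can be set on
        # any namespace, so it did not pin the destination to the release one.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: {{ include "grafana.namespace" . }}
          podSelector:
            matchLabels:
              {{- include "grafana.selectorLabels" . | nindent 14 }}
              {{- with .Values.podLabels }}
              {{- toYaml . | nindent 14 }}
              {{- end }}
{{- end }}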