From 6e9548ba9279d944d32c313a9c779ced28b5883f Mon Sep 17 00:00:00 2001
From: Markus Pesch
Date: Sat, 15 Feb 2025 19:39:14 +0100
Subject: [PATCH] feat(networkPolicies): template custom network policies

---
 README.md | 55 ++++++++
 .../_networkPolicies.tpl | 19 +++
 .../networkPolicies.yaml | 36 ++++++
 unittests/networkPolicies/default.yaml | 118 ++++++++++++++++++
 values.yaml | 50 +++++++-
 5 files changed, 275 insertions(+), 3 deletions(-)
 create mode 100644 templates/prometheus-fail2ban-exporter/_networkPolicies.tpl
 create mode 100644 templates/prometheus-fail2ban-exporter/networkPolicies.yaml
 create mode 100644 unittests/networkPolicies/default.yaml

diff --git a/README.md b/README.md
index dee2178..7dcb649 100644
--- a/README.md
+++ b/README.md
@@ -148,6 +148,61 @@ helm install prometheus-fail2ban-exporter prometheus-exporters/prometheus-fail2b
 --set 'grafana.enabled=true'
 ```
+### Network policies
+
+Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom
+network policy implementation of CNI plugins. It's support only the official API resource of `networking.k8s.io/v1`.
+
+The object networkPolicies can contains multiple networkPolicy definitions. There is currently only one example
+predefined - it's named `default`. Further networkPolicy rules can easy be added by defining additional objects. For example:
+
+> [!NOTE]
+> The structure of each custom network policy must be equal like that of default. For this reason don't forget to define
+> `annotations`, `labels` and the other properties as well.
+
+```yaml
+networkPolicies:
+ enabled: false
+ default: {}
+ my-custom-network-policy: {}
+```
+
+The example below is an excerpt of the `values.yaml` file. The network policy `default` contains ingress rules to allow
+incoming traffic from Prometheus.
+
+> [!IMPORTANT]
+> Please keep in mind, that the namespace and pod selector labels can be different from environment to environment. For
+> this reason, there is are not default network policy rules defined.
+
+```yaml
+networkPolicies:
+ enabled: true
+ default:
+ enabled: true
+ annotations: {}
+ labels: {}
+ policyTypes:
+ - Egress
+ - Ingress
+ egress: []
+ ports:
+ - port: 53
+ protocol: TCP
+ - port: 53
+ protocol: UDP
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ports:
+ - port: http
+ protocol: TCP
+```
+
+## Parameters
+
+### Global
diff --git a/templates/prometheus-fail2ban-exporter/_networkPolicies.tpl b/templates/prometheus-fail2ban-exporter/_networkPolicies.tpl
new file mode 100644
index 0000000..9165cbd
--- /dev/null
+++ b/templates/prometheus-fail2ban-exporter/_networkPolicies.tpl
@@ -0,0 +1,19 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "prometheus-fail2ban-exporter.networkPolicies.annotations" -}}
+{{ include "prometheus-fail2ban-exporter.annotations" .context }}
+{{- if .networkPolicy.annotations }}
+{{ toYaml .networkPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "prometheus-fail2ban-exporter.networkPolicies.labels" -}}
+{{ include "prometheus-fail2ban-exporter.labels" .context }}
+{{- if .networkPolicy.labels }}
+{{ toYaml .networkPolicy.labels }}
+{{- end }}
+{{- end }}
diff --git a/templates/prometheus-fail2ban-exporter/networkPolicies.yaml b/templates/prometheus-fail2ban-exporter/networkPolicies.yaml
new file mode 100644
index 0000000..7385f2a
--- /dev/null
+++ b/templates/prometheus-fail2ban-exporter/networkPolicies.yaml
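Review bot: Both helpers take a dict instead of the root context, but nothing in the file says which keys it must carry; a reader of `networkPolicies.yaml` has to reverse-engineer `dict "networkPolicy" $value "context" $`. Replace the bare `{{/* annotations */}}` header with the contract, e.g. `{{/* annotations: expects a dict with "networkPolicy" (one entry of .Values.networkPolicies) and "context" (the root $); emits the chart annotations followed by the entry's own */}}`, and likewise for `{{/* labels */}}`. The output is two YAML fragments concatenated and re-parsed with `fromYaml` by the caller, so a user-supplied label or annotation whose key collides with a chart-generated one either overrides it or makes `fromYaml` fail, depending on the YAML library's duplicate-key handling — worth a sentence in the same comment and a unit test, since neither `if .networkPolicy.*` branch is covered by the suite in this commit.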
@@ -0,0 +1,36 @@
+{{- if .Values.networkPolicies.enabled }}
+{{- range $key, $value := .Values.networkPolicies -}}
+{{- if and (not (eq $key "enabled")) $value.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ {{- with (include "prometheus-fail2ban-exporter.networkPolicies.annotations" (dict "networkPolicy" $value "context" $) | fromYaml) }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with (include "prometheus-fail2ban-exporter.networkPolicies.labels" (dict "networkPolicy" $value "context" $) | fromYaml) }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ printf "%s-%s" (include "prometheus-fail2ban-exporter.fullname" $ ) $key }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "prometheus-fail2ban-exporter.pod.selectorLabels" $ | nindent 6 }}
+ {{- with $value.policyTypes }}
+ policyTypes:
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+ {{- with $value.egress }}
+ egress:
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+ {{- with $value.ingress }}
+ ingress:
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/unittests/networkPolicies/default.yaml b/unittests/networkPolicies/default.yaml
new file mode 100644
index 0000000..426b022
--- /dev/null
+++ b/unittests/networkPolicies/default.yaml
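Review bot: The `range` over `.Values.networkPolicies` dereferences `$value.enabled` for every key except `enabled`, so any entry that is not a map (a stray scalar, or a policy a user flattened to a string) aborts rendering of the whole chart instead of being skipped; guard the type first, `{{- if and (ne $key "enabled") (kindIs "map" $value) }}` then `{{- if $value.enabled }}` with a matching extra `{{- end }}`. Keys other than `policyTypes`, `egress` and `ingress` under an entry are silently ignored — the README excerpt added in this commit puts `ports:` beside `egress: []`, where nothing will read it — and each `with` drops an empty list, so a policy rendered with only `enabled: true` contains just the `podSelector`; Kubernetes then defaults `policyTypes` to `Ingress` with no rules, which denies all ingress to the selected pods. That is the documented API semantics but surprising enough to state at the top of the template, e.g. `{{/* Empty policyTypes/egress/ingress are omitted; with none set the API server defaults policyTypes to Ingress and denies all ingress to the selected pods. Keys other than these are ignored. */}}`. The file is also missing its trailing newline.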
@@ -0,0 +1,118 @@
+chart:
+ appVersion: 0.1.0
+ version: 0.1.0
+suite: NetworkPolicies template (basic)
+release:
+ name: prometheus-fail2ban-exporter-unittest
+ namespace: testing
+templates:
+- templates/prometheus-fail2ban-exporter/networkPolicies.yaml
+tests:
+- it: Skip networkPolicies in general disabled.
+ set:
+ networkPolicies.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+- it: Skip networkPolicy 'default' when disabled.
+ set:
+ networkPolicies.enabled: true
+ networkPolicies.default.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+- it: Loop over networkPolicies
+ set:
+ networkPolicies.enabled: true
+ networkPolicies.default.enabled: false
+ networkPolicies.nginx.enabled: true
+ networkPolicies.prometheus.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 2
+
+- it: Template networkPolicy 'default' without policyTypes, egress and ingress configuration
+ set:
+ networkPolicies.enabled: true
+ networkPolicies.default.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: prometheus-fail2ban-exporter-unittest-default
+ namespace: testing
+ - notExists:
+ path: metadata.annotations
+ - equal:
+ path: metadata.labels
+ value:
+ app.kubernetes.io/instance: prometheus-fail2ban-exporter-unittest
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: prometheus-fail2ban-exporter
+ app.kubernetes.io/version: 0.1.0
+ helm.sh/chart: prometheus-fail2ban-exporter-0.1.0
+ - equal:
+ path: spec.podSelector.matchLabels
+ value:
+ app.kubernetes.io/instance: prometheus-fail2ban-exporter-unittest
+ app.kubernetes.io/name: prometheus-fail2ban-exporter
+ - notExists:
+ path: spec.policyTypes
+ - notExists:
+ path: spec.egress
+ - notExists:
+ path: spec.ingress
+
+- it: Template networkPolicy 'default' with policyTypes, egress and ingress configuration
+ set:
+ networkPolicies.enabled: true
+ networkPolicies.default.enabled: true
+ networkPolicies.default.policyTypes:
+ - Egress
+ - Ingress
+ networkPolicies.default.ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: khv-production
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ networkPolicies.default.egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: database
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: oracle
+ asserts:
+ - equal:
+ path: spec.policyTypes
+ value:
+ - Egress
+ - Ingress
+ - equal:
+ path: spec.egress
+ value:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: database
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: oracle
+ - equal:
+ path: spec.ingress
+ value:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: khv-production
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
diff --git a/values.yaml b/values.yaml
index e75b043..88b759a 100644
--- a/values.yaml
+++ b/values.yaml
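Review bot: The suite never exercises the `annotations`/`labels` branches of `_networkPolicies.tpl` — every case leaves both empty, so the `include … | fromYaml` merge in `networkPolicies.yaml`, and what happens when a user key collides with a chart-generated label, is untested. The 'Loop over networkPolicies' case also only counts documents and would still pass if the rendered names dropped the map key; a `containsDocument` with `name: prometheus-fail2ban-exporter-unittest-nginx` (and the `-prometheus` one) pins that. A case along the lines below closes the first gap.
```yaml
# … unchanged: existing test cases …
- it: Merge custom annotations and labels with the chart defaults
  set:
    networkPolicies.enabled: true
    networkPolicies.default.enabled: true
    networkPolicies.default.annotations.foo: bar
    networkPolicies.default.labels.foo: bar
  asserts:
  - equal:
      path: metadata.annotations.foo
      value: bar
  - isSubset:
      path: metadata.labels
      content:
        app.kubernetes.io/name: prometheus-fail2ban-exporter
        foo: bar
```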
@@ -270,9 +270,53 @@ podDisruptionBudget: {}
 # maxUnavailable: 1
 # minAvailable: 1
-## @section Network
-## @param networkPolicies Deploy network policies based on the used container network interface (CNI) implementation - like calico or weave.
-networkPolicies: {}
+## @section NetworkPolicies
+## @param networkPolicies.enabled Enable network policies in general.
+networkPolicies:
+ enabled: false
+
+ ## @param networkPolicies.default.enabled Enable the network policy for accessing the application by default. For example to scape the metrics.
+ ## @param networkPolicies.default.annotations Additional network policy annotations.
+ ## @param networkPolicies.default.labels Additional network policy labels.
+ ## @param networkPolicies.default.policyTypes List of policy types. Supported is ingress, egress or ingress and egress.
+ ## @param networkPolicies.default.egress Concrete egress network policy implementation.
+ ## @skip networkPolicies.default.egress Skip individual egress configuration.
+ ## @param networkPolicies.default.ingress Concrete ingress network policy implementation.
+ ## @skip networkPolicies.default.ingress Skip individual ingress configuration.
+ default:
+ enabled: false
+ annotations: {}
+ labels: {}
+ policyTypes: []
+ # - Egress
+ # - Ingress
+ egress: []
+ ingress: []
+ # Allow incoming HTTP traffic from prometheus.
+ #
+ # - from:
+ # - namespaceSelector:
+ # matchLabels:
+ # kubernetes.io/metadata.name: monitoring
+ # podSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: prometheus
+ # ports:
+ # - port: http
+ # protocol: TCP
+
+ # Allow incoming HTTP traffic from ingress-nginx.
+ #
+ # - from:
+ # - namespaceSelector:
+ # matchLabels:
+ # kubernetes.io/metadata.name: ingress-nginx
+ # podSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: ingress-nginx
+ # ports:
+ # - port: http
+ # protocol: TCP
 ## @section Prometheus
 prometheus:
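Review bot: With the values as shipped (`policyTypes: []`, `egress: []`, `ingress: []`), flipping `networkPolicies.default.enabled` to `true` renders a policy that the template reduces to a bare `podSelector`; the API server then defaults `policyTypes` to `Ingress` with no ingress rule, so all incoming traffic to the exporter pods is denied — including the Prometheus scrape that the `@param networkPolicies.default.enabled` description says the policy is for. The description should say that, e.g. `## @param networkPolicies.default.enabled Enable the default network policy. With empty policyTypes/ingress/egress this isolates the pods from all ingress; add at least one ingress rule (see the commented Prometheus example).` The `policyTypes` description ("ingress, egress or ingress and egress") should name the case-sensitive API values `Ingress` and `Egress` that the commented example already uses. If the `##` tags feed readme-generator-for-helm, declaring both `@param` and `@skip` for `networkPolicies.default.egress` and `.ingress` is contradictory — `@skip` hides the parameter — so one of the two lines per key should go.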