Helm: add cilium networkpolicy (#18650)

Signed-off-by: QuantumEnigmaa <thibaud@giantswarm.io>
2024-01-24 08:27:57 +01:00 · 2024-01-24 08:27:57 +01:00 · 82739574b5
parent f78d677ab6
commit 82739574b5
4 changed files with 42 additions and 1 deletions
--- a/helm/minio/README.md
+++ b/helm/minio/README.md
@ -112,6 +112,8 @@ the DefaultDeny namespace annotation. Note: this will enforce policy for *all* p
 kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
 ```

+When using `Cilium` as a CNI in your cluster, please edit the `flavor` field to `cilium`.
+
 With NetworkPolicy enabled, traffic will be limited to just port 9000.

 For more precise policy, set `networkPolicy.allowExternal=true`. This will
--- a/helm/minio/templates/ciliumnetworkpolicy.yaml
+++ b/helm/minio/templates/ciliumnetworkpolicy.yaml
@ -0,0 +1,33 @@
+{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "cilium") }}
+kind: CiliumNetworkPolicy
+apiVersion: cilium.io/v2
+metadata:
+  name: {{ template "minio.fullname" . }}
+  labels:
+    app: {{ template "minio.name" . }}
+    chart: {{ template "minio.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  endpointSelector:
+    matchLabels:
+      app: {{ template "minio.name" . }}
+      release: {{ .Release.Name }}
+  ingress:
+  - toPorts:
+    - ports:
+      - port: {{ .Values.minioAPIPort }}
+        protocol: TCP
+      - port: {{ .Values.minioConsolePort }}
+        protocol: TCP
+    {{- if not .Values.networkPolicy.allowExternal }}
+    fromEndpoints:
+    - matchLabels:
+        {{ template "minio.name" . }}-client: "true"
+    {{- end }}
+  egress:
+  {{- range $entity := .Values.networkPolicy.egressEntities }}
+  - toEntities:
+    - {{ $entity }}
+  {{- end }}
+{{- end }}
--- a/helm/minio/templates/networkpolicy.yaml
+++ b/helm/minio/templates/networkpolicy.yaml
@ -1,4 +1,4 @@
-{{- if .Values.networkPolicy.enabled }}
+{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "kubernetes") }}
 kind: NetworkPolicy
 apiVersion: {{ template "minio.networkPolicy.apiVersion" . }}
 metadata:
--- a/helm/minio/values.yaml
+++ b/helm/minio/values.yaml
@ -498,7 +498,13 @@ oidc:

 networkPolicy:
  enabled: false
+  # Specifies whether the policies created will be standard Network Policies (flavor: kubernetes)
+  # or Cilium Network Policies (flavor: cilium)
+  flavor: kubernetes
  allowExternal: true
+  # only when using flavor: cilium
+  egressEntities:
+   - kube-apiserver

 ## PodDisruptionBudget settings
 ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/