From 06ff33b39b2ed76884ff7a4c88568f04451aaa32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?=
Date: Tue, 30 Jan 2024 16:07:40 +0100
Subject: [PATCH] [bitnami/pinniped] feat: :lock: Enable networkPolicy (#22827)

Signed-off-by: Javier Salmeron Garcia
---
 bitnami/pinniped/Chart.yaml | 2 +-
 bitnami/pinniped/README.md | 42 ++++---
 .../templates/concierge/networkpolicy.yaml | 73 ++++++++++++
 .../templates/supervisor/networkpolicy.yaml | 81 +++++++++++++
 bitnami/pinniped/values.yaml | 107 ++++++++++++++++++
 5 files changed, 290 insertions(+), 15 deletions(-)
 create mode 100644 bitnami/pinniped/templates/concierge/networkpolicy.yaml
 create mode 100644 bitnami/pinniped/templates/supervisor/networkpolicy.yaml

diff --git a/bitnami/pinniped/Chart.yaml b/bitnami/pinniped/Chart.yaml
index c8506ab8f9..40cb22e353 100644
--- a/bitnami/pinniped/Chart.yaml
+++ b/bitnami/pinniped/Chart.yaml
@@ -27,4 +27,4 @@ maintainers:
 name: pinniped
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/pinniped
-version: 1.6.1
+version: 1.7.0
diff --git a/bitnami/pinniped/README.md b/bitnami/pinniped/README.md
index d906c0f3d8..6e96e70bfb 100644
--- a/bitnami/pinniped/README.md
+++ b/bitnami/pinniped/README.md
@@ -182,20 +182,27 @@ The command removes all the Kubernetes components associated with the chart and
 ### Concierge Traffic Exposure Parameters
-| Name | Description | Value |
-| -------------------------------------------- | ------------------------------------------------------------------------------------ | ----------- |
-| `concierge.service.type` | Concierge service type | `ClusterIP` |
-| `concierge.service.ports.https` | Concierge service HTTPS port | `443` |
-| `concierge.service.nodePorts.https` | Node port for HTTPS | `""` |
-| `concierge.service.clusterIP` | Concierge service Cluster IP | `""` |
-| `concierge.service.labels` | Add labels to the service | `{}` |
-| `concierge.service.loadBalancerIP` | Concierge service Load Balancer IP | `""` |
-| `concierge.service.loadBalancerSourceRanges` | Concierge service Load Balancer sources | `[]` |
-| `concierge.service.externalTrafficPolicy` | Concierge service external traffic policy | `Cluster` |
-| `concierge.service.annotations` | Additional custom annotations for Concierge service | `{}` |
-| `concierge.service.extraPorts` | Extra ports to expose in Concierge service (normally used with the `sidecars` value) | `[]` |
-| `concierge.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
-| `concierge.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| Name | Description | Value |
+| ------------------------------------------------- | -------------------------------------------------------------------------------------------------- | ----------- |
+| `concierge.service.type` | Concierge service type | `ClusterIP` |
+| `concierge.service.ports.https` | Concierge service HTTPS port | `443` |
+| `concierge.service.nodePorts.https` | Node port for HTTPS | `""` |
+| `concierge.service.clusterIP` | Concierge service Cluster IP | `""` |
+| `concierge.service.labels` | Add labels to the service | `{}` |
+| `concierge.service.loadBalancerIP` | Concierge service Load Balancer IP | `""` |
+| `concierge.service.loadBalancerSourceRanges` | Concierge service Load Balancer sources | `[]` |
+| `concierge.service.externalTrafficPolicy` | Concierge service external traffic policy | `Cluster` |
+| `concierge.service.annotations` | Additional custom annotations for Concierge service | `{}` |
+| `concierge.service.extraPorts` | Extra ports to expose in Concierge service (normally used with the `sidecars` value) | `[]` |
+| `concierge.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
+| `concierge.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `concierge.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `concierge.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
+| `concierge.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `concierge.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
+| `concierge.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `concierge.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `concierge.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
 ### Supervisor Parameters
@@ -311,6 +318,13 @@ The command removes all the Kubernetes components associated with the chart and
 | `supervisor.service.public.extraPorts` | Extra ports to expose in Supervisor service (normally used with the `sidecars` value) | `[]` |
 | `supervisor.service.public.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
 | `supervisor.service.public.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `supervisor.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `supervisor.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
+| `supervisor.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `supervisor.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
+| `supervisor.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `supervisor.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `supervisor.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
 | `supervisor.ingress.enabled` | Enable ingress record generation for Pinniped Supervisor | `false` |
 | `supervisor.ingress.pathType` | Ingress path type | `ImplementationSpecific` |
 | `supervisor.ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
diff --git a/bitnami/pinniped/templates/concierge/networkpolicy.yaml b/bitnami/pinniped/templates/concierge/networkpolicy.yaml
new file mode 100644
index 0000000000..a7d612f023
--- /dev/null
+++ b/bitnami/pinniped/templates/concierge/networkpolicy.yaml
@@ -0,0 +1,73 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.concierge.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "pinniped.concierge.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: pinniped + app.kubernetes.io/component: concierge + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.concierge.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/part-of: pinniped + app.kubernetes.io/component: concierge + policyTypes: + - Ingress + - Egress + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow access to kube-apiserver + {{- range $port := .Values.concierge.networkPolicy.kubeAPIServerPorts }} + - port: {{ $port }} + {{- end }} + {{- if .Values.concierge.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.concierge.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.concierge.containerPorts.proxy }} + - port: {{ .Values.concierge.containerPorts.api }} + {{- if not .Values.concierge.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template 
"pinniped.concierge.fullname" . }}-client: "true" + {{- if .Values.concierge.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.concierge.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.concierge.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.concierge.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/part-of: vault + {{- end }} + {{- if .Values.concierge.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.concierge.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitnami/pinniped/templates/supervisor/networkpolicy.yaml b/bitnami/pinniped/templates/supervisor/networkpolicy.yaml new file mode 100644 index 0000000000..d3477e782b --- /dev/null +++ b/bitnami/pinniped/templates/supervisor/networkpolicy.yaml 
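Review bot: The last `from:` peer of the ingress rule selects `app.kubernetes.io/part-of: vault`, which looks like a leftover from another chart — no pod in a pinniped release carries that label, so when `allowExternal` is false that selector matches nothing; it should read `app.kubernetes.io/part-of: pinniped`, matching the `podSelector` this policy itself uses. The kube-apiserver egress entries (`- port: {{ $port }}` appended to the DNS rule) carry neither a `to:` peer nor a `protocol`, so with the chart's default list they permit TCP to any destination on 443/6443/8443 rather than only to the control plane; I'd add a comment saying so and point operators at `extraEgress` with an `ipBlock` when they want to pin the API server endpoint. Also worth a comment above `egress:`: a Concierge JWT authenticator fetches the Supervisor issuer's discovery and JWKS documents, and if that issuer is served on a port outside `kubeAPIServerPorts` this policy blocks it until `extraEgress` is set.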
@@ -0,0 +1,81 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.supervisor.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "pinniped.supervisor.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: pinniped + app.kubernetes.io/component: supervisor + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.supervisor.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/part-of: pinniped + app.kubernetes.io/component: supervisor + policyTypes: + - Ingress + - Egress + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow access to kube-apiserver + {{- range $port := .Values.supervisor.networkPolicy.kubeAPIServerPorts }} + - port: {{ $port }} + {{- end }} + # Allow outbound connections to other cluster pods + - ports: + - port: {{ .Values.concierge.service.ports.proxy }} + - port: {{ .Values.concierge.service.ports.api }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/part-of: pinniped + app.kubernetes.io/component: concierge + {{- if .Values.supervisor.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.supervisor.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + 
ingress: + - ports: + - port: {{ .Values.supervisor.containerPorts.https }} + {{- if not .Values.supervisor.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "pinniped.supervisor.fullname" . }}-client: "true" + {{- if .Values.supervisor.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.supervisor.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.supervisor.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.supervisor.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/part-of: vault + {{- end }} + {{- if .Values.supervisor.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.supervisor.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitnami/pinniped/values.yaml b/bitnami/pinniped/values.yaml index f9667c24b3..ea934c201f 100644 --- a/bitnami/pinniped/values.yaml +++ b/bitnami/pinniped/values.yaml 
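Review bot: The Concierge egress rule pairs a `podSelector` peer with `.Values.concierge.service.ports.proxy`/`.api`, i.e. the Service ports; a pod peer in a NetworkPolicy is matched on the pod's own port after the Service DNAT, so these should be `port: {{ .Values.concierge.containerPorts.proxy }}` and `port: {{ .Values.concierge.containerPorts.api }}`, as the Concierge ingress rule already does, or the rule silently fails whenever Service and container ports differ. The README in this commit documents only `concierge.service.ports.https`, so if `ports.proxy`/`ports.api` are not defined in values the two lines render as empty `port:` entries and the manifest is rejected — worth checking the rendered output. The final `from:` peer has the same `app.kubernetes.io/part-of: vault` copy-paste as the Concierge policy and should be `pinniped`. Finally, the Supervisor reaches its upstream identity providers (OIDC, LDAP/AD) only through the destination-less `kubeAPIServerPorts` entries, so LDAP on 389/636 is blocked by default; a comment above the egress block telling operators to add those via `extraEgress` would avoid a confusing outage.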
@@ -484,6 +484,61 @@ concierge: ## timeoutSeconds: 300 ## sessionAffinityConfig: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param concierge.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param concierge.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param concierge.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param concierge.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param concierge.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param concierge.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param concierge.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Supervisor Parameters ## 
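Review bot: `kubeAPIServerPorts: [443, 6443, 8443]` is rendered by the template as port-only egress entries with no destination peer, so the `@param` text "List of possible endpoints to kube-apiserver" understates what is opened: any destination on those TCP ports. I'd extend the comment with `## Rendered without a 'to' selector: egress to ANY destination on these ports is allowed. Use extraEgress with an ipBlock to pin the API server endpoint.` so operators know the trade-off before loosening or tightening it. The README generated from these annotations shows `[]` as the default for this key while the value here is `[443, 6443, 8443]`; if that comes from the `[array]` modifier, a `##` line stating the real default avoids the mismatch. Two wording slips propagate into the README: `extraIngress` says "NetworkPolice" and `extraEgress` says "Add extra ingress rules" — these should be "NetworkPolicy" and "Add extra egress rules".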
@@ -879,6 +934,58 @@ supervisor: ## timeoutSeconds: 300 ## sessionAffinityConfig: {} + networkPolicy: + ## @param supervisor.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param supervisor.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param supervisor.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param supervisor.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param supervisor.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param supervisor.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param supervisor.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## Configure the ingress resource that allows you to access the Pinniped Supervisor installation ## ref: 
https://kubernetes.io/docs/concepts/services-networking/ingress/