[bitnami/elasticsearch] feat: 🔒 Enable networkPolicy (#23288)

* [bitnami/elasticsearch] feat: 🔒 Enable networkPolicy

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* chore: 🔖 Bump chart version

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-02-13 17:58:52 +01:00
committed by GitHub
parent 98d94a8999
commit 2197d7a5ea
9 changed files with 697 additions and 2 deletions

@@ -34,4 +34,4 @@ maintainers:
name: elasticsearch
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/elasticsearch
version: 19.17.6
version: 19.18.0
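Review bot: a minor bump to 19.18.0 is the right increment for a new feature, but this feature is on by default (`networkPolicy.enabled: true` for every component), and on clusters with a policy-enforcing CNI the generated policy admits ingress only on the REST and transport ports (only the HTTP port for the metrics exporter), so any other port currently reachable on those pods is blocked after upgrade. That deserves an entry in the README upgrading notes next to this version bump, with the `allowExternal` / `allowExternalEgress` knobs named as the way to tighten or relax it.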

@@ -196,6 +196,13 @@ helm delete --purge my-release
| `master.containerSecurityContext.runAsUser` | Set master-elegible containers' Security Context runAsUser | `1001` |
| `master.containerSecurityContext.runAsNonRoot` | Set master-elegible containers' Security Context runAsNonRoot | `true` |
| `master.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `master.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `master.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `master.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `master.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
| `master.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `master.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `master.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
| `master.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `master.hostAliases` | master-elegible pods host aliases | `[]` |
| `master.podLabels` | Extra labels for master-elegible pods | `{}` |
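Review bot: two wording errors in the new rows: the `master.networkPolicy.extraIngress` description reads "NetworkPolice", and `master.networkPolicy.extraEgress` is described as "Add extra ingress rules" although it adds egress rules. This table is generated from the `@param` comments in values.yaml, so the text should be corrected there and the README regenerated rather than edited by hand. The pre-existing "master-elegible" spelling in the context rows could be fixed in the same pass.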
@@ -289,6 +296,13 @@ helm delete --purge my-release
| `data.containerSecurityContext.runAsUser` | Set data containers' Security Context runAsUser | `1001` |
| `data.containerSecurityContext.runAsNonRoot` | Set data containers' Security Context runAsNonRoot | `true` |
| `data.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `data.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `data.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `data.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `data.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
| `data.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `data.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `data.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
| `data.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `data.hostAliases` | data pods host aliases | `[]` |
| `data.podLabels` | Extra labels for data pods | `{}` |
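Review bot: the `data.networkPolicy.extraIngress` row says "NetworkPolice" and the `data.networkPolicy.extraEgress` row says "extra ingress rules" where it means egress rules; both strings come from the `@param` comments in values.yaml, so fix them at the source and regenerate this table.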
@@ -382,6 +396,13 @@ helm delete --purge my-release
| `coordinating.containerSecurityContext.runAsUser` | Set coordinating-only containers' Security Context runAsUser | `1001` |
| `coordinating.containerSecurityContext.runAsNonRoot` | Set coordinating-only containers' Security Context runAsNonRoot | `true` |
| `coordinating.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `coordinating.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `coordinating.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `coordinating.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `coordinating.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
| `coordinating.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `coordinating.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `coordinating.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
| `coordinating.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `coordinating.hostAliases` | coordinating-only pods host aliases | `[]` |
| `coordinating.podLabels` | Extra labels for coordinating-only pods | `{}` |
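Review bot: same two description errors as the other component tables, "NetworkPolice" in the `coordinating.networkPolicy.extraIngress` row and "extra ingress rules" in the `coordinating.networkPolicy.extraEgress` row; correct the `@param` comments in values.yaml and regenerate.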
@@ -470,6 +491,13 @@ helm delete --purge my-release
| `ingest.containerSecurityContext.runAsUser` | Set ingest-only containers' Security Context runAsUser | `1001` |
| `ingest.containerSecurityContext.runAsNonRoot` | Set ingest-only containers' Security Context runAsNonRoot | `true` |
| `ingest.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `ingest.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `ingest.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `ingest.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `ingest.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
| `ingest.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `ingest.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `ingest.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
| `ingest.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `ingest.hostAliases` | ingest-only pods host aliases | `[]` |
| `ingest.podLabels` | Extra labels for ingest-only pods | `{}` |
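Review bot: the `ingest.networkPolicy.extraIngress` and `ingest.networkPolicy.extraEgress` rows carry the copied "NetworkPolice" and "extra ingress rules" wording; since the table is generated, the fix belongs in the values.yaml `@param` lines.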
@@ -574,6 +602,14 @@ helm delete --purge my-release
| `metrics.hostAliases` | Add deployment host aliases | `[]` |
| `metrics.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `metrics.priorityClassName` | Elasticsearch metrics exporter pods' priorityClassName | `""` |
| `metrics.containerPorts.http` | Metrics HTTP port | `9114` |
| `metrics.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `metrics.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `metrics.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `metrics.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
| `metrics.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `metrics.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `metrics.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
| `metrics.service.type` | Metrics exporter endpoint service type | `ClusterIP` |
| `metrics.service.port` | Metrics exporter endpoint service port | `9114` |
| `metrics.service.annotations` | Provide any additional annotations which may be required. | `{}` |
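Review bot: besides the copied "NetworkPolice" / "extra ingress rules" wording in the `metrics.networkPolicy.extraIngress` and `extraEgress` rows, the new `metrics.containerPorts.http` row and the existing `metrics.service.port` row both default to `9114` but are independent values; the description of `metrics.containerPorts.http` should say that the Service port is configured separately so operators change both when moving the exporter off 9114.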

@@ -0,0 +1,76 @@
{{- /*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and (include "elasticsearch.coordinating.enabled" .) .Values.coordinating.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "elasticsearch.coordinating.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: coordinating-only
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.coordinating.podLabels .Values.commonLabels ) "context" . ) }}
podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: coordinating-only
policyTypes:
- Ingress
- Egress
{{- if .Values.coordinating.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
# Allow dns resolution
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
# Allow outbound connections to other cluster pods
- ports:
- port: {{ .Values.containerPorts.restAPI }}
- port: {{ .Values.containerPorts.transport }}
to:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.coordinating.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.coordinating.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
- port: {{ .Values.containerPorts.restAPI }}
- port: {{ .Values.containerPorts.transport }}
{{- if not .Values.coordinating.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.coordinating.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.coordinating.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- if .Values.coordinating.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.coordinating.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.coordinating.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.coordinating.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
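Review bot: the single `ingress` rule lists both `containerPorts.restAPI` and `containerPorts.transport`, and with `allowExternal: true` (the default) it has no `from`, so the transport port is reachable from any source rather than only from the other nodes of the release. Only pods matching `common.labels.matchLabels` ever need the transport port, so consider splitting the rule: keep the REST port subject to `allowExternal`, and always restrict the transport port to the release's own pods with the same `podSelector` the egress branch already uses. Separately, the `ingressNSPodMatchLabels` block is nested inside `{{- if .Values.coordinating.networkPolicy.ingressNSMatchLabels }}`, so pod labels supplied without namespace labels are silently ignored; that dependency should be stated in the values comment.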

@@ -0,0 +1,76 @@
{{- /*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and (include "elasticsearch.data.enabled" .) .Values.data.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "elasticsearch.data.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: data
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.data.podLabels .Values.commonLabels ) "context" . ) }}
podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: data
policyTypes:
- Ingress
- Egress
{{- if .Values.data.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
# Allow dns resolution
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
# Allow outbound connections to other cluster pods
- ports:
- port: {{ .Values.containerPorts.restAPI }}
- port: {{ .Values.containerPorts.transport }}
to:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.data.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.data.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
- port: {{ .Values.containerPorts.restAPI }}
- port: {{ .Values.containerPorts.transport }}
{{- if not .Values.data.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.data.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.data.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- if .Values.data.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.data.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.data.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.data.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
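Review bot: in the restricted-egress branch the DNS rule (`- ports:` with 53 UDP and 53 TCP) has no `to:` selector, so even with `allowExternalEgress: false` port 53 remains open to every destination inside and outside the cluster. If the branch is meant to be least privilege, add a `to:` with a `namespaceSelector` and `podSelector` for the cluster DNS pods, or document that DNS egress is deliberately left unrestricted; the same pattern is repeated in the other component policies in this commit.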

@@ -0,0 +1,76 @@
{{- /*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and (include "elasticsearch.ingest.enabled" .) .Values.ingest.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "elasticsearch.ingest.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: ingest
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingest.podLabels .Values.commonLabels ) "context" . ) }}
podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: ingest
policyTypes:
- Ingress
- Egress
{{- if .Values.ingest.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
# Allow dns resolution
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
# Allow outbound connections to other cluster pods
- ports:
- port: {{ .Values.containerPorts.restAPI }}
- port: {{ .Values.containerPorts.transport }}
to:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.ingest.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.ingest.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
- port: {{ .Values.containerPorts.restAPI }}
- port: {{ .Values.containerPorts.transport }}
{{- if not .Values.ingest.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.ingest.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.ingest.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- if .Values.ingest.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.ingest.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.ingest.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.ingest.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
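Review bot: this file is the third near-identical copy of the node NetworkPolicy (coordinating, data and ingest differ only in the component name and the `.Values.<component>` prefix, and master follows). Factoring the body into a named template in _helpers.tpl that takes the component name and its values would keep the copies from drifting apart when one of them is fixed later, for example to tighten the transport port or the DNS egress rule.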

@@ -0,0 +1,76 @@
{{- /*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and (include "elasticsearch.master.enabled" .) .Values.master.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "elasticsearch.master.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: master
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.master.podLabels .Values.commonLabels ) "context" . ) }}
podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: master
policyTypes:
- Ingress
- Egress
{{- if .Values.master.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
# Allow dns resolution
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
# Allow outbound connections to other cluster pods
- ports:
- port: {{ .Values.containerPorts.restAPI }}
- port: {{ .Values.containerPorts.transport }}
to:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.master.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.master.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
- port: {{ .Values.containerPorts.restAPI }}
- port: {{ .Values.containerPorts.transport }}
{{- if not .Values.master.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.master.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.master.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- if .Values.master.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.master.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.master.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.master.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
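Review bot: `extraEgress` is rendered only inside the `{{- else }}` branch, i.e. when `allowExternalEgress` is false, whereas `extraIngress` is always rendered; with the default `allowExternalEgress: true` any user-supplied `extraEgress` rules are silently dropped. That is defensible because egress is already `- {}` in that case, but the asymmetry should be stated in the values comment for `extraEgress`, or the block moved outside the conditional so both lists behave alike.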

@@ -96,6 +96,7 @@ spec:
{{- if .Values.security.tls.restEncryption }}
- --es.ssl-skip-verify
{{- end }}
- --web.listen-address=:{{ .Values.metrics.containerPorts.http }}
{{- if .Values.metrics.extraArgs }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraArgs "context" $) | nindent 12 }}
{{- end }}
@@ -124,7 +125,7 @@ spec:
{{- end }}
ports:
- name: metrics
containerPort: 9114
containerPort: {{ .Values.metrics.containerPorts.http }}
{{- if not .Values.diagnosticMode.enabled }}
{{- if .Values.metrics.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }}
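Review bot: the container port now follows `metrics.containerPorts.http`, matching the new `--web.listen-address` flag in the previous hunk, but neither the metrics Service nor the probe definitions appear in this diff; confirm that the Service `targetPort` and the liveness/readiness probes reference the `metrics` port name rather than a literal `9114`, otherwise setting a different value breaks scraping and health checks while the policy still opens the new port.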

@@ -0,0 +1,74 @@
{{- /*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.metrics.enabled .Values.metrics.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "elasticsearch.metrics.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: metrics
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.podLabels .Values.commonLabels ) "context" . ) }}
podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: metrics
policyTypes:
- Ingress
- Egress
{{- if .Values.metrics.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
# Allow dns resolution
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
# Allow outbound connections to Elasticsearch pods
- ports:
- port: {{ .Values.containerPorts.restAPI }}
to:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.metrics.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.metrics.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
- port: {{ .Values.metrics.containerPorts.http }}
{{- if not .Values.metrics.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.metrics.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.metrics.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- if .Values.metrics.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.metrics.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.metrics.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.metrics.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
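Review bot: for the exporter the ingress client that matters is the Prometheus scraper, which normally runs in another namespace; with `allowExternal: false` it is blocked unless `ingressNSMatchLabels` (and optionally `ingressNSPodMatchLabels`) is set, and the "server label" wording copied from the node policies does not make that obvious. The values description for `metrics.networkPolicy.allowExternal` should name the `{{ template "common.names.fullname" . }}-client: "true"` label and point at the namespace-selector options. Limiting restricted egress to `containerPorts.restAPI` is correct for the exporter.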

@@ -555,6 +555,61 @@ master:
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
## Network Policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
## @param master.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
##
enabled: true
## @param master.networkPolicy.allowExternal Don't require server label for connections
## The Policy model to apply. When set to false, only pods with the correct
## server label will have network access to the ports server is listening
## on. When true, server will accept connections from any source
## (with the correct destination port).
##
allowExternal: true
## @param master.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param master.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
## e.g:
## extraIngress:
## - ports:
## - port: 1234
## from:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
extraIngress: []
## @param master.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraEgress:
## - ports:
## - port: 1234
## to:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
##
extraEgress: []
## @param master.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
## @param master.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
## @param master.automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: false
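Review bot: the example YAML under `extraIngress` and `extraEgress` is not a valid NetworkPolicy peer: `matchLabels` and `matchExpressions` are written as list items (`- matchLabels:`, `- role: frontend`) although `podSelector.matchLabels` is a map and `matchExpressions` is a list of objects directly under `podSelector`. It should read `- podSelector:` / `matchLabels:` / `role: frontend`, and `- podSelector:` / `matchExpressions:` / `- key: role` with `operator` and `values` beneath. In the same block, fix the `@param` text ("NetworkPolice", and "extra ingress rules" for `extraEgress`) here because the README table is generated from these comments, and add the closing `##` line before `extraIngress: []` that the `extraEgress` block already has.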
@@ -880,6 +935,61 @@ data:
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
## Network Policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
## @param data.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
##
enabled: true
## @param data.networkPolicy.allowExternal Don't require server label for connections
## The Policy model to apply. When set to false, only pods with the correct
## server label will have network access to the ports server is listening
## on. When true, server will accept connections from any source
## (with the correct destination port).
##
allowExternal: true
## @param data.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param data.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
## e.g:
## extraIngress:
## - ports:
## - port: 1234
## from:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
extraIngress: []
## @param data.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraEgress:
## - ports:
## - port: 1234
## to:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
##
extraEgress: []
## @param data.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
## @param data.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
## @param data.automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: false
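Review bot: the `allowExternal` comment says only pods "with the correct server label" are admitted but never names the label; the template matches `{{ template "common.names.fullname" . }}-client: "true"` and additionally admits every pod of the release, so state both in the comment, since that is the first thing an operator needs when a client loses access after setting `allowExternal: false`. The malformed example YAML (`- matchLabels:` as a list item) and the `@param` wording errors from the master block are repeated here.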
@@ -1206,6 +1316,61 @@ coordinating:
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
## Network Policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
## @param coordinating.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
##
enabled: true
## @param coordinating.networkPolicy.allowExternal Don't require server label for connections
## The Policy model to apply. When set to false, only pods with the correct
## server label will have network access to the ports server is listening
## on. When true, server will accept connections from any source
## (with the correct destination port).
##
allowExternal: true
## @param coordinating.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param coordinating.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
## e.g:
## extraIngress:
## - ports:
## - port: 1234
## from:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
extraIngress: []
## @param coordinating.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraEgress:
## - ports:
## - port: 1234
## to:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
##
extraEgress: []
## @param coordinating.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
## @param coordinating.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
## @param coordinating.automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: false
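Review bot: with `enabled: true`, `allowExternal: true` and `allowExternalEgress: true` the shipped defaults produce a policy that permits all egress and admits ingress on the listed ports from any source, so the feature adds no restriction until an operator sets `allowExternal` (and ideally `allowExternalEgress`) to false. A one-line comment under `networkPolicy:` saying that hardening requires those two settings would make the intent clear; the example YAML and `@param` wording issues noted for the master block apply here unchanged.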
@@ -1501,6 +1666,61 @@ ingest:
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
## Network Policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
## @param ingest.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
##
enabled: true
## @param ingest.networkPolicy.allowExternal Don't require server label for connections
## The Policy model to apply. When set to false, only pods with the correct
## server label will have network access to the ports server is listening
## on. When true, server will accept connections from any source
## (with the correct destination port).
##
allowExternal: true
## @param ingest.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param ingest.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
## e.g:
## extraIngress:
## - ports:
## - port: 1234
## from:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
extraIngress: []
## @param ingest.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraEgress:
## - ports:
## - port: 1234
## to:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
##
extraEgress: []
## @param ingest.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
## @param ingest.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
## @param ingest.automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: false
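Review bot: `ingressNSPodMatchLabels` only takes effect when `ingressNSMatchLabels` is non-empty (the template nests the pod selector inside the namespace-selector block), but the two `@param` lines share one comment that does not say so; add a sentence stating the dependency so users do not set pod labels alone and find nothing is admitted. Same example-YAML and wording fixes as in the master block.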
@@ -1934,6 +2154,66 @@ metrics:
## @param metrics.priorityClassName Elasticsearch metrics exporter pods' priorityClassName
##
priorityClassName: ""
## Elasticsearch Prometheus exporter container ports
## @param metrics.containerPorts.http Metrics HTTP port
##
containerPorts:
http: 9114
## Network Policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
## @param metrics.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
##
enabled: true
## @param metrics.networkPolicy.allowExternal Don't require server label for connections
## The Policy model to apply. When set to false, only pods with the correct
## server label will have network access to the ports server is listening
## on. When true, server will accept connections from any source
## (with the correct destination port).
##
allowExternal: true
## @param metrics.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param metrics.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
## e.g:
## extraIngress:
## - ports:
## - port: 1234
## from:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
extraIngress: []
## @param metrics.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraEgress:
## - ports:
## - port: 1234
## to:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
##
extraEgress: []
## @param metrics.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
## @param metrics.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
## Elasticsearch Prometheus exporter service type
##
service:
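Review bot: the new `metrics.containerPorts.http` value and the existing `metrics.service.port` below it both default to 9114 but are independent, so the `@param` comment for `containerPorts.http` should say that the Service port is configured separately; otherwise an operator who changes only the container port ends up with a Service pointing at a closed port while the new NetworkPolicy opens the other one. The copied `@param` wording errors and the malformed `extraIngress` / `extraEgress` example YAML from the master block are present here as well.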