[bitnami/fluentd] feat: 🔒 Enable networkPolicy (#23272)

* [bitnami/fluentd] feat: 🔒 Enable networkPolicy

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* Update bitnami/fluentd/templates/forwarder-networkpolicy.yaml

Co-authored-by: Fran Mulero <fmulero@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>

* Update bitnami/fluentd/templates/forwarder-networkpolicy.yaml

Co-authored-by: Fran Mulero <fmulero@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>

* Update bitnami/fluentd/templates/forwarder-networkpolicy.yaml

Co-authored-by: Fran Mulero <fmulero@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>

* Update bitnami/fluentd/templates/forwarder-networkpolicy.yaml

Co-authored-by: Fran Mulero <fmulero@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>

* Update bitnami/fluentd/templates/aggregator-networkpolicy.yaml

Co-authored-by: Fran Mulero <fmulero@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>

* Update bitnami/fluentd/templates/aggregator-networkpolicy.yaml

Co-authored-by: Fran Mulero <fmulero@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>

* Update bitnami/fluentd/templates/aggregator-networkpolicy.yaml

Co-authored-by: Fran Mulero <fmulero@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>

* Update bitnami/fluentd/templates/aggregator-networkpolicy.yaml

Co-authored-by: Fran Mulero <fmulero@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>
Co-authored-by: Fran Mulero <fmulero@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-02-08 12:53:18 +01:00
committed by GitHub
parent a2a732dd80
commit 3b817c6b97
5 changed files with 322 additions and 1 deletions

@@ -130,6 +130,14 @@ The command removes all the Kubernetes components associated with the chart and
| `forwarder.service.annotations` | Provide any additional annotations which may be required | `{}` |
| `forwarder.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `forwarder.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `forwarder.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `forwarder.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `forwarder.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `forwarder.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
| `forwarder.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
| `forwarder.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `forwarder.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `forwarder.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
| `forwarder.startupProbe.enabled` | Enable startupProbe | `false` |
| `forwarder.startupProbe.httpGet.path` | Request path for startupProbe | `/fluentd.healthcheck?json=%7B%22ping%22%3A+%22pong%22%7D` |
| `forwarder.startupProbe.httpGet.port` | Port for startupProbe | `http` |
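
Review bot: The `forwarder.networkPolicy.extraEgress` row is described as "Add extra ingress rules to the NetworkPolicy", which looks copied from the `extraIngress` row; it should read "Add extra egress rules to the NetworkPolicy" so operators do not put ingress rules under the egress key. The `extraIngress` row also misspells the resource as "NetworkPolice". Separately, the `kubeAPIServerPorts` row advises limiting the list "to your cluster settings to increase security" but shows a default of `[]`; the description should state what an empty list means for egress to the kube-apiserver, since the table does not make clear whether that is open or closed.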
@@ -233,6 +241,13 @@ The command removes all the Kubernetes components associated with the chart and
| `aggregator.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `aggregator.service.annotationsHeadless` | Provide any additional annotations which may be required on headless service | `{}` |
| `aggregator.service.headless.annotations` | Annotations for the headless service. | `{}` |
| `aggregator.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `aggregator.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `aggregator.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `aggregator.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
| `aggregator.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `aggregator.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `aggregator.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
| `aggregator.ingress.enabled` | Set to true to enable ingress record generation | `false` |
| `aggregator.ingress.pathType` | Ingress Path type. How the path matching is interpreted | `ImplementationSpecific` |
| `aggregator.ingress.apiVersion` | Override API Version (automatically detected if not set) | `""` |
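
Review bot: The aggregator rows document `networkPolicy.enabled`, `allowExternal` and `allowExternalEgress` all defaulting to `true`, so by these descriptions the default policy requires no label on incoming connections and allows egress to any port and destination; the README should say this explicitly and state that both `allowExternal` and `allowExternalEgress` must be set to `false` to get a restrictive policy. The `allowExternal` description "Don't require server label for connections" also never names the label a client pod must carry when the value is `false`, which makes the setting hard to use safely. The `extraEgress` row repeats the "Add extra ingress rules" wording and the `extraIngress` row repeats the "NetworkPolice" typo from the forwarder section.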