From 8580945a6ae4f8579b2b0c8d5f1092a68be8bab7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?=
Date: Mon, 12 Feb 2024 10:49:05 +0100
Subject: [PATCH] [bitnami/argo-workflows] feat: :lock: Enable networkPolicy (#23343)
Signed-off-by: Javier Salmeron Garcia
---
 bitnami/argo-workflows/Chart.yaml | 2 +-
 bitnami/argo-workflows/README.md | 16 +++
 .../templates/controller/networkpolicy.yaml | 94 ++++++++++++++
 .../templates/server/networkpolicy.yaml | 91 ++++++++++++++
 bitnami/argo-workflows/values.yaml | 116 ++++++++++++++++++
 5 files changed, 318 insertions(+), 1 deletion(-)
 create mode 100644 bitnami/argo-workflows/templates/controller/networkpolicy.yaml
 create mode 100644 bitnami/argo-workflows/templates/server/networkpolicy.yaml
diff --git a/bitnami/argo-workflows/Chart.yaml b/bitnami/argo-workflows/Chart.yaml
index 563fed53a3..0c353b96d5 100644
--- a/bitnami/argo-workflows/Chart.yaml
+++ b/bitnami/argo-workflows/Chart.yaml
@@ -42,4 +42,4 @@ maintainers:
 name: argo-workflows
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/argo-workflows
-version: 6.3.2
+version: 6.4.0
diff --git a/bitnami/argo-workflows/README.md b/bitnami/argo-workflows/README.md
index 7b1410f8f7..f826f83576 100644
--- a/bitnami/argo-workflows/README.md
+++ b/bitnami/argo-workflows/README.md
@@ -187,6 +187,14 @@ The command removes all the Kubernetes components associated with the chart and
 | `server.service.externalTrafficPolicy` | server service external traffic policy | `Cluster` |
 | `server.service.annotations` | Additional custom annotations for server service | `{}` |
 | `server.service.extraPorts` | Extra port to expose on the server service | `[]` |
+| `server.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `server.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `server.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `server.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
+| `server.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
+| `server.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` |
+| `server.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `server.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
 ### Argo Workflows Controller configuration parameters
@@ -301,6 +309,14 @@ The command removes all the Kubernetes components associated with the chart and
 | `controller.service.externalTrafficPolicy` | controller service external traffic policy | `Cluster` |
 | `controller.service.annotations` | Additional custom annotations for controller service | `{}` |
 | `controller.service.extraPorts` | Extra port to expose on the controller service | `[]` |
+| `controller.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `controller.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `controller.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `controller.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
+| `controller.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
+| `controller.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` |
+| `controller.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `controller.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
 ### Executor configuration section
diff --git a/bitnami/argo-workflows/templates/controller/networkpolicy.yaml b/bitnami/argo-workflows/templates/controller/networkpolicy.yaml
new file mode 100644
index 0000000000..69101d84ca
--- /dev/null
+++ b/bitnami/argo-workflows/templates/controller/networkpolicy.yaml
@@ -0,0 +1,94 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.controller.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ template "argo-workflows.controller.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.controller.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/part-of: argo-workflows
+ app.kubernetes.io/component: controller
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.controller.podLabels .Values.commonLabels ) "context" . 
) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/part-of: argo-workflows
+ app.kubernetes.io/component: controller
+ {{- if .Values.controller.networkPolicy.extraEgress }}
+ egress: {{- include "common.tplvalues.render" ( dict "value" .Values.controller.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.controller.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ # Allow dns resolution
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ {{- range $port := .Values.controller.networkPolicy.kubeAPIServerPorts }}
+ - port: {{ $port }}
+ {{- end }}
+ # Allow connection to Database
+ - ports:
+ - port: {{ include "argo-workflows.controller.database.port" . }}
+ {{- if .Values.postgresql.enabled }}
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- else if .Values.mysql.enabled }}
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: mysql
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- end }}
+ {{- if .Values.controller.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.controller.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ # Allow inbound connections
+ - ports:
+ - port: {{ .Values.controller.containerPorts.metrics }}
+ # The controller port is hardcoded in the source code. 
+ # Ref: https://github.com/argoproj/argo-workflows/blob/b35aabe86be9fa5db80299cebcfb29c32be21047/cmd/workflow-controller/main.go#L116
+ - port: 6060
+ {{- if not .Values.controller.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ - podSelector:
+ matchLabels:
+ {{ template "argo-workflows.controller.fullname" . }}-client: "true"
+ {{- if .Values.controller.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.controller.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.controller.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.controller.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.controller.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.controller.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/argo-workflows/templates/server/networkpolicy.yaml b/bitnami/argo-workflows/templates/server/networkpolicy.yaml
new file mode 100644
index 0000000000..6abcb7d825
--- /dev/null
+++ b/bitnami/argo-workflows/templates/server/networkpolicy.yaml
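Review bot: The `{{- else if .Values.mysql.enabled }}` branch of the database egress rule omits the `to:` key that the PostgreSQL branch has, so with MySQL the `- podSelector:` item is emitted with no `to:` parent and becomes an extra item of either `ports` or `egress` (indentation is lost in this rendering), where `podSelector` is not a valid field; a strict apply rejects the policy, and a lenient decoder that prunes the unknown field leaves an empty item, which in a NetworkPolicy rule means all ports or all peers rather than only the database. Add `to:` directly after the `{{- else if .Values.mysql.enabled }}` line, at the same indent as the PostgreSQL `to:`, or fold both branches into a single `to:` block that only switches the `app.kubernetes.io/name` value. Separately, when `extraEgress` is non-empty the manifest contains `egress:` twice: once from the standalone `{{- if .Values.controller.networkPolicy.extraEgress }}` block right after `podSelector`, and again from the `allowExternalEgress` if/else, whose `else` branch already appends `extraEgress`; drop the standalone three-line block so the README's "ignored if allowExternalEgress=true" holds without relying on last-key-wins behaviour of the YAML decoder. Since the `kubeAPIServerPorts` entries are appended to the DNS rule, which has no `to:`, they permit those ports to any destination, which is worth stating in the template, e.g. `# Allow access to kube-apiserver (any destination on the configured ports)`. Both defects appear at the same places in the server template hunk (`templates/server/networkpolicy.yaml`).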
@@ -0,0 +1,91 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.server.enabled .Values.server.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ template "argo-workflows.server.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.server.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/part-of: argo-workflows
+ app.kubernetes.io/component: server
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.server.podLabels .Values.commonLabels ) "context" . 
) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/part-of: argo-workflows
+ app.kubernetes.io/component: server
+ {{- if .Values.server.networkPolicy.extraEgress }}
+ egress: {{- include "common.tplvalues.render" ( dict "value" .Values.server.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.server.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ # Allow dns resolution
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ {{- range $port := .Values.server.networkPolicy.kubeAPIServerPorts }}
+ - port: {{ $port }}
+ {{- end }}
+ # Allow connection to Database
+ - ports:
+ - port: {{ include "argo-workflows.controller.database.port" . }}
+ {{- if .Values.postgresql.enabled }}
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- else if .Values.mysql.enabled }}
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: mysql
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- end }}
+ {{- if .Values.server.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.server.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ # Allow inbound connections
+ - ports:
+ - port: {{ .Values.server.containerPorts.web }}
+ {{- if not .Values.server.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ - podSelector:
+ matchLabels:
+ {{ template "argo-workflows.server.fullname" . 
}}-client: "true"
+ {{- if .Values.server.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.server.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.server.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.server.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.server.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.server.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/argo-workflows/values.yaml b/bitnami/argo-workflows/values.yaml
index 2fb429169c..b79a51e06e 100644
--- a/bitnami/argo-workflows/values.yaml
+++ b/bitnami/argo-workflows/values.yaml
@@ -479,6 +479,64 @@ server:
 ## @param server.service.extraPorts Extra port to expose on the server service
 ##
 extraPorts: []
+ ## Network Policies
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ ##
+ networkPolicy:
+ ## @param server.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param server.networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param server.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param server.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
+ ##
+ kubeAPIServerPorts: [443, 6443, 8443]
+ ## @param server.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param server.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true)
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param server.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param 
server.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
 ## @section Argo Workflows Controller configuration parameters
 ##
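Review bot: The `@param` descriptions in the new `networkPolicy` stanza carry copy-paste errors that readme-generator copies verbatim into the README rows of this same commit: `extraEgress` is described as `Add extra ingress rules to the NetworkPolicy` (should be `egress`), `extraIngress` reads `NetworkPolice`, and `kubeAPIServerPorts` is described as a list of `endpoints` although the value is a list of ports. The `extraIngress`/`extraEgress` examples also nest `- matchLabels:` and `- role: frontend` as list items under `- podSelector:`, which is not the NetworkPolicyPeer shape and would fail validation if pasted; the example should read `- podSelector:` / `matchLabels:` / `role: frontend` as nested mappings, and likewise `matchExpressions:` as a mapping key rather than a list item. The `allowExternal` explanation ("only pods with the correct server label will have network access to the ports server is listening on") fits this stanza but is repeated unchanged in the controller hunk below, where it should speak of the controller; the other three wording fixes apply there as well.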
@@ -981,6 +1039,64 @@ controller:
 ## @param controller.service.extraPorts Extra port to expose on the controller service
 ##
 extraPorts: []
+ ## Network Policies
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ ##
+ networkPolicy:
+ ## @param controller.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param controller.networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param controller.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param controller.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
+ ##
+ kubeAPIServerPorts: [443, 6443, 8443]
+ ## @param controller.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param controller.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true)
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param controller.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic 
from other namespaces
+ ## @param controller.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
 ## @section Executor configuration section
 ##