From 965c6bee3456f71c001aa575a0f0a96f886bc7d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?= Date: Wed, 7 Feb 2024 12:10:52 +0100 Subject: [PATCH] [bitnami/milvus] feat: :lock: Enable networkPolicy (#22923) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * [bitnami/milvus] feat: :lock: Enable networkPolicy Signed-off-by: Javier Salmeron Garcia * fix: :bug: Add allowExternalEgress to avoid breaking istio Signed-off-by: Javier Salmeron Garcia * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers * fix: :bug: Set proper ports Signed-off-by: Javier Salmeron Garcia --------- Signed-off-by: Javier Salmeron Garcia Signed-off-by: Bitnami Containers Signed-off-by: Javier J. Salmerón-García Co-authored-by: Bitnami Containers --- bitnami/milvus/Chart.yaml | 2 +- bitnami/milvus/README.md | 33 +++++-- .../milvus/templates/attu/networkpolicy.yaml | 32 +++---- .../data-coordinator/networkpolicy.yaml | 74 ++++++++++---- .../templates/data-node/networkpolicy.yaml | 70 ++++++++++---- .../index-coordinator/networkpolicy.yaml | 70 ++++++++++---- .../templates/index-node/networkpolicy.yaml | 67 +++++++++---- .../templates/init-job-networkpolicy.yaml | 55 +++++++++++ bitnami/milvus/templates/init-job.yaml | 2 + .../milvus/templates/proxy/networkpolicy.yaml | 71 ++++++++++---- .../query-coordinator/networkpolicy.yaml | 67 +++++++++---- .../templates/query-node/networkpolicy.yaml | 70 ++++++++++---- .../root-coordinator/networkpolicy.yaml | 67 +++++++++---- bitnami/milvus/values.yaml | 96 +++++++++++++++++-- 14 files changed, 601 insertions(+), 175 deletions(-) create mode 100644 bitnami/milvus/templates/init-job-networkpolicy.yaml diff --git a/bitnami/milvus/Chart.yaml b/bitnami/milvus/Chart.yaml index e02cf0846d..041fe7b10f 100644 --- a/bitnami/milvus/Chart.yaml +++ b/bitnami/milvus/Chart.yaml 
@@ -48,4 +48,4 @@ maintainers: name: milvus sources: - https://github.com/bitnami/charts/tree/main/bitnami/milvus -version: 5.3.2 +version: 5.4.0 diff --git a/bitnami/milvus/README.md b/bitnami/milvus/README.md index 1f6afe8d6c..75e19c98da 100644 --- a/bitnami/milvus/README.md +++ b/bitnami/milvus/README.md @@ -145,6 +145,12 @@ The command removes all the Kubernetes components associated with the chart and | `initJob.annotations` | Add annotations to the job | `{}` | | `initJob.podLabels` | Additional pod labels | `{}` | | `initJob.podAnnotations` | Additional pod annotations | `{}` | +| `initJob.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` | +| `initJob.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `initJob.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `initJob.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `initJob.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `initJob.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Data Coordinator Deployment Parameters 
@@ -266,8 +272,9 @@ The command removes all the Kubernetes components associated with the chart and
 | `dataCoord.service.externalTrafficPolicy` | Data Coordinator service external traffic policy | `Cluster` |
 | `dataCoord.service.annotations` | Additional custom annotations for Data Coordinator service | `{}` |
 | `dataCoord.service.extraPorts` | Extra ports to expose in the Data Coordinator service | `[]` |
-| `dataCoord.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
+| `dataCoord.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
 | `dataCoord.networkPolicy.allowExternal` | The Policy model to apply | `true` |
+| `dataCoord.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
 | `dataCoord.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `dataCoord.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `dataCoord.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
@@ -411,8 +418,9 @@ The command removes all the Kubernetes components associated with the chart and
 | `rootCoord.service.externalTrafficPolicy` | Root Coordinator service external traffic policy | `Cluster` |
 | `rootCoord.service.annotations` | Additional custom annotations for Root Coordinator service | `{}` |
 | `rootCoord.service.extraPorts` | Extra ports to expose in the Root Coordinator service | `[]` |
-| `rootCoord.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
+| `rootCoord.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
 | `rootCoord.networkPolicy.allowExternal` | The Policy model to apply | `true` |
+| `rootCoord.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
 | `rootCoord.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `rootCoord.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `rootCoord.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
@@ -556,8 +564,9 @@ The command removes all the Kubernetes components associated with the chart and
 | `queryCoord.service.externalTrafficPolicy` | Query Coordinator service external traffic policy | `Cluster` |
 | `queryCoord.service.annotations` | Additional custom annotations for Query Coordinator service | `{}` |
 | `queryCoord.service.extraPorts` | Extra ports to expose in the Query Coordinator service | `[]` |
-| `queryCoord.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
+| `queryCoord.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
 | `queryCoord.networkPolicy.allowExternal` | The Policy model to apply | `true` |
+| `queryCoord.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
 | `queryCoord.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `queryCoord.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `queryCoord.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
@@ -701,8 +710,9 @@ The command removes all the Kubernetes components associated with the chart and
 | `indexCoord.service.externalTrafficPolicy` | Index Coordinator service external traffic policy | `Cluster` |
 | `indexCoord.service.annotations` | Additional custom annotations for Index Coordinator service | `{}` |
 | `indexCoord.service.extraPorts` | Extra ports to expose in the Index Coordinator service | `[]` |
-| `indexCoord.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
+| `indexCoord.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
 | `indexCoord.networkPolicy.allowExternal` | The Policy model to apply | `true` |
+| `indexCoord.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
 | `indexCoord.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `indexCoord.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `indexCoord.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
@@ -846,8 +856,9 @@ The command removes all the Kubernetes components associated with the chart and
 | `dataNode.service.externalTrafficPolicy` | Data Node service external traffic policy | `Cluster` |
 | `dataNode.service.annotations` | Additional custom annotations for Data Node service | `{}` |
 | `dataNode.service.extraPorts` | Extra ports to expose in the Data Node service | `[]` |
-| `dataNode.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
+| `dataNode.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
 | `dataNode.networkPolicy.allowExternal` | The Policy model to apply | `true` |
+| `dataNode.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
 | `dataNode.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `dataNode.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `dataNode.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
@@ -991,8 +1002,9 @@ The command removes all the Kubernetes components associated with the chart and
 | `queryNode.service.externalTrafficPolicy` | Query Node service external traffic policy | `Cluster` |
 | `queryNode.service.annotations` | Additional custom annotations for Query Node service | `{}` |
 | `queryNode.service.extraPorts` | Extra ports to expose in the Query Node service | `[]` |
-| `queryNode.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
+| `queryNode.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
 | `queryNode.networkPolicy.allowExternal` | The Policy model to apply | `true` |
+| `queryNode.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
 | `queryNode.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `queryNode.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `queryNode.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
@@ -1136,8 +1148,9 @@ The command removes all the Kubernetes components associated with the chart and
 | `indexNode.service.externalTrafficPolicy` | Index Node service external traffic policy | `Cluster` |
 | `indexNode.service.annotations` | Additional custom annotations for Index Node service | `{}` |
 | `indexNode.service.extraPorts` | Extra ports to expose in the Index Node service | `[]` |
-| `indexNode.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
+| `indexNode.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
 | `indexNode.networkPolicy.allowExternal` | The Policy model to apply | `true` |
+| `indexNode.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
 | `indexNode.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `indexNode.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `indexNode.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
@@ -1293,8 +1306,9 @@ The command removes all the Kubernetes components associated with the chart and
 | `proxy.service.externalTrafficPolicy` | Proxy service external traffic policy | `Cluster` |
 | `proxy.service.annotations` | Additional custom annotations for Proxy service | `{}` |
 | `proxy.service.extraPorts` | Extra ports to expose in the Proxy service | `[]` |
-| `proxy.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
+| `proxy.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
 | `proxy.networkPolicy.allowExternal` | The Policy model to apply | `true` |
+| `proxy.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
 | `proxy.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `proxy.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `proxy.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
@@ -1451,8 +1465,9 @@ The command removes all the Kubernetes components associated with the chart and
 | `attu.ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
 | `attu.ingress.secrets` | Custom TLS certificates as secrets | `[]` |
 | `attu.ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
-| `attu.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
+| `attu.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
 | `attu.networkPolicy.allowExternal` | The Policy model to apply | `true` |
+| `attu.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
 | `attu.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `attu.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `attu.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
diff --git a/bitnami/milvus/templates/attu/networkpolicy.yaml b/bitnami/milvus/templates/attu/networkpolicy.yaml
index fc7f878911..c42c073168 100644
--- a/bitnami/milvus/templates/attu/networkpolicy.yaml
+++ b/bitnami/milvus/templates/attu/networkpolicy.yaml
@@ -26,6 +26,10 @@ spec:
 policyTypes:
 - Ingress
 - Egress
+ {{- if .Values.attu.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
 egress:
 # Allow dns resolution
 - ports:
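Review bot: The new `egress: - {}` branch is what renders by default, since the README rows in this same commit document `allowExternalEgress` as `true` for every component, and with `allowExternal` also defaulting to `true` the ingress half of each policy pins only the port, not the source. Turning `networkPolicy.enabled` on by default therefore delivers much less isolation than the flag names suggest, and an operator reading `enabled: true` in values.yaml may assume otherwise. A comment above the branch would make the trade-off explicit, e.g. `# allowExternalEgress=true (the default) allows all outbound traffic; set it and allowExternal to false for actual isolation`. The `spec:` block this branch belongs to starts above the hunk.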
@@ -33,35 +37,30 @@ spec: protocol: UDP - port: 53 protocol: TCP - # Allow outbound connections to other cluster pods + # Allow outbound connections to Milvus Proxy - ports: - - port: {{ .Values.attu.service.ports.http }} - - port: {{ .Values.queryCoord.service.ports.grpc }} - - port: {{ .Values.dataCoord.service.ports.grpc }} - - port: {{ .Values.indexCoord.service.ports.grpc }} - - port: {{ .Values.rootCoord.service.ports.grpc }} - - port: {{ .Values.queryNode.service.ports.grpc }} - - port: {{ .Values.dataNode.service.ports.grpc }} - - port: {{ .Values.indexNode.service.ports.grpc }} - - port: {{ .Values.proxy.service.ports.grpc }} - - port: {{ include "milvus.etcd.port" . }} - - port: {{ include "milvus.s3.port" . }} - - port: {{ include "milvus.kafka.port" . }} - to: + - port: {{ .Values.proxy.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpcInternal }} + to: - podSelector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/part-of: milvus + app.kubernetes.io/component: proxy {{- if .Values.attu.networkPolicy.extraEgress }} {{- include "common.tplvalues.render" ( dict "value" .Values.attu.networkPolicy.extraEgress "context" $ ) | nindent 4 }} {{- end }} + {{- end }} ingress: - ports: - - port: {{ .Values.attu.service.ports.http }} + - port: {{ .Values.attu.containerPorts.http }} {{- if not .Values.attu.networkPolicy.allowExternal }} from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/part-of: milvus - podSelector: matchLabels: {{ template "common.names.fullname" . }}-client: "true" - {{- end }} {{- if .Values.attu.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: matchLabels: 
@@ -76,6 +75,7 @@ spec: {{- end }} {{- end }} {{- end }} + {{- end }} {{- if .Values.attu.networkPolicy.extraIngress }} {{- include "common.tplvalues.render" ( dict "value" .Values.attu.networkPolicy.extraIngress "context" $ ) | nindent 4 }} {{- end }} diff --git a/bitnami/milvus/templates/data-coordinator/networkpolicy.yaml b/bitnami/milvus/templates/data-coordinator/networkpolicy.yaml index 57eab4c8c1..b402afa02b 100644 --- a/bitnami/milvus/templates/data-coordinator/networkpolicy.yaml +++ b/bitnami/milvus/templates/data-coordinator/networkpolicy.yaml @@ -24,6 +24,10 @@ spec: policyTypes: - Ingress - Egress + {{- if .Values.attu.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} egress: # Allow dns resolution - ports: 
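Review bot: The `from` list added under `allowExternal=false` now admits every pod carrying `app.kubernetes.io/part-of: milvus` to Attu's HTTP port, but nothing in this commit shows a Milvus component that initiates connections to Attu — Attu is the client, as the rewritten egress rule (proxy only) itself encodes — so that selector widens the allow-list without a visible need; for least privilege I would keep only the `<fullname>-client: "true"` selector and the namespace selectors. The rule also relies on `$podLabels`, which is presumably defined above the hunk in the `podSelector` section. One caveat worth a comment next to `from:`: the README rows in this commit show Attu is normally reached through `attu.ingress`, and with `allowExternal=false` the ingress controller's pods are denied unless `ingressNSMatchLabels`/`ingressNSPodMatchLabels` select its namespace, e.g. `# NOTE: with allowExternal=false the ingress controller must be admitted via ingressNSMatchLabels/ingressNSPodMatchLabels`.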
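Review bot: The guard added to the data-coordinator policy tests `.Values.attu.networkPolicy.allowExternalEgress` rather than the `dataCoord.networkPolicy.allowExternalEgress` value this commit documents in the README, so the Attu setting silently decides whether the data coordinator gets the unrestricted `egress: - {}` rule and `dataCoord.networkPolicy.allowExternalEgress=false` has no effect. The line should read `{{- if .Values.dataCoord.networkPolicy.allowExternalEgress }}`. Rendering with `--set attu.networkPolicy.allowExternalEgress=false` while leaving the dataCoord value at its default would show the data-coordinator policy switching to the restricted list, which is the observable symptom.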
@@ -33,35 +37,68 @@ spec: protocol: TCP # Allow outbound connections to other cluster pods - ports: - - port: {{ .Values.queryCoord.service.ports.grpc }} - - port: {{ .Values.dataCoord.service.ports.grpc }} - - port: {{ .Values.indexCoord.service.ports.grpc }} - - port: {{ .Values.rootCoord.service.ports.grpc }} - - port: {{ .Values.queryNode.service.ports.grpc }} - - port: {{ .Values.dataNode.service.ports.grpc }} - - port: {{ .Values.indexNode.service.ports.grpc }} - - port: {{ .Values.proxy.service.ports.grpc }} - - port: {{ include "milvus.etcd.port" . }} - - port: {{ include "milvus.s3.port" . }} - - port: {{ include "milvus.kafka.port" . }} - - port: {{ include "milvus.etcd.port" . }} - - port: {{ include "milvus.s3.port" . }} - - port: {{ include "milvus.kafka.port" . }} + - port: {{ .Values.queryCoord.containerPorts.grpc }} + - port: {{ .Values.dataCoord.containerPorts.grpc }} + - port: {{ .Values.indexCoord.containerPorts.grpc }} + - port: {{ .Values.rootCoord.containerPorts.grpc }} + - port: {{ .Values.queryNode.containerPorts.grpc }} + - port: {{ .Values.dataNode.containerPorts.grpc }} + - port: {{ .Values.indexNode.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpcInternal }} to: - podSelector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/part-of: milvus + # Allow outbound connections to S3 + - ports: + - port: {{ include "milvus.s3.port" . }} + {{- if .Values.minio.enabled }} + - port: {{ .Values.minio.containerPorts.api }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to etcd + - ports: + - port: {{ include "milvus.etcd.port" . 
}} + to: + {{- if .Values.etcd.enabled }} + - podSelector: + matchLabels: + app.kubernetes.io/name: etcd + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to kafka + - ports: + - port: {{ include "milvus.kafka.port" . }} + to: + {{- if .Values.kafka.enabled }} + - podSelector: + matchLabels: + app.kubernetes.io/name: kafka + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} {{- if .Values.dataCoord.networkPolicy.extraEgress }} {{- include "common.tplvalues.render" ( dict "value" .Values.dataCoord.networkPolicy.extraEgress "context" $ ) | nindent 4 }} {{- end }} + {{- end }} ingress: - ports: - - port: {{ .Values.dataCoord.service.ports.grpc }} + - port: {{ .Values.dataCoord.containerPorts.grpc }} + {{- if .Values.dataCoord.metrics.enabled }} + - port: {{ .Values.dataCoord.containerPorts.metrics }} + {{- end }} {{- if not .Values.dataCoord.networkPolicy.allowExternal }} from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/part-of: milvus - podSelector: matchLabels: {{ template "common.names.fullname" . }}-client: "true" - {{- end }} {{- if .Values.dataCoord.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: matchLabels: @@ -76,10 +113,7 @@ spec: {{- end }} {{- end }} {{- end }} - {{- if .Values.dataCoord.metrics.enabled }} - - ports: - - port: {{ .Values.dataCoord.service.ports.metrics }} - {{- end }} + {{- end }} {{- if .Values.dataCoord.networkPolicy.extraIngress }} {{- include "common.tplvalues.render" ( dict "value" .Values.dataCoord.networkPolicy.extraIngress "context" $ ) | nindent 4 }} {{- end }} diff --git a/bitnami/milvus/templates/data-node/networkpolicy.yaml b/bitnami/milvus/templates/data-node/networkpolicy.yaml index 7413667f83..9ff4a56b78 100644 --- a/bitnami/milvus/templates/data-node/networkpolicy.yaml +++ b/bitnami/milvus/templates/data-node/networkpolicy.yaml 
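Review bot: When `minio.enabled`, `etcd.enabled` or `kafka.enabled` is false, the corresponding new egress rule renders with no `to:` (S3) or an empty `to:` (etcd, kafka), which Kubernetes treats as any destination on that port — with an external object store on 443 that is effectively open HTTPS egress from the coordinator even with `allowExternalEgress=false`. That is hard to avoid without knowing the external endpoint, but it should be stated where the rule is, e.g. `# External S3/etcd/kafka: destination cannot be narrowed here; add an ipBlock rule via networkPolicy.extraEgress if needed`. Separately, folding the metrics port into the same ingress rule as gRPC (and deleting the old unrestricted metrics rule in the following hunk) means `allowExternal=false` now also blocks scrapers running outside the Milvus pods, so a Prometheus in another namespace needs `ingressNSMatchLabels`/`ingressNSPodMatchLabels`; that is a tightening worth calling out as a behaviour change. The egress list this hunk extends starts above the hunk.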
@@ -24,6 +24,10 @@ spec: policyTypes: - Ingress - Egress + {{- if .Values.dataNode.allowExternalEgress }} + egress: + - {} + {{- else }} egress: # Allow dns resolution - ports: 
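Review bot: The data-node guard reads `.Values.dataNode.allowExternalEgress`, a key the README rows in this commit do not define (they document `dataNode.networkPolicy.allowExternalEgress`), so it always evaluates to nil and the data node always gets the restricted egress list regardless of the documented default of `true`. That is the opposite of the sibling templates, and per the fix-up commit message the flag exists to avoid breaking Istio, so an injected data node would presumably lose access to the mesh control plane unless `extraEgress` is set. The line should read `{{- if .Values.dataNode.networkPolicy.allowExternalEgress }}`.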
@@ -33,32 +37,67 @@ spec: protocol: TCP # Allow outbound connections to other cluster pods - ports: - - port: {{ .Values.queryCoord.service.ports.grpc }} - - port: {{ .Values.dataCoord.service.ports.grpc }} - - port: {{ .Values.indexCoord.service.ports.grpc }} - - port: {{ .Values.rootCoord.service.ports.grpc }} - - port: {{ .Values.queryNode.service.ports.grpc }} - - port: {{ .Values.dataNode.service.ports.grpc }} - - port: {{ .Values.indexNode.service.ports.grpc }} - - port: {{ .Values.proxy.service.ports.grpc }} - - port: {{ include "milvus.etcd.port" . }} - - port: {{ include "milvus.s3.port" . }} - - port: {{ include "milvus.kafka.port" . }} + - port: {{ .Values.queryCoord.containerPorts.grpc }} + - port: {{ .Values.dataCoord.containerPorts.grpc }} + - port: {{ .Values.indexCoord.containerPorts.grpc }} + - port: {{ .Values.rootCoord.containerPorts.grpc }} + - port: {{ .Values.queryNode.containerPorts.grpc }} + - port: {{ .Values.dataNode.containerPorts.grpc }} + - port: {{ .Values.indexNode.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpcInternal }} to: - podSelector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + # Allow outbound connections to S3 + - ports: + - port: {{ include "milvus.s3.port" . }} + {{- if .Values.minio.enabled }} + - port: {{ .Values.minio.containerPorts.api }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to etcd + - ports: + - port: {{ include "milvus.etcd.port" . }} + to: + {{- if .Values.etcd.enabled }} + - podSelector: + matchLabels: + app.kubernetes.io/name: etcd + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to kafka + - ports: + - port: {{ include "milvus.kafka.port" . 
}} + to: + {{- if .Values.kafka.enabled }} + - podSelector: + matchLabels: + app.kubernetes.io/name: kafka + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} {{- if .Values.dataNode.networkPolicy.extraEgress }} {{- include "common.tplvalues.render" ( dict "value" .Values.dataNode.networkPolicy.extraEgress "context" $ ) | nindent 4 }} {{- end }} + {{- end }} ingress: - ports: - - port: {{ .Values.dataNode.service.ports.grpc }} + - port: {{ .Values.dataNode.containerPorts.grpc }} + {{- if .Values.dataNode.metrics.enabled }} + - port: {{ .Values.dataNode.containerPorts.metrics }} + {{- end }} {{- if not .Values.dataNode.networkPolicy.allowExternal }} from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/part-of: milvus - podSelector: matchLabels: {{ template "common.names.fullname" . }}-client: "true" - {{- end }} {{- if .Values.dataNode.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: matchLabels: @@ -73,10 +112,7 @@ spec: {{- end }} {{- end }} {{- end }} - {{- if .Values.dataNode.metrics.enabled }} - - ports: - - port: {{ .Values.dataNode.service.ports.metrics }} - {{- end }} + {{- end }} {{- if .Values.dataNode.networkPolicy.extraIngress }} {{- include "common.tplvalues.render" ( dict "value" .Values.dataNode.networkPolicy.extraIngress "context" $ ) | nindent 4 }} {{- end }} diff --git a/bitnami/milvus/templates/index-coordinator/networkpolicy.yaml b/bitnami/milvus/templates/index-coordinator/networkpolicy.yaml index 9ceac1500a..60674d8d7c 100644 --- a/bitnami/milvus/templates/index-coordinator/networkpolicy.yaml +++ b/bitnami/milvus/templates/index-coordinator/networkpolicy.yaml @@ -24,6 +24,10 @@ spec: policyTypes: - Ingress - Egress + {{- if .Values.indexCoord.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} egress: # Allow dns resolution - ports: 
@@ -33,32 +37,67 @@ spec: protocol: TCP # Allow outbound connections to other cluster pods - ports: - - port: {{ .Values.queryCoord.service.ports.grpc }} - - port: {{ .Values.dataCoord.service.ports.grpc }} - - port: {{ .Values.indexCoord.service.ports.grpc }} - - port: {{ .Values.rootCoord.service.ports.grpc }} - - port: {{ .Values.queryNode.service.ports.grpc }} - - port: {{ .Values.dataNode.service.ports.grpc }} - - port: {{ .Values.indexNode.service.ports.grpc }} - - port: {{ .Values.proxy.service.ports.grpc }} - - port: {{ include "milvus.etcd.port" . }} - - port: {{ include "milvus.s3.port" . }} - - port: {{ include "milvus.kafka.port" . }} + - port: {{ .Values.queryCoord.containerPorts.grpc }} + - port: {{ .Values.dataCoord.containerPorts.grpc }} + - port: {{ .Values.indexCoord.containerPorts.grpc }} + - port: {{ .Values.rootCoord.containerPorts.grpc }} + - port: {{ .Values.queryNode.containerPorts.grpc }} + - port: {{ .Values.dataNode.containerPorts.grpc }} + - port: {{ .Values.indexNode.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpcInternal }} to: - podSelector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + # Allow outbound connections to S3 + - ports: + - port: {{ include "milvus.s3.port" . }} + {{- if .Values.minio.enabled }} + - port: {{ .Values.minio.containerPorts.api }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to etcd + - ports: + - port: {{ include "milvus.etcd.port" . }} + to: + {{- if .Values.etcd.enabled }} + - podSelector: + matchLabels: + app.kubernetes.io/name: etcd + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to kafka + - ports: + - port: {{ include "milvus.kafka.port" . 
}} + to: + {{- if .Values.kafka.enabled }} + - podSelector: + matchLabels: + app.kubernetes.io/name: kafka + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} {{- if .Values.indexCoord.networkPolicy.extraEgress }} {{- include "common.tplvalues.render" ( dict "value" .Values.indexCoord.networkPolicy.extraEgress "context" $ ) | nindent 4 }} {{- end }} + {{- end }} ingress: - ports: - - port: {{ .Values.indexCoord.service.ports.grpc }} + - port: {{ .Values.indexCoord.containerPorts.grpc }} + {{- if .Values.indexCoord.metrics.enabled }} + - port: {{ .Values.indexCoord.containerPorts.metrics }} + {{- end }} {{- if not .Values.indexCoord.networkPolicy.allowExternal }} from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/part-of: milvus - podSelector: matchLabels: {{ template "common.names.fullname" . }}-client: "true" - {{- end }} {{- if .Values.indexCoord.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: matchLabels: @@ -73,10 +112,7 @@ spec: {{- end }} {{- end }} {{- end }} - {{- if .Values.indexCoord.metrics.enabled }} - - ports: - - port: {{ .Values.indexCoord.service.ports.metrics }} - {{- end }} + {{- end }} {{- if .Values.indexCoord.networkPolicy.extraIngress }} {{- include "common.tplvalues.render" ( dict "value" .Values.indexCoord.networkPolicy.extraIngress "context" $ ) | nindent 4 }} {{- end }} diff --git a/bitnami/milvus/templates/index-node/networkpolicy.yaml b/bitnami/milvus/templates/index-node/networkpolicy.yaml index 77068c28f8..b69b7e9c8e 100644 --- a/bitnami/milvus/templates/index-node/networkpolicy.yaml +++ b/bitnami/milvus/templates/index-node/networkpolicy.yaml @@ -24,6 +24,10 @@ spec: policyTypes: - Ingress - Egress + {{- if .Values.indexNode.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} egress: # Allow dns resolution - ports: 
@@ -33,32 +37,64 @@ spec: protocol: TCP # Allow outbound connections to other cluster pods - ports: - - port: {{ .Values.queryCoord.service.ports.grpc }} - - port: {{ .Values.dataCoord.service.ports.grpc }} - - port: {{ .Values.indexCoord.service.ports.grpc }} - - port: {{ .Values.rootCoord.service.ports.grpc }} - - port: {{ .Values.queryNode.service.ports.grpc }} - - port: {{ .Values.dataNode.service.ports.grpc }} - - port: {{ .Values.indexNode.service.ports.grpc }} - - port: {{ .Values.proxy.service.ports.grpc }} - - port: {{ include "milvus.etcd.port" . }} - - port: {{ include "milvus.s3.port" . }} - - port: {{ include "milvus.kafka.port" . }} + - port: {{ .Values.queryCoord.containerPorts.grpc }} + - port: {{ .Values.dataCoord.containerPorts.grpc }} + - port: {{ .Values.indexCoord.containerPorts.grpc }} + - port: {{ .Values.rootCoord.containerPorts.grpc }} + - port: {{ .Values.queryNode.containerPorts.grpc }} + - port: {{ .Values.dataNode.containerPorts.grpc }} + - port: {{ .Values.indexNode.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpcInternal }} to: - podSelector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + # Allow outbound connections to S3 + - ports: + - port: {{ include "milvus.s3.port" . }} + {{- if .Values.minio.enabled }} + - port: {{ .Values.minio.containerPorts.api }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to etcd + - ports: + - port: {{ include "milvus.etcd.port" . }} + to: + {{- if .Values.etcd.enabled }} + - podSelector: + matchLabels: + app.kubernetes.io/name: etcd + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to kafka + - ports: + - port: {{ include "milvus.kafka.port" . 
}} + to: + {{- if .Values.kafka.enabled }} + - podSelector: + matchLabels: + app.kubernetes.io/name: kafka + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} {{- if .Values.indexNode.networkPolicy.extraEgress }} {{- include "common.tplvalues.render" ( dict "value" .Values.indexNode.networkPolicy.extraEgress "context" $ ) | nindent 4 }} {{- end }} + {{- end }} ingress: - ports: - - port: {{ .Values.indexNode.service.ports.grpc }} + - port: {{ .Values.indexNode.containerPorts.grpc }} + {{- if .Values.indexNode.metrics.enabled }} + - port: {{ .Values.indexNode.containerPorts.metrics }} + {{- end }} {{- if not .Values.indexNode.networkPolicy.allowExternal }} from: - podSelector: matchLabels: {{ template "common.names.fullname" . }}-client: "true" - {{- end }} {{- if .Values.indexNode.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: matchLabels: @@ -73,10 +109,7 @@ spec: {{- end }} {{- end }} {{- end }} - {{- if .Values.indexNode.metrics.enabled }} - - ports: - - port: {{ .Values.indexNode.service.ports.metrics }} - {{- end }} + {{- end }} {{- if .Values.indexNode.networkPolicy.extraIngress }} {{- include "common.tplvalues.render" ( dict "value" .Values.indexNode.networkPolicy.extraIngress "context" $ ) | nindent 4 }} {{- end }} diff --git a/bitnami/milvus/templates/init-job-networkpolicy.yaml b/bitnami/milvus/templates/init-job-networkpolicy.yaml new file mode 100644 index 0000000000..bc6e3e48c2 --- /dev/null +++ b/bitnami/milvus/templates/init-job-networkpolicy.yaml 
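Review bot: Unlike the data-coordinator, data-node and index-coordinator policies in this commit, the index-node ingress `from` list under `allowExternal=false` still admits only pods labelled `<fullname>-client: "true"` — the `app.kubernetes.io/part-of: milvus` podSelector the other templates gained was not added here, so with `indexNode.networkPolicy.allowExternal=false` any Milvus component that dials the index node's gRPC port would be denied. Add the same selector before the client one: `- podSelector:` / `    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}` / `      app.kubernetes.io/part-of: milvus`, assuming `$podLabels` is defined above the hunk as in the sibling templates. The ingress block continues past the hunk into the following one.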
@@ -0,0 +1,55 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.initJob.networkPolicy.enabled (include "milvus.init-job.create" .) }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "common.names.fullname" . }}-init + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.initJob.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: milvus + app.kubernetes.io/component: initJob + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.initJob.podLabels .Values.commonLabels ) "context" . 
) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/part-of: milvus + app.kubernetes.io/component: init + policyTypes: + - Ingress + - Egress + {{- if .Values.initJob.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to Milvus Proxy + - ports: + - port: {{ .Values.proxy.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpcInternal }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.initJob.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.initJob.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + {{- if .Values.initJob.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.initJob.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitnami/milvus/templates/init-job.yaml b/bitnami/milvus/templates/init-job.yaml index b31b864cb4..ec7179cfc6 100644 --- a/bitnami/milvus/templates/init-job.yaml +++ b/bitnami/milvus/templates/init-job.yaml @@ -13,6 +13,7 @@ metadata: {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} app.kubernetes.io/part-of: milvus + app.kubernetes.io/component: init annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.initJob.annotations "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} 
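Review bot: `initJob.networkPolicy.ingressNSMatchLabels` and `ingressNSPodMatchLabels` are introduced in values.yaml and the README by this commit, but this template never reads them — the `ingress:` block only renders `extraIngress` — so setting them has no effect; either add the `namespaceSelector` block the component policies use or drop the two keys. With `extraIngress` empty, `ingress:` renders as null while `policyTypes` lists Ingress, which denies all inbound traffic to the job pod; that is sensible for a one-shot job but reads like an omission, so a comment such as `# The init job accepts no inbound traffic; only extraIngress rules are rendered` would help. The restricted egress branch selects every pod of the release via `common.labels.matchLabels` on `.Values.commonLabels` for the proxy ports; the chart labels pods by component (the init-job hunk below adds `app.kubernetes.io/component: init`), so if proxy pods carry a `component: proxy` label, adding it to that `matchLabels` would confine the job to the proxy alone.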
@@ -23,6 +24,7 @@ spec: metadata: {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.initJob.podLabels .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/part-of: milvus app.kubernetes.io/component: init {{- if .Values.initJob.podAnnotations }} annotations: {{- include "common.tplvalues.render" (dict "value" .Values.initJob.podAnnotations "context" $) | nindent 8 }} diff --git a/bitnami/milvus/templates/proxy/networkpolicy.yaml b/bitnami/milvus/templates/proxy/networkpolicy.yaml index 0b22f0c171..f4c1d44a5c 100644 --- a/bitnami/milvus/templates/proxy/networkpolicy.yaml +++ b/bitnami/milvus/templates/proxy/networkpolicy.yaml @@ -24,6 +24,10 @@ spec: policyTypes: - Ingress - Egress + {{- if .Values.proxy.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} egress: # Allow dns resolution - ports: 
@@ -33,32 +37,68 @@ spec: protocol: TCP # Allow outbound connections to other cluster pods - ports: - - port: {{ .Values.queryCoord.service.ports.grpc }} - - port: {{ .Values.dataCoord.service.ports.grpc }} - - port: {{ .Values.indexCoord.service.ports.grpc }} - - port: {{ .Values.rootCoord.service.ports.grpc }} - - port: {{ .Values.queryNode.service.ports.grpc }} - - port: {{ .Values.dataNode.service.ports.grpc }} - - port: {{ .Values.indexNode.service.ports.grpc }} - - port: {{ .Values.proxy.service.ports.grpc }} - - port: {{ include "milvus.etcd.port" . }} - - port: {{ include "milvus.s3.port" . }} - - port: {{ include "milvus.kafka.port" . }} + - port: {{ .Values.queryCoord.containerPorts.grpc }} + - port: {{ .Values.dataCoord.containerPorts.grpc }} + - port: {{ .Values.indexCoord.containerPorts.grpc }} + - port: {{ .Values.rootCoord.containerPorts.grpc }} + - port: {{ .Values.queryNode.containerPorts.grpc }} + - port: {{ .Values.dataNode.containerPorts.grpc }} + - port: {{ .Values.indexNode.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpcInternal }} to: - podSelector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + # Allow outbound connections to S3 + - ports: + - port: {{ include "milvus.s3.port" . }} + {{- if .Values.minio.enabled }} + - port: {{ .Values.minio.containerPorts.api }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to etcd + - ports: + - port: {{ include "milvus.etcd.port" . }} + to: + {{- if .Values.etcd.enabled }} + - podSelector: + matchLabels: + app.kubernetes.io/name: etcd + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to kafka + - ports: + - port: {{ include "milvus.kafka.port" . 
}} + to: + {{- if .Values.kafka.enabled }} + - podSelector: + matchLabels: + app.kubernetes.io/name: kafka + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} {{- if .Values.proxy.networkPolicy.extraEgress }} {{- include "common.tplvalues.render" ( dict "value" .Values.proxy.networkPolicy.extraEgress "context" $ ) | nindent 4 }} {{- end }} + {{- end }} ingress: - ports: - - port: {{ .Values.proxy.service.ports.grpc }} + - port: {{ .Values.proxy.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpcInternal }} + {{- if .Values.proxy.metrics.enabled }} + - port: {{ .Values.proxy.containerPorts.metrics }} + {{- end }} {{- if not .Values.proxy.networkPolicy.allowExternal }} from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/part-of: milvus - podSelector: matchLabels: {{ template "common.names.fullname" . }}-client: "true" - {{- end }} {{- if .Values.proxy.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: matchLabels: @@ -73,10 +113,7 @@ spec: {{- end }} {{- end }} {{- end }} - {{- if .Values.proxy.metrics.enabled }} - - ports: - - port: {{ .Values.proxy.service.ports.metrics }} - {{- end }} + {{- end }} {{- if .Values.proxy.networkPolicy.extraIngress }} {{- include "common.tplvalues.render" ( dict "value" .Values.proxy.networkPolicy.extraIngress "context" $ ) | nindent 4 }} {{- end }} diff --git a/bitnami/milvus/templates/query-coordinator/networkpolicy.yaml b/bitnami/milvus/templates/query-coordinator/networkpolicy.yaml index ee49bfecf8..a6e63824b2 100644 --- a/bitnami/milvus/templates/query-coordinator/networkpolicy.yaml +++ b/bitnami/milvus/templates/query-coordinator/networkpolicy.yaml @@ -24,6 +24,10 @@ spec: policyTypes: - Ingress - Egress + {{- if .Values.queryCoord.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} egress: # Allow dns resolution - ports: 
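Review bot: The proxy ingress rule now lists `grpcInternal` next to the client-facing `grpc` port, and with the default `allowExternal: true` no `from:` is rendered, so the internal port is reachable from any source that can reach the pod. If `grpcInternal` is only used by other Milvus components (its name suggests so; not verifiable from this diff), moving it into its own rule guarded by the in-cluster `podSelector` this hunk already builds from `$podLabels` keeps it closed regardless of `allowExternal`, as sketched below. The hunk also folds the metrics port into the client rule while the second hunk removes the unrestricted metrics rule, so with `allowExternal: false` scrapers outside the release need the client label or an `ingressNSMatchLabels` entry; that change is worth a line in the values comment. `$podLabels` is defined outside this hunk.
```yaml
  ingress:
    - ports:
        - port: {{ .Values.proxy.containerPorts.grpc }}
        {{- if .Values.proxy.metrics.enabled }}
        - port: {{ .Values.proxy.containerPorts.metrics }}
        {{- end }}
      {{- if not .Values.proxy.networkPolicy.allowExternal }}
      from:
      # … unchanged: in-cluster podSelector, client-label podSelector, namespaceSelector …
      {{- end }}
    # Internal gRPC port: only other pods of this release, independent of allowExternal
    - ports:
        - port: {{ .Values.proxy.containerPorts.grpcInternal }}
      from:
        - podSelector:
            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
              app.kubernetes.io/part-of: milvus
```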
@@ -33,32 +37,64 @@ spec: protocol: TCP # Allow outbound connections to other cluster pods - ports: - - port: {{ .Values.queryCoord.service.ports.grpc }} - - port: {{ .Values.dataCoord.service.ports.grpc }} - - port: {{ .Values.indexCoord.service.ports.grpc }} - - port: {{ .Values.rootCoord.service.ports.grpc }} - - port: {{ .Values.queryNode.service.ports.grpc }} - - port: {{ .Values.dataNode.service.ports.grpc }} - - port: {{ .Values.indexNode.service.ports.grpc }} - - port: {{ .Values.proxy.service.ports.grpc }} - - port: {{ include "milvus.etcd.port" . }} - - port: {{ include "milvus.s3.port" . }} - - port: {{ include "milvus.kafka.port" . }} + - port: {{ .Values.queryCoord.containerPorts.grpc }} + - port: {{ .Values.dataCoord.containerPorts.grpc }} + - port: {{ .Values.indexCoord.containerPorts.grpc }} + - port: {{ .Values.rootCoord.containerPorts.grpc }} + - port: {{ .Values.queryNode.containerPorts.grpc }} + - port: {{ .Values.dataNode.containerPorts.grpc }} + - port: {{ .Values.indexNode.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpcInternal }} to: - podSelector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + # Allow outbound connections to S3 + - ports: + - port: {{ include "milvus.s3.port" . }} + {{- if .Values.minio.enabled }} + - port: {{ .Values.minio.containerPorts.api }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to etcd + - ports: + - port: {{ include "milvus.etcd.port" . }} + to: + {{- if .Values.etcd.enabled }} + - podSelector: + matchLabels: + app.kubernetes.io/name: etcd + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to kafka + - ports: + - port: {{ include "milvus.kafka.port" . 
}} + to: + {{- if .Values.kafka.enabled }} + - podSelector: + matchLabels: + app.kubernetes.io/name: kafka + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} {{- if .Values.queryCoord.networkPolicy.extraEgress }} {{- include "common.tplvalues.render" ( dict "value" .Values.queryCoord.networkPolicy.extraEgress "context" $ ) | nindent 4 }} {{- end }} + {{- end }} ingress: - ports: - - port: {{ .Values.queryCoord.service.ports.grpc }} + - port: {{ .Values.queryCoord.containerPorts.grpc }} + {{- if .Values.queryCoord.metrics.enabled }} + - port: {{ .Values.queryCoord.containerPorts.metrics }} + {{- end }} {{- if not .Values.queryCoord.networkPolicy.allowExternal }} from: - podSelector: matchLabels: {{ template "common.names.fullname" . }}-client: "true" - {{- end }} {{- if .Values.queryCoord.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: matchLabels: @@ -73,10 +109,7 @@ spec: {{- end }} {{- end }} {{- end }} - {{- if .Values.queryCoord.metrics.enabled }} - - ports: - - port: {{ .Values.queryCoord.service.ports.metrics }} - {{- end }} + {{- end }} {{- if .Values.queryCoord.networkPolicy.extraIngress }} {{- include "common.tplvalues.render" ( dict "value" .Values.queryCoord.networkPolicy.extraIngress "context" $ ) | nindent 4 }} {{- end }} diff --git a/bitnami/milvus/templates/query-node/networkpolicy.yaml b/bitnami/milvus/templates/query-node/networkpolicy.yaml index 1a3cff9e34..550ecca6db 100644 --- a/bitnami/milvus/templates/query-node/networkpolicy.yaml +++ b/bitnami/milvus/templates/query-node/networkpolicy.yaml @@ -24,6 +24,10 @@ spec: policyTypes: - Ingress - Egress + {{- if .Values.queryNode.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} egress: # Allow dns resolution - ports: 
@@ -33,32 +37,67 @@ spec: protocol: TCP # Allow outbound connections to other cluster pods - ports: - - port: {{ .Values.queryCoord.service.ports.grpc }} - - port: {{ .Values.dataCoord.service.ports.grpc }} - - port: {{ .Values.indexCoord.service.ports.grpc }} - - port: {{ .Values.rootCoord.service.ports.grpc }} - - port: {{ .Values.queryNode.service.ports.grpc }} - - port: {{ .Values.dataNode.service.ports.grpc }} - - port: {{ .Values.indexNode.service.ports.grpc }} - - port: {{ .Values.proxy.service.ports.grpc }} - - port: {{ include "milvus.etcd.port" . }} - - port: {{ include "milvus.s3.port" . }} - - port: {{ include "milvus.kafka.port" . }} + - port: {{ .Values.queryCoord.containerPorts.grpc }} + - port: {{ .Values.dataCoord.containerPorts.grpc }} + - port: {{ .Values.indexCoord.containerPorts.grpc }} + - port: {{ .Values.rootCoord.containerPorts.grpc }} + - port: {{ .Values.queryNode.containerPorts.grpc }} + - port: {{ .Values.dataNode.containerPorts.grpc }} + - port: {{ .Values.indexNode.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpcInternal }} to: - podSelector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + # Allow outbound connections to S3 + - ports: + - port: {{ include "milvus.s3.port" . }} + {{- if .Values.minio.enabled }} + - port: {{ .Values.minio.containerPorts.api }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to etcd + - ports: + - port: {{ include "milvus.etcd.port" . }} + to: + {{- if .Values.etcd.enabled }} + - podSelector: + matchLabels: + app.kubernetes.io/name: etcd + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to kafka + - ports: + - port: {{ include "milvus.kafka.port" . 
}} + to: + {{- if .Values.kafka.enabled }} + - podSelector: + matchLabels: + app.kubernetes.io/name: kafka + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} {{- if .Values.queryNode.networkPolicy.extraEgress }} {{- include "common.tplvalues.render" ( dict "value" .Values.queryNode.networkPolicy.extraEgress "context" $ ) | nindent 4 }} {{- end }} + {{- end }} ingress: - ports: - - port: {{ .Values.queryNode.service.ports.grpc }} + - port: {{ .Values.queryNode.containerPorts.grpc }} + {{- if .Values.queryNode.metrics.enabled }} + - port: {{ .Values.queryNode.containerPorts.metrics }} + {{- end }} {{- if not .Values.queryNode.networkPolicy.allowExternal }} from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/part-of: milvus - podSelector: matchLabels: {{ template "common.names.fullname" . }}-client: "true" - {{- end }} {{- if .Values.queryNode.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: matchLabels: @@ -73,10 +112,7 @@ spec: {{- end }} {{- end }} {{- end }} - {{- if .Values.queryNode.metrics.enabled }} - - ports: - - port: {{ .Values.queryNode.service.ports.metrics }} - {{- end }} + {{- end }} {{- if .Values.queryNode.networkPolicy.extraIngress }} {{- include "common.tplvalues.render" ( dict "value" .Values.queryNode.networkPolicy.extraIngress "context" $ ) | nindent 4 }} {{- end }} diff --git a/bitnami/milvus/templates/root-coordinator/networkpolicy.yaml b/bitnami/milvus/templates/root-coordinator/networkpolicy.yaml index 67582ca506..4072a10217 100644 --- a/bitnami/milvus/templates/root-coordinator/networkpolicy.yaml +++ b/bitnami/milvus/templates/root-coordinator/networkpolicy.yaml @@ -24,6 +24,10 @@ spec: policyTypes: - Ingress - Egress + {{- if .Values.rootCoord.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} egress: # Allow dns resolution - ports: 
@@ -33,32 +37,64 @@ spec: protocol: TCP # Allow outbound connections to other cluster pods - ports: - - port: {{ .Values.queryCoord.service.ports.grpc }} - - port: {{ .Values.dataCoord.service.ports.grpc }} - - port: {{ .Values.indexCoord.service.ports.grpc }} - - port: {{ .Values.rootCoord.service.ports.grpc }} - - port: {{ .Values.queryNode.service.ports.grpc }} - - port: {{ .Values.dataNode.service.ports.grpc }} - - port: {{ .Values.indexNode.service.ports.grpc }} - - port: {{ .Values.proxy.service.ports.grpc }} - - port: {{ include "milvus.etcd.port" . }} - - port: {{ include "milvus.s3.port" . }} - - port: {{ include "milvus.kafka.port" . }} + - port: {{ .Values.queryCoord.containerPorts.grpc }} + - port: {{ .Values.dataCoord.containerPorts.grpc }} + - port: {{ .Values.indexCoord.containerPorts.grpc }} + - port: {{ .Values.rootCoord.containerPorts.grpc }} + - port: {{ .Values.queryNode.containerPorts.grpc }} + - port: {{ .Values.dataNode.containerPorts.grpc }} + - port: {{ .Values.indexNode.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpc }} + - port: {{ .Values.proxy.containerPorts.grpcInternal }} to: - podSelector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + # Allow outbound connections to S3 + - ports: + - port: {{ include "milvus.s3.port" . }} + {{- if .Values.minio.enabled }} + - port: {{ .Values.minio.containerPorts.api }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to etcd + - ports: + - port: {{ include "milvus.etcd.port" . }} + to: + {{- if .Values.etcd.enabled }} + - podSelector: + matchLabels: + app.kubernetes.io/name: etcd + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to kafka + - ports: + - port: {{ include "milvus.kafka.port" . 
}} + to: + {{- if .Values.kafka.enabled }} + - podSelector: + matchLabels: + app.kubernetes.io/name: kafka + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} {{- if .Values.rootCoord.networkPolicy.extraEgress }} {{- include "common.tplvalues.render" ( dict "value" .Values.rootCoord.networkPolicy.extraEgress "context" $ ) | nindent 4 }} {{- end }} + {{- end }} ingress: - ports: - - port: {{ .Values.rootCoord.service.ports.grpc }} + - port: {{ .Values.rootCoord.containerPorts.grpc }} + {{- if .Values.rootCoord.metrics.enabled }} + - port: {{ .Values.rootCoord.containerPorts.metrics }} + {{- end }} {{- if not .Values.rootCoord.networkPolicy.allowExternal }} from: - podSelector: matchLabels: {{ template "common.names.fullname" . }}-client: "true" - {{- end }} {{- if .Values.rootCoord.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: matchLabels: @@ -73,10 +109,7 @@ spec: {{- end }} {{- end }} {{- end }} - {{- if .Values.rootCoord.metrics.enabled }} - - ports: - - port: {{ .Values.rootCoord.service.ports.metrics }} - {{- end }} + {{- end }} {{- if .Values.rootCoord.networkPolicy.extraIngress }} {{- include "common.tplvalues.render" ( dict "value" .Values.rootCoord.networkPolicy.extraIngress "context" $ ) | nindent 4 }} {{- end }} diff --git a/bitnami/milvus/values.yaml b/bitnami/milvus/values.yaml index 6c547b3818..f6f6cba844 100644 --- a/bitnami/milvus/values.yaml +++ b/bitnami/milvus/values.yaml 
@@ -401,6 +401,55 @@ initJob: ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## podAnnotations: {} + ## Network Policy configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param initJob.networkPolicy.enabled Enable creation of NetworkPolicy resources + ## + enabled: true + ## @param initJob.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param initJob.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraIngress: [] + ## @param initJob.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param initJob.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param initJob.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Data Coordinator Deployment Parameters ## 
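Review bot: The `@param initJob.networkPolicy.extraEgress` description reads `Add extra ingress rules to the NetworkPolicy`; it should be `Add extra egress rules to the NetworkPolicy` (the README row generated from it in this commit carries the same text). The `e.g:` examples under both parameters show `podSelector:` followed by list items `- matchLabels:` / `- matchExpressions:`, which is not a valid LabelSelector shape; `podSelector:` with an indented `matchLabels:` mapping is what the API accepts, and users tend to paste these examples verbatim. `ingressNSMatchLabels` and `ingressNSPodMatchLabels` are declared here but the new init-job NetworkPolicy template in this commit does not reference them, so either the template should honour them or the two keys should be removed.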
@@ -803,12 +852,15 @@ dataCoord: networkPolicy: ## @param dataCoord.networkPolicy.enabled Enable creation of NetworkPolicy resources ## - enabled: false + enabled: true ## @param dataCoord.networkPolicy.allowExternal The Policy model to apply ## When set to false, only pods with the correct client label will have network access to the ports Keycloak is ## listening on. When true, Keycloak will accept connections from any source (with the correct destination port). ## allowExternal: true + ## @param dataCoord.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true ## @param dataCoord.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy ## e.g: ## extraIngress: @@ -949,7 +1001,7 @@ rootCoord: ## @param rootCoord.containerPorts.grpc GRPC port for Root Coordinator ## @param rootCoord.containerPorts.metrics Metrics port for Root Coordinator containerPorts: - grpc: 19530 + grpc: 19530 metrics: 9091 ## Configure extra options for Root Coordinator containers' liveness, readiness and startup probes ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes 
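Review bot: Flipping `enabled` to `true` while `allowExternal` and the new `allowExternalEgress` both default to `true` yields a policy whose egress is `- {}` and whose ingress has no `from:`, so by default it only narrows inbound traffic to the declared container ports; that is a defensible compatibility default, but the `allowExternalEgress` comment should state that the DNS/etcd/S3/Kafka egress rules are rendered only when it is `false`, e.g. `## When true, egress is unrestricted; set to false to limit egress to DNS and the Milvus, etcd, S3 and Kafka ports.` The `allowExternal` description in this hunk and in the rootCoord, queryCoord, indexCoord, dataNode, queryNode, indexNode, proxy and attu hunks below still says "ports Keycloak is listening on" — a copy-paste remnant that should name the Milvus component.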
@@ -1302,12 +1354,15 @@ rootCoord: networkPolicy: ## @param rootCoord.networkPolicy.enabled Enable creation of NetworkPolicy resources ## - enabled: false + enabled: true ## @param rootCoord.networkPolicy.allowExternal The Policy model to apply ## When set to false, only pods with the correct client label will have network access to the ports Keycloak is ## listening on. When true, Keycloak will accept connections from any source (with the correct destination port). ## allowExternal: true + ## @param rootCoord.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true ## @param rootCoord.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy ## e.g: ## extraIngress: @@ -1800,12 +1855,15 @@ queryCoord: networkPolicy: ## @param queryCoord.networkPolicy.enabled Enable creation of NetworkPolicy resources ## - enabled: false + enabled: true ## @param queryCoord.networkPolicy.allowExternal The Policy model to apply ## When set to false, only pods with the correct client label will have network access to the ports Keycloak is ## listening on. When true, Keycloak will accept connections from any source (with the correct destination port). ## allowExternal: true + ## @param queryCoord.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true ## @param queryCoord.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy ## e.g: ## extraIngress: 
@@ -2299,12 +2357,15 @@ indexCoord: networkPolicy: ## @param indexCoord.networkPolicy.enabled Enable creation of NetworkPolicy resources ## - enabled: false + enabled: true ## @param indexCoord.networkPolicy.allowExternal The Policy model to apply ## When set to false, only pods with the correct client label will have network access to the ports Keycloak is ## listening on. When true, Keycloak will accept connections from any source (with the correct destination port). ## allowExternal: true + ## @param indexCoord.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true ## @param indexCoord.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy ## e.g: ## extraIngress: @@ -2798,12 +2859,15 @@ dataNode: networkPolicy: ## @param dataNode.networkPolicy.enabled Enable creation of NetworkPolicy resources ## - enabled: false + enabled: true ## @param dataNode.networkPolicy.allowExternal The Policy model to apply ## When set to false, only pods with the correct client label will have network access to the ports Keycloak is ## listening on. When true, Keycloak will accept connections from any source (with the correct destination port). ## allowExternal: true + ## @param dataNode.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true ## @param dataNode.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy ## e.g: ## extraIngress: 
@@ -3297,12 +3361,15 @@ queryNode: networkPolicy: ## @param queryNode.networkPolicy.enabled Enable creation of NetworkPolicy resources ## - enabled: false + enabled: true ## @param queryNode.networkPolicy.allowExternal The Policy model to apply ## When set to false, only pods with the correct client label will have network access to the ports Keycloak is ## listening on. When true, Keycloak will accept connections from any source (with the correct destination port). ## allowExternal: true + ## @param queryNode.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true ## @param queryNode.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy ## e.g: ## extraIngress: @@ -3796,12 +3863,15 @@ indexNode: networkPolicy: ## @param indexNode.networkPolicy.enabled Enable creation of NetworkPolicy resources ## - enabled: false + enabled: true ## @param indexNode.networkPolicy.allowExternal The Policy model to apply ## When set to false, only pods with the correct client label will have network access to the ports Keycloak is ## listening on. When true, Keycloak will accept connections from any source (with the correct destination port). ## allowExternal: true + ## @param indexNode.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true ## @param indexNode.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy ## e.g: ## extraIngress: 
@@ -4324,12 +4394,15 @@ proxy: networkPolicy: ## @param proxy.networkPolicy.enabled Enable creation of NetworkPolicy resources ## - enabled: false + enabled: true ## @param proxy.networkPolicy.allowExternal The Policy model to apply ## When set to false, only pods with the correct client label will have network access to the ports Keycloak is ## listening on. When true, Keycloak will accept connections from any source (with the correct destination port). ## allowExternal: true + ## @param proxy.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true ## @param proxy.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy ## e.g: ## extraIngress: @@ -4935,12 +5008,15 @@ attu: networkPolicy: ## @param attu.networkPolicy.enabled Enable creation of NetworkPolicy resources ## - enabled: false + enabled: true ## @param attu.networkPolicy.allowExternal The Policy model to apply ## When set to false, only pods with the correct client label will have network access to the ports Keycloak is ## listening on. When true, Keycloak will accept connections from any source (with the correct destination port). ## allowExternal: true + ## @param attu.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true ## @param attu.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy ## e.g: ## extraIngress: