From d155cbb60b2e52eb421adc89f405b3433ee74c3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?= Date: Tue, 13 Feb 2024 17:59:01 +0100 Subject: [PATCH] [bitnami/jenkins] feat: :lock: Enable networkPolicy (#23192) Signed-off-by: Javier Salmeron Garcia --- bitnami/jenkins/Chart.yaml | 2 +- bitnami/jenkins/README.md | 8 ++ bitnami/jenkins/templates/networkpolicy.yaml | 82 ++++++++++++++++++++ bitnami/jenkins/values.yaml | 59 ++++++++++++++ 4 files changed, 150 insertions(+), 1 deletion(-) create mode 100644 bitnami/jenkins/templates/networkpolicy.yaml diff --git a/bitnami/jenkins/Chart.yaml b/bitnami/jenkins/Chart.yaml index 4c76383c79..4889c026d9 100644 --- a/bitnami/jenkins/Chart.yaml +++ b/bitnami/jenkins/Chart.yaml @@ -35,4 +35,4 @@ maintainers: name: jenkins sources: - https://github.com/bitnami/charts/tree/main/bitnami/jenkins -version: 12.6.7 +version: 12.7.0 diff --git a/bitnami/jenkins/README.md b/bitnami/jenkins/README.md index 5569173192..4854e09d4c 100644 --- a/bitnami/jenkins/README.md +++ b/bitnami/jenkins/README.md @@ -271,6 +271,14 @@ The command removes all the Kubernetes components associated with the chart and | `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | | `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | | `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | | `agentListenerService.enabled` | | `true` | | `agentListenerService.type` | Jenkins service type | `ClusterIP` | | `agentListenerService.ports.agentListener` | Jenkins service agent listener port | `50000` | diff --git a/bitnami/jenkins/templates/networkpolicy.yaml b/bitnami/jenkins/templates/networkpolicy.yaml new file mode 100644 index 0000000000..accb63dbad --- /dev/null +++ b/bitnami/jenkins/templates/networkpolicy.yaml @@ -0,0 +1,82 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: jenkins-controller + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: jenkins-controller + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + - ports: + # Allow dns resolution + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow http and https for plugin download + - port: 80 + - port: 443 + {{- range $port := .Values.networkPolicy.kubeAPIServerPorts }} + - port: {{ $port }} + {{- end }} + - ports: + # Allow traffic to Kubernetes agents + - port: {{ .Values.agentListenerService.ports.agentListener }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: jenkins-agent + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.http }} + - port: {{ .Values.containerPorts.https }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitnami/jenkins/values.yaml b/bitnami/jenkins/values.yaml index 7b059c8837..a7f39fd2ec 100644 --- a/bitnami/jenkins/values.yaml +++ b/bitnami/jenkins/values.yaml @@ -713,6 +713,65 @@ service: ## sessionAffinityConfig: {} +## Network Policies +## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## Jenkins agent listener service parameters ## NOTE: ignored if agent.enabled=false ##