diff --git a/bitnami/kiam/Chart.yaml b/bitnami/kiam/Chart.yaml
index fa0863f499..65236d05cb 100644
--- a/bitnami/kiam/Chart.yaml
+++ b/bitnami/kiam/Chart.yaml
@@ -28,4 +28,4 @@ maintainers:
 name: kiam
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/kiam
-version: 1.7.5
+version: 1.8.0
diff --git a/bitnami/kiam/README.md b/bitnami/kiam/README.md
index ccee37a48a..b2818fcb28 100644
--- a/bitnami/kiam/README.md
+++ b/bitnami/kiam/README.md
@@ -176,19 +176,27 @@ The command removes all the Kubernetes components associated with the chart and ### kiam server exposure parameters -| Name | Description | Value | -| ----------------------------------------- | ---------------------------------------------------------------------------- | ----------- | -| `server.service.type` | Kubernetes service type | `ClusterIP` | -| `server.service.port` | Service grpc-lb port | `8443` | -| `server.service.nodePorts` | Specify the nodePort values for the LoadBalancer and NodePort service types. | `{}` | -| `server.service.clusterIP` | kiam service clusterIP IP | `None` | -| `server.service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `""` | -| `server.service.loadBalancerSourceRanges` | Address that are allowed when service is LoadBalancer | `[]` | -| `server.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `server.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | -| `server.service.annotations` | Annotations for kiam service | `{}` | -| `server.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `server.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| Name | Description | Value | +| ---------------------------------------------- | -------------------------------------------------------------------------------------------------- | ----------- | +| `server.service.type` | Kubernetes service type | `ClusterIP` | +| `server.service.port` | Service grpc-lb port | `8443` | +| `server.service.nodePorts` | Specify the nodePort values for the LoadBalancer and NodePort service types. 
| `{}` | +| `server.service.clusterIP` | kiam service clusterIP IP | `None` | +| `server.service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `""` | +| `server.service.loadBalancerSourceRanges` | Address that are allowed when service is LoadBalancer | `[]` | +| `server.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `server.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `server.service.annotations` | Annotations for kiam service | `{}` | +| `server.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `server.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `server.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `server.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `server.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `server.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` | +| `server.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `server.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `server.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `server.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### kiam server Service Account parameters 
@@ -307,18 +315,25 @@ The command removes all the Kubernetes components associated with the chart and ### kiam agent exposure parameters -| Name | Description | Value | -| ---------------------------------------- | ---------------------------------------------------------------------------- | ----------- | -| `agent.service.type` | Kubernetes service type | `ClusterIP` | -| `agent.service.nodePorts` | Specify the nodePort values for the LoadBalancer and NodePort service types. | `{}` | -| `agent.service.clusterIP` | kiam service clusterIP IP | `""` | -| `agent.service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `""` | -| `agent.service.loadBalancerSourceRanges` | Address that are allowed when service is LoadBalancer | `[]` | -| `agent.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | -| `agent.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `agent.service.annotations` | Annotations for kiam service | `{}` | -| `agent.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `agent.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| Name | Description | Value | +| --------------------------------------------- | ---------------------------------------------------------------------------- | ----------- | +| `agent.service.type` | Kubernetes service type | `ClusterIP` | +| `agent.service.nodePorts` | Specify the nodePort values for the LoadBalancer and NodePort service types. 
| `{}` | +| `agent.service.clusterIP` | kiam service clusterIP IP | `""` | +| `agent.service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `""` | +| `agent.service.loadBalancerSourceRanges` | Address that are allowed when service is LoadBalancer | `[]` | +| `agent.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `agent.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `agent.service.annotations` | Annotations for kiam service | `{}` | +| `agent.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `agent.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `agent.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `agent.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `agent.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `agent.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `agent.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `agent.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `agent.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### kiam agent Service Account parameters diff --git a/bitnami/kiam/templates/agent/agent-networkpolicy.yaml b/bitnami/kiam/templates/agent/agent-networkpolicy.yaml new file mode 100644 index 0000000000..4eef17aab4 --- /dev/null +++ b/bitnami/kiam/templates/agent/agent-networkpolicy.yaml 
@@ -0,0 +1,83 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.agent.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }}-agent + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: agent + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.agent.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: agent + policyTypes: + - Ingress + - Egress + {{- if .Values.agent.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + - ports: + # Allow dns resolution + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow port 80 forAWS metadata API + - port: 80 + # Allow access to kube-apiserver + {{- range $port := .Values.agent.networkPolicy.kubeAPIServerPorts }} + - port: {{ $port }} + {{- end }} + # Allow outbound connections to server + - ports: + - port: {{ .Values.server.containerPort }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: server + {{- if .Values.agent.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.agent.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + {{- if .Values.agent.metrics.enabled }} + - ports: + - port: 
{{ .Values.agent.metrics.port }} + {{- if not .Values.agent.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.agent.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.agent.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.agent.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.agent.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.agent.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.agent.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitnami/kiam/templates/server/server-networkpolicy.yaml b/bitnami/kiam/templates/server/server-networkpolicy.yaml new file mode 100644 index 0000000000..78c4a61071 --- /dev/null +++ b/bitnami/kiam/templates/server/server-networkpolicy.yaml 
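Review bot: The agent policy's `ingress:` section in this hunk opens only the metrics port, so with `enabled: true` as the default and `agent.metrics.enabled` false the rendered `ingress:` is empty and, because `policyTypes` lists `Ingress`, every connection to the agent pods is denied — including workloads that reach the agent's metadata-proxy port over the pod network. If the agent runs with hostNetwork (common for kiam agents, but not visible here) most CNIs will not enforce this policy at all; either way the template should either add an ingress rule for the agent's listening port or carry a comment such as `# NOTE: most CNIs do not enforce NetworkPolicy on hostNetwork pods; the agent proxy port is intentionally not opened here` — confirm which applies. The egress block also ranges over `.Values.agent.networkPolicy.kubeAPIServerPorts`, a value that neither the agent values hunk nor the README in this commit defines, so it silently renders nothing; either add the value or drop the loop. Finally, `- port: 80` with no `to:` allows HTTP to any destination rather than only the metadata API named in the comment; a `to:` with an `ipBlock` for the instance-metadata address would match the stated intent.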
@@ -0,0 +1,77 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.server.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }}-server + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: server + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.server.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: server + policyTypes: + - Ingress + - Egress + {{- if .Values.server.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow port 80 forAWS metadata API + - port: 80 + # Allow access to kube-apiserver + {{- range $port := .Values.server.networkPolicy.kubeAPIServerPorts }} + - port: {{ $port }} + {{- end }} + {{- if .Values.server.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.server.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.server.containerPort }} + {{- if .Values.server.metrics.enabled }} + - port: {{ .Values.server.metrics.port }} + {{- end }} + {{- if not .Values.server.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "common.names.fullname" . 
}}-client: "true" + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.server.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.server.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.server.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.server.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.server.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.server.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitnami/kiam/values.yaml b/bitnami/kiam/values.yaml index 4a4f80aa45..e78ab3c635 100644 --- a/bitnami/kiam/values.yaml +++ b/bitnami/kiam/values.yaml 
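Review bot: With `allowExternalEgress: false`, the server egress in this hunk has no rule for outbound HTTPS to AWS STS, which the server needs to call AssumeRole; it only works today because the default `kubeAPIServerPorts: [443, 6443, 8443]` happens to include 443, so a user who narrows that list to their real API-server port — exactly what the value's description recommends — breaks credential issuance. Add an explicit entry next to the metadata-API rule, `# Allow HTTPS to AWS STS (AssumeRole)` followed by `- port: 443`, so the two concerns are not coupled. Note also that every entry under that `- ports:` item (53, 80, the API-server ports) carries no `to:` selector, so it allows those ports to any destination rather than "endpoints to kube-apiserver" as the value is documented; if the intent is to limit destinations, a `to:` with `ipBlock` entries for the API server and the metadata address would be the real tightening. The same port-only shape is used in the agent template.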
@@ -436,6 +436,65 @@ server: ## sessionAffinityConfig: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param server.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param server.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param server.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param server.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param server.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param server.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param server.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param server.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces 
+ ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## @section kiam server Service Account parameters ## Kiam server Service Account 
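Review bot: Several value descriptions in this hunk do not match what the templates do, and the same text is duplicated in the agent hunk that follows and in the README tables. `server.networkPolicy.kubeAPIServerPorts` is described as a "List of possible endpoints to kube-apiserver", but the server template only renders `- port: {{ $port }}` with no `to:` selector, so the list is a set of ports opened to all destinations; the comment should say so, e.g. `## @param server.networkPolicy.kubeAPIServerPorts [array] Ports (to any destination) that may be used to reach kube-apiserver; keep 443 here or the server loses outbound HTTPS to AWS STS`. `extraEgress` is documented as "Add extra ingress rules", `extraIngress` says "NetworkPolice", the `allowExternal` prose under the agent block still talks about the "server label", and the agent block defines no `kubeAPIServerPorts` even though the agent template ranges over it. The `extraIngress`/`extraEgress` examples are also not valid NetworkPolicy YAML: `podSelector` takes a `matchLabels:` map, not a list, so `- matchLabels:` / `- role: frontend` would fail validation if copied.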
@@ -868,6 +927,61 @@ agent: ## timeoutSeconds: 300 ## sessionAffinityConfig: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param agent.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param agent.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param agent.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param agent.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param agent.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param agent.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param agent.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section kiam agent Service Account parameters