From f60cd38551c2bcb7fc94b426bc13bdaefb015c5e Mon Sep 17 00:00:00 2001
From: Davide Madrisan
Date: Fri, 10 Dec 2021 11:30:55 +0100
Subject: [PATCH] [bitnami/postgresql-ha] Add network egress policy rules (#8358)

---
 bitnami/postgresql-ha/Chart.yaml | 2 +-
 bitnami/postgresql-ha/README.md | 30 +++++++++--------
 .../templates/networkpolicy-egress.yaml | 32 +++++++++++++++++++
 ...policy.yaml => networkpolicy-ingress.yaml} | 4 ++-
 bitnami/postgresql-ha/values.yaml | 14 ++++++++
 5 files changed, 66 insertions(+), 16 deletions(-)
 create mode 100644 bitnami/postgresql-ha/templates/networkpolicy-egress.yaml
 rename bitnami/postgresql-ha/templates/{networkpolicy.yaml => networkpolicy-ingress.yaml} (92%)

diff --git a/bitnami/postgresql-ha/Chart.yaml b/bitnami/postgresql-ha/Chart.yaml
index a22245777a..00ec77a3ce 100644
--- a/bitnami/postgresql-ha/Chart.yaml
+++ b/bitnami/postgresql-ha/Chart.yaml
@@ -27,4 +27,4 @@ name: postgresql-ha
 sources:
   - https://github.com/bitnami/bitnami-docker-postgresql
   - https://www.postgresql.org/
-version: 8.0.5
+version: 8.1.0
diff --git a/bitnami/postgresql-ha/README.md b/bitnami/postgresql-ha/README.md
index 2410ae5fe5..2caab13e56 100644
--- a/bitnami/postgresql-ha/README.md
+++ b/bitnami/postgresql-ha/README.md
@@ -404,20 +404,22 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua ### Traffic Exposure parameters -| Name | Description | Value | -| ---------------------------------- | ------------------------------------------------------------------- | ----------- | -| `service.type` | Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) | `ClusterIP` | -| `service.port` | PostgreSQL port | `5432` | -| `service.nodePort` | Kubernetes service nodePort | `""` | -| `service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` | -| `service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` | -| `service.clusterIP` | Set the Cluster IP to use | `""` | -| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | -| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `service.annotations` | Provide any additional annotations for PostgreSQL service | `{}` | -| `service.serviceLabels` | Labels for PostgreSQL service | `{}` | -| `networkPolicy.enabled` | Enable NetworkPolicy | `false` | -| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| Name | Description | Value | +| ----------------------------------------------------- | --------------------------------------------------------------------------------------------- | ----------- | +| `service.type` | Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) | `ClusterIP` | +| `service.port` | PostgreSQL port | `5432` | +| `service.nodePort` | Kubernetes service nodePort | `""` | +| `service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` | +| `service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` | +| `service.clusterIP` | Set the Cluster IP to use | `""` | +| `service.externalTrafficPolicy` | Enable client source IP 
preservation | `Cluster` | +| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `service.annotations` | Provide any additional annotations for PostgreSQL service | `{}` | +| `service.serviceLabels` | Labels for PostgreSQL service | `{}` | +| `networkPolicy.enabled` | Enable NetworkPolicy | `false` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53) | `false` | +| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, diff --git a/bitnami/postgresql-ha/templates/networkpolicy-egress.yaml b/bitnami/postgresql-ha/templates/networkpolicy-egress.yaml new file mode 100644 index 0000000000..95c19810a2 --- /dev/null +++ b/bitnami/postgresql-ha/templates/networkpolicy-egress.yaml 
@@ -0,0 +1,32 @@
+{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }}
+kind: NetworkPolicy
+apiVersion: {{ template "postgresql-ha.networkPolicy.apiVersion" . }}
+metadata:
+  name: {{ printf "%s-egress" (include "common.names.fullname" .) }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+  {{- if .Values.commonLabels }}
+  {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+  {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector:
+    matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }}
+      app.kubernetes.io/component: postgresql
+  policyTypes:
+    - Egress
+  egress:
+    {{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }}
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+    - to:
+        - namespaceSelector: {}
+    {{- end }}
+    {{- if .Values.networkPolicy.egressRules.customRules }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }}
+    {{- end }}
+{{- end }}
diff --git a/bitnami/postgresql-ha/templates/networkpolicy.yaml b/bitnami/postgresql-ha/templates/networkpolicy-ingress.yaml
similarity index 92%
rename from bitnami/postgresql-ha/templates/networkpolicy.yaml
rename to bitnami/postgresql-ha/templates/networkpolicy-ingress.yaml
index 5003ca48ad..57d3f041f2 100644
--- a/bitnami/postgresql-ha/templates/networkpolicy.yaml
+++ b/bitnami/postgresql-ha/templates/networkpolicy-ingress.yaml
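Review bot: The `apiVersion` on the third added line resolves through `template "postgresql-ha.networkPolicy.apiVersion"`, while the renamed ingress template in the next hunk uses `include "common.capabilities.networkPolicy.apiVersion"`; unless that chart-local helper is still defined in `_helpers.tpl`, which this patch does not show, rendering the egress policy fails, and even if it is, the two policies should agree: `apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}`. The rule set under `egress:` also deserves a comment, because its effect is easy to misread: the first rule allows port 53 to any peer, inside or outside the cluster, and `namespaceSelector: {}` allows every port to pods in any namespace but not to non-pod endpoints such as node IPs or a control plane that does not run as pods. When only `customRules` is set, those rules are the whole allow-list, so anything not listed, DNS included, is denied for the postgresql pods. A `{{/* ... */}}` comment above `egress:` stating both points would save operators a debugging session.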
@@ -2,7 +2,7 @@
 kind: NetworkPolicy
 apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
 metadata:
-  name: {{ include "common.names.fullname" . }}
+  name: {{ printf "%s-ingress" (include "common.names.fullname" .) }}
   labels: {{- include "common.labels.standard" . | nindent 4 }}
   {{- if .Values.commonLabels }}
   {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
@@ -14,6 +14,8 @@ spec:
   podSelector:
     matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }}
       app.kubernetes.io/component: postgresql
+  policyTypes:
+    - Ingress
   ingress:
     # Allow inbound connections
     - ports:
diff --git a/bitnami/postgresql-ha/values.yaml b/bitnami/postgresql-ha/values.yaml
index 9b933452f5..769c9288bd 100644
--- a/bitnami/postgresql-ha/values.yaml
+++ b/bitnami/postgresql-ha/values.yaml
@@ -1359,3 +1359,17 @@ networkPolicy:
   ## (with the correct destination port).
   ##
   allowExternal: true
+  ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53)
+  ## @param networkPolicy.egressRules.customRules [object] Custom network policy rule
+  ##
+  egressRules:
+    # Deny connections to external. This is not compatible with an external database.
+    denyConnectionsToExternal: false
+    ## Additional custom egress rules
+    ## e.g:
+    ## customRules:
+    ##   - to:
+    ##     - namespaceSelector:
+    ##         matchLabels:
+    ##           label: example
+    customRules: []
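Review bot: In the values.yaml hunk the `@param networkPolicy.egressRules.customRules [object]` annotation disagrees with the default `customRules: []` at the end of the hunk and with how the egress template consumes the value (rendered into the `egress:` list, so it must be a list of rules); the generated README already shows `{}` for it, and `[array]` would fix that. The `# Deny connections to external.` comment uses a single `#` where the surrounding block uses `##`. The description should also say what the option does — allow DNS on port 53 to any address and every port to pods in any namespace, while non-pod endpoints and the internet are denied — and that `customRules` set on its own becomes the exclusive egress allow-list, DNS included; e.g. `## @param networkPolicy.egressRules.customRules [array] Custom egress rules; without denyConnectionsToExternal they are the only allowed egress (add a DNS rule)`.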