From 3cab385f32423046f0470af1627d8040a07e7a8c Mon Sep 17 00:00:00 2001 From: F1ko Date: Sat, 19 Nov 2022 02:56:15 +0100 Subject: [PATCH] fix: remove 0.0.0.0/0 ipblock from network policies (#11321) (#11322) * fix: remove 0.0.0.0/0 ipblock from network policies https://github.com/argoproj/argo-cd/issues/11321 Signed-off-by: Filip Nikolic * chore: add postfinance to the list of users Signed-off-by: Filip Nikolic Signed-off-by: Filip Nikolic --- USERS.md | 1 + .../redis/argocd-redis-network-policy.yaml | 41 ++++++------- manifests/core-install.yaml | 3 - .../argocd-redis-ha-proxy-network-policy.yaml | 61 +++++++++---------- ...argocd-redis-ha-server-network-policy.yaml | 55 ++++++++--------- manifests/ha/install.yaml | 6 -- manifests/ha/namespace-install.yaml | 6 -- manifests/install.yaml | 3 - manifests/namespace-install.yaml | 3 - 9 files changed, 74 insertions(+), 105 deletions(-) diff --git a/USERS.md b/USERS.md index b2f06b540e9cd..8b523e82c35ce 100644 --- a/USERS.md +++ b/USERS.md @@ -169,6 +169,7 @@ Currently, the following organizations are **officially** using Argo CD: 1. [Pipefy](https://www.pipefy.com/) 1. [Pismo](https://pismo.io/) 1. [Polarpoint.io](https://polarpoint.io) +1. [PostFinance](https://github.com/postfinance) 1. [Preferred Networks](https://preferred.jp/en/) 1. [Productboard](https://www.productboard.com/) 1. [Prudential](https://prudential.com.sg) diff --git a/manifests/base/redis/argocd-redis-network-policy.yaml b/manifests/base/redis/argocd-redis-network-policy.yaml index a0f29d973a247..837b3e0424502 100644 --- a/manifests/base/redis/argocd-redis-network-policy.yaml +++ b/manifests/base/redis/argocd-redis-network-policy.yaml 
@@ -10,27 +10,22 @@ spec: - Ingress - Egress ingress: - - from: - - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-server - - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-repo-server - - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-application-controller - ports: - - protocol: TCP - port: 6379 + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: argocd-server + - podSelector: + matchLabels: + app.kubernetes.io/name: argocd-repo-server + - podSelector: + matchLabels: + app.kubernetes.io/name: argocd-application-controller + ports: + - protocol: TCP + port: 6379 egress: - - to: - - ipBlock: - cidr: 0.0.0.0/0 - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - - + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP diff --git a/manifests/core-install.yaml b/manifests/core-install.yaml index 15a9666f307d4..d5f9183dcdbd1 100644 --- a/manifests/core-install.yaml +++ b/manifests/core-install.yaml @@ -10544,9 +10544,6 @@ spec: protocol: UDP - port: 53 protocol: TCP - to: - - ipBlock: - cidr: 0.0.0.0/0 ingress: - from: - podSelector: diff --git a/manifests/ha/base/redis-ha/argocd-redis-ha-proxy-network-policy.yaml b/manifests/ha/base/redis-ha/argocd-redis-ha-proxy-network-policy.yaml index bf21d91f3060a..7732c0debdae4 100644 --- a/manifests/ha/base/redis-ha/argocd-redis-ha-proxy-network-policy.yaml +++ b/manifests/ha/base/redis-ha/argocd-redis-ha-proxy-network-policy.yaml 
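Review bot: Dropping `to:` from the port-53 egress entry (the `+ - ports:` block at the end of this hunk) leaves that rule with no destination peer at all, so the redis pod may send DNS traffic to any address, in-cluster or external; the previous `ipBlock: 0.0.0.0/0` already permitted that, but the rewrite could have tightened it instead of only removing it. The linked issue suggests the motivation is CNIs that do not match cluster-internal resolvers against an `ipBlock`; if so, selecting the cluster DNS pods by namespace and pod labels keeps resolution working on those CNIs while closing an unrestricted port-53 path that this policy would otherwise leave open to DNS-based exfiltration. The label values below are the ones used by kubeadm/CoreDNS deployments (and `kubernetes.io/metadata.name` is only present on Kubernetes versions that set it automatically), so they may need adjusting for clusters whose resolver lives elsewhere; if that portability cost is why the rule is left open, a comment such as `# DNS egress intentionally unscoped: resolver location varies per cluster` above the entry would record the decision. The same unscoped rule is introduced in the argocd-redis-ha-proxy and argocd-redis-ha-server policies in the next two hunks, and the generated install manifests in this patch would need regenerating after any change here.
```yaml
  egress:
    # … unchanged: pod-selector egress rules, where the policy has any …
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```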
@@ -10,36 +10,33 @@ spec: - Ingress - Egress ingress: - - from: - - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-server - - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-repo-server - - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-application-controller - ports: - - port: 6379 - protocol: TCP - - port: 26379 - protocol: TCP + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: argocd-server + - podSelector: + matchLabels: + app.kubernetes.io/name: argocd-repo-server + - podSelector: + matchLabels: + app.kubernetes.io/name: argocd-application-controller + ports: + - port: 6379 + protocol: TCP + - port: 26379 + protocol: TCP egress: - - to: - - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-redis-ha - ports: - - port: 6379 - protocol: TCP - - port: 26379 - protocol: TCP - - to: - - ipBlock: - cidr: 0.0.0.0/0 - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP + - to: + - podSelector: + matchLabels: + app.kubernetes.io/name: argocd-redis-ha + ports: + - port: 6379 + protocol: TCP + - port: 26379 + protocol: TCP + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP diff --git a/manifests/ha/base/redis-ha/argocd-redis-ha-server-network-policy.yaml b/manifests/ha/base/redis-ha/argocd-redis-ha-server-network-policy.yaml index 04c5ddd94f6d0..0fc9379802a90 100644 --- a/manifests/ha/base/redis-ha/argocd-redis-ha-server-network-policy.yaml +++ b/manifests/ha/base/redis-ha/argocd-redis-ha-server-network-policy.yaml 
@@ -10,33 +10,30 @@ spec: - Ingress - Egress ingress: - - from: - - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-redis-ha-haproxy - - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-redis-ha - ports: - - port: 6379 - protocol: TCP - - port: 26379 - protocol: TCP + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: argocd-redis-ha-haproxy + - podSelector: + matchLabels: + app.kubernetes.io/name: argocd-redis-ha + ports: + - port: 6379 + protocol: TCP + - port: 26379 + protocol: TCP egress: - - to: - - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-redis-ha - ports: - - port: 6379 - protocol: TCP - - port: 26379 - protocol: TCP - - to: - - ipBlock: - cidr: 0.0.0.0/0 - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP \ No newline at end of file + - to: + - podSelector: + matchLabels: + app.kubernetes.io/name: argocd-redis-ha + ports: + - port: 6379 + protocol: TCP + - port: 26379 + protocol: TCP + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP diff --git a/manifests/ha/install.yaml b/manifests/ha/install.yaml index ed635ee5c74d1..441bd240b9bbb 100644 --- a/manifests/ha/install.yaml +++ b/manifests/ha/install.yaml @@ -12546,9 +12546,6 @@ spec: protocol: UDP - port: 53 protocol: TCP - to: - - ipBlock: - cidr: 0.0.0.0/0 ingress: - from: - podSelector: @@ -12592,9 +12589,6 @@ spec: protocol: UDP - port: 53 protocol: TCP - to: - - ipBlock: - cidr: 0.0.0.0/0 ingress: - from: - podSelector: diff --git a/manifests/ha/namespace-install.yaml b/manifests/ha/namespace-install.yaml index 9174dd36fdcdd..43b7c31b1ebf4 100644 --- a/manifests/ha/namespace-install.yaml +++ b/manifests/ha/namespace-install.yaml @@ -2968,9 +2968,6 @@ spec: protocol: UDP - port: 53 protocol: TCP - to: - - ipBlock: - cidr: 0.0.0.0/0 ingress: - from: - podSelector: @@ -3014,9 +3011,6 @@ spec: protocol: UDP - port: 53 protocol: TCP - to: - - ipBlock: - cidr: 0.0.0.0/0 ingress: - from: - podSelector: 
diff --git a/manifests/install.yaml b/manifests/install.yaml index 5f0d1be65348e..ad5db1a9dc18b 100644 --- a/manifests/install.yaml +++ b/manifests/install.yaml @@ -11361,9 +11361,6 @@ spec: protocol: UDP - port: 53 protocol: TCP - to: - - ipBlock: - cidr: 0.0.0.0/0 ingress: - from: - podSelector: diff --git a/manifests/namespace-install.yaml b/manifests/namespace-install.yaml index 10ff420a1b4d5..6c86d37005411 100644 --- a/manifests/namespace-install.yaml +++ b/manifests/namespace-install.yaml @@ -1783,9 +1783,6 @@ spec: protocol: UDP - port: 53 protocol: TCP - to: - - ipBlock: - cidr: 0.0.0.0/0 ingress: - from: - podSelector: