Replace network policy ingress rules with matchLabel

hub.jupyter.org/network-access-*: "true"
jupyterhub · Mar 6, 2018 · e22e4a3 · e22e4a3
1 parent c112942
commit e22e4a3
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 19 deletions.
diff --git a/jupyterhub/templates/hub/configmap.yaml b/jupyterhub/templates/hub/configmap.yaml
@@ -170,11 +170,10 @@ data:
   {{ if .Values.singleuser.cpu.guarantee -}}
   singleuser.cpu.guarantee: {{ .Values.singleuser.cpu.guarantee | quote}}
   {{- end }}
-  {{ if .Values.singleuser.extraLabels -}}
   singleuser.extra-labels: |
-    {{ range $key, $value := .Values.singleuser.extraLabels -}}
+    hub.jupyter.org/network-access-hub: "true"
+  {{ range $key, $value := .Values.singleuser.extraLabels -}}
     {{ $key | quote }}: {{ $value | quote }}
-    {{- end }}
   {{- end }}
   {{ if .Values.singleuser.extraEnv -}}
   singleuser.extra-env: |

diff --git a/jupyterhub/templates/hub/deployment.yaml b/jupyterhub/templates/hub/deployment.yaml
@@ -25,6 +25,9 @@ spec:
         component: hub
         release: {{ .Release.Name }}
         heritage: {{ .Release.Service }}
+        hub.jupyter.org/network-access-proxy-api: "true"
+        hub.jupyter.org/network-access-proxy-http: "true"
+        hub.jupyter.org/network-access-singleuser: "true"
         {{ if .Values.hub.labels -}}
         # Because toYaml + indent is super flaky
         {{ range $key, $value := .Values.proxy.labels -}}

diff --git a/jupyterhub/templates/hub/netpol-hub.yaml b/jupyterhub/templates/hub/netpol-hub.yaml
@@ -16,12 +16,7 @@ spec:
   - from:
     - podSelector:
         matchLabels:
-          name: proxy
-          component: proxy
-    - podSelector:
-        matchLabels:
-          app: jupyterhub
-          component: singleuser-server
+          hub.jupyter.org/network-access-hub: "true"
     ports:
     - protocol: TCP
       port: 8081

diff --git a/jupyterhub/templates/hub/netpol-singleuser.yaml b/jupyterhub/templates/hub/netpol-singleuser.yaml
@@ -15,13 +15,7 @@ spec:
   - from:
     - podSelector:
         matchLabels:
-          name: hub
-          app: jupyterhub
-          component: hub
-    - podSelector:
-        matchLabels:
-          name: proxy
-          component: proxy
+          hub.jupyter.org/network-access-singleuser: "true"
     ports:
     - protocol: TCP
       port: 8888

diff --git a/jupyterhub/templates/proxy/deployment.yaml b/jupyterhub/templates/proxy/deployment.yaml
@@ -31,6 +31,8 @@ spec:
         # required for kube-lego to work
         app: kube-lego
         {{- end }}
+        hub.jupyter.org/network-access-hub: "true"
+        hub.jupyter.org/network-access-singleuser: "true"
     spec:
       {{- if .Values.rbac.enabled }}
       serviceAccountName: proxy

diff --git a/jupyterhub/templates/proxy/netpol-proxy.yaml b/jupyterhub/templates/proxy/netpol-proxy.yaml
@@ -26,12 +26,15 @@ spec:
   - from:
     - podSelector:
         matchLabels:
-          name: hub
-          app: jupyterhub
-          component: hub
+          hub.jupyter.org/network-access-proxy-http: "true"
     ports:
       - protocol: TCP
         port: 8000
+  - from:
+    - podSelector:
+        matchLabels:
+          hub.jupyter.org/network-access-proxy-api: "true"
+    ports:
       - protocol: TCP
         port: 8001
   egress: