Merge pull request #2008 from facchettos/network-fix-backport

[BACKPORT v0.20] [fix] add exception for the platform in network policy
loft-sh · Aug 5, 2024 · 201026d · 201026d
2 parents 7a0dac2 + 5b3275a
commit 201026d
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 0 deletions.
diff --git a/chart/templates/networkpolicy.yaml b/chart/templates/networkpolicy.yaml
@@ -95,6 +95,12 @@ spec:
           podSelector:
             matchLabels:
               k8s-app: kube-dns
+        {{- if .Values.policies.networkPolicy.outgoingConnections.platform }}
+        - podSelector:
+            matchLabels:
+              app: loft
+          namespaceSelector: {}
+        {{- end }}
   policyTypes:
     - Egress
   {{- end }}
diff --git a/chart/values.schema.json b/chart/values.schema.json
@@ -1946,6 +1946,10 @@
         "ipBlock": {
           "$ref": "#/$defs/IPBlock",
           "description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.0/24\",\"2001:db8::/64\") that is allowed\nto the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs\nthat should not be included within this rule."
+        },
+        "platform": {
+          "type": "boolean",
+          "description": "Platform enables egress access towards loft platform"
         }
       },
       "additionalProperties": false,

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -738,6 +738,8 @@ policies:
     annotations: {}
     fallbackDns: 8.8.8.8
     outgoingConnections:
+      # Platform enables egress access towards loft platform
+      platform: true
       # IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed
       # to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs
       # that should not be included within this rule.

diff --git a/config/config.go b/config/config.go
@@ -1399,6 +1399,9 @@ type OutgoingConnections struct {
 	// to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs
 	// that should not be included within this rule.
 	IPBlock IPBlock `json:"ipBlock,omitempty"`
+
+	// Platform enables egress access towards loft platform
+	Platform bool `json:"platform,omitempty"`
 }
 
 type IPBlock struct {

diff --git a/config/values.yaml b/config/values.yaml
@@ -447,6 +447,7 @@ policies:
     annotations: {}
     fallbackDns: 8.8.8.8
     outgoingConnections:
+      platform: true
       ipBlock:
         cidr: 0.0.0.0/0
         except: