From 9e7b8a1ddc20fc8dfaa25248ef5ed0ca766b090e Mon Sep 17 00:00:00 2001
From: Jeremy Facchetti
Date: Fri, 2 Aug 2024 14:26:29 +0200
Subject: [PATCH] [fix] add exception for the platform in network policy (#2007)

* [fix] add exception for the platform in network policy

* removed netPol tests because kind doesn't enforce them
---
 chart/templates/networkpolicy.yaml | 2 +-
 chart/values.schema.json | 4 ++++
 chart/values.yaml | 3 ++-
 config/config.go | 3 +++
 config/values.yaml | 2 +-
 5 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/chart/templates/networkpolicy.yaml b/chart/templates/networkpolicy.yaml
index d8a1191353..efdf30f3c0 100644
--- a/chart/templates/networkpolicy.yaml
+++ b/chart/templates/networkpolicy.yaml
@@ -95,7 +95,7 @@ spec:
 podSelector:
 matchLabels:
 k8s-app: kube-dns
- {{- if .Values.policies.networkPolicy.platformEnabled }}
+ {{- if .Values.policies.networkPolicy.outgoingConnections.platform }}
 - podSelector:
 matchLabels:
 app: loft
diff --git a/chart/values.schema.json b/chart/values.schema.json
index 01343c93fa..73ca91fe35 100755
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -1949,6 +1949,10 @@
 "ipBlock": {
 "$ref": "#/$defs/IPBlock",
 "description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.0/24\",\"2001:db8::/64\") that is allowed\nto the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs\nthat should not be included within this rule."
+ },
+ "platform": {
+ "type": "boolean",
+ "description": "Platform enables egress access towards loft platform"
 }
 },
 "additionalProperties": false,
diff --git a/chart/values.yaml b/chart/values.yaml
index 31a36dee2b..5837fc623b 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
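Review bot: The `app: loft` egress entry is now gated on `outgoingConnections.platform`, which the chart defaults to `true`, so this rule is rendered for every installation that enables the network policy unless the user opts out — the opposite of the removed `platformEnabled: false` default. A bare `podSelector` in an egress `to` entry only matches pods in the policy's own namespace; whether this entry also carries a `namespaceSelector` is outside the hunk, so if the platform runs in another namespace that is worth confirming. A template comment above the condition, e.g. `{{- /* platform egress: rendered by default via outgoingConnections.platform */ }}`, would make the rule's origin obvious to anyone auditing the rendered policy.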
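Review bot: The `platform` property description states neither the default nor what the flag renders, unlike the sibling `ipBlock` description, which spells out the rule's effect. Since the value defaults to `true` in values.yaml and controls an extra egress rule to pods selected by `app: loft`, suggest `"description": "Platform enables egress access towards the loft platform. Defaults to true; when enabled the network policy adds an egress rule to pods matching the platform selector (app: loft)."` so operators reading the schema can see that this widens egress by default.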
@@ -734,11 +734,12 @@ policies:
 networkPolicy:
 # Enabled defines if the network policy should be deployed by vCluster.
 enabled: false
- platformEnabled: false
 labels: {}
 annotations: {}
 fallbackDns: 8.8.8.8
 outgoingConnections:
+ # Platform enables egress access towards loft platform
+ platform: true
 # IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed
 # to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs
 # that should not be included within this rule.
diff --git a/config/config.go b/config/config.go
index af6c06ec95..efb84421d3 100644
--- a/config/config.go
+++ b/config/config.go
@@ -1400,6 +1400,9 @@ type OutgoingConnections struct {
 // to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs
 // that should not be included within this rule.
 IPBlock IPBlock `json:"ipBlock,omitempty"`
+
+ // Platform enables egress access towards loft platform
+ Platform bool `json:"platform,omitempty"`
 }

 type IPBlock struct {
diff --git a/config/values.yaml b/config/values.yaml
index 760edc1174..b82217971a 100644
--- a/config/values.yaml
+++ b/config/values.yaml
@@ -443,11 +443,11 @@ policies:
 networkPolicy:
 enabled: false
- platformEnabled: false
 labels: {}
 annotations: {}
 fallbackDns: 8.8.8.8
 outgoingConnections:
+ platform: true
 ipBlock:
 cidr: 0.0.0.0/0
 except:
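Review bot: The default for the platform egress exception flips from opt-in (`platformEnabled: false`) to opt-out (`platform: true`) and moves to a different key, but the new comment says nothing about either, so existing installations silently gain the `app: loft` egress rule on upgrade and anyone still setting `platformEnabled` gets no pointer to the replacement (whether Helm rejects or ignores the stale key depends on the `networkPolicy` schema, which is outside this hunk). Suggest expanding the comment to two lines: `# Platform enables egress access towards loft platform (default: true).` / `# Replaces the former networkPolicy.platformEnabled, which defaulted to false; set to false to keep the previous behavior.` The same default is added to config/values.yaml below with no comment at all.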
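Review bot: `Platform bool` with `json:"platform,omitempty"` cannot represent an explicit `false`: `omitempty` drops a false bool on marshal, and since the shipped default is `true`, any code path that marshals this config and overlays it onto the defaults would turn a user's `platform: false` back into `true`, re-enabling the platform egress the user meant to disable. Whether the project round-trips the struct that way is not visible here, but `*bool` (or dropping the tag option, `Platform bool `json:"platform"``) is the usual way to make the opt-out survive. The doc comment should also record the default, e.g. `// Platform enables egress access towards loft platform. Defaults to true.` The enclosing `OutgoingConnections` struct starts before this hunk.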