From aa1a1efcc654695053205c01fa5ce4bbd2b31adb Mon Sep 17 00:00:00 2001
From: ndebuhr
Date: Sat, 11 Sep 2021 22:15:16 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=93=A6=20Group=20network=20policies,=20wi?=
 =?UTF-8?q?thin=20each=20template,=20for=20improved=20maintainability?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 helm/templates/guacamole.yaml | 140 +++++++++++++++++-----------------
 helm/templates/keycloak.yaml | 116 ++++++++++++++--------------
 2 files changed, 127 insertions(+), 129 deletions(-)
diff --git a/helm/templates/guacamole.yaml b/helm/templates/guacamole.yaml
index a207a9f..ee8cbff 100644
--- a/helm/templates/guacamole.yaml
+++ b/helm/templates/guacamole.yaml
@@ -41,31 +41,6 @@ spec: securityContext: readOnlyRootFilesystem: true restartPolicy: Always -{{- if eq .Values.policies.enabled true }} ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: guacd - namespace: {{ .Values.namespace }} -spec: - podSelector: - matchLabels: - app: guacd - policyTypes: - - Egress - - Ingress - ingress: - - from: - - podSelector: - matchLabels: - app: guacamole - egress: - - to: - - podSelector: - matchLabels: - app: guacamole -{{- end }} --- apiVersion: v1 kind: Service
@@ -123,28 +98,6 @@ spec: value: myguac123 resources: {{- toYaml .Values.components.guacamole.resources | nindent 10 }} restartPolicy: Always -{{- if eq .Values.policies.enabled true }} ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: guacamole - namespace: {{ .Values.namespace }} -spec: - podSelector: - matchLabels: - app: guacamole - policyTypes: - - Egress - - Ingress - ingress: - - from: - - podSelector: - matchLabels: - app: keycloak-gatekeeper - egress: - - {} -{{- end }} --- apiVersion: v1 kind: Service 
@@ -220,31 +173,6 @@ spec: configMap: name: guacamole-init-sql defaultMode: 0777 -{{- if eq .Values.policies.enabled true }} ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: guacamole-postgresql - namespace: {{ .Values.namespace }} -spec: - podSelector: - matchLabels: - app: guacamole-postgresql - policyTypes: - - Egress - - Ingress - ingress: - - from: - - podSelector: - matchLabels: - app: guacamole - egress: - - to: - - podSelector: - matchLabels: - app: guacamole -{{- end }} --- apiVersion: v1 kind: ConfigMap 
@@ -1044,4 +972,72 @@ data: JOIN guacamole_entity ON permissions.username = guacamole_entity.name AND guacamole_entity.type = 'USER' JOIN guacamole_entity affected ON permissions.affected_username = affected.name AND guacamole_entity.type = 'USER' JOIN guacamole_user ON guacamole_user.entity_id = affected.entity_id; +{{- if eq .Values.policies.enabled true }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: guacd + namespace: {{ .Values.namespace }} +spec: + podSelector: + matchLabels: + app: guacd + policyTypes: + - Egress + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: guacamole + egress: + - to: + - podSelector: + matchLabels: + app: guacamole +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: guacamole + namespace: {{ .Values.namespace }} +spec: + podSelector: + matchLabels: + app: guacamole + policyTypes: + - Egress + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: keycloak-gatekeeper + egress: + - {} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: guacamole-postgresql + namespace: {{ .Values.namespace }} +spec: + podSelector: + matchLabels: + app: guacamole-postgresql + policyTypes: + - Egress + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: guacamole + egress: + - to: + - podSelector: + matchLabels: + app: guacamole +{{- end }} {{- end }} \ No newline at end of file diff --git a/helm/templates/keycloak.yaml b/helm/templates/keycloak.yaml index 8f86dcb..a3fad19 100644 --- a/helm/templates/keycloak.yaml +++ b/helm/templates/keycloak.yaml 
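Review bot: The `guacd` policy's single egress rule (`to: podSelector app: guacamole`) cannot be enough for guacd to work once `policies.enabled` is true: with `Egress` listed in `policyTypes`, everything not explicitly allowed is dropped, so guacd can neither query DNS (kube-dns is not selected) nor open the RDP/VNC/SSH connections to the desktops it proxies, unless those targets happen to be `app: guacamole` pods, which nothing in the chart suggests. Replies on the connection guacamole opens to guacd are already permitted by the ingress rule (NetworkPolicy is connection-oriented), so the existing egress entry is redundant rather than what makes sessions work; the same redundant egress-to-guacamole rule sits on `guacamole-postgresql`, which never initiates connections, while `keycloak.yaml` already models its database as ingress-only, so the two templates disagree. I would replace guacd's egress with a DNS rule plus a rule for the desktop targets, as sketched below (the `kubernetes.io/metadata.name` namespace label needs Kubernetes 1.21+; take the target label or CIDR from wherever the chart defines the desktops). Consider also adding `ports:` to the ingress rules (`4822/TCP` for guacd and `5432/TCP` for PostgreSQL, assuming the default container ports, which this hunk does not show) so a compromised guacamole pod cannot reach anything else those pods expose.
```yaml
# … unchanged: guacd NetworkPolicy metadata, podSelector, policyTypes, ingress …
  egress:
    # DNS: guacd resolves the hostnames of the desktops it connects to.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Remote-desktop targets (RDP/VNC/SSH): narrow to the desktop pods' labels
    # or the desktop network's CIDR; this is the rule the policy currently lacks.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0  # TODO(review): replace with the actual desktop network
```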
@@ -41,25 +41,6 @@ spec: - name: keycloak-postgres persistentVolumeClaim: claimName: keycloak-postgres-pvc -{{- if eq .Values.policies.enabled true }} ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: keycloak-postgres - namespace: {{ .Values.namespace }} -spec: - podSelector: - matchLabels: - app: keycloak-postgres - policyTypes: - - Ingress - ingress: - - from: - - podSelector: - matchLabels: - app: keycloak -{{- end }} --- apiVersion: v1 kind: Service @@ -134,28 +115,6 @@ spec: runAsNonRoot: true resources: {{- toYaml .Values.components.keycloak.resources | nindent 10 }} restartPolicy: Always -{{- if eq .Values.policies.enabled true }} ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: keycloak - namespace: {{ .Values.namespace }} -spec: - podSelector: - matchLabels: - app: keycloak - policyTypes: - - Egress - - Ingress - ingress: - - {} - egress: - - to: - - podSelector: - matchLabels: - app: keycloak-postgres -{{- end }} --- apiVersion: v1 kind: Service 
@@ -225,42 +184,85 @@ spec: - --server-write-timeout=50s {{- end }} restartPolicy: Always +--- +apiVersion: v1 +kind: Service +metadata: + name: keycloak-gatekeeper + namespace: {{ .Values.namespace }} + labels: + app: keycloak-gatekeeper +spec: + type: ClusterIP + ports: + {{- range .Values.access }} + - name: {{ .name }} + port: {{ .port }} + {{- end }} + selector: + app: keycloak-gatekeeper {{- if eq .Values.policies.enabled true }} --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: keycloak-gatekeeper + name: keycloak-postgres namespace: {{ .Values.namespace }} spec: podSelector: matchLabels: - app: keycloak-gatekeeper + app: keycloak-postgres + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: keycloak +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: keycloak + namespace: {{ .Values.namespace }} +spec: + podSelector: + matchLabels: + app: keycloak policyTypes: - Egress - Ingress ingress: - from: + - podSelector: + matchLabels: + app: keycloak-init - podSelector: matchLabels: app: haproxy egress: - - {} -{{- end }} + - to: + - podSelector: + matchLabels: + app: keycloak-postgres --- -apiVersion: v1 -kind: Service +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy metadata: name: keycloak-gatekeeper namespace: {{ .Values.namespace }} - labels: - app: keycloak-gatekeeper spec: - type: ClusterIP - ports: - {{- range .Values.access }} - - name: {{ .name }} - port: {{ .port }} - {{- end }} - selector: - app: keycloak-gatekeeper + podSelector: + matchLabels: + app: keycloak-gatekeeper + policyTypes: + - Egress + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: haproxy + egress: + - {} +{{- end }} \ No newline at end of file
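Review bot: The new `keycloak` policy replaces the old allow-all egress with a single rule to `app: keycloak-postgres` pods, which also blocks DNS, so Keycloak can no longer resolve the database Service name (nor reach any identity-brokering, LDAP or SMTP endpoint, if one is configured, which this hunk does not show) and will fail to start once `policies.enabled` is true. The ingress side now admits only `keycloak-init` and `haproxy`; `keycloak-gatekeeper` is not listed, so if its discovery URL targets the in-cluster Keycloak Service rather than the public hostname behind haproxy, its OIDC discovery and token calls are dropped; the gatekeeper arguments are outside this hunk, so verify which it is, and likewise confirm that a workload labelled `app: keycloak-init` exists, since nothing in this diff defines one. I would add a DNS egress rule as below, and add `ports:` to the `keycloak-postgres` ingress rule (`5432/TCP`, assuming the default) and to the haproxy rule on `keycloak`, so the proxy can only reach Keycloak's HTTP port.
```yaml
# … unchanged: keycloak NetworkPolicy metadata, podSelector, policyTypes, ingress …
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: keycloak-postgres
      ports:
        - port: 5432  # assumes the default PostgreSQL port
          protocol: TCP
    # DNS, otherwise the keycloak-postgres Service name cannot be resolved.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```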