From 4332d80ba2e112aa88828132901859c822f608d8 Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Tue, 27 Feb 2024 21:10:47 +0100
Subject: [PATCH 1/6] Add network policy for nodered pods
---
.../templates/projects-networkpolicy.yaml | 35 +++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 helm/flowforge/templates/projects-networkpolicy.yaml
diff --git a/helm/flowforge/templates/projects-networkpolicy.yaml b/helm/flowforge/templates/projects-networkpolicy.yaml
new file mode 100644
index 00000000..cf470474
--- /dev/null
+++ b/helm/flowforge/templates/projects-networkpolicy.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.forge.projectNetworkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: flowfuse-projects-policy
+ namespace: {{ .Values.forge.projectNamespace }}
+ labels:
+ {{- include "forge.labels" . | nindent 4 }}
+ {{- with .Values.forge.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ policyTypes:
+ {{- if .Values.forge.projectNetworkPolicy.ingress }}
+ - Ingress
+ {{- end }}
+ {{- if .Values.forge.projectNetworkPolicy.egress }}
+ - Egress
+ {{- end }}
+ podSelector:
+ matchLabels:
+ nodered: true
+ {{- if .Values.forge.projectNetworkPolicy.egress }}
+ egress:
+ {{- with .Values.forge.projectNetworkPolicy.egress }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.forge.projectNetworkPolicy.ingress }}
+ ingress:
+ {{- with .Values.forge.projectNetworkPolicy.ingress }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
From 99e11e4659eb7482895d02d8aa1f439a8731615e Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Tue, 27 Feb 2024 21:11:10 +0100
Subject: [PATCH 2/6] Refactor existing network policy
---
helm/flowforge/templates/network-policy.yaml | 27 +-------------------
1 file changed, 1 insertion(+), 26 deletions(-)
diff --git a/helm/flowforge/templates/network-policy.yaml b/helm/flowforge/templates/network-policy.yaml
index ed20cec0..81e403e8 100644
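Review bot: `nodered: true` under `matchLabels` renders as a YAML boolean, but label-selector values are strings and the API server rejects a non-string value; the database policy this series removes from network-policy.yaml spelled it `nodered: "true"`, and this line should match: `nodered: "true"`. That removed policy also narrowed its selector with `role: projects`; if instance pods still carry that label, dropping it widens the selector and is worth confirming. When `enabled` is true but neither `ingress` nor `egress` is set, the template emits an empty `policyTypes` and no rules, which Kubernetes defaults to `policyTypes: [Ingress]`, i.e. a deny-all-ingress policy on every selected pod — either document that in values.yaml/README or guard the manifest with `{{- if and .Values.forge.projectNetworkPolicy.enabled (or .Values.forge.projectNetworkPolicy.ingress .Values.forge.projectNetworkPolicy.egress) }}`. The `{{- with }}` inside each `{{- if }}` re-tests the same value and can be dropped, e.g. `egress:` followed directly by `{{- toYaml .Values.forge.projectNetworkPolicy.egress | nindent 4 }}`.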
--- a/helm/flowforge/templates/network-policy.yaml
+++ b/helm/flowforge/templates/network-policy.yaml
@@ -1,29 +1,4 @@
-{{- if not .Values.forge.localPostgresql }}
-{{- if .Values.forge.cloudProvider }}
-{{- if eq .Values.forge.cloudProvider "aws" }}
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: flowforge-database-policy
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "forge.labels" . | nindent 4 }}
-spec:
- podSelector:
- matchLabels:
- nodered: "true"
- role: projects
- policyTypes:
- - Egress
- egress:
- - to:
- - ipBlock:
- cidr: 0.0.0.0/0
- except:
- - 10.0.0.0/24
-{{- end }}
-{{- end }}
-{{- else }}
+{{- if .Values.forge.localPostgresql }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
From 7a9a727cf3ca46202e5bec11fc785297e8602173 Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Tue, 27 Feb 2024 21:11:59 +0100
Subject: [PATCH 3/6] Update default values and schema
---
helm/flowforge/values.schema.json | 14 ++++++++++++++
helm/flowforge/values.yaml | 6 ++----
2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/helm/flowforge/values.schema.json b/helm/flowforge/values.schema.json
index 2addd49a..4e22e93b 100644
--- a/helm/flowforge/values.schema.json
+++ b/helm/flowforge/values.schema.json
@@ -94,6 +94,20 @@
 "projectSelector": {
 "type": "object"
 },
+ "projectNetworkPolicy": {
+ "type": "object",
+ "properties": {
+ "egress": {
+ "type": "array"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "ingress": {
+ "type": "array"
+ }
+ }
+ },
 "projectDeploymentTolerations": {
 "type": "array",
 "items": {
diff --git a/helm/flowforge/values.yaml b/helm/flowforge/values.yaml
index d98ce972..d8772b21 100644
--- a/helm/flowforge/values.yaml
+++ b/helm/flowforge/values.yaml
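Review bot: The removed `flowforge-database-policy` blocked project-pod egress to `10.0.0.0/24` on `aws` deployments with an external database, and nothing in this series re-creates that rule by default, so after upgrading such a deployment has no egress restriction on instance pods until the operator sets `forge.projectNetworkPolicy.egress`. That is a behaviour change for existing installs and deserves an upgrade note in the README/changelog, ideally quoting the equivalent `egress` rule (`- to: [{ipBlock: {cidr: 0.0.0.0/0, except: [10.0.0.0/24]}}]`) as the migration example. The body of the retained `localPostgresql` policy continues outside the hunk.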
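Review bot: The new `projectNetworkPolicy` schema object accepts any extra property and any array element, so a misspelt key such as `ingres` or a malformed rule passes chart validation and silently renders a policy with no rules — which, with `enabled: true`, isolates the selected pods instead of failing loudly. Adding `"additionalProperties": false` to the object and `"items": { "type": "object" }` to both `egress` and `ingress` would catch those at install time. The enclosing `forge` properties object starts and ends outside the hunk.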
@@ -5,10 +5,8 @@ forge:
 projectSelector:
 role: projects
 projectDeploymentTolerations: []
- # - key: purpose
- # operator: Equal
- # value: flowforge-projects
- # effect: NoSchedule
+ projectNetworkPolicy:
+ enabled: false
 managementSelector:
 role: management
 telemetry:
From 7a177444648e2344379ec7fec6f34f9b54b28cfb Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Tue, 27 Feb 2024 21:12:32 +0100
Subject: [PATCH 4/6] Add projectNetworkPolicy object documentation
---
helm/flowforge/README.md | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/helm/flowforge/README.md b/helm/flowforge/README.md
index fb62daa4..0f844596 100644
--- a/helm/flowforge/README.md
+++ b/helm/flowforge/README.md
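Review bot: The new `projectNetworkPolicy` block declares only `enabled: false`, while the README in this series documents `ingress` and `egress` with a default of `[]`; declaring them here too (`ingress: []` and `egress: []`, with a commented example rule) lets a reader of the defaults discover them and keeps `helm show values` in step with the documentation. The four commented toleration lines this hunk removes were the only in-file example for `projectDeploymentTolerations`; keeping them under `projectDeploymentTolerations: []` costs nothing and the README still refers to that setting. The enclosing `forge:` mapping starts before the hunk.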
@@ -30,12 +30,15 @@ For other values please refer to the documentation below.
 - `forge.localPostrgresql` Deploy a PostgreSQL v14 Database into Kubernetes cluster (default `true`)
 - `forge.cloudProvider` currently only accepts `aws` but will include more as needed (default not set)
 - `forge.projectSelector` a collection of labels and values to filter nodes that Project Pods will run on (default `role: projects`)
+ - `forge.projectNamespace` namespace Project Pods will run in (default `flowforge`)
+ - `forge.projectDeploymentTolerations` tolerations settings for Project instances. Default is `[]`.
+ - `forge.projectNetworkPolicy.enabled` specified if [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) should be created for project pods ( default `false`)
+ - `forge.projectNetworkPolicy.ingress` a list of ingress rules for the [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) applied on project pods ( default `[]`)
+ - `forge.projectNetworkPolicy.egress` a list of egress rules for the [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) applied in project pods ( default `[]`)
 - `forge.managementSelector` a collection of labels and values to filter nodes the Forge App will run on (default `role: management`)
 - `forge.affinity` allows to configure [affinity or anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) for the core application pod
- - `forge.projectNamespace` namespace Project Pods will run in (default `flowforge`)
 - `forge.license` FlowForge EE license string (optional, default not set)
 - `forge.branding` Object holding branding inserts (default not set)
- - `forge.projectDeploymentTolerations` tolerations settings for Project instances. Default is `[]`.
 - `forge.clusterRole.name` custom name for the ClusterRole (default `create-pod`)
 - `forge.resources` allows to configure [resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the core application container
 - `forge.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the core application pod
From bed7c51f00df39c0e183dcd4ec39f0aa9b915845 Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Tue, 27 Feb 2024 21:30:07 +0100
Subject: [PATCH 5/6] Add forge.projectNetworkPolicy.enabled default value
---
helm/flowforge/templates/projects-networkpolicy.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helm/flowforge/templates/projects-networkpolicy.yaml b/helm/flowforge/templates/projects-networkpolicy.yaml
index cf470474..fd5469e2 100644
--- a/helm/flowforge/templates/projects-networkpolicy.yaml
+++ b/helm/flowforge/templates/projects-networkpolicy.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.forge.projectNetworkPolicy.enabled }}
+{{- if .Values.forge.projectNetworkPolicy.enabled | default false }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
From 3045fe9b953cbcb8e87164dcc0e41da3dfbb2ab8 Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Wed, 28 Feb 2024 12:22:55 +0100
Subject: [PATCH 6/6] Validate projectNetworkPolicy values
---
helm/flowforge/templates/projects-networkpolicy.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helm/flowforge/templates/projects-networkpolicy.yaml b/helm/flowforge/templates/projects-networkpolicy.yaml
index fd5469e2..9e2d940d 100644
--- a/helm/flowforge/templates/projects-networkpolicy.yaml
+++ b/helm/flowforge/templates/projects-networkpolicy.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.forge.projectNetworkPolicy.enabled | default false }}
+{{- if (((.Values.forge).projectNetworkPolicy).enabled) }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
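Review bot: The parenthesised `(((.Values.forge).projectNetworkPolicy).enabled)` form is there to stay nil-safe when the map is missing (for example an override that sets `forge.projectNetworkPolicy` to null, which Helm drops from the merged values), but nothing in the template says so, and the next person to "simplify" it back to dotted access will reintroduce the nil-pointer template error this commit avoids. A one-line template comment above it, such as `{{- /* nil-safe lookup: forge.projectNetworkPolicy may be absent from merged values */ -}}`, would preserve the intent. The later `.Values.forge.projectNetworkPolicy.ingress` / `.egress` references in the same file sit inside this `if`, where the map is already known to exist, so they appear not to need the same guard; that body is outside the hunk.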