feat: add NetworkPolicies

ilyakazm · Feb 28, 2024 · cf9bfdf · cf9bfdf
1 parent c3f1285
commit cf9bfdf
Show file tree

Hide file tree

Showing 4 changed files with 80 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -83,6 +83,14 @@ please refer to [the official krakend documentation](https://www.krakend.io/docs
 | lifecycle | object | `{}` | Krakend container lifecycle hooks (PostStart, PreStop) |
 | livenessProbe | object | `{"httpGet":{"path":"/__health","port":"http"}}` | The livenessProbe to use for the krakend pod |
 | nameOverride | string | `""` |  |
+| networkPolicies | object | `{"enabled":false,"policies":[{"name":"allow-namespace1","namespace":"namespace1","type":"ingress"},{"name":"allow-namespace2","namespace":"namespace2","type":"egress"}]}` | The networkPolicies configures ingress NetworkPolicies for your application |
+| networkPolicies.enabled | bool | `false` | Set to true to create NetworkPolicies for your application |
+| networkPolicies.policies | list | `[{"name":"allow-namespace1","namespace":"namespace1","type":"ingress"},{"name":"allow-namespace2","namespace":"namespace2","type":"egress"}]` | List of NetworkPolicy objects |
+| networkPolicies.policies[0] | object | `{"name":"allow-namespace1","namespace":"namespace1","type":"ingress"}` | Name of the NetworkPolicy |
+| networkPolicies.policies[0].namespace | string | `"namespace1"` | Name of the namespace allowed to reach (or be reached by) your application |
+| networkPolicies.policies[0].type | string | `"ingress"` | Type of the network policy (ingress or egress) |
+| networkPolicies.policies[1].namespace | string | `"namespace2"` | Name of the namespace allowed to reach (or be reached by) your application |
+| networkPolicies.policies[1].type | string | `"egress"` | Type of the network policy (ingress or egress) |
 | nodeSelector | object | `{}` | The nodeSelector to use for the krakend pod |
 | podAnnotations | object | `{}` | The annotations to use for the krakend pod |
 | podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":"","minAvailable":1,"unhealthyPodEvictionPolicy":""}` | podDisruptionBudget allows you to define minumum and maximum available pods |

diff --git a/templates/networkPolicy.yaml b/templates/networkPolicy.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.networkPolicies.enabled }}
+{{- range $index, $policy := .Values.networkPolicies.policies }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $policy.name }}
+spec:
+  podSelector: {}
+  policyTypes:
+  {{- if eq $policy.type "ingress" }}
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          name: {{ $policy.namespace }}
+  {{- end }}
+  {{- if eq $policy.type "egress" }}
+  - Egress
+  egress:
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            name: {{ $policy.namespace }}
+  {{- end }}
+{{- end }}
+{{- end }}
diff --git a/values.schema.json b/values.schema.json
@@ -235,6 +235,32 @@
         "nameOverride": {
             "type": "string"
         },
+        "networkPolicies": {
+            "type": "object",
+            "properties": {
+                "enabled": {
+                    "type": "boolean"
+                },
+                "policies": {
+                    "type": "array",
+                    "items": {
+                        "type": "object",
+                        "properties": {
+                            "name": {
+                                "type": "string"
+                            },
+                            "namespace": {
+                                "type": "string"
+                            },
+                            "type": {
+                                "type": "string"
+                            }
+                        },
+                        "required": ["name", "namespace", "type"]
+                    }
+                }
+            }
+        },
         "nodeSelector": {
             "type": "object"
         },

diff --git a/values.yaml b/values.yaml
@@ -253,3 +253,21 @@ serviceMonitor:
   scrapeTimeout: 10s
   # -- prometheus metrics port exposed by krakend
   targetPort: 9091
+
+# -- (object) The networkPolicies configures ingress NetworkPolicies for your application
+networkPolicies:
+  # -- (bool) Set to true to create NetworkPolicies for your application
+  enabled: false
+  # -- (list) List of NetworkPolicy objects
+  policies:
+    # -- Name of the NetworkPolicy
+    - name: "allow-namespace1"
+      # -- Name of the namespace allowed to reach (or be reached by) your application
+      namespace: "namespace1"
+      # -- Type of the network policy (ingress or egress)
+      type: "ingress"
+    - name: "allow-namespace2"
+      # -- Name of the namespace allowed to reach (or be reached by) your application
+      namespace: "namespace2"
+      # -- Type of the network policy (ingress or egress)
+      type: "egress"