Add support for NetworkPolicy (#1320)
Signed-off-by: Arnob kumar saha <[email protected]>
ArnobKumarSaha authored Sep 26, 2024
1 parent 3703dca commit 25866e9
Showing 13 changed files with 104 additions and 0 deletions.
3 changes: 3 additions & 0 deletions apis/installer/v1alpha1/kubedb_types.go
Expand Up @@ -155,6 +155,9 @@ type GlobalValues struct {
// +optional
Affinity *core.Affinity `json:"affinity"`
WaitForWebhook bool `json:"waitForWebhook"`

// +optional
NetworkPolicy NetworkPolicy `json:"networkPolicy"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
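Review bot: `NetworkPolicy NetworkPolicy \`json:"networkPolicy"\`` carries `// +optional` but is a value field with no `omitempty`, so it always serializes as `{"enabled": false}` and can never be absent. That matches `WaitForWebhook bool` just above, so it is consistent with the file, but if optional is really intended, follow the `Affinity *core.Affinity` pattern two lines up: a pointer with `json:"networkPolicy,omitempty"`.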
4 changes: 4 additions & 0 deletions apis/installer/v1alpha1/types.go
Expand Up @@ -99,3 +99,7 @@ type EASMonitoring struct {
type PSPSpec struct {
Enabled bool `json:"enabled"`
}

type NetworkPolicy struct {
Enabled bool `json:"enabled"`
}
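Review bot: the new type is named plain `NetworkPolicy`, whereas the sibling just above is `PSPSpec`. This struct holds chart values, not the networking.k8s.io object, so `NetworkPolicySpec` follows the existing naming convention and avoids confusion with `networkingv1.NetworkPolicy` in any file that imports both.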
17 changes: 17 additions & 0 deletions apis/installer/v1alpha1/zz_generated.deepcopy.go
Generated file; not rendered.
1 change: 1 addition & 0 deletions charts/kubedb-opscenter/README.md
Expand Up @@ -54,6 +54,7 @@ The following table lists the configurable parameters of the `kubedb-opscenter`
| global.imagePullSecrets | Specify an array of imagePullSecrets. Secrets must be manually created in the namespace. <br> Example: <br> `helm template charts/kubedb \` <br> `--set global.imagePullSecrets[0].name=sec0 \` <br> `--set global.imagePullSecrets[1].name=sec1` | <code>[]</code> |
| global.monitoring.agent | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") | <code>""</code> |
| global.monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/operator`. | <code>{"monitoring.appscode.com/prometheus":"auto"}</code> |
| global.networkPolicy.enabled | | <code>false</code> |
| kubedb-metrics.enabled | If enabled, installs the kubedb-metrics chart | <code>true</code> |
| kubedb-ui-server.enabled | If enabled, installs the kubedb-ui-server chart | <code>true</code> |
| kubedb-grafana-dashboards.enabled | If enabled, installs the kubedb-grafana-dashboards chart | <code>true</code> |
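Review bot: the description column of the new `global.networkPolicy.enabled` row is empty, while every neighbouring row explains its flag. Since this README is generated, the fix belongs in the values file comment, but the row should end up reading something like `| global.networkPolicy.enabled | If enabled, creates NetworkPolicy objects for the chart's pods | <code>false</code> |`.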
17 changes: 17 additions & 0 deletions charts/kubedb-opscenter/templates/network-policy.yaml
@@ -0,0 +1,17 @@
{{- if and .Values.global .Values.global.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Release.Name }}-egress
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/instance: {{ .Release.Name }}
egress:
# Scenarios considered:
# - Communication with apiServer
- {}
policyTypes:
- Egress
{{- end }}
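Review bot: `egress: - {}` with `policyTypes: [Egress]` is an allow-all egress rule, so the "Scenarios considered: Communication with apiServer" comment describes an intent the rule does not encode; nothing is restricted to the API server. Because NetworkPolicy rules are unioned across every policy that selects a pod, this allow-all also neutralises any narrower egress policy an operator has applied to the same `app.kubernetes.io/instance` pods. If the goal is just to coexist with a namespace default-deny, say so in the comment; otherwise narrow the rule to the ports the listed scenario needs (DNS and the API server port). Separately, `and .Values.global .Values.global.networkPolicy.enabled` guards only `.Values.global` being nil, not `.Values.global.networkPolicy`, so add the intermediate key to the `and` if this chart can be rendered without it.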
4 changes: 4 additions & 0 deletions charts/kubedb-opscenter/values.yaml
Expand Up @@ -42,6 +42,10 @@ global:
labels: # +doc-gen:break
monitoring.appscode.com/prometheus: auto

# Controls the network policy creation
networkPolicy:
enabled: false

kubedb-metrics:
# If enabled, installs the kubedb-metrics chart
enabled: true
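Review bot: the `# Controls the network policy creation` comment sits on the parent `networkPolicy:` key, but the README generator reads the comment above the leaf, which is why the generated `global.networkPolicy.enabled` row in this commit has no description. Move the comment directly above `enabled: false`, matching how `# If enabled, installs the kubedb-metrics chart` sits above `enabled: true` below.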
5 changes: 5 additions & 0 deletions charts/kubedb-provisioner/templates/cluster-role.yaml
Expand Up @@ -220,6 +220,11 @@ rules:
- backupconfigurations
verbs: [ "get", "list", "watch" ]

- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs: [ "get", "list", "watch", "create", "patch"]
- apiGroups:
- cacerts.csi.cert-manager.io
resources:
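Review bot: the new `networkpolicies` rule grants `create` and `patch` but neither `update` nor `delete`; if the provisioner ever has to remove or replace a policy it created (for example when the feature is switched off for a database) it will get a Forbidden error, so confirm that cleanup is left entirely to ownerReference garbage collection and state that in a comment. Style: `verbs: [ "get", "list", "watch", "create", "patch"]` is missing the space before `]` that the surrounding rules such as `verbs: [ "get", "list", "watch" ]` use.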
3 changes: 3 additions & 0 deletions charts/kubedb-provisioner/templates/deployment.yaml
Expand Up @@ -86,6 +86,9 @@ spec:
{{- with $maxConcurrentReconciles }}
- --max-concurrent-reconciles={{.}}
{{- end }}
{{- if and .Values.global .Values.global.networkPolicy.enabled }}
- --enable-network-policy=true
{{- end }}
env:
- name: POD_NAME
valueFrom:
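Review bot: this subchart template dereferences `.Values.global.networkPolicy.enabled`, but the diff adds the `global.networkPolicy` default only to `charts/kubedb/values.yaml` and `charts/kubedb-opscenter/values.yaml`, not to the provisioner's own values. Rendering `kubedb-provisioner` on its own (or from a parent that does not set the key) will then fail with a nil-pointer error on `.enabled`, since `and .Values.global ...` only guards the `global` map. Either add `networkPolicy: {enabled: false}` under `global` in the provisioner values or write the condition as `{{- if and .Values.global .Values.global.networkPolicy .Values.global.networkPolicy.enabled }}`.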
18 changes: 18 additions & 0 deletions charts/kubedb-webhook-server/templates/network-policy.yaml
@@ -0,0 +1,18 @@
{{- if and .Values.global .Values.global.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "kubedb-webhook-server.fullname" . }}-ingress
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
{{- include "kubedb-webhook-server.selectorLabels" . | nindent 6 }}
ingress:
# Scenarios considered:
# - Mutation, Validation
# - Conversion
- {}
policyTypes:
- Ingress
{{- end }}
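Review bot: `ingress: - {}` admits traffic from any source on any port, yet all three listed scenarios (mutation, validation, conversion) are calls from the API server to the webhook's serving port, so this rule can at least be limited to that port with a `ports:` entry instead of accepting everything. Also note the naming inconsistency across the commit: this policy is `{{ include "kubedb-webhook-server.fullname" . }}-ingress` while the two egress policies use `{{ .Release.Name }}-egress`; pick one convention.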
1 change: 1 addition & 0 deletions charts/kubedb/README.md
Expand Up @@ -80,6 +80,7 @@ The following table lists the configurable parameters of the `kubedb` chart and
| global.tolerations | Tolerations for pod assignment | <code>[]</code> |
| global.affinity | Affinity rules for pod assignment | <code>{}</code> |
| global.waitForWebhook | | <code>true</code> |
| global.networkPolicy.enabled | | <code>false</code> |
| petset.enabled | If enabled, installs the petset chart | <code>true</code> |
| sidekick.enabled | If enabled, installs the sidekick chart | <code>true</code> |
| supervisor.enabled | If enabled, installs the supervisor chart | <code>false</code> |
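Review bot: same gap as in the other README: `global.networkPolicy.enabled` ships with an empty description column. The adjacent `global.waitForWebhook` row already has the same problem, so this commit is a good place to fix both via the values comments the generator reads.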
20 changes: 20 additions & 0 deletions charts/kubedb/templates/network-policy.yaml
@@ -0,0 +1,20 @@
{{- if and .Values.global .Values.global.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .Release.Name }}-egress
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/instance: {{ .Release.Name }}
egress:
# Scenarios considered:
# - Communication with apiServer
# - DB Health Check
# - Pull Image from external sources like docker hub
# - Calls of discovery.DiscoveryInterface from cloud providers
- {}
policyTypes:
- Egress
{{- end }}
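Review bot: the scenario `# - Pull Image from external sources like docker hub` does not belong in a pod egress policy: image pulls are performed by the kubelet on the node, not from the operator pod's network namespace, so no NetworkPolicy on these pods affects them. The remaining scenarios (API server, DB health checks, discovery calls) are real, but `egress: - {}` allows all destinations regardless, so either drop the comment block or encode the scenarios as actual rules (DNS, the API server port, and the database service ports) rather than an unconditional allow.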
7 changes: 7 additions & 0 deletions charts/kubedb/values.openapiv3_schema.yaml
Expand Up @@ -998,6 +998,13 @@ properties:
- agent
- serviceMonitor
type: object
networkPolicy:
properties:
enabled:
type: boolean
required:
- enabled
type: object
nodeSelector:
additionalProperties:
type: string
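Review bot: `required: - enabled` is consistent with the Go type, whose `Enabled bool` has no `omitempty`, so a values file that sets `global.networkPolicy: {}` will correctly be rejected. The opscenter chart received the same values and README changes in this commit but no schema hunk; if `charts/kubedb-opscenter` has its own `values.openapiv3_schema.yaml`, it needs this block too or `--set global.networkPolicy.enabled=true` will fail validation there.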
4 changes: 4 additions & 0 deletions charts/kubedb/values.yaml
Expand Up @@ -84,6 +84,10 @@ global:

waitForWebhook: true

# Controls the network policy creation
networkPolicy:
enabled: false

petset:
# If enabled, installs the petset chart
enabled: true
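Review bot: as in the opscenter values, the comment should sit on `enabled: false` rather than on `networkPolicy:` so the generated README row gets a description; the `petset:` block below shows the expected placement.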

0 comments on commit 25866e9