diff --git a/apis/installer/v1alpha1/kubedb_types.go b/apis/installer/v1alpha1/kubedb_types.go
index 2a40ac96b..9aa94d32e 100644
--- a/apis/installer/v1alpha1/kubedb_types.go
+++ b/apis/installer/v1alpha1/kubedb_types.go
@@ -155,6 +155,9 @@ type GlobalValues struct {
// +optional
Affinity *core.Affinity `json:"affinity"`
WaitForWebhook bool `json:"waitForWebhook"`
+
+ // +optional
+ NetworkPolicy NetworkPolicy `json:"networkPolicy"`
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
diff --git a/apis/installer/v1alpha1/types.go b/apis/installer/v1alpha1/types.go
index 4535fd591..6109b1d3e 100644
--- a/apis/installer/v1alpha1/types.go
+++ b/apis/installer/v1alpha1/types.go
@@ -99,3 +99,7 @@ type EASMonitoring struct {
type PSPSpec struct {
Enabled bool `json:"enabled"`
}
+
+type NetworkPolicy struct {
+ Enabled bool `json:"enabled"`
+}
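Review bot: NetworkPolicy is a new exported API type added without a doc comment, so consumers of the installer package get no hint that it only carries a render switch for the charts and is unrelated to networking/v1's NetworkPolicy. Suggest `// NetworkPolicy controls whether the charts render NetworkPolicy objects for their pods.` above the type. As a point of style, the sibling `PSPSpec` a few lines up uses a `Spec` suffix for the same kind of enable-only struct; `NetworkPolicySpec` would match it, though the JSON tag `networkPolicy` would stay as is.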
diff --git a/apis/installer/v1alpha1/zz_generated.deepcopy.go b/apis/installer/v1alpha1/zz_generated.deepcopy.go
index 85f48820a..0e181f794 100644
--- a/apis/installer/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/installer/v1alpha1/zz_generated.deepcopy.go
@@ -268,6 +268,7 @@ func (in *GlobalValues) DeepCopyInto(out *GlobalValues) {
*out = new(v1.Affinity)
(*in).DeepCopyInto(*out)
}
+ out.NetworkPolicy = in.NetworkPolicy
return
}
@@ -2340,6 +2341,22 @@ func (in *MySQLRestore) DeepCopy() *MySQLRestore {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicy) DeepCopyInto(out *NetworkPolicy) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicy.
+func (in *NetworkPolicy) DeepCopy() *NetworkPolicy {
+ if in == nil {
+ return nil
+ }
+ out := new(NetworkPolicy)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *NodeConfiguration) DeepCopyInto(out *NodeConfiguration) {
*out = *in
diff --git a/charts/kubedb-opscenter/README.md b/charts/kubedb-opscenter/README.md
index e956cba81..cd94bc1a7 100644
--- a/charts/kubedb-opscenter/README.md
+++ b/charts/kubedb-opscenter/README.md
@@ -54,6 +54,7 @@ The following table lists the configurable parameters of the `kubedb-opscenter`
| global.imagePullSecrets | Specify an array of imagePullSecrets. Secrets must be manually created in the namespace.
Example:
`helm template charts/kubedb \`
`--set global.imagePullSecrets[0].name=sec0 \`
`--set global.imagePullSecrets[1].name=sec1` | []
|
| global.monitoring.agent | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") | ""
|
| global.monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/operator`. | {"monitoring.appscode.com/prometheus":"auto"}
|
+| global.networkPolicy.enabled | | false
|
| kubedb-metrics.enabled | If enabled, installs the kubedb-metrics chart | true
|
| kubedb-ui-server.enabled | If enabled, installs the kubedb-ui-server chart | true
|
| kubedb-grafana-dashboards.enabled | If enabled, installs the kubedb-grafana-dashboards chart | true
|
diff --git a/charts/kubedb-opscenter/templates/network-policy.yaml b/charts/kubedb-opscenter/templates/network-policy.yaml
new file mode 100644
index 000000000..6a2bfe807
--- /dev/null
+++ b/charts/kubedb-opscenter/templates/network-policy.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.global .Values.global.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ .Release.Name }}-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ egress:
+ # Scenarios considered:
+ # - Communication with apiServer
+ - {}
+ policyTypes:
+ - Egress
+{{- end }}
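Review bot: The only rule under `egress` is the empty `- {}`, which matches every destination, so this policy grants unrestricted egress rather than the apiserver-only scenario the comment lists; its sole effect is to exempt pods labelled `app.kubernetes.io/instance: <release>` from a namespace-wide default-deny egress policy, and in this umbrella chart that label is shared by every subchart's pods. If that is the intent, the comment should state it so a reader does not assume a restriction exists, e.g. `# Allow-all egress: an empty rule selects all destinations. This only opts these pods out of a default-deny egress policy in the namespace.`. If a real restriction is wanted, the rule needs `to:` entries for the apiserver (typically outside the pod network, so an `ipBlock` or similar), which cannot be derived from this hunk.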
diff --git a/charts/kubedb-opscenter/values.yaml b/charts/kubedb-opscenter/values.yaml
index 1b289af40..00248699b 100644
--- a/charts/kubedb-opscenter/values.yaml
+++ b/charts/kubedb-opscenter/values.yaml
@@ -42,6 +42,10 @@ global:
labels: # +doc-gen:break
monitoring.appscode.com/prometheus: auto
+ # Controls the network policy creation
+ networkPolicy:
+ enabled: false
+
kubedb-metrics:
# If enabled, installs the kubedb-metrics chart
enabled: true
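Review bot: The new `# Controls the network policy creation` comment is attached to the parent `networkPolicy:` key rather than to `enabled:`, and the README row for `global.networkPolicy.enabled` added in this same change has an empty description, while the neighbouring `kubedb-metrics.enabled` row is filled from the comment directly above that `enabled:` line. That suggests the doc generator only reads comments on leaf keys (inferred from the README; confirm with the generator). Move the comment down and make it say what is rendered: `# If enabled, creates NetworkPolicy objects for the chart's pods (allow-all egress; only has an effect alongside a default-deny policy)`.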
diff --git a/charts/kubedb-provisioner/templates/cluster-role.yaml b/charts/kubedb-provisioner/templates/cluster-role.yaml
index 90cd60723..d20dea148 100644
--- a/charts/kubedb-provisioner/templates/cluster-role.yaml
+++ b/charts/kubedb-provisioner/templates/cluster-role.yaml
@@ -220,6 +220,11 @@ rules:
- backupconfigurations
verbs: [ "get", "list", "watch" ]
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs: [ "get", "list", "watch", "create", "patch"]
- apiGroups:
- cacerts.csi.cert-manager.io
resources:
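Review bot: The new `networkpolicies` rule with `create` and `patch` is granted unconditionally, while the feature that uses it (`--enable-network-policy`, added to the Deployment in this same change) is rendered only when `global.networkPolicy.enabled` is true, so a default install carries cluster-wide write access to NetworkPolicy objects the operator never touches. Wrap the rule in the same guard to keep the ClusterRole at least privilege: `{{- if and .Values.global .Values.global.networkPolicy.enabled }}` before the `- apiGroups:` entry and `{{- end }}` after its `verbs` line. Whether the operator also needs `update` or `delete` (for example to tear down policies it created) is not visible here; if cleanup relies on ownerReferences the current verb set is sufficient. The rules list continues outside the hunk.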
diff --git a/charts/kubedb-provisioner/templates/deployment.yaml b/charts/kubedb-provisioner/templates/deployment.yaml
index 3d60aa984..a82c28353 100644
--- a/charts/kubedb-provisioner/templates/deployment.yaml
+++ b/charts/kubedb-provisioner/templates/deployment.yaml
@@ -86,6 +86,9 @@ spec:
{{- with $maxConcurrentReconciles }}
- --max-concurrent-reconciles={{.}}
{{- end }}
+ {{- if and .Values.global .Values.global.networkPolicy.enabled }}
+ - --enable-network-policy=true
+ {{- end }}
env:
- name: POD_NAME
valueFrom:
diff --git a/charts/kubedb-webhook-server/templates/network-policy.yaml b/charts/kubedb-webhook-server/templates/network-policy.yaml
new file mode 100644
index 000000000..9adc3f8b8
--- /dev/null
+++ b/charts/kubedb-webhook-server/templates/network-policy.yaml
@@ -0,0 +1,18 @@
+{{- if and .Values.global .Values.global.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "kubedb-webhook-server.fullname" . }}-ingress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "kubedb-webhook-server.selectorLabels" . | nindent 6 }}
+ ingress:
+ # Scenarios considered:
+ # - Mutation, Validation
+ # - Conversion
+ - {}
+ policyTypes:
+ - Ingress
+{{- end }}
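Review bot: The empty ingress rule `- {}` admits connections from any source on any port, but every scenario in the comment (mutating/validating admission, CRD conversion) originates from the kube-apiserver only, so the policy is far wider than its stated purpose and also opens any other listener in the pod. Because the apiserver is usually not a pod and cannot be matched by pod or namespace labels, the practical minimum is to scope the rule to the TLS port the webhook server listens on (declared in its Deployment, not in this hunk): `- ports:` / `  - protocol: TCP` / `    port: <the container's serving port>`. Operators who know their control-plane address range can layer an `ipBlock` on top. If fully open ingress is deliberate, replace the scenario list with a comment saying so.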
diff --git a/charts/kubedb/README.md b/charts/kubedb/README.md
index 051bc5e39..617879282 100644
--- a/charts/kubedb/README.md
+++ b/charts/kubedb/README.md
@@ -80,6 +80,7 @@ The following table lists the configurable parameters of the `kubedb` chart and
| global.tolerations | Tolerations for pod assignment | []
|
| global.affinity | Affinity rules for pod assignment | {}
|
| global.waitForWebhook | | true
|
+| global.networkPolicy.enabled | | false
|
| petset.enabled | If enabled, installs the petset chart | true
|
| sidekick.enabled | If enabled, installs the sidekick chart | true
|
| supervisor.enabled | If enabled, installs the supervisor chart | false
|
diff --git a/charts/kubedb/templates/network-policy.yaml b/charts/kubedb/templates/network-policy.yaml
new file mode 100644
index 000000000..5a40cbab4
--- /dev/null
+++ b/charts/kubedb/templates/network-policy.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.global .Values.global.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ .Release.Name }}-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ egress:
+ # Scenarios considered:
+ # - Communication with apiServer
+ # - DB Health Check
+ # - Pull Image from external sources like docker hub
+ # - Calls of discovery.DiscoveryInterface from cloud providers
+ - {}
+ policyTypes:
+ - Egress
+{{- end }}
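Review bot: The scenario comment is misleading in two ways: `Pull Image from external sources like docker hub` is performed by the kubelet on the node, never by the pod, so a pod-level NetworkPolicy has no bearing on image pulls; and since the only rule is the empty `- {}`, none of the listed scenarios is being selected — the policy is allow-all egress for every pod labelled `app.kubernetes.io/instance: <release>`, which in this umbrella chart is every subchart's pod. Replace the list with an accurate statement such as `# Allow-all egress: opts these pods out of a namespace default-deny policy. The operator presumably needs the apiserver, database pods in other namespaces (health checks) and cloud-provider endpoints, so no selective rule is attempted here.`. A genuinely scoped rule would need `namespaceSelector`/`ipBlock` entries that are not derivable from this hunk.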
diff --git a/charts/kubedb/values.openapiv3_schema.yaml b/charts/kubedb/values.openapiv3_schema.yaml
index 933a204e4..2b61fdf9d 100644
--- a/charts/kubedb/values.openapiv3_schema.yaml
+++ b/charts/kubedb/values.openapiv3_schema.yaml
@@ -998,6 +998,13 @@ properties:
- agent
- serviceMonitor
type: object
+ networkPolicy:
+ properties:
+ enabled:
+ type: boolean
+ required:
+ - enabled
+ type: object
nodeSelector:
additionalProperties:
type: string
diff --git a/charts/kubedb/values.yaml b/charts/kubedb/values.yaml
index 9795df75a..61a81b1d9 100644
--- a/charts/kubedb/values.yaml
+++ b/charts/kubedb/values.yaml
@@ -84,6 +84,10 @@ global:
waitForWebhook: true
+ # Controls the network policy creation
+ networkPolicy:
+ enabled: false
+
petset:
# If enabled, installs the petset chart
enabled: true
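Review bot: The `# Controls the network policy creation` comment sits on the parent `networkPolicy:` key, and the matching README row for `global.networkPolicy.enabled` in this change is empty, whereas the `petset.enabled` row directly below is populated from the comment on its `enabled:` line, so the generator presumably reads leaf-key comments only (confirm against the doc tooling). Move the comment onto `enabled:` and describe the effect rather than the mechanism: `# If enabled, renders NetworkPolicy objects for the chart's pods and passes --enable-network-policy to the provisioner`. The second half of that sentence reflects the Deployment change in this same commit.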