01d8bdc5e6
Limit egress traffic from crawler/profilebrowser pods to the internet and limited internal services like dns, redis, frontend, auth-signer on certain ports --------- Co-authored-by: Ilya Kreymer <ikreymer@gmail.com>
102 lines
2.2 KiB
YAML
102 lines
2.2 KiB
YAML
{{- if .Values.crawler_enable_network_policy -}}
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: crawler-limit-egress
|
|
namespace: {{ .Values.crawler_namespace }}
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
network-policy: limit-crawler-egress
|
|
policyTypes:
|
|
- Egress
|
|
egress:
|
|
{{- if .Values.crawler_network_policy_egress | default false -}}
|
|
{{- .Values.crawler_network_policy_egress | toYaml | nindent 4 -}}
|
|
{{- else }}
|
|
# allow WWW
|
|
- to:
|
|
- ipBlock:
|
|
cidr: 0.0.0.0/0
|
|
except: # Exclude traffic to Kubernetes service IPs and pods
|
|
- 10.0.0.0/8
|
|
- 172.16.0.0/12
|
|
- 192.168.0.0/16
|
|
|
|
# allow frontend access for QA runs
|
|
- to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: {{ .Release.Namespace }}
|
|
podSelector:
|
|
matchLabels:
|
|
role: frontend
|
|
|
|
ports:
|
|
- port: 80
|
|
protocol: TCP
|
|
|
|
# allow DNS
|
|
- to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: kube-system
|
|
podSelector:
|
|
matchLabels:
|
|
k8s-app: kube-dns
|
|
ports:
|
|
- port: 53
|
|
protocol: UDP
|
|
- port: 53
|
|
protocol: TCP
|
|
|
|
|
|
# allow other redis
|
|
- to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: {{ .Values.crawler_namespace }}
|
|
podSelector:
|
|
matchLabels:
|
|
role: redis
|
|
|
|
ports:
|
|
- port: 6379
|
|
protocol: TCP
|
|
|
|
|
|
{{ if .Values.minio_local }}
|
|
# allow minio
|
|
- to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: {{ .Release.Namespace }}
|
|
podSelector:
|
|
matchLabels:
|
|
app: local-minio
|
|
|
|
ports:
|
|
- port: 9000
|
|
protocol: TCP
|
|
|
|
{{- end -}}
|
|
|
|
|
|
{{ if .Values.signer.enabled }}
|
|
# allow auth signer
|
|
- to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: {{ .Release.Namespace }}
|
|
podSelector:
|
|
matchLabels:
|
|
app: auth-signer
|
|
|
|
ports:
|
|
- port: {{ .Values.signer.port | default "5053" }}
|
|
protocol: TCP
|
|
|
|
{{- end -}}
|
|
{{- end -}}
|
|
{{- end -}}
|