Add other network policy options
Sean-Holcomb committed Feb 25, 2021
1 parent dea4d55 commit e5016c4
Showing 2 changed files with 36 additions and 2 deletions.
35 changes: 33 additions & 2 deletions cost-analyzer/templates/cost-analyzer-network-policy.yaml
@@ -2,18 +2,49 @@
{{- if .Values.networkPolicy.enabled -}}
apiVersion: {{ include "cost-analyzer.networkPolicy.apiVersion" . }}
kind: NetworkPolicy
{{- if .Values.networkPolicy.denyEgress }}
metadata:
name: deny-egress
labels:
{{ include "cost-analyzer.commonLabels" . | nindent 4 }}
{{- include "cost-analyzer.commonLabels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{ include "cost-analyzer.selectorLabels" . | nindent 6 }}
{{- include "cost-analyzer.selectorLabels" . | nindent 6 }}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector: {}
{{- else }}
{{- if .Values.networkPolicy.sameNamespace}}
metadata:
name: shared-namespace
namespace: {{ default "kubecost" .Values.networkPolicy.namespace}}
spec:
podSelector:
matchLabels:
app: prometheus
component: server
{{- else }}
metadata:
name: closed-traffic
namespace: {{ default "kubecost" .Values.networkPolicy.namespace}}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: cost-analyzer
{{- end }}
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: cost-analyzer
- namespaceSelector:
matchLabels:
name: k8s-kubecost
{{- end }}
{{- end -}}
{{- end -}}
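Review bot: the `{{- if .Values.networkPolicy.denyEgress }} ... {{- else }}` structure makes `sameNamespace` and `namespace` unreachable whenever `denyEgress` is true, which is the default this same commit sets in values.yaml, so a user who turns on `networkPolicy.enabled` gets only the `deny-egress` object and the two new ingress policies can never be rendered alongside it. The egress and ingress policies are independent; emit them as separate documents (`---`), each gated by its own flag, instead of as branches of a single `kind: NetworkPolicy`. Two further problems in this hunk. First, `deny-egress` does not deny egress: `egress: - to: - namespaceSelector: {}` matches every pod in every namespace, so pod-to-pod egress cluster-wide stays open and only traffic to non-pod destinations is blocked (external IPs, and the Kubernetes API server on clusters where it does not run as a pod, which Kubecost needs to reach); either rename the policy and its values.yaml comment to say what is blocked, or tighten the rule to the Prometheus and kube-dns pods the chart actually talks to. Second, the `closed-traffic` branch places the resource in `{{ default "kubecost" .Values.networkPolicy.namespace}}`, documented as the Prometheus namespace, yet selects `app.kubernetes.io/name: cost-analyzer`; when Prometheus really is in another namespace the policy selects no pods there. The shared `ingress` rule also hardcodes `namespaceSelector: matchLabels: name: k8s-kubecost`, a label nothing in the chart applies to any namespace, and because the two `from` entries are separate list items they are ORed, so any pod in a namespace carrying that label is admitted regardless of its own labels; use `.Release.Namespace` and a single entry combining `podSelector` and `namespaceSelector`. Minor: `{{- if .Values.networkPolicy.sameNamespace}}` and the two `default "kubecost" ...}}` expressions lack the space before `}}` used elsewhere in the template.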
3 changes: 3 additions & 0 deletions cost-analyzer/values.yaml
@@ -242,6 +242,9 @@ priority:
# If true, enable creation of NetworkPolicy resources.
networkPolicy:
enabled: false
denyEgress: true # create a network policy that denies egress from kubecost
sameNamespace: true # Set to true if cost analyser and prometheus are on the same namespace
# namespace: kubecost # Namespace where prometheus is installed

podSecurityPolicy:
enabled: true
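Review bot: `denyEgress: true` as the default means the two options added under it (`sameNamespace` and `namespace`) have no effect until the user also sets `denyEgress: false`, and nothing in the comments says so; document the dependency here (for example `# Only used when denyEgress is false`) or, better, decouple the flags in the template so the policies compose. The comment `create a network policy that denies egress from kubecost` also overstates what cost-analyzer-network-policy.yaml renders, which still permits egress to every pod in every namespace through `namespaceSelector: {}`; state what is actually blocked. Minor: `cost analyser` should match the chart's own spelling `cost-analyzer`, and the comment `Namespace where prometheus is installed` undersells the field: it is the namespace the NetworkPolicy object is created in, defaulting to the literal `kubecost` rather than `.Release.Namespace`, so any install into another namespace must set it explicitly.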

3 comments on commit e5016c4

@djsly djsly commented on e5016c4 Jun 6, 2021


@Sean-Holcomb this seems to be broken, I'm having a hard time understanding the goal of the new netpols.

The current IF statement either creates a netpol for Deny or nothing, and both

sameNamespace: false # Set to true if cost analyser and prometheus are on the same namespace
namespace: monitoring # Namespace where prometheus is installed

don't seem to be possible to enable. Is the {{ else }} on line 19 to be removed, maybe?

@Sean-Holcomb
Contributor Author


sameNamespace can be enabled if denyEgress is false.
Is there something in particular that you would like to happen here that is not?

@djsly djsly commented on e5016c4 Jun 7, 2021


I will need to try again, but with the following settings I wasn't getting any NetPol:

networkPolicy:
  enabled: true
  denyEgress: false # create a network policy that denies egress from kubecost
  sameNamespace: false # Set to true if cost analyser and prometheus are on the same namespace
  namespace: monitoring # Namespace where prometheus is installed
