diff --git a/cost-analyzer/templates/cost-analyzer-network-policy.yaml b/cost-analyzer/templates/cost-analyzer-network-policy.yaml
index 872951bd1..c806c3d51 100644
--- a/cost-analyzer/templates/cost-analyzer-network-policy.yaml
+++ b/cost-analyzer/templates/cost-analyzer-network-policy.yaml
@@ -2,18 +2,49 @@
 {{- if .Values.networkPolicy.enabled -}}
 apiVersion: {{ include "cost-analyzer.networkPolicy.apiVersion" . }}
 kind: NetworkPolicy
+{{- if .Values.networkPolicy.denyEgress }}
 metadata:
 name: deny-egress
 labels:
- {{ include "cost-analyzer.commonLabels" . | nindent 4 }}
+ {{- include "cost-analyzer.commonLabels" . | nindent 4 }}
 spec:
 podSelector:
 matchLabels:
- {{ include "cost-analyzer.selectorLabels" . | nindent 6 }}
+ {{- include "cost-analyzer.selectorLabels" . | nindent 6 }}
 policyTypes:
 - Egress
 egress:
 - to:
 - namespaceSelector: {}
+{{- else }}
+{{- if .Values.networkPolicy.sameNamespace}}
+metadata:
+ name: shared-namespace
+ namespace: {{ default "kubecost" .Values.networkPolicy.namespace}}
+spec:
+ podSelector:
+ matchLabels:
+ app: prometheus
+ component: server
+{{- else }}
+metadata:
+ name: closed-traffic
+ namespace: {{ default "kubecost" .Values.networkPolicy.namespace}}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: cost-analyzer
+{{- end }}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: cost-analyzer
+ - namespaceSelector:
+ matchLabels:
+ name: k8s-kubecost
+{{- end }}
 {{- end -}}
 {{- end -}}
diff --git a/cost-analyzer/values.yaml b/cost-analyzer/values.yaml
index 08f377fde..a76148acb 100755
--- a/cost-analyzer/values.yaml
+++ b/cost-analyzer/values.yaml
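Review bot: The `{{- if .Values.networkPolicy.denyEgress }} … {{- else }}` split makes the egress-deny policy and the new ingress restriction mutually exclusive, so with the default `denyEgress: true` the `shared-namespace`/`closed-traffic` ingress rules are never rendered, and turning them on silently removes egress denial; rendering each policy as its own document (`---` between two independent `if` blocks, each with its own `apiVersion`/`kind`) would let both apply at once. The ingress branches hard-code `app.kubernetes.io/name: cost-analyzer` in `podSelector.matchLabels` where the deny-egress branch uses `{{- include "cost-analyzer.selectorLabels" . | nindent 6 }}`; if the helper's labels ever differ, the `podSelector` matches no pods and the policy enforces nothing without any rendering error, so the include should be used here too. The `namespace: {{ default "kubecost" .Values.networkPolicy.namespace}}` lines pin the resource to a fixed namespace rather than `.Release.Namespace`, unlike the deny-egress branch, and the `namespaceSelector` value `name: k8s-kubecost` only matches a namespace that has been labelled by hand; a comment such as `# the Prometheus namespace must carry the label name=k8s-kubecost for this rule to match` would make that prerequisite visible. Style: `{{- if .Values.networkPolicy.sameNamespace}}` and the two `namespace:` lines lack the space before `}}` that the rest of the template uses. The outer `{{- if` closed by the final `{{- end -}}` starts on file line 1, outside this hunk.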
@@ -242,6 +242,9 @@ priority:
 # If true, enable creation of NetworkPolicy resources.
 networkPolicy:
 enabled: false
+ denyEgress: true # create a network policy that denies egress from kubecost
+ sameNamespace: true # Set to true if cost analyser and prometheus are on the same namespace
+# namespace: kubecost # Namespace where prometheus is installed
 podSecurityPolicy:
 enabled: true