new network policy for ingress-nginx

Signed-off-by: Mehdi Bechiri <[email protected]>
particuleio · Apr 19, 2023 · 31cc632 · 31cc632
1 parent cb52deb
commit 31cc632
Show file tree

Hide file tree

Showing 5 changed files with 62 additions and 2 deletions.
diff --git a/ingress-nginx.tf b/ingress-nginx.tf
@@ -11,6 +11,8 @@ locals {
       enabled                = false
       default_network_policy = true
       ingress_cidrs          = ["0.0.0.0/0"]
+      linkerd-viz-enabled    = false
+      linkerd-viz-namespace  = "linkerd-viz"
       allowed_cidrs          = ["0.0.0.0/0"]
     },
     var.ingress-nginx
@@ -232,7 +234,7 @@ resource "kubernetes_network_policy" "ingress-nginx_allow_control_plane" {
 }
 
 resource "kubernetes_network_policy" "ingress-nginx_allow_linkerd_viz" {
-  count = local.ingress-nginx["enabled"] && local.linkerd-viz["enabled"] && local.ingress-nginx["default_network_policy"] ? 1 : 0
+  count = local.ingress-nginx["enabled"] && (local.linkerd-viz["enabled"] || local.ingress-nginx["linkerd-viz-enabled"]) && local.ingress-nginx["default_network_policy"] ? 1 : 0
 
   metadata {
     name      = "${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-linkerd-viz"
@@ -247,7 +249,7 @@ resource "kubernetes_network_policy" "ingress-nginx_allow_linkerd_viz" {
       from {
         namespace_selector {
           match_labels = {
-            name = local.linkerd-viz["namespace"]
+            name = local.linkerd-viz["enabled"] ? local.linkerd-viz["namespace"] : local.ingress-nginx["linkerd-viz-namespace"]
           }
         }
       }

diff --git a/modules/aws/README.md b/modules/aws/README.md
@@ -242,6 +242,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 | [kubernetes_network_policy.flux_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.ingress-nginx_allow_linkerd_viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |

diff --git a/modules/aws/ingress-nginx.tf b/modules/aws/ingress-nginx.tf
@@ -13,6 +13,8 @@ locals {
       use_l7                 = false
       enabled                = false
       default_network_policy = true
+      linkerd-viz-enabled    = false
+      linkerd-viz-namespace  = "linkerd-viz"
       ingress_cidrs          = ["0.0.0.0/0"]
       allowed_cidrs          = ["0.0.0.0/0"]
     },
@@ -318,3 +320,29 @@ resource "kubernetes_network_policy" "ingress-nginx_allow_control_plane" {
     policy_types = ["Ingress"]
   }
 }
+
+resource "kubernetes_network_policy" "ingress-nginx_allow_linkerd_viz" {
+  count = local.ingress-nginx["enabled"] && (local.linkerd-viz["enabled"] || local.ingress-nginx["linkerd-viz-enabled"]) && local.ingress-nginx["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-linkerd-viz"
+    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            name = local.linkerd-viz["enabled"] ? local.linkerd-viz["namespace"] : local.ingress-nginx["linkerd-viz-namespace"]
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
diff --git a/modules/scaleway/README.md b/modules/scaleway/README.md
@@ -145,6 +145,7 @@ No modules.
 | [kubernetes_network_policy.flux_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.ingress-nginx_allow_linkerd_viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |

diff --git a/modules/scaleway/ingress-nginx.tf b/modules/scaleway/ingress-nginx.tf
@@ -10,6 +10,8 @@ locals {
       namespace              = "ingress-nginx"
       enabled                = false
       default_network_policy = true
+      linkerd-viz-enabled    = false
+      linkerd-viz-namespace  = "linkerd-viz"
       ingress_cidrs          = ["0.0.0.0/0"]
       allowed_cidrs          = ["0.0.0.0/0"]
     },
@@ -238,3 +240,29 @@ resource "kubernetes_network_policy" "ingress-nginx_allow_control_plane" {
     policy_types = ["Ingress"]
   }
 }
+
+resource "kubernetes_network_policy" "ingress-nginx_allow_linkerd_viz" {
+  count = local.ingress-nginx["enabled"] && (local.linkerd-viz["enabled"] || local.ingress-nginx["linkerd-viz-enabled"]) && local.ingress-nginx["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-linkerd-viz"
+    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            name = local.linkerd-viz["enabled"] ? local.linkerd-viz["namespace"] : local.ingress-nginx["linkerd-viz-namespace"]
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}