fix network-policies

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-01-28 18:18:41 +00:00 · 2024-08-09 04:46:16 +02:00
parent f81be0758e
commit 4a885ab0e7
9 changed files with 105 additions and 46 deletions
--- a/packages/apps/ferretdb/templates/postgres.yaml
+++ b/packages/apps/ferretdb/templates/postgres.yaml
@@ -16,6 +16,10 @@ spec:
  storage:
    size: {{ required ".Values.size is required" .Values.size }}

+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"
+
  {{- if .Values.users }}
  managed:
    roles:
--- a/packages/apps/kafka/templates/kafka.yaml
+++ b/packages/apps/kafka/templates/kafka.yaml
@@ -65,3 +65,8 @@ spec:
  entityOperator:
    topicOperator: {}
    userOperator: {}
+    template:
+      pod:
+        metadata:
+         labels:
+           policy.cozystack.io/allow-to-apiserver: "true"
--- a/packages/apps/postgres/templates/db.yaml
+++ b/packages/apps/postgres/templates/db.yaml
@@ -19,3 +19,7 @@ spec:

  storage:
    size: {{ required ".Values.size is required" .Values.size }}
+
+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"
--- a/packages/apps/tenant/Chart.yaml
+++ b/packages/apps/tenant/Chart.yaml
@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg

 type: application
-version: 1.3.0
+version: 1.3.1
--- a/packages/apps/tenant/templates/namespace.yaml
+++ b/packages/apps/tenant/templates/namespace.yaml
@@ -1,3 +1,20 @@
+{{- define "cozystack.namespace-anotations" }}
+{{- $context := index . 0 }}
+{{- $existingNS := index . 1 }}
+{{- range $x := list "etcd" "monitoring" "ingress" }}
+{{- if (index $context.Values $x) }}
+namespace.cozystack.io/{{ $x }}: "{{ include "tenant.name" $context }}"
+{{- else }}
+namespace.cozystack.io/{{ $x }}: "{{ index $existingNS.metadata.annotations (printf "namespace.cozystack.io/%s" $x) | required (printf "namespace %s has no namespace.cozystack.io/%s annotation" $context.Release.Namespace $x) }}"
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- if not $existingNS }}
+{{- fail (printf "error lookup existing namespace: %s" .Release.Namespace) }}
+{{- end }}
+
 {{- if ne (include "tenant.name" .) "tenant-root" }}
 ---
 apiVersion: v1
@@ -5,22 +22,25 @@ kind: Namespace
 metadata:
  name: {{ include "tenant.name" . }}
  {{- if hasPrefix "tenant-" .Release.Namespace }}
-  {{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }}
-  {{- if $existingNS }}
  annotations:
    {{- if .Values.host }}
    namespace.cozystack.io/host: "{{ .Values.host }}"
    {{- else }}
-    {{ $parentHost := index $existingNS.metadata.annotations "namespace.cozystack.io/host" | required (printf "namespace %s has no namespace.cozystack.io/host annotation" $.Release.Namespace) }}
+    {{ $parentHost := index $existingNS.metadata.annotations "namespace.cozystack.io/host" | required (printf "namespace %s has no namespace.cozystack.io/host annotation" .Release.Namespace) }}
    namespace.cozystack.io/host: "{{ splitList "-" (include "tenant.name" .) | last }}.{{ $parentHost }}"
    {{- end }}
-    {{- range $x := list "etcd" "monitoring" "ingress" }}
-    {{- if (index $.Values $x) }}
-    namespace.cozystack.io/{{ $x }}: "{{ include "tenant.name" $ }}"
-    {{- else }}
-    namespace.cozystack.io/{{ $x }}: "{{ index $existingNS.metadata.annotations (printf "namespace.cozystack.io/%s" $x) | required (printf "namespace %s has no namespace.cozystack.io/%s annotation" $.Release.Namespace $x) }}"
+    {{- include "cozystack.namespace-anotations" (list . $existingNS) | nindent 4 }}
+  labels:
+    tenant.cozystack.io/{{ include "tenant.name" $ }}: ""
+    {{- if hasPrefix "tenant-" .Release.Namespace }}
+    {{- $parts := splitList "-" .Release.Namespace }}
+    {{- range $i, $v := $parts }}
+    {{- if ne $i 0 }}
+    tenant.cozystack.io/{{ join "-" (slice $parts 0 (add $i 1)) }}: ""
    {{- end }}
    {{- end }}
+    {{- end }}
+    {{- include "cozystack.namespace-anotations" (list $ $existingNS) | nindent 4 }}
  ownerReferences:
  - apiVersion: v1
    blockOwnerDeletion: true
@@ -28,8 +48,5 @@ metadata:
    kind: Namespace
    name: {{ .Release.Namespace }}
    uid: {{ $existingNS.metadata.uid }}
-  {{- else }}
-  {{- fail (printf "error lookup exiting namespace: %s" .Release.Namespace) }}
-  {{- end }}
  {{- end }}
 {{- end }}
--- a/packages/apps/tenant/templates/networkpolicy.yaml
+++ b/packages/apps/tenant/templates/networkpolicy.yaml
@@ -29,55 +29,75 @@ spec:
      - world
 ---
 apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
+kind: CiliumClusterwideNetworkPolicy
 metadata:
-  name: allow-from-system
-  namespace: {{ include "tenant.name" . }}
+  name: {{ include "tenant.name" . }}-egress
 spec:
-  endpointSelector: {}
-  ingress:
-  - fromEntities:
-    - cluster
---
-{{- if ne (include "tenant.name" .) "tenant-root" }}
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-from-upper-tenants
-  namespace: {{ include "tenant.name" . }}
-spec:
-  endpointSelector: {}
-  ingress:
-  - fromEndpoints:
+  endpointSelector:
+    matchLabels:
+      "k8s:io.kubernetes.pod.namespace": "{{ include "tenant.name" . }}"
+  egress:
+  - toEndpoints:
    - matchLabels:
-        "kubernetes.io/metadata.name": "tenant-root"
+        "k8s:io.cilium.k8s.namespace.labels.tenant.cozystack.io/{{ include "tenant.name" . }}": ""
+  {{- if ne (include "tenant.name" .) "tenant-root" }}
+  - toEndpoints:
    {{- if hasPrefix "tenant-" .Release.Namespace }}
    {{- $parts := splitList "-" .Release.Namespace }}
    {{- range $i, $v := $parts }}
    {{- if ne $i 0 }}
    - matchLabels:
-        "kubernetes.io/metadata.name": {{ join "-" (slice $parts 0 (add $i 1)) }}
+        "k8s:io.kubernetes.pod.namespace": {{ join "-" (slice $parts 0 (add $i 1)) }}
    {{- end }}
    {{- end }}
    {{- end }}
-{{- end }}
+  {{- end }}
 ---
-{{- if not .Values.etcd }}
-{{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
+kind: CiliumClusterwideNetworkPolicy
 metadata:
-  name: allow-to-etcd
-  namespace: {{ include "tenant.name" . }}
+  name: {{ include "tenant.name" . }}-ingress
 spec:
  endpointSelector:
    matchLabels:
-      policy.cozystack.io/allow-to-etcd: "true"
-  egress:
-  - toEndpoints:
+      "k8s:io.kubernetes.pod.namespace": "{{ include "tenant.name" . }}"
+  ingress:
+  - fromEntities:
+    - kube-apiserver
+  - fromEndpoints:
+      - matchLabels:
+          "k8s:io.cilium.k8s.namespace.labels.cozystack.io/system": "true"
+  - fromEndpoints:
+      - matchLabels:
+          "k8s:io.kubernetes.pod.namespace": kube-system
+  {{- if ne (include "tenant.name" .) "tenant-root" }}
+  - fromEndpoints:
+    {{- if hasPrefix "tenant-" .Release.Namespace }}
+    {{- $parts := splitList "-" .Release.Namespace }}
+    {{- range $i, $v := $parts }}
+    {{- if ne $i 0 }}
    - matchLabels:
-        io.kubernetes.pod.namespace: "{{ index $existingNS.metadata.annotations "namespace.cozystack.io/etcd" }}"
-        cozystack.io/service: etcd
+        "k8s:io.kubernetes.pod.namespace": {{ join "-" (slice $parts 0 (add $i 1)) }}
+    {{- end }}
+    {{- end }}
+    {{- end }}
+  {{- end }}
+---
+{{- if .Values.etcd }}
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: {{ include "tenant.name" . }}-ingress-etcd
+spec:
+  endpointSelector:
+    matchLabels:
+      "k8s:io.kubernetes.pod.namespace": "{{ include "tenant.name" . }}"
+      cozystack.io/service: etcd
+  ingress:
+  - fromEndpoints:
+    - matchLabels:
+        "k8s:io.cilium.k8s.namespace.labels.namespace.cozystack.io/etcd": "{{ include "tenant.name" . }}"
+        policy.cozystack.io/allow-to-etcd: "true"
 {{- end }}
 ---
 apiVersion: cilium.io/v2
@@ -107,7 +127,7 @@ spec:
  egress:
  - toEndpoints:
    - matchLabels:
-        io.kubernetes.pod.namespace: kube-system
+        "k8s:io.kubernetes.pod.namespace": kube-system
        k8s-app: kube-dns
 ---
 apiVersion: cilium.io/v2
@@ -120,7 +140,7 @@ spec:
  egress:
  - toEndpoints:
      - matchLabels:
-          io.kubernetes.pod.namespace: cozy-dashboard
+          "k8s:io.kubernetes.pod.namespace": cozy-dashboard
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -39,7 +39,8 @@ tenant 0.1.5 e3ab858
 tenant 1.0.0 7cd7de7
 tenant 1.1.0 4da8ac3b
 tenant 1.2.0 15478a88
-tenant 1.3.0 HEAD
+tenant 1.3.0 ceefae03
+tenant 1.3.1 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 HEAD
--- a/packages/extra/monitoring/templates/grafana/db.yaml
+++ b/packages/extra/monitoring/templates/grafana/db.yaml
@@ -6,3 +6,7 @@ spec:
  instances: 2
  storage:
    size: 10Gi
+
+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"
--- a/packages/extra/monitoring/templates/oncall/oncall-db.yaml
+++ b/packages/extra/monitoring/templates/oncall/oncall-db.yaml
@@ -8,4 +8,8 @@ spec:
  instances: 2
  storage:
    size: 10Gi
+
+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"
 {{- end }}