fix network-policies

2026-02-02 06:55:53 +00:00 · 2024-08-09 04:47:00 +02:00
5 changed files with 64 additions and 26 deletions
--- a/packages/apps/tenant/Chart.yaml
+++ b/packages/apps/tenant/Chart.yaml
@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg

 type: application
-version: 1.3.0
+version: 1.3.1
--- a/packages/apps/tenant/templates/namespace.yaml
+++ b/packages/apps/tenant/templates/namespace.yaml
@@ -21,6 +21,15 @@ metadata:
    namespace.cozystack.io/{{ $x }}: "{{ index $existingNS.metadata.annotations (printf "namespace.cozystack.io/%s" $x) | required (printf "namespace %s has no namespace.cozystack.io/%s annotation" $.Release.Namespace $x) }}"
    {{- end }}
    {{- end }}
+  labels:
+    {{- if hasPrefix "tenant-" .Release.Namespace }}
+    {{- $parts := splitList "-" .Release.Namespace }}
+    {{- range $i, $v := $parts }}
+    {{- if ne $i 0 }}
+    tenant.cozystack.io/{{ join "-" (slice $parts 0 (add $i 1)) }}: ""
+    {{- end }}
+    {{- end }}
+    {{- end }}
  ownerReferences:
  - apiVersion: v1
    blockOwnerDeletion: true
--- a/packages/apps/tenant/templates/networkpolicy.yaml
+++ b/packages/apps/tenant/templates/networkpolicy.yaml
@@ -28,17 +28,6 @@ spec:
  - toEntities:
      - world
 ---
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-from-system
-  namespace: {{ include "tenant.name" . }}
-spec:
-  endpointSelector: {}
-  ingress:
-  - fromEntities:
-    - cluster
---
 {{- if ne (include "tenant.name" .) "tenant-root" }}
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
@@ -49,35 +38,63 @@ spec:
  endpointSelector: {}
  ingress:
  - fromEndpoints:
-    - matchLabels:
-        "kubernetes.io/metadata.name": "tenant-root"
    {{- if hasPrefix "tenant-" .Release.Namespace }}
    {{- $parts := splitList "-" .Release.Namespace }}
    {{- range $i, $v := $parts }}
    {{- if ne $i 0 }}
    - matchLabels:
-        "kubernetes.io/metadata.name": {{ join "-" (slice $parts 0 (add $i 1)) }}
+        "k8s:io.kubernetes.pod.namespace": {{ join "-" (slice $parts 0 (add $i 1)) }}
+    {{- end }}
+    {{- end }}
+    {{- end }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-to-upper-tenants
+  namespace: {{ include "tenant.name" . }}
+spec:
+  endpointSelector: {}
+  egress:
+  - toEndpoints:
+    {{- if hasPrefix "tenant-" .Release.Namespace }}
+    {{- $parts := splitList "-" .Release.Namespace }}
+    {{- range $i, $v := $parts }}
+    {{- if ne $i 0 }}
+    - matchLabels:
+        "k8s:io.kubernetes.pod.namespace": {{ join "-" (slice $parts 0 (add $i 1)) }}
    {{- end }}
    {{- end }}
    {{- end }}
 {{- end }}
 ---
-{{- if not .Values.etcd }}
-{{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
+kind: CiliumClusterwideNetworkPolicy
 metadata:
-  name: allow-to-etcd
-  namespace: {{ include "tenant.name" . }}
+  name: "allow-to-down-labels-{{ include "tenant.name" . }}"
 spec:
  endpointSelector:
    matchLabels:
-      policy.cozystack.io/allow-to-etcd: "true"
+      k8s:io.kubernetes.pod.namespace: "{{ include "tenant.name" . }}"
  egress:
  - toEndpoints:
    - matchLabels:
-        io.kubernetes.pod.namespace: "{{ index $existingNS.metadata.annotations "namespace.cozystack.io/etcd" }}"
-        cozystack.io/service: etcd
+        "k8s:io.cilium.k8s.namespace.labels.tenant.cozystack.io/{{ include "tenant.name" . }}": ""
+---
+{{- if .Values.etcd }}
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: "allow-to-etcd-{{ include "tenant.name" . }}"
+spec:
+  endpointSelector:
+    matchLabels:
+      k8s:io.kubernetes.pod.namespace: "{{ include "tenant.name" . }}"
+      cozystack.io/service: etcd
+  ingress:
+  - fromEndpoints:
+    - matchLabels:
+        k8s:io.cilium.k8s.namespace.labels.namespace.cozystack.io/etcd: "{{ include "tenant.name" . }}"
 {{- end }}
 ---
 apiVersion: cilium.io/v2
@@ -107,7 +124,7 @@ spec:
  egress:
  - toEndpoints:
    - matchLabels:
-        io.kubernetes.pod.namespace: kube-system
+        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
 ---
 apiVersion: cilium.io/v2
@@ -120,7 +137,7 @@ spec:
  egress:
  - toEndpoints:
      - matchLabels:
-          io.kubernetes.pod.namespace: cozy-dashboard
+          k8s:io.kubernetes.pod.namespace: cozy-dashboard
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -39,7 +39,8 @@ tenant 0.1.5 e3ab858
 tenant 1.0.0 7cd7de7
 tenant 1.1.0 4da8ac3b
 tenant 1.2.0 15478a88
-tenant 1.3.0 HEAD
+tenant 1.3.0 ceefae03
+tenant 1.3.1 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 HEAD
--- a/packages/system/cilium/templates/clusterwide-networkpolicies.yaml
+++ b/packages/system/cilium/templates/clusterwide-networkpolicies.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-from-system
+spec:
+  endpointSelector: {}
+  ingress:
+  - fromEndpoints:
+      - matchLabels:
+          "k8s:io.cilium.k8s.namespace.labels.cozystack.io/system": "true"