From e8e5072a186fe472be4a17742a4e1c04a7caed14 Mon Sep 17 00:00:00 2001
From: Tin Lam
Date: Mon, 23 Sep 2019 15:06:37 -0500
Subject: [PATCH] Apply network policy to all services

The base network policy framework currently applies only to some OpenStack services' charts but not others. This patch set applies the same base network policies framework to all services.

Change-Id: I786c68057f6742a79a33f78db6e3bba8b99cf1b8
Signed-off-by: Tin Lam
---
 aodh/templates/network_policy.yaml | 18 ++++++++++++++++++
 aodh/values.yaml | 8 ++++++++
 ceilometer/values.yaml | 2 ++
 congress/values.yaml | 2 ++
 ironic/values.yaml | 2 ++
 magnum/values.yaml | 21 +++------------------
 mistral/values.yaml | 21 +++------------------
 panko/templates/network_policy.yaml | 18 ++++++++++++++++++
 panko/values.yaml | 8 ++++++++
 senlin/values.yaml | 2 ++
 10 files changed, 66 insertions(+), 36 deletions(-)
 create mode 100644 aodh/templates/network_policy.yaml
 create mode 100644 panko/templates/network_policy.yaml

diff --git a/aodh/templates/network_policy.yaml b/aodh/templates/network_policy.yaml
new file mode 100644
index 00000000..e8692ef7
--- /dev/null
+++ b/aodh/templates/network_policy.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $opts := dict "envAll" . "name" "application" "label" "aodh" -}}
+{{ $opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/aodh/values.yaml b/aodh/values.yaml
index 65147b01..b1dce220 100644
--- a/aodh/values.yaml
+++ b/aodh/values.yaml
@@ -693,6 +693,13 @@ endpoints:
 metrics:
 default: 24220

+network_policy:
+ aodh:
+ ingress:
+ - {}
+ egress:
+ - {}
+
 manifests:
 configmap_bin: true
 configmap_etc: true
@@ -711,6 +718,7 @@ manifests:
 job_ks_endpoints: true
 job_ks_service: true
 job_ks_user: true
+ network_policy: false
 pdb_api: true
 pod_aodh_test: true
 secret_db: true
diff --git a/ceilometer/values.yaml b/ceilometer/values.yaml
index 44dda74d..0e0ddfe0 100644
--- a/ceilometer/values.yaml
+++ b/ceilometer/values.yaml
@@ -2101,6 +2101,8 @@ network_policy:
 ceilometer:
 ingress:
 - {}
+ egress:
+ - {}

 manifests:
 configmap_bin: true
diff --git a/congress/values.yaml b/congress/values.yaml
index d70f5694..66272a62 100644
--- a/congress/values.yaml
+++ b/congress/values.yaml
@@ -350,6 +350,8 @@ network_policy:
 congress:
 ingress:
 - {}
+ egress:
+ - {}

 conf:
 congress:
diff --git a/ironic/values.yaml b/ironic/values.yaml
index d9c4d840..8372d41d 100644
--- a/ironic/values.yaml
+++ b/ironic/values.yaml
@@ -697,6 +697,8 @@ network_policy:
 ironic:
 ingress:
 - {}
+ egress:
+ - {}

 manifests:
 configmap_bin: true
diff --git a/magnum/values.yaml b/magnum/values.yaml
index 8031e31e..a0979c1a 100644
--- a/magnum/values.yaml
+++ b/magnum/values.yaml
@@ -622,24 +622,9 @@ pod:
 network_policy:
 magnum:
 ingress:
- - from:
- - podSelector:
- matchLabels:
- application: magnum
- - podSelector:
- matchLabels:
- application: horizon
- - podSelector:
- matchLabels:
- application: ingress
- - podSelector:
- matchLabels:
- application: heat
- ports:
- - protocol: TCP
- port: 80
- - protocol: TCP
- port: 9511
+ - {}
+ egress:
+ - {}

 manifests:
 configmap_bin: true
diff --git a/mistral/values.yaml b/mistral/values.yaml
index a12c2af2..b2d8aa0f 100644
--- a/mistral/values.yaml
+++ b/mistral/values.yaml
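Review bot: The `network_policy.aodh` block added in the first hunk of aodh/values.yaml carries no comment saying that `- {}` is an allow-all rule. An empty rule matches every peer on every port, so, assuming helm-toolkit renders these entries unchanged, setting `manifests.network_policy: true` without overriding them produces a NetworkPolicy that isolates nothing. I would add a comment above the block such as `# Allow-all placeholder: override ingress/egress with explicit peers and ports before enabling manifests.network_policy`. The same applies to the `network_policy` block added in panko/values.yaml and to the `egress: - {}` entries added in ceilometer, congress, ironic and senlin.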
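Review bot: The new magnum default `ingress: - {}` no longer restricts sources or ports, whereas the removed default admitted only pods labelled magnum, horizon, ingress or heat on TCP 80 and 9511. A deployment that already enables `manifests.network_policy` and relies on the chart default would lose that restriction on upgrade without any change to its own overrides. If a uniform shape is the goal, the previous `from`/`ports` rule could stay as the magnum default with only the `egress` entry added; otherwise record the change next to the block, e.g. `# NOTE: default ingress was previously limited to magnum/horizon/ingress/heat on TCP 80 and 9511`. The mistral/values.yaml hunk makes the same replacement for TCP 80 and 8989.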
@@ -701,24 +701,9 @@ pod:
 network_policy:
 mistral:
 ingress:
- - from:
- - podSelector:
- matchLabels:
- application: mistral
- - podSelector:
- matchLabels:
- application: horizon
- - podSelector:
- matchLabels:
- application: ingress
- - podSelector:
- matchLabels:
- application: heat
- ports:
- - protocol: TCP
- port: 80
- - protocol: TCP
- port: 8989
+ - {}
+ egress:
+ - {}

 manifests:
 configmap_bin: true
diff --git a/panko/templates/network_policy.yaml b/panko/templates/network_policy.yaml
new file mode 100644
index 00000000..a972bcdb
--- /dev/null
+++ b/panko/templates/network_policy.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $opts := dict "envAll" . "name" "application" "label" "panko" -}}
+{{ $opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/panko/values.yaml b/panko/values.yaml
index de75c0dc..57fb5190 100644
--- a/panko/values.yaml
+++ b/panko/values.yaml
@@ -454,6 +454,13 @@ endpoints:
 metrics:
 default: 24220

+network_policy:
+ panko:
+ ingress:
+ - {}
+ egress:
+ - {}
+
 pod:
 security_context:
 panko:
@@ -606,6 +613,7 @@ manifests:
 job_ks_endpoints: true
 job_ks_service: true
 job_ks_user: true
+ network_policy: false
 pdb_api: true
 pod_rally_test: true
 secret_db: true
diff --git a/senlin/values.yaml b/senlin/values.yaml
index 586e5d68..ead1edb3 100644
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@@ -658,6 +658,8 @@ network_policy:
 senlin:
 ingress:
 - {}
+ egress:
+ - {}

 manifests:
 configmap_bin: true