diff --git a/openshift/templates/backup-container-2.6.1/cronjob.md b/openshift/templates/backup-container-2.6.1/cronjob.md
new file mode 100644
index 00000000..25b81607
--- /dev/null
+++ b/openshift/templates/backup-container-2.6.1/cronjob.md
@@ -0,0 +1,22 @@
+# Cronjob prerequisites
+Backup PVC: backup
+KNP: allow CronJob to connect to Spilo
+
+# Create database backup cronjob
+oc process -f ./db-backup-cronjob-2.6.1.yaml \
+JOB_NAME=cthub-db-backup \
+JOB_PERSISTENT_STORAGE_NAME=backup \
+SCHEDULE="00 07,21 * * *" \
+TAG_NAME=2.6.1 \
+DATABASE_SERVICE_NAME=cthub-test-crunchy-replicas \
+DATABASE_DEFAULT_PORT=5432 \
+DATABASE_NAME=cthub \
+DATABASE_DEPLOYMENT_NAME=cthub-patroni-app \
+DATABASE_USER_KEY_NAME=app-db-username \
+DATABASE_PASSWORD_KEY_NAME=app-db-password \
+BACKUP_STRATEGY=rolling \
+BACKUP_DIR=/backups \
+DAILY_BACKUPS=30 \
+WEEKLY_BACKUPS=8 \
+MONTHLY_BACKUPS=2 | oc apply -f - -n 30b186-test
+
diff --git a/openshift/templates/backup-container-2.6.1/db-backup-cronjob-2.6.1.yaml b/openshift/templates/backup-container-2.6.1/db-backup-cronjob-2.6.1.yaml
new file mode 100644
index 00000000..e36f9628
--- /dev/null
+++ b/openshift/templates/backup-container-2.6.1/db-backup-cronjob-2.6.1.yaml
@@ -0,0 +1,253 @@
+---
+kind: "Template"
+apiVersion: "template.openshift.io/v1"
+metadata:
+ name: "{$JOB_NAME}-cronjob-template"
+ annotations:
+ description: "Scheduled Task to perform a Database Backup"
+ tags: "cronjob,backup"
+parameters:
+ - name: "JOB_NAME"
+ displayName: "Job Name"
+ description: "Name of the Scheduled Job to Create."
+ value: "backup-postgres"
+ required: true
+ - name: "JOB_PERSISTENT_STORAGE_NAME"
+ displayName: "Backup Persistent Storage Name"
+ description: "Pre-Created PVC to use for backup target"
+ value: "bk-devex-von-tools-a9vlgd1jpsg1"
+ required: true
+ - name: "SCHEDULE"
+ displayName: "Cron Schedule"
+ description: "Cron Schedule to Execute the Job (using local cluster system TZ)"
+ # Currently targeting 1:00 AM Daily
+ value: "0 1 * * *"
+ required: true
+ - name: "SOURCE_IMAGE_NAME"
+ displayName: "Source Image Name"
+ description: "The name of the image to use for this resource."
+ required: true
+ value: "backup-container"
+ - name: "IMAGE_REGISTRY"
+ description: "The base OpenShift docker registry"
+ displayName: "Docker Image Registry"
+ required: true
+ # Set value to "docker-registry.default.svc:5000" if using OCP3
+ value: "docker.io"
+ - name: "IMAGE_NAMESPACE"
+ displayName: "Image Namespace"
+ description: "The namespace of the OpenShift project containing the imagestream for the application."
+ required: true
+ value: "bcgovimages"
+ - name: "TAG_NAME"
+ displayName: "Environment TAG name"
+ description: "The TAG name for this environment, e.g., dev, test, prod"
+ required: true
+ value: "dev"
+ - name: "DATABASE_SERVICE_NAME"
+ displayName: "Database Service Name"
+ description: "The name of the database service."
+ required: true
+ value: "postgresql"
+ - name: "DATABASE_DEFAULT_PORT"
+ displayName: "Database Service Port"
+ description: "The configured port for the database service"
+ required: true
+ value: "5432"
+ - name: "DATABASE_NAME"
+ displayName: "Database Name"
+ description: "The name of the database."
+ required: true
+ value: "MyDatabase"
+ - name: "DATABASE_DEPLOYMENT_NAME"
+ displayName: "Database Deployment Name"
+ description: "The name associated to the database deployment resources. In particular, this is used to wire up the credentials associated to the database."
+ required: true
+ value: "postgresql"
+ - name: DATABASE_USER_KEY_NAME
+ displayName: Database User Key Name
+ description:
+ The database user key name stored in database deployment resources specified
+ by DATABASE_DEPLOYMENT_NAME.
+ required: true
+ value: database-user
+ - name: DATABASE_PASSWORD_KEY_NAME
+ displayName: Database Password Key Name
+ description:
+ The database password key name stored in database deployment resources
+ specified by DATABASE_DEPLOYMENT_NAME.
+ required: true
+ value: database-password
+ - name: "BACKUP_STRATEGY"
+ displayName: "Backup Strategy"
+ description: "The strategy to use for backups; for example daily, or rolling."
+ required: true
+ value: "rolling"
+ - name: "BACKUP_DIR"
+ displayName: "The root backup directory"
+ description: "The name of the root backup directory"
+ required: true
+ value: "/backups/"
+ - name: "NUM_BACKUPS"
+ displayName: "The number of backup files to be retained"
+ description: "The number of backup files to be retained. Used for the `daily` backup strategy. Ignored when using the `rolling` backup strategy."
+ required: false
+ value: "5"
+ - name: "DAILY_BACKUPS"
+ displayName: "Number of Daily Backups to Retain"
+ description: "The number of daily backup files to be retained. Used for the `rolling` backup strategy."
+ required: false
+ value: "7"
+ - name: "WEEKLY_BACKUPS"
+ displayName: "Number of Weekly Backups to Retain"
+ description: "The number of weekly backup files to be retained. Used for the `rolling` backup strategy."
+ required: false
+ value: "4"
+ - name: "MONTHLY_BACKUPS"
+ displayName: "Number of Monthly Backups to Retain"
+ description: "The number of monthly backup files to be retained. Used for the `rolling` backup strategy."
+ required: false
+ value: "1"
+ - name: "JOB_SERVICE_ACCOUNT"
+ displayName: "Service Account Name"
+ description: "Name of the Service Account To Exeucte the Job As."
+ value: "default"
+ required: true
+ - name: "SUCCESS_JOBS_HISTORY_LIMIT"
+ displayName: "Successful Job History Limit"
+ description: "The number of successful jobs that will be retained"
+ value: "5"
+ required: true
+ - name: "FAILED_JOBS_HISTORY_LIMIT"
+ displayName: "Failed Job History Limit"
+ description: "The number of failed jobs that will be retained"
+ value: "2"
+ required: true
+ - name: "JOB_BACKOFF_LIMIT"
+ displayName: "Job Backoff Limit"
+ description: "The number of attempts to try for a successful job outcome"
+ value: "0"
+ required: false
+objects:
+- kind: ConfigMap
+ apiVersion: v1
+ metadata:
+ name: "${JOB_NAME}-config"
+ labels:
+ template: "${JOB_NAME}-config-template"
+ cronjob: "${JOB_NAME}"
+ data:
+ DATABASE_SERVICE_NAME: "${DATABASE_SERVICE_NAME}"
+ DEFAULT_PORT: "${DATABASE_DEFAULT_PORT}"
+ POSTGRESQL_DATABASE: "${DATABASE_NAME}"
+ # BACKUP_STRATEGY: "daily"
+ BACKUP_STRATEGY: "rolling"
+ RETENTION.NUM_BACKUPS: "${NUM_BACKUPS}"
+ RETENTION.DAILY_BACKUPS: "${DAILY_BACKUPS}"
+ RETENTION.WEEKLY_BACKUPS: "${WEEKLY_BACKUPS}"
+ RETENTION.MONTHLY_BACKUPS: "${MONTHLY_BACKUPS}"
+
+- kind: "CronJob"
+ apiVersion: "batch/v1"
+ metadata:
+ name: "${JOB_NAME}"
+ labels:
+ template: "${JOB_NAME}-cronjob"
+ cronjob: "${JOB_NAME}"
+ spec:
+ schedule: "${SCHEDULE}"
+ concurrencyPolicy: "Forbid"
+ successfulJobsHistoryLimit: "${{SUCCESS_JOBS_HISTORY_LIMIT}}"
+ failedJobsHistoryLimit: "${{FAILED_JOBS_HISTORY_LIMIT}}"
+ jobTemplate:
+ metadata:
+ labels:
+ template: "${JOB_NAME}-job"
+ cronjob: "${JOB_NAME}"
+ spec:
+ backoffLimit: ${{JOB_BACKOFF_LIMIT}}
+ template:
+ metadata:
+ labels:
+ template: "${JOB_NAME}-job"
+ cronjob: "${JOB_NAME}"
+ spec:
+ containers:
+ - name: "${JOB_NAME}-cronjob"
+ image: "${IMAGE_REGISTRY}/${IMAGE_NAMESPACE}/${SOURCE_IMAGE_NAME}:${TAG_NAME}"
+ # image: backup
+ command:
+ - "/bin/bash"
+ - "-c"
+ - "/backup.sh -1"
+ volumeMounts:
+ - mountPath: "${BACKUP_DIR}"
+ name: "backup"
+ env:
+ - name: BACKUP_DIR
+ value: "${BACKUP_DIR}/db-backups-by-cron/"
+ - name: BACKUP_STRATEGY
+ valueFrom:
+ configMapKeyRef:
+ name: "${JOB_NAME}-config"
+ key: BACKUP_STRATEGY
+ - name: NUM_BACKUPS
+ valueFrom:
+ configMapKeyRef:
+ name: "${JOB_NAME}-config"
+ key: RETENTION.NUM_BACKUPS
+ optional: true
+ - name: DAILY_BACKUPS
+ valueFrom:
+ configMapKeyRef:
+ name: "${JOB_NAME}-config"
+ key: RETENTION.DAILY_BACKUPS
+ optional: true
+ - name: WEEKLY_BACKUPS
+ valueFrom:
+ configMapKeyRef:
+ name: "${JOB_NAME}-config"
+ key: RETENTION.WEEKLY_BACKUPS
+ optional: true
+ - name: MONTHLY_BACKUPS
+ valueFrom:
+ configMapKeyRef:
+ name: "${JOB_NAME}-config"
+ key: RETENTION.MONTHLY_BACKUPS
+ optional: true
+ - name: DATABASE_SERVICE_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: "${JOB_NAME}-config"
+ key: DATABASE_SERVICE_NAME
+ - name: DEFAULT_PORT
+ valueFrom:
+ configMapKeyRef:
+ name: "${JOB_NAME}-config"
+ key: DEFAULT_PORT
+ optional: true
+ - name: POSTGRESQL_DATABASE
+ valueFrom:
+ configMapKeyRef:
+ name: "${JOB_NAME}-config"
+ key: POSTGRESQL_DATABASE
+ - name: DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ name: "${DATABASE_DEPLOYMENT_NAME}"
+ key: "${DATABASE_USER_KEY_NAME}"
+ - name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${DATABASE_DEPLOYMENT_NAME}"
+ key: "${DATABASE_PASSWORD_KEY_NAME}"
+ volumes:
+ - name: backup
+ persistentVolumeClaim:
+ claimName: 
"${JOB_PERSISTENT_STORAGE_NAME}"
+ restartPolicy: "Never"
+ terminationGracePeriodSeconds: 30
+ activeDeadlineSeconds: 1600
+ dnsPolicy: "ClusterFirst"
+ serviceAccountName: "${JOB_SERVICE_ACCOUNT}"
+ serviceAccount: "${JOB_SERVICE_ACCOUNT}"
diff --git a/openshift/templates/knp/knp-env-base.yaml b/openshift/templates/knp/1-knp-base.yaml
similarity index 66%
rename from openshift/templates/knp/knp-env-base.yaml
rename to openshift/templates/knp/1-knp-base.yaml
index 0b75d846..b02d498f 100644
--- a/openshift/templates/knp/knp-env-base.yaml
+++ b/openshift/templates/knp/1-knp-base.yaml
@@ -6,17 +6,6 @@ labels:
 metadata:
 name: cthub-network-policy
 objects:
- ## Base Network Policies
- - kind: NetworkPolicy
- apiVersion: networking.k8s.io/v1
- metadata:
- name: deny-by-default
- spec:
- # The default posture for a security first namespace is to
- # deny all traffic. If not added this rule will be added
- # by Platform Services during environment cut-over.
- podSelector: {}
- ingress: []
 - apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
diff --git a/openshift/templates/knp/2-allow-crunchy-accept.yaml b/openshift/templates/knp/2-allow-crunchy-accept.yaml
new file mode 100644
index 00000000..c5565417
--- /dev/null
+++ b/openshift/templates/knp/2-allow-crunchy-accept.yaml
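Review bot: The job pod runs as the namespace `default` service account (`JOB_SERVICE_ACCOUNT` defaults to `default` and is set via both `serviceAccountName` and `serviceAccount` at the end of the pod spec) with its API token auto-mounted unless the SA itself disables it, and neither the pod nor the container declares a `securityContext`, although `/backup.sh` only needs the DB secret and the PVC; add `automountServiceAccountToken: false` and a restrictive container securityContext as below, and prefer a dedicated SA with no role bindings (OpenShift's restricted SCC covers much of this, but stating it in the template keeps the job safe if a looser SCC is ever granted). `metadata.name: "{$JOB_NAME}-cronjob-template"` has the sigil and brace transposed, so the processed template is literally named `{$JOB_NAME}-cronjob-template`; it should read `"${JOB_NAME}-cronjob-template"`. The `BACKUP_STRATEGY` parameter is declared but the ConfigMap hard-codes `BACKUP_STRATEGY: "rolling"`, so the `BACKUP_STRATEGY=rolling` passed in cronjob.md is silently ignored; use `BACKUP_STRATEGY: "${BACKUP_STRATEGY}"`. The image is pulled from docker.io by mutable tag (`:${TAG_NAME}`, `2.6.1` in cronjob.md); since this container receives the database credentials, pin it by digest (`image@sha256:…`) or mirror it into the cluster registry so the job cannot be swapped out upstream.
```yaml
      template:
        # … unchanged: metadata/labels …
        spec:
          automountServiceAccountToken: false
          containers:
            - name: "${JOB_NAME}-cronjob"
              image: "${IMAGE_REGISTRY}/${IMAGE_NAMESPACE}/${SOURCE_IMAGE_NAME}:${TAG_NAME}"
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
              # … unchanged: command, volumeMounts, env …
          # … unchanged: volumes, restartPolicy, deadlines, serviceAccountName …
```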
@@ -0,0 +1,72 @@
+---
+apiVersion: template.openshift.io/v1
+kind: Template
+labels:
+ template: cthub-network-policy
+metadata:
+ name: allow-crunchy-accept
+parameters:
+ - name: ENVIRONMENT
+ displayName: null
+ description: such as dev, test or prod
+ required: true
+objects:
+ - apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: allow-crunchy-accept
+ spec:
+ podSelector:
+ matchLabels:
+ postgres-operator.crunchydata.com/cluster: cthub-${ENVIRONMENT}-crunchy
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ postgres-operator.crunchydata.com/cluster: cthub-${ENVIRONMENT}-crunchy
+ - ports:
+ - protocol: TCP
+ port: 5432
+ from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: cthub-${ENVIRONMENT}
+ app.kubernetes.io/name: backend
+ - ports:
+ - protocol: TCP
+ port: 5432
+ from:
+ - podSelector:
+ matchLabels:
+ openshift.io/deployer-pod.type: hook-mid
+ - ports:
+ - protocol: TCP
+ port: 5432
+ from:
+ - podSelector:
+ matchLabels:
+ cronjob: cthub-db-backup
+ - ports:
+ - protocol: TCP
+ port: 9187
+ from:
+ - namespaceSelector:
+ matchLabels:
+ environment: tools
+ name: 0ab226
+ - podSelector:
+ matchLabels:
+ name: crunchy-prometheus
+ - ports:
+ - protocol: TCP
+ port: 5432
+ from:
+ - namespaceSelector:
+ matchLabels:
+ environment: ${ENVIRONMENT}
+ name: 30b186
+ - podSelector:
+ matchLabels:
+ app: metabase
+ policyTypes:
+ - Ingress
\ No newline at end of file
diff --git a/openshift/templates/knp/README.md b/openshift/templates/knp/README.md
deleted file mode 100644
index 0e2bf6dd..00000000
--- a/openshift/templates/knp/README.md
+++ /dev/null
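Review bot: The last two ingress rules list `namespaceSelector` and `podSelector` as separate `from` peers (each starts with its own `- `), which NetworkPolicy evaluates as OR, not AND: port 9187 is opened to every pod in the `0ab226` tools namespace, and port 5432 to every pod in the namespace labelled `name: 30b186`/`environment: ${ENVIRONMENT}` — which, going by the `-n 30b186-test` in cronjob.md, is the namespace this policy is applied to — plus any `app: metabase` pod in any namespace, making the narrower backend/hook-mid/backup rules above it moot. To AND the two selectors they must sit in the same peer entry, as below. Note also that this file contains only allow rules while the same commit drops `deny-by-default` from 1-knp-base.yaml and knp-quick-start.yaml, so pods not selected here (backend, the backup CronJob) are isolated only if the platform-provided deny-all actually exists in the namespace; a `oc get networkpolicy deny-by-default -n <ns>` check belongs in the rollout steps. The file also lacks a trailing newline.
```yaml
      # … unchanged: cluster-internal, backend, hook-mid and backup rules …
      - ports:
          - protocol: TCP
            port: 9187
        from:
          - namespaceSelector:
              matchLabels:
                environment: tools
                name: 0ab226
            podSelector:
              matchLabels:
                name: crunchy-prometheus
      - ports:
          - protocol: TCP
            port: 5432
        from:
          - namespaceSelector:
              matchLabels:
                environment: ${ENVIRONMENT}
                name: 30b186
            podSelector:
              matchLabels:
                app: metabase
    policyTypes:
      - Ingress
```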
@@ -1,34 +0,0 @@ - -## For Aporeto network security policies - -### remove all Aporeto network security policies -oc get nsp -n -oc delete nsp,en --all -n - -### Apply generic Aporeto network security policies -oc process -f nsp-generic.yaml NAMESPACE_PREFIX= ENVIRONMENT= | oc apply -f - -n -Note: once it is applied, the application will NOT be blocked by Aporeto. Aporeto should become transparent. - -## For the new network policies - -### For tools project, apply quick start -oc process -f knp-quick-start.yaml NAMESPACE_PREFIX= ENVIRONMENT= | oc apply -f - -n -Note : the quick start include three knps: deny-by-default, allow-from-openshift-ingress and allow-all-internal. Once the quick start is applied, the application will NOT be blocked by Openshift network policies. - -### For environment projects -oc process -f knp-env-base.yaml ENVIRONMENT= | oc create -f - -n -oc process -f knp-env-non-pr.yaml ENVIRONMENT= | oc create -f - -n -#### For Dev -Apply knp-env-pr.yaml through pipeline -#### For Test and Prod -oc process -f knp-env-pr.yaml SUFFIX=-test ENVIRONMENT=test | oc create -f - -n -oc process -f knp-env-pr.yaml SUFFIX=-prod ENVIRONMENT=prod | oc create -f - -n - -## Setup the new network policies on Test -oc get nsp -n e52f12-test -oc delete nsp,en --all -n e52f12-test -oc process -f nsp-generic.yaml NAMESPACE_PREFIX=e52f12 ENVIRONMENT=test | oc apply -f - -n e52f12-test -oc process -f knp-env-base.yaml ENVIRONMENT=test | oc create -f - -n e52f12-test -oc process -f knp-env-non-pr.yaml ENVIRONMENT=test | oc create -f - -n e52f12-test -oc process -f knp-env-pr.yaml SUFFIX=-test ENVIRONMENT=test | oc create -f - -n e52f12-test - \ No newline at end of file diff --git a/openshift/templates/knp/knp-diagram.drawio b/openshift/templates/knp/knp-diagram.drawio index b00c787c..2a5f2086 100644 --- a/openshift/templates/knp/knp-diagram.drawio +++ b/openshift/templates/knp/knp-diagram.drawio 
@@ -1 +1,90 @@ -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 \ No newline at end of file + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/openshift/templates/knp/knp-env-non-pr.yaml b/openshift/templates/knp/knp-env-non-pr.yaml deleted file mode 100644 index 4d511845..00000000 --- a/openshift/templates/knp/knp-env-non-pr.yaml +++ /dev/null @@ -1,30 +0,0 @@ ---- -apiVersion: template.openshift.io/v1 -kind: Template -labels: - template: cthub-network-policy -metadata: - name: cthub-network-policy -parameters: - - name: ENVIRONMENT - displayName: null - description: such as dev, test or prod - required: true -objects: - - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-minio-accepts-nagios - spec: - ## Allow minio to accept communication from nagios - podSelector: - matchLabels: - app: cthub-minio-${ENVIRONMENT} - ingress: - - from: - - podSelector: - matchLabels: - app: nagios - ports: - - protocol: TCP - port: 9000 \ No newline at end of file diff --git a/openshift/templates/knp/knp-env-pr.yaml b/openshift/templates/knp/knp-env-pr.yaml deleted file mode 100644 index c6da19ba..00000000 --- a/openshift/templates/knp/knp-env-pr.yaml +++ /dev/null 
@@ -1,192 +0,0 @@ ---- -apiVersion: template.openshift.io/v1 -kind: Template -labels: - template: cthub-network-policy -metadata: - name: cthub-network-policy -parameters: - - name: SUFFIX - displayName: null - description: sample is -dev-97 - required: true - - name: ENVIRONMENT - displayName: null - description: such as dev, test or prod - required: true -objects: - - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-backend-accepts-frontend${SUFFIX} - spec: - ## Allow backend to accept communication from frontend - podSelector: - matchLabels: - name: cthub-backend${SUFFIX} - ingress: - - from: - - podSelector: - matchLabels: - name: cthub-frontend${SUFFIX} - ports: - - protocol: TCP - port: 8080 - - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-patroni-accepts-backend${SUFFIX} - spec: - ## Allow patroni to accept communications from backend - podSelector: - matchLabels: - cluster-name: patroni${SUFFIX} - ingress: - - from: - - podSelector: - matchLabels: - name: cthub-backend${SUFFIX} - ports: - - protocol: TCP - port: 5432 - - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-minio-accepts-backend${SUFFIX} - spec: - ## Allow minio to accept communication from backend - podSelector: - matchLabels: - app: cthub-minio-${ENVIRONMENT} - ingress: - - from: - - podSelector: - matchLabels: - name: cthub-backend${SUFFIX} - ports: - - protocol: TCP - port: 9000 - ## Other Network Policies - - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-patroni-accepts-backendmid${SUFFIX} - spec: - ## Allow patroni to accept communications from backend mid lifecycle pod - podSelector: - matchLabels: - cluster-name: patroni${SUFFIX} - ingress: - - from: - - podSelector: - matchLabels: - openshift.io/deployer-pod.type: hook-mid - ports: - - protocol: TCP - port: 5432 - - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: 
allow-patroni-accepts-patroni-itself${SUFFIX} - spec: - ## Allow patroni to accept communications from other patroni pods - podSelector: - matchLabels: - cluster-name: patroni${SUFFIX} - ingress: - - from: - - podSelector: - matchLabels: - cluster-name: patroni${SUFFIX} - ports: - - protocol: TCP - port: 5432 - - protocol: TCP - port: 8008 - - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-patroni-accepts-backup-container${SUFFIX} - spec: - ## Allow patroni to accept communications from backup container - podSelector: - matchLabels: - cluster-name: patroni${SUFFIX} - ingress: - - from: - - podSelector: - matchLabels: - name: patroni-backup - ports: - - protocol: TCP - port: 5432 - - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-patroni-accepts-nagios${SUFFIX} - spec: - ## Allow patroni to accept communications from nagios - podSelector: - matchLabels: - cluster-name: patroni${SUFFIX} - ingress: - - from: - - podSelector: - matchLabels: - app: nagios - ports: - - protocol: TCP - port: 5432 - - protocol: TCP - port: 8008 - - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-patroni-accepts-schemaspy${SUFFIX} - spec: - ## Allow patroni to accept communications from schemaspy - podSelector: - matchLabels: - cluster-name: patroni${SUFFIX} - ingress: - - from: - - podSelector: - matchLabels: - name: schemaspy-public${SUFFIX} - ports: - - protocol: TCP - port: 5432 - - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-patroni-accepts-metabase - spec: - ## Allow patroni to accept communications from backup container - podSelector: - matchLabels: - cluster-name: patroni${SUFFIX} - ingress: - - from: - - podSelector: - matchLabels: - app: metabase - ports: - - protocol: TCP - port: 5432 - - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: allow-backend-accepts-schemaspy${SUFFIX} - spec: - ## Allow backend to accept 
communication from schemaspy
- podSelector:
- matchLabels:
- name: cthub-backend${SUFFIX}
- ingress:
- - from:
- - podSelector:
- matchLabels:
- name: schemaspy-public${SUFFIX}
- ports:
- - protocol: TCP
- port: 8080
\ No newline at end of file
diff --git a/openshift/templates/knp/knp-quick-start.yaml b/openshift/templates/knp/knp-quick-start.yaml
index e7a97a6b..7e121cb0 100644
--- a/openshift/templates/knp/knp-quick-start.yaml
+++ b/openshift/templates/knp/knp-quick-start.yaml
@@ -15,16 +15,6 @@ parameters:
 description: the namespace prefix
 required: true
 objects:
- - kind: NetworkPolicy
- apiVersion: networking.k8s.io/v1
- metadata:
- name: deny-by-default
- spec:
- # The default posture for a security first namespace is to
- # deny all traffic. If not added this rule will be added
- # by Platform Services during environment cut-over.
- podSelector: {}
- ingress: []
 - apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata: