From edffb13f00e140335ff84efef94f5a8c41d1bf87 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Mon, 23 Sep 2024 15:34:28 +0200
Subject: [PATCH] aws-ce-grafana-backend: allow namespace local grafana instances access
---
 .../templates/netpol.yaml | 47 +++++++++++++++++++
 .../aws-ce-grafana-backend/values.schema.yaml | 21 +++++++++
 .../aws-ce-grafana-backend/values.yaml | 9 ++++
 3 files changed, 77 insertions(+)
 create mode 100644 helm-charts/aws-ce-grafana-backend/templates/netpol.yaml
diff --git a/helm-charts/aws-ce-grafana-backend/templates/netpol.yaml b/helm-charts/aws-ce-grafana-backend/templates/netpol.yaml
new file mode 100644
index 0000000000..24faf6d677
--- /dev/null
+++ b/helm-charts/aws-ce-grafana-backend/templates/netpol.yaml
@@ -0,0 +1,47 @@
+{{- if .Values.networkPolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "aws-ce-grafana-backend.webserver.fullname" . }}
+ labels:
+ {{- include "aws-ce-grafana-backend.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "aws-ce-grafana-backend.selectorLabels" . | nindent 6 }}
+ policyTypes:
+ # Only constrain ingress for simplicy, allow any egress
+ - Ingress
+
+ # IMPORTANT:
+ #
+ # NetworkPolicy's ingress "from" and egress "to" rule specifications require
+ # great attention to detail. A quick summary is:
+ #
+ # 1. You can provide "from"/"to" rules that provide access either ports or a
+ subset of ports.
+ # 2. You can for each "from"/"to" rule provide any number of
+ "sources"/"destinations" of four different kinds.
+ # - podSelector - targets pods with a certain label in the same namespace as the NetworkPolicy
+ # - namespaceSelector - targets all pods running in namespaces with a certain label
+ # - namespaceSelector and podSelector - targets pods with a certain label running in namespaces with a certain label
+ # - ipBlock - targets network traffic from/to a set of IP address ranges
+ #
+ # Read more at: https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors
+ #
+ ingress:
+ # Allow Grafana instances in the local namespace, as recognized by a label,
+ # to access the http port
+ {{- if .Values.networkPolicy.ingressAllowRules.localGrafanaInstances }}
+ - ports:
+ - port: http
+ from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: grafana
+ {{- end }}
+
+ {{- with .Values.networkPolicy.ingress }}
+ {{- . | toYaml | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm-charts/aws-ce-grafana-backend/values.schema.yaml b/helm-charts/aws-ce-grafana-backend/values.schema.yaml
index 70760363ca..7367e59d2d 100644
--- a/helm-charts/aws-ce-grafana-backend/values.schema.yaml
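Review bot: The `localGrafanaInstances` rule admits any pod in the release namespace that carries `app.kubernetes.io/name: grafana`, and the template hard-codes that selector, so a Grafana deployed under other labels can only be admitted through the free-form `networkPolicy.ingress` list, while any workload that can set its own pod labels in this namespace satisfies the rule; the comment above the rule should say so, e.g. `# Trust boundary: any pod in this namespace with this label is admitted; a label is the only thing checked`. The named port `http` must match the container port name in the webserver Deployment, which is outside this diff, so `# "http" must match the container port name in deployment.yaml` would save the next reader a lookup. When `localGrafanaInstances` is false and `networkPolicy.ingress` is empty, `ingress:` renders with no rules, which per the NetworkPolicy API denies all ingress to the selected pods — the intended default-deny, but worth one sentence in the `ingress:` comment. Minor: `simplicy` → `simplicity` in the `policyTypes` comment.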
+++ b/helm-charts/aws-ce-grafana-backend/values.schema.yaml
@@ -25,6 +25,7 @@ required:
 - serviceAccount
 - service
 - ingress
+ - networkPolicy
 properties:
 # Flag to conditionally install the chart
 # ---------------------------------------------------------------------------
@@ -151,3 +152,23 @@ properties:
 enum: [Prefix, Exact, ImplementationSpecific]
 tls:
 type: array
+
+ # NetworkPolicy resource
+ # ---------------------------------------------------------------------------
+ #
+ networkPolicy:
+ type: object
+ additionalProperties: false
+ properties:
+ enabled:
+ type: boolean
+ ingress:
+ type: array
+ ingressAllowRules:
+ type: object
+ additionalProperties: false
+ required:
+ - localGrafanaInstances
+ properties:
+ localGrafanaInstances:
+ type: boolean
diff --git a/helm-charts/aws-ce-grafana-backend/values.yaml b/helm-charts/aws-ce-grafana-backend/values.yaml
index 25eadf8459..876dc42aa2 100644
--- a/helm-charts/aws-ce-grafana-backend/values.yaml
+++ b/helm-charts/aws-ce-grafana-backend/values.yaml
@@ -71,3 +71,12 @@ ingress:
 pathSuffix:
 pathType: Prefix
 tls: []
+
+ # NetworkPolicy resource
+ # -----------------------------------------------------------------------------
+ #
+ networkPolicy:
+ enabled: true
+ ingress: []
+ ingressAllowRules:
+ localGrafanaInstances: true
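Review bot: The new `networkPolicy` object declares no `required` list for `enabled`, `ingress` and `ingressAllowRules`, although the nested `ingressAllowRules` block does require `localGrafanaInstances` and the netpol template dereferences all three keys unconditionally; add `required: [enabled, ingress, ingressAllowRules]` under `networkPolicy` so a values file that nulls one of them fails schema validation instead of rendering a malformed or silently disabled policy. `ingress: type: array` accepts elements of any type, whereas `items: {type: object}` would reject a scalar entry that the template's `toYaml` would otherwise emit into the NetworkPolicy spec. The `required` addition in the first hunk of this file is consistent with the rest of the list and needs nothing further.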
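Review bot: The `networkPolicy` block ships with `enabled: true` but carries only a section header, so a reader cannot tell from values.yaml what the policy restricts or that it relies on the cluster's CNI to be enforced at all. Proposed comments: above `enabled`, `# Render a NetworkPolicy that restricts ingress to this chart's pods; only enforced if the cluster's CNI implements NetworkPolicy`; above `ingress`, `# Additional NetworkPolicy ingress rules, appended verbatim to the rendered spec`; above `localGrafanaInstances`, `# Allow pods labelled app.kubernetes.io/name=grafana in the release namespace to reach the http port`. It would also help to state that with both the rule disabled and `ingress: []` the rendered policy denies all ingress to the selected pods, which is the safe default rather than a misconfiguration.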