From d483612b409e8659f68051214070363788dca950 Mon Sep 17 00:00:00 2001
From: chainchad <96362174+chainchad@users.noreply.github.com>
Date: Fri, 22 Dec 2023 14:01:47 -0500
Subject: [PATCH] Create network policies for helm chart (#11653)
* Create network policies for helm chart
* Add network policy for runner
---
.../templates/chainlink-db-networkpolicy.yaml | 27 +++++++++
.../chainlink-node-networkpolicy.yaml | 57 +++++++++++++++++++
.../templates/geth-networkpolicy.yaml | 31 ++++++++++
.../templates/mockserver-networkpolicy.yaml | 27 +++++++++
.../templates/networkpolicy-default-deny.yaml | 9 +++
5 files changed, 151 insertions(+)
create mode 100644 charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml
create mode 100644 charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml
create mode 100644 charts/chainlink-cluster/templates/geth-networkpolicy.yaml
create mode 100644 charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml
create mode 100644 charts/chainlink-cluster/templates/networkpolicy-default-deny.yaml
diff --git a/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml b/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml
new file mode 100644
index 00000000000..bd989e8732b
--- /dev/null
+++ b/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $.Release.Name }}-db
+spec:
+ podSelector:
+ matchLabels:
+ app: {{ $.Release.Name }}-db
+ policyTypes:
+ - Ingress
+ ingress:
+ # Allow all node pods to access the database pods.
+ - from:
+ - podSelector:
+ matchLabels:
+ app: {{ $.Release.Name }}
+ ports:
+ - protocol: TCP
+ port: 5432
+ # Allow all runner pods to access the database pods.
+ - from:
+ - podSelector:
+ matchLabels:
+ app: runner
+ ports:
+ - protocol: TCP
+ port: 5432
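Review bot: The `app: runner` selector in the second ingress rule is not scoped to the release, so any pod in the namespace that carries that label, including one from another release of this chart, is granted TCP 5432 on the database; the node, geth and mockserver hunks rely on the same unscoped `runner`, `geth` and `mockserver` labels. If several releases are expected to share a namespace, matching on an additional release-specific label (the standard `app.kubernetes.io/instance: {{ $.Release.Name }}`, provided the pod templates set it) would keep each release's policies from granting access to the other's pods. Either way the scoping assumption deserves a header comment, e.g. `# from/to entries use podSelector only, so peers must be in this namespace; app labels are not release-scoped.`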
diff --git a/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml b/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml
new file mode 100644
index 00000000000..8ae02d7a46e
--- /dev/null
+++ b/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml
@@ -0,0 +1,57 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $.Release.Name }}-node
+spec:
+ podSelector:
+ matchLabels:
+ app: {{ $.Release.Name }}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ # Allow all ingress traffic between the node pods and from runner pod.
+ - from:
+ - podSelector:
+ matchLabels:
+ app: {{ $.Release.Name }}
+ - from:
+ - podSelector:
+ matchLabels:
+ app: runner
+ egress:
+ # Allow all egress traffic between the node pods and to runner pod.
+ - to:
+ - podSelector:
+ matchLabels:
+ app: {{ $.Release.Name }}
+ - to:
+ - podSelector:
+ matchLabels:
+ app: runner
+ # Allow all node pods to access the database pods.
+ - to:
+ - podSelector:
+ matchLabels:
+ app: {{ $.Release.Name }}-db
+ ports:
+ - protocol: TCP
+ port: 5432
+ # Allow all node pods to access the geth pods.
+ - to:
+ - podSelector:
+ matchLabels:
+ app: geth
+ ports:
+ - protocol: TCP
+ port: 8544
+ - protocol: TCP
+ port: 8546
+ # Allow all node pods to access the mockserver pods.
+ - to:
+ - podSelector:
+ matchLabels:
+ app: mockserver
+ ports:
+ - protocol: TCP
+ port: 1080
diff --git a/charts/chainlink-cluster/templates/geth-networkpolicy.yaml b/charts/chainlink-cluster/templates/geth-networkpolicy.yaml
new file mode 100644
index 00000000000..87d6ac1c535
--- /dev/null
+++ b/charts/chainlink-cluster/templates/geth-networkpolicy.yaml
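Review bot: No egress rule allows DNS: the egress list covers only the node, runner, db, geth and mockserver pods, and the `default-deny-all` policy in this patch also selects the node pods for Egress, so lookups of the db/geth/mockserver service names from the node pods would be blocked unless the peers are addressed by IP (cannot be confirmed from this hunk). If cluster DNS is used, an explicit egress rule to the DNS pods on port 53 UDP and TCP is needed; the rule below assumes the resolver runs in `kube-system`, which should be checked for the target cluster. The ingress rules and the first two egress rules also carry no `ports`, so they permit every port between node pods and the runner; if the "all traffic" wording in the comments is deliberate this is fine, otherwise pinning the node API port would narrow exposure.
```yaml
  egress:
    # … unchanged: node, runner, db, geth and mockserver rules …
    # Allow cluster DNS (assumes CoreDNS/kube-dns runs in kube-system - verify).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```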
@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $.Release.Name }}-geth
+spec:
+ podSelector:
+ matchLabels:
+ app: geth
+ policyTypes:
+ - Ingress
+ ingress:
+ # Allow http and websocket connections from the node pods.
+ - from:
+ - podSelector:
+ matchLabels:
+ app: {{ $.Release.Name }}
+ ports:
+ - protocol: TCP
+ port: 8544
+ - protocol: TCP
+ port: 8546
+ # Allow http and websocket connections from the runner pods.
+ - from:
+ - podSelector:
+ matchLabels:
+ app: runner
+ ports:
+ - protocol: TCP
+ port: 8544
+ - protocol: TCP
+ port: 8546
diff --git a/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml b/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml
new file mode 100644
index 00000000000..f5c56c79690
--- /dev/null
+++ b/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $.Release.Name }}-mockserver
+spec:
+ podSelector:
+ matchLabels:
+ app: mockserver
+ policyTypes:
+ - Ingress
+ ingress:
+ # Allow http traffic from the node pods.
+ - from:
+ - podSelector:
+ matchLabels:
+ app: {{ $.Release.Name }}
+ ports:
+ - protocol: TCP
+ port: 1080
+ # Allow http traffic from the runner pods.
+ - from:
+ - podSelector:
+ matchLabels:
+ app: runner
+ ports:
+ - protocol: TCP
+ port: 1080
diff --git a/charts/chainlink-cluster/templates/networkpolicy-default-deny.yaml b/charts/chainlink-cluster/templates/networkpolicy-default-deny.yaml
new file mode 100644
index 00000000000..69f1da2e0b5
--- /dev/null
+++ b/charts/chainlink-cluster/templates/networkpolicy-default-deny.yaml
@@ -0,0 +1,9 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-all
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
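Review bot: `name: default-deny-all` is the one resource in this patch without the `{{ $.Release.Name }}` prefix, so installing a second release of the chart into the same namespace would render a second NetworkPolicy of the same name, which Helm refuses to adopt because it is owned by another release; `name: {{ $.Release.Name }}-default-deny-all` keeps it consistent with the other four policies. Because `podSelector: {}` with both policy types denies everything for every pod in the namespace, pods matched by no egress-allowing policy (the db, geth and mockserver policies are Ingress-only) lose all outbound traffic, DNS included; whether those workloads need any is not visible here but should be stated. The policy is also silently unenforced on a CNI that does not implement NetworkPolicy, which deserves a header comment such as `# Baseline: deny all ingress and egress for every pod in the namespace; the other policies in this chart add the allowed flows. Only enforced by a CNI that implements NetworkPolicy.`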