From e8e5072a186fe472be4a17742a4e1c04a7caed14 Mon Sep 17 00:00:00 2001
From: Tin Lam <tin@irrational.io>
Date: Mon, 23 Sep 2019 15:06:37 -0500
Subject: [PATCH] Apply network policy to all services

The base network policy framework is currently applied to the charts of
some OpenStack services but not others. This patch set applies the same
base network policy framework to all services.

Change-Id: I786c68057f6742a79a33f78db6e3bba8b99cf1b8
Signed-off-by: Tin Lam <tin@irrational.io>
---
 aodh/templates/network_policy.yaml  | 18 ++++++++++++++++++
 aodh/values.yaml                    |  8 ++++++++
 ceilometer/values.yaml              |  2 ++
 congress/values.yaml                |  2 ++
 ironic/values.yaml                  |  2 ++
 magnum/values.yaml                  | 21 +++------------------
 mistral/values.yaml                 | 21 +++------------------
 panko/templates/network_policy.yaml | 18 ++++++++++++++++++
 panko/values.yaml                   |  8 ++++++++
 senlin/values.yaml                  |  2 ++
 10 files changed, 66 insertions(+), 36 deletions(-)
 create mode 100644 aodh/templates/network_policy.yaml
 create mode 100644 panko/templates/network_policy.yaml

diff --git a/aodh/templates/network_policy.yaml b/aodh/templates/network_policy.yaml
new file mode 100644
index 0000000000..e8692ef753
--- /dev/null
+++ b/aodh/templates/network_policy.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $opts := dict "envAll" . "name" "application" "label" "aodh" -}}
+{{ $opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
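Review bot: The new template carries only the licence header, so nothing in the file says which values drive the rendered policy. A short template comment above the `if` would help, for example `{{/* Rendered only when manifests.network_policy is true; rules are read from network_policy.aodh. */}}`, assuming helm-toolkit looks the rules up under `network_policy.<label>`. The `label` argument presumably also has to match the `application` label on the aodh pods for the policy to select them; that is not visible in this hunk and is worth checking against the chart's pod templates. The same applies to panko/templates/network_policy.yaml.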
diff --git a/aodh/values.yaml b/aodh/values.yaml
index 65147b016a..b1dce22060 100644
--- a/aodh/values.yaml
+++ b/aodh/values.yaml
@@ -693,6 +693,13 @@ endpoints:
       metrics:
         default: 24220
 
+network_policy:
+  aodh:
+    ingress:
+      - {}
+    egress:
+      - {}
+
 manifests:
   configmap_bin: true
   configmap_etc: true
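Review bot: The defaults added under `network_policy.aodh` are a single empty rule in each direction, which in a Kubernetes NetworkPolicy matches every peer and every port. Assuming helm-toolkit copies these lists into the spec unchanged, turning on `manifests.network_policy` with these values would create a policy object that restricts nothing. Nothing in the values file says so; a comment above the block such as `# Allow-all placeholders: override ingress/egress with real selectors before relying on this policy for isolation` would keep operators from reading an enabled policy as segmentation. The same applies to the `egress: - {}` defaults added in the ceilometer, congress, ironic, senlin and panko values hunks.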
@@ -711,6 +718,7 @@ manifests:
   job_ks_endpoints: true
   job_ks_service: true
   job_ks_user: true
+  network_policy: false
   pdb_api: true
   pod_aodh_test: true
   secret_db: true
diff --git a/ceilometer/values.yaml b/ceilometer/values.yaml
index 44dda74d8e..0e0ddfe08d 100644
--- a/ceilometer/values.yaml
+++ b/ceilometer/values.yaml
@@ -2101,6 +2101,8 @@ network_policy:
   ceilometer:
     ingress:
       - {}
+    egress:
+      - {}
 
 manifests:
   configmap_bin: true
diff --git a/congress/values.yaml b/congress/values.yaml
index d70f569469..66272a6203 100644
--- a/congress/values.yaml
+++ b/congress/values.yaml
@@ -350,6 +350,8 @@ network_policy:
   congress:
     ingress:
       - {}
+    egress:
+      - {}
 
 conf:
   congress:
diff --git a/ironic/values.yaml b/ironic/values.yaml
index d9c4d840ef..8372d41d81 100644
--- a/ironic/values.yaml
+++ b/ironic/values.yaml
@@ -697,6 +697,8 @@ network_policy:
   ironic:
     ingress:
       - {}
+    egress:
+      - {}
 
 manifests:
   configmap_bin: true
diff --git a/magnum/values.yaml b/magnum/values.yaml
index 8031e31ee0..a0979c1a3c 100644
--- a/magnum/values.yaml
+++ b/magnum/values.yaml
@@ -622,24 +622,9 @@ pod:
 network_policy:
   magnum:
     ingress:
-      - from:
-        - podSelector:
-            matchLabels:
-              application: magnum
-        - podSelector:
-            matchLabels:
-              application: horizon
-        - podSelector:
-            matchLabels:
-              application: ingress
-        - podSelector:
-            matchLabels:
-              application: heat
-        ports:
-        - protocol: TCP
-          port: 80
-        - protocol: TCP
-          port: 9511
+      - {}
+    egress:
+      - {}
 
 manifests:
   configmap_bin: true
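Review bot: Replacing the `from`/`ports` rule with `- {}` drops the only ingress restriction magnum had: the removed rule admitted only pods labelled `application: magnum`, `horizon`, `ingress` or `heat` on TCP 80 and 9511, while the new rule admits any source on any port. The commit message describes applying the framework to all services and does not mention this loosening, so a deployment that already sets `manifests.network_policy: true` (the flag is outside this hunk) would lose that isolation on upgrade. If the allow-list is meant to move to an override file, say so in the commit message and in a comment here, e.g. `# Allow-all default; supply the magnum/horizon/ingress/heat allow-list as an override`; otherwise keep the existing `from`/`ports` rule and add only the `egress` key. The mistral hunk makes the same replacement (TCP 80 and 8989).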
diff --git a/mistral/values.yaml b/mistral/values.yaml
index a12c2af2ea..b2d8aa0f23 100644
--- a/mistral/values.yaml
+++ b/mistral/values.yaml
@@ -701,24 +701,9 @@ pod:
 network_policy:
   mistral:
     ingress:
-      - from:
-        - podSelector:
-            matchLabels:
-              application: mistral
-        - podSelector:
-            matchLabels:
-              application: horizon
-        - podSelector:
-            matchLabels:
-              application: ingress
-        - podSelector:
-            matchLabels:
-              application: heat
-        ports:
-        - protocol: TCP
-          port: 80
-        - protocol: TCP
-          port: 8989
+      - {}
+    egress:
+      - {}
 
 manifests:
   configmap_bin: true
diff --git a/panko/templates/network_policy.yaml b/panko/templates/network_policy.yaml
new file mode 100644
index 0000000000..a972bcdbae
--- /dev/null
+++ b/panko/templates/network_policy.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $opts := dict "envAll" . "name" "application" "label" "panko" -}}
+{{ $opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/panko/values.yaml b/panko/values.yaml
index de75c0dc90..57fb519090 100644
--- a/panko/values.yaml
+++ b/panko/values.yaml
@@ -454,6 +454,13 @@ endpoints:
       metrics:
         default: 24220
 
+network_policy:
+  panko:
+    ingress:
+      - {}
+    egress:
+      - {}
+
 pod:
   security_context:
     panko:
@@ -606,6 +613,7 @@ manifests:
   job_ks_endpoints: true
   job_ks_service: true
   job_ks_user: true
+  network_policy: false
   pdb_api: true
   pod_rally_test: true
   secret_db: true
diff --git a/senlin/values.yaml b/senlin/values.yaml
index 586e5d68ae..ead1edb3c5 100644
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@@ -658,6 +658,8 @@ network_policy:
   senlin:
     ingress:
       - {}
+    egress:
+      - {}
 
 manifests:
   configmap_bin: true