feat: network policy

sergelogvinov · Jan 4, 2025 · 1a89acd · 1a89acd
1 parent a8e7028
commit 1a89acd
Show file tree

Hide file tree

Showing 6 changed files with 109 additions and 3 deletions.
diff --git a/charts/link-common/Chart.yaml b/charts/link-common/Chart.yaml
@@ -15,7 +15,7 @@ maintainers:
     url: https://github.com/sergelogvinov
 #
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.6
+version: 0.4.0
 #
 # renovate: datasource=docker depName=ghcr.io/sergelogvinov/haproxy
 appVersion: "2.8.6-alpine3.19"
diff --git a/charts/link-common/README.md b/charts/link-common/README.md
@@ -1,6 +1,6 @@
 # link-common
 
-![Version: 0.3.6](https://img.shields.io/badge/Version-0.3.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.8.6-alpine3.19](https://img.shields.io/badge/AppVersion-2.8.6--alpine3.19-informational?style=flat-square)
+![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.8.6-alpine3.19](https://img.shields.io/badge/AppVersion-2.8.6--alpine3.19-informational?style=flat-square)
 
 Simple vpn-p2p-link service
 
@@ -81,11 +81,18 @@ wireguard:
 | wireguard.wireguardPort | string | `nil` | WireGuard incoming port. uses as container hostPort. |
 | wireguard.wireguardKey | string | `""` | WireGuard private key. ref: https://www.wireguard.com/quickstart/   wg genkey | tee privatekey | wg pubkey > publickey |
 | wireguard.peers | object | `{}` |  |
-| wireguard.metrics.enabled | bool | `true` |  |
+| wireguard.metrics.enabled | bool | `true` | Enable link metrics |
 | wireguard.metrics.image.repository | string | `"mindflavor/prometheus-wireguard-exporter"` |  |
 | wireguard.metrics.image.pullPolicy | string | `"IfNotPresent"` |  |
 | wireguard.metrics.image.tag | string | `"3.6.6"` |  |
 | resources | object | `{"limits":{"cpu":"100m","memory":"64Mi"},"requests":{"cpu":"50m","memory":"32Mi"}}` | Resource requests and limits. ref: https://kubernetes.io/docs/user-guide/compute-resources/ |
+| networkPolicy.enabled | bool | `false` | Enable creation of NetworkPolicy resources ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ |
+| networkPolicy.allowExternal | bool | `false` | Allow traffic from outside |
+| networkPolicy.ingressNSMatchLabels | object | `{}` | Labels to match to allow traffic from other namespaces. |
+| networkPolicy.ingressNSPodMatchLabels | object | `{}` | Pod labels to match to allow traffic from other namespaces |
+| networkPolicy.metrics | object | `{"ingressNSMatchLabels":{},"ingressNSPodMatchLabels":{"app.kubernetes.io/component":"monitoring","app.kubernetes.io/name":"vmagent"}}` | NetworkPolicy for metrics. |
+| networkPolicy.metrics.ingressNSMatchLabels | object | `{}` | Allowed from pods in namespaces that match the specified labels example: kubernetes.io/metadata.name: monitoring |
+| networkPolicy.metrics.ingressNSPodMatchLabels | object | `{"app.kubernetes.io/component":"monitoring","app.kubernetes.io/name":"vmagent"}` | Allowed from pods that match the specified labels |
 | nodeSelector | object | `{}` | Node labels for pod assignment. ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | tolerations | list | `[]` | Tolerations for pod assignment. ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ |
 | affinity | object | `{}` | Affinity for pod assignment. ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
diff --git a/charts/link-common/ci/values.yaml b/charts/link-common/ci/values.yaml
@@ -0,0 +1,5 @@
+wireguard:
+  enabled: true
+
+networkPolicy:
+  enabled: true
diff --git a/charts/link-common/templates/networkpolicy.yaml b/charts/link-common/templates/networkpolicy.yaml
@@ -0,0 +1,65 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "link-common.fullname" . }}
+  labels:
+    {{- include "link-common.labels" . | nindent 4 }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "link-common.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+  ingress:
+    {{- if .Values.wireguard.enabled }}
+    - ports:
+        - port: 51820
+          protocol: UDP
+    {{- end }}
+    {{- if .Values.service.ports }}
+    - ports:
+        {{- range $key, $value := .Values.service.ports }}
+        - port: {{ .port }}
+        {{- end }}
+      {{- if not .Values.networkPolicy.allowExternal }}
+      from:
+        {{- if or .Values.networkPolicy.ingressNSMatchLabels .Values.networkPolicy.ingressNSPodMatchLabels }}
+        - namespaceSelector:
+            matchLabels:
+              {{- if .Values.networkPolicy.ingressNSMatchLabels }}
+              {{- .Values.networkPolicy.ingressNSMatchLabels | nindent 16 }}
+              {{ else }}
+                {}
+              {{- end }}
+          {{- with .Values.networkPolicy.ingressNSPodMatchLabels }}
+          podSelector:
+            matchLabels:
+              {{- toYaml . | nindent 16 }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+    {{- if .Values.wireguard.metrics.enabled }}
+    # Allow scrapes for metrics
+    - ports:
+        - port: 9586
+          protocol: TCP
+      {{- if or .Values.networkPolicy.metrics.ingressNSMatchLabels .Values.networkPolicy.metrics.ingressNSPodMatchLabels }}
+      from:
+        - namespaceSelector:
+            matchLabels:
+              {{- if .Values.networkPolicy.metrics.ingressNSMatchLabels }}
+              {{- .Values.networkPolicy.metrics.ingressNSMatchLabels | nindent 16 }}
+              {{ else }}
+                {}
+              {{- end }}
+          {{- with .Values.networkPolicy.metrics.ingressNSPodMatchLabels }}
+          podSelector:
+            matchLabels:
+              {{- toYaml . | nindent 16 }}
+          {{- end }}
+      {{- end }}
+    {{- end }}
+{{- end }}
diff --git a/charts/link-common/templates/service.yaml b/charts/link-common/templates/service.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.service.ports }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -26,3 +27,4 @@ spec:
     {{- end }}
   selector:
     {{- include "link-common.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/charts/link-common/values.yaml b/charts/link-common/values.yaml
@@ -97,7 +97,9 @@ wireguard:
     #   allowedIps: 172.30.1.11/32
 
   metrics:
+    # -- Enable link metrics
     enabled: true
+
     image:
       repository: mindflavor/prometheus-wireguard-exporter
       pullPolicy: IfNotPresent
@@ -113,6 +115,31 @@ resources:
     cpu: 50m
     memory: 32Mi
 
+networkPolicy:
+  # -- Enable creation of NetworkPolicy resources
+  # ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+  enabled: false
+
+  # -- Allow traffic from outside
+  allowExternal: false
+
+  # -- Labels to match to allow traffic from other namespaces.
+  ingressNSMatchLabels: {}
+
+  # -- Pod labels to match to allow traffic from other namespaces
+  ingressNSPodMatchLabels: {}
+
+  # -- NetworkPolicy for metrics.
+  metrics:
+    # -- Allowed from pods in namespaces that match the specified labels
+    # example: kubernetes.io/metadata.name: monitoring
+    ingressNSMatchLabels: {}
+
+    # -- Allowed from pods that match the specified labels
+    ingressNSPodMatchLabels:
+      app.kubernetes.io/name: vmagent
+      app.kubernetes.io/component: monitoring
+
 # -- Node labels for pod assignment.
 # ref: https://kubernetes.io/docs/user-guide/node-selection/
 nodeSelector: {}