From 1a89acdcd40adfbf2df77f1a7dbd140874c86997 Mon Sep 17 00:00:00 2001
From: Serge Logvinov
Date: Sat, 4 Jan 2025 10:39:55 +0200
Subject: [PATCH] feat: network policy
---
 charts/link-common/Chart.yaml | 2 +-
 charts/link-common/README.md | 11 +++-
 charts/link-common/ci/values.yaml | 5 ++
 .../link-common/templates/networkpolicy.yaml | 65 +++++++++++++++++++
 charts/link-common/templates/service.yaml | 2 +
 charts/link-common/values.yaml | 27 ++++++++
 6 files changed, 109 insertions(+), 3 deletions(-)
 create mode 100644 charts/link-common/templates/networkpolicy.yaml
diff --git a/charts/link-common/Chart.yaml b/charts/link-common/Chart.yaml
index 23927f7..4ce5711 100644
--- a/charts/link-common/Chart.yaml
+++ b/charts/link-common/Chart.yaml
@@ -15,7 +15,7 @@ maintainers:
 url: https://github.com/sergelogvinov
 #
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.6
+version: 0.4.0
 #
 # renovate: datasource=docker depName=ghcr.io/sergelogvinov/haproxy
 appVersion: "2.8.6-alpine3.19"
diff --git a/charts/link-common/README.md b/charts/link-common/README.md
index ca5b86b..85f7634 100644
--- a/charts/link-common/README.md
+++ b/charts/link-common/README.md
@@ -1,6 +1,6 @@
 # link-common
-![Version: 0.3.6](https://img.shields.io/badge/Version-0.3.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.8.6-alpine3.19](https://img.shields.io/badge/AppVersion-2.8.6--alpine3.19-informational?style=flat-square)
+![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.8.6-alpine3.19](https://img.shields.io/badge/AppVersion-2.8.6--alpine3.19-informational?style=flat-square)
 Simple vpn-p2p-link service
@@ -81,11 +81,18 @@ wireguard:
 | wireguard.wireguardPort | string | `nil` | WireGuard incoming port. uses as container hostPort. |
 | wireguard.wireguardKey | string | `""` | WireGuard private key. ref: https://www.wireguard.com/quickstart/ wg genkey | tee privatekey | wg pubkey > publickey |
 | wireguard.peers | object | `{}` | |
-| wireguard.metrics.enabled | bool | `true` | |
+| wireguard.metrics.enabled | bool | `true` | Enable link metrics |
 | wireguard.metrics.image.repository | string | `"mindflavor/prometheus-wireguard-exporter"` | |
 | wireguard.metrics.image.pullPolicy | string | `"IfNotPresent"` | |
 | wireguard.metrics.image.tag | string | `"3.6.6"` | |
 | resources | object | `{"limits":{"cpu":"100m","memory":"64Mi"},"requests":{"cpu":"50m","memory":"32Mi"}}` | Resource requests and limits. ref: https://kubernetes.io/docs/user-guide/compute-resources/ |
+| networkPolicy.enabled | bool | `false` | Enable creation of NetworkPolicy resources ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ |
+| networkPolicy.allowExternal | bool | `false` | Allow traffic from outside |
+| networkPolicy.ingressNSMatchLabels | object | `{}` | Labels to match to allow traffic from other namespaces. |
+| networkPolicy.ingressNSPodMatchLabels | object | `{}` | Pod labels to match to allow traffic from other namespaces |
+| networkPolicy.metrics | object | `{"ingressNSMatchLabels":{},"ingressNSPodMatchLabels":{"app.kubernetes.io/component":"monitoring","app.kubernetes.io/name":"vmagent"}}` | NetworkPolicy for metrics. |
+| networkPolicy.metrics.ingressNSMatchLabels | object | `{}` | Allowed from pods in namespaces that match the specified labels example: kubernetes.io/metadata.name: monitoring |
+| networkPolicy.metrics.ingressNSPodMatchLabels | object | `{"app.kubernetes.io/component":"monitoring","app.kubernetes.io/name":"vmagent"}` | Allowed from pods that match the specified labels |
 | nodeSelector | object | `{}` | Node labels for pod assignment. 
ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | tolerations | list | `[]` | Tolerations for pod assignment. ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ |
 | affinity | object | `{}` | Affinity for pod assignment. ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
diff --git a/charts/link-common/ci/values.yaml b/charts/link-common/ci/values.yaml
index e69de29..0da5b43 100644
--- a/charts/link-common/ci/values.yaml
+++ b/charts/link-common/ci/values.yaml
@@ -0,0 +1,5 @@
+wireguard:
+ enabled: true
+
+networkPolicy:
+ enabled: true
diff --git a/charts/link-common/templates/networkpolicy.yaml b/charts/link-common/templates/networkpolicy.yaml
new file mode 100644
index 0000000..46c1874
--- /dev/null
+++ b/charts/link-common/templates/networkpolicy.yaml
@@ -0,0 +1,65 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "link-common.fullname" . }}
+ labels:
+ {{- include "link-common.labels" . | nindent 4 }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "link-common.selectorLabels" . | nindent 6 }}
+ policyTypes:
+ - Ingress
+ ingress:
+ {{- if .Values.wireguard.enabled }}
+ - ports:
+ - port: 51820
+ protocol: UDP
+ {{- end }}
+ {{- if .Values.service.ports }}
+ - ports:
+ {{- range $key, $value := .Values.service.ports }}
+ - port: {{ .port }}
+ {{- end }}
+ {{- if not .Values.networkPolicy.allowExternal }}
+ from:
+ {{- if or .Values.networkPolicy.ingressNSMatchLabels .Values.networkPolicy.ingressNSPodMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- if .Values.networkPolicy.ingressNSMatchLabels }}
+ {{- .Values.networkPolicy.ingressNSMatchLabels | nindent 16 }}
+ {{ else }}
+ {}
+ {{- end }}
+ {{- with .Values.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- toYaml . | nindent 16 }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.wireguard.metrics.enabled }}
+ # Allow scrapes for metrics
+ - ports:
+ - port: 9586
+ protocol: TCP
+ {{- if or .Values.networkPolicy.metrics.ingressNSMatchLabels .Values.networkPolicy.metrics.ingressNSPodMatchLabels }}
+ from:
+ - namespaceSelector:
+ matchLabels:
+ {{- if .Values.networkPolicy.metrics.ingressNSMatchLabels }}
+ {{- .Values.networkPolicy.metrics.ingressNSMatchLabels | nindent 16 }}
+ {{ else }}
+ {}
+ {{- end }}
+ {{- with .Values.networkPolicy.metrics.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- toYaml . | nindent 16 }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/link-common/templates/service.yaml b/charts/link-common/templates/service.yaml
index 5437b4a..ad11b5b 100644
--- a/charts/link-common/templates/service.yaml
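Review bot: `{{- .Values.networkPolicy.ingressNSMatchLabels | nindent 16 }}` and its twin in the metrics rule pipe a map straight into `nindent`, which takes a string, so any non-empty `ingressNSMatchLabels` should make `helm template` fail where the neighbouring `podSelector` branches already do it right with `toYaml`; use `{{- toYaml .Values.networkPolicy.ingressNSMatchLabels | nindent 16 }}` (and the `metrics.` form) in both places. Separately, with the chart defaults (`allowExternal: false`, both `ingressNS*MatchLabels` empty) the service rule renders a bare `from:` with no peers, and in the NetworkPolicy API an empty or missing `from` matches all sources, so the restrictive-looking default restricts nothing; emitting `- podSelector: {}` directly under `from:` would at least pin the rule to same-namespace pods when no selectors are configured. The WireGuard rule hard-codes `port: 51820` while the README in this patch describes `wireguard.wireguardPort` as configurable; if the container port follows that value, the policy should read it too, which is worth confirming against the deployment template outside this patch.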
+++ b/charts/link-common/templates/service.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.service.ports }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -26,3 +27,4 @@ spec:
 {{- end }}
 selector:
 {{- include "link-common.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/charts/link-common/values.yaml b/charts/link-common/values.yaml
index e2a40ab..152df0d 100644
--- a/charts/link-common/values.yaml
+++ b/charts/link-common/values.yaml
@@ -97,7 +97,9 @@ wireguard:
 # allowedIps: 172.30.1.11/32
 metrics:
+ # -- Enable link metrics
 enabled: true
+
 image:
 repository: mindflavor/prometheus-wireguard-exporter
 pullPolicy: IfNotPresent
@@ -113,6 +115,31 @@ resources:
 cpu: 50m
 memory: 32Mi
+networkPolicy:
+ # -- Enable creation of NetworkPolicy resources
+ # ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ enabled: false
+
+ # -- Allow traffic from outside
+ allowExternal: false
+
+ # -- Labels to match to allow traffic from other namespaces.
+ ingressNSMatchLabels: {}
+
+ # -- Pod labels to match to allow traffic from other namespaces
+ ingressNSPodMatchLabels: {}
+
+ # -- NetworkPolicy for metrics.
+ metrics:
+ # -- Allowed from pods in namespaces that match the specified labels
+ # example: kubernetes.io/metadata.name: monitoring
+ ingressNSMatchLabels: {}
+
+ # -- Allowed from pods that match the specified labels
+ ingressNSPodMatchLabels:
+ app.kubernetes.io/name: vmagent
+ app.kubernetes.io/component: monitoring
+
 # -- Node labels for pod assignment.
 # ref: https://kubernetes.io/docs/user-guide/node-selection/
 nodeSelector: {}
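Review bot: `# -- Allow traffic from outside` above `allowExternal: false` in the values.yaml hunk leaves "outside" undefined, although it is the one knob an operator has to reason about before enabling the policy; the networkpolicy template in this patch only consults it for the service-port rule and builds the `from` peers from the two `ingressNS*MatchLabels` maps below it. Suggest `# -- Allow ingress to the service ports from any source; when false, ingress is limited to the peers selected by ingressNSMatchLabels / ingressNSPodMatchLabels below`. The `metrics.ingressNSPodMatchLabels` default is paired with an empty `metrics.ingressNSMatchLabels`, which the template renders as `namespaceSelector: matchLabels: {}`, so pods carrying the vmagent labels in any namespace may reach the exporter port; a comment such as `# when empty, matching pods in any namespace are allowed` on that key would state this explicitly, and the same applies to the non-metrics `ingressNSMatchLabels`.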