fix(helm): Add port support to ingress netpol #10689

Merged

Maffooch merged 3 commits into DefectDojo:dev from C4tWithShell:helm/update_ingress_netpol on Aug 12, 2024

Conversation

@C4tWithShell (Contributor)

Description

Change the ingress network policy template to allow setting peers as well as ports.

@github-actions (Bot) added the helm label Aug 6, 2024
@dryrunsecurity (Bot) commented Aug 6, 2024

DryRun Security Summary

The pull request enhances the network security of the DefectDojo application by implementing Kubernetes network policies that provide granular control over ingress and egress traffic, isolate critical application components, and allow for flexible configuration based on deployment environments or use cases.


Summary:

The code changes in this pull request are focused on enhancing the network security of the DefectDojo application by implementing Kubernetes network policies. The key changes include:

  1. The introduction of more detailed network policy configuration, allowing for granular control over ingress and egress traffic to and from the DefectDojo pods and related components (e.g., Prometheus).
  2. The ability to specify source and destination pods, as well as the specific ports that should be allowed or denied, which can help mitigate risks associated with network-based attacks.
  3. The creation of a separate network policy for the Django component of the DefectDojo application, demonstrating a security-conscious approach to isolating and protecting critical application components.
  4. The use of conditional blocks to configure ingress and egress rules based on the provided values, allowing for more flexibility in adapting the security posture to different deployment environments or use cases.

From an application security perspective, these changes are a positive step towards improving the overall security of the DefectDojo application by reducing the attack surface and implementing the principle of least privilege access. However, it's important to ensure that the network policy rules are configured correctly and cover all necessary traffic flows to avoid disrupting legitimate application functionality.

Files Changed:

  1. helm/defectdojo/values.yaml: This file contains the configuration for the network policy rules. The changes introduce the ability to configure more detailed ingress and egress rules, allowing for better control over network traffic to and from the DefectDojo pods.
  2. helm/defectdojo/templates/network-policy.yaml: This file defines the actual Kubernetes network policy resources. The changes include conditional blocks for configuring ingress and egress rules, as well as a separate network policy for the Django component of the DefectDojo application.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


@C4tWithShell C4tWithShell changed the title Change ingress netpol fix(helm): Add port support to ingress netpol Aug 6, 2024
@kiblik (Contributor) left a comment

I suppose this kind of change might break running deployments. I have no problem making the definition more flexible, but can you probably move

    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/instance: {{ .Release.Name }}

to default setting/value?

@C4tWithShell (Contributor, Author)

I suppose this kind of change might break running deployments. I have no problem making the definition more flexible, but can you probably move

    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/instance: {{ .Release.Name }}

to default setting/value?

Right. I changed the logic, so it will not affect running deployments.
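The pattern the bot summary and the review exchange above describe, as an added illustration that is not the DefectDojo chart's actual template: the pre-existing default peer (pods of the same release, any port) stays in effect when the operator supplies no custom ingress rules, and when they do, each rule may carry both `from` peers and `ports`. The values keys `networkPolicy.enabled` and `networkPolicy.ingress`, the resource name, and the `ingress-nginx` namespace label are assumptions for this example only.

```yaml
# Added example, not the chart's real network-policy.yaml.
# Assumed values.yaml excerpt (keys are hypothetical):
#   networkPolicy:
#     enabled: true
#     ingress: []   # empty or unset -> the default rule below is rendered
#
# Assumed operator override that restricts peers AND ports:
#   networkPolicy:
#     ingress:
#       - from:
#           - namespaceSelector:
#               matchLabels:
#                 kubernetes.io/metadata.name: ingress-nginx
#         ports:
#           - protocol: TCP
#             port: 8080
{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-ingress
spec:
  # The policy applies to every pod of this release.
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: {{ .Release.Name }}
  policyTypes:
    - Ingress
  ingress:
  {{- if .Values.networkPolicy.ingress }}
    {{- toYaml .Values.networkPolicy.ingress | nindent 4 }}
  {{- else }}
    # Default kept so existing deployments are unaffected: only pods of this
    # release may connect, on any port.
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/instance: {{ .Release.Name }}
  {{- end }}
{{- end }}
```

Two Kubernetes semantics worth checking after rendering: a rule with `from` but no `ports` allows the listed peers on every port, and a rule with `ports` but no `from` allows those ports from any source, so an override that sets only one of the two is broader than it may look. Because an empty list is falsy in Go templates, `ingress: []` here yields the default rule rather than a deny-all policy. Render with `helm template` and inspect the output, and remember that NetworkPolicy is only enforced when the cluster's CNI supports it.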

@mtesauro (Contributor) left a comment

Approved

@Maffooch merged commit b581834 into DefectDojo:dev on Aug 12, 2024
