feat: Add possibility to create custom Network Policies for project p…

…ods (#331)
FlowFuse · Feb 29, 2024 · 228c7d9 · 228c7d9
2 parents 983e944 + 5826a71
commit 228c7d9
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 32 deletions.
diff --git a/helm/flowforge/README.md b/helm/flowforge/README.md
@@ -30,12 +30,15 @@ For other values please refer to the documentation below.
  - `forge.localPostrgresql` Deploy a PostgreSQL v14 Database into Kubernetes cluster (default `true`)
  - `forge.cloudProvider` currently only accepts `aws` but will include more as needed (default not set)
  - `forge.projectSelector` a collection of labels and values to filter nodes that Project Pods will run on (default `role: projects`)
+ - `forge.projectNamespace` namespace Project Pods will run in (default `flowforge`)
+ - `forge.projectDeploymentTolerations` tolerations settings for Project instances. Default is `[]`.
+ - `forge.projectNetworkPolicy.enabled` specified if [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) should be created for project pods ( default `false`)
+ - `forge.projectNetworkPolicy.ingress` a list of ingress rules for the [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) applied on project pods ( default `[]`)
+ - `forge.projectNetworkPolicy.egress` a list of egress rules for the [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) applied in project pods ( default `[]`)
  - `forge.managementSelector` a collection of labels and values to filter nodes the Forge App will run on (default `role: management`)
  - `forge.affinity` allows to configure [affinity or anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) for the core application pod
- - `forge.projectNamespace` namespace Project Pods will run in (default `flowforge`)
  - `forge.license` FlowForge EE license string (optional, default not set)
  - `forge.branding` Object holding branding inserts (default not set)
- - `forge.projectDeploymentTolerations` tolerations settings for Project instances. Default is `[]`.
  - `forge.clusterRole.name` custom name for the ClusterRole (default `create-pod`)
  - `forge.resources` allows to configure [resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the core application container
  - `forge.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the core application pod

diff --git a/helm/flowforge/templates/network-policy.yaml b/helm/flowforge/templates/network-policy.yaml
@@ -1,29 +1,4 @@
-{{- if not .Values.forge.localPostgresql }}
-{{- if .Values.forge.cloudProvider }}
-{{- if eq .Values.forge.cloudProvider "aws" }}
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: flowforge-database-policy
-  namespace: {{ .Release.Namespace }}
-  labels:
-  {{- include "forge.labels" . | nindent 4 }}
-spec:
-  podSelector:
-    matchLabels:
-      nodered: "true"
-      role: projects
-  policyTypes:
-  - Egress
-  egress:
-  - to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
-        except:
-        - 10.0.0.0/24
-{{- end }}
-{{- end }}
-{{- else }}
+{{- if .Values.forge.localPostgresql }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:

diff --git a/helm/flowforge/templates/projects-networkpolicy.yaml b/helm/flowforge/templates/projects-networkpolicy.yaml
@@ -0,0 +1,35 @@
+{{- if (((.Values.forge).projectNetworkPolicy).enabled) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: flowfuse-projects-policy
+  namespace: {{ .Values.forge.projectNamespace }}
+  labels:
+    {{- include "forge.labels" . | nindent 4 }}
+    {{- with .Values.forge.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  policyTypes:
+    {{- if .Values.forge.projectNetworkPolicy.ingress }}
+    - Ingress
+    {{- end }}
+    {{- if .Values.forge.projectNetworkPolicy.egress }}
+    - Egress
+    {{- end }}
+  podSelector:
+    matchLabels:
+      nodered: true
+  {{- if .Values.forge.projectNetworkPolicy.egress }}
+  egress:
+    {{- with .Values.forge.projectNetworkPolicy.egress }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  {{- if .Values.forge.projectNetworkPolicy.ingress }}
+  ingress:
+    {{- with .Values.forge.projectNetworkPolicy.ingress }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/helm/flowforge/values.schema.json b/helm/flowforge/values.schema.json
@@ -94,6 +94,20 @@
                 "projectSelector": {
                     "type": "object"
                 },
+                "projectNetworkPolicy": {
+                    "type": "object",
+                    "properties": {
+                        "egress": {
+                            "type": "array"
+                        },
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "ingress": {
+                            "type": "array"
+                        }
+                    }
+                },
                 "projectDeploymentTolerations": {
                     "type": "array",
                     "items": {

diff --git a/helm/flowforge/values.yaml b/helm/flowforge/values.yaml
@@ -5,10 +5,8 @@ forge:
   projectSelector:
     role: projects
   projectDeploymentTolerations: []
-  #    - key: purpose
-  #      operator: Equal
-  #      value: flowforge-projects
-  #      effect: NoSchedule
+  projectNetworkPolicy:
+    enabled: false
   managementSelector:
     role: management
   telemetry: