fix: remove 0.0.0.0/0 ipblock from network policies (#11321) (#11322)

* fix: remove 0.0.0.0/0 ipblock from network policies #11321 Signed-off-by: Filip Nikolic <oss.filipn@gmail.com> * chore: add postfinance to the list of users Signed-off-by: Filip Nikolic <oss.filipn@gmail.com> Signed-off-by: Filip Nikolic <oss.filipn@gmail.com>
argoproj · Nov 19, 2022 · 812664c · 812664c
1 parent 299af21
commit 812664c
Show file tree

Hide file tree

Showing 9 changed files with 74 additions and 105 deletions.
diff --git a/USERS.md b/USERS.md
@@ -169,6 +169,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Pipefy](https://www.pipefy.com/)
 1. [Pismo](https://pismo.io/)
 1. [Polarpoint.io](https://polarpoint.io)
+1. [PostFinance](https://github.com/postfinance)
 1. [Preferred Networks](https://preferred.jp/en/)
 1. [Productboard](https://www.productboard.com/)
 1. [Prudential](https://prudential.com.sg)

diff --git a/manifests/base/redis/argocd-redis-network-policy.yaml b/manifests/base/redis/argocd-redis-network-policy.yaml
@@ -10,27 +10,22 @@ spec:
   - Ingress
   - Egress
   ingress:
-    - from:
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-server
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-repo-server
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-application-controller
-      ports:
-        - protocol: TCP
-          port: 6379
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-repo-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    ports:
+    - protocol: TCP
+      port: 6379
   egress:
-    - to:
-      - ipBlock:
-          cidr: 0.0.0.0/0
-      ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP 
-
-
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
diff --git a/manifests/core-install.yaml b/manifests/core-install.yaml
@@ -10544,9 +10544,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
   ingress:
   - from:
     - podSelector:

diff --git a/manifests/ha/base/redis-ha/argocd-redis-ha-proxy-network-policy.yaml b/manifests/ha/base/redis-ha/argocd-redis-ha-proxy-network-policy.yaml
@@ -10,36 +10,33 @@ spec:
   - Ingress
   - Egress
   ingress:
-    - from:
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-server
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-repo-server
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-application-controller
-      ports:
-        - port: 6379
-          protocol: TCP
-        - port: 26379
-          protocol: TCP
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-repo-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
   egress:
-    - to:
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-redis-ha
-      ports:
-        - port: 6379
-          protocol: TCP
-        - port: 26379
-          protocol: TCP
-    - to:
-      - ipBlock:
-          cidr: 0.0.0.0/0
-      ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP
+  - to:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+    ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
diff --git a/manifests/ha/base/redis-ha/argocd-redis-ha-server-network-policy.yaml b/manifests/ha/base/redis-ha/argocd-redis-ha-server-network-policy.yaml
@@ -10,33 +10,30 @@ spec:
   - Ingress
   - Egress
   ingress:
-    - from:
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-redis-ha-haproxy
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-redis-ha
-      ports:
-        - port: 6379
-          protocol: TCP
-        - port: 26379
-          protocol: TCP
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha-haproxy
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+    ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
   egress:
-    - to:
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-redis-ha
-      ports:
-        - port: 6379
-          protocol: TCP
-        - port: 26379
-          protocol: TCP
-    - to:
-      - ipBlock:
-          cidr: 0.0.0.0/0
-      ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP
+  - to:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+    ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
diff --git a/manifests/ha/install.yaml b/manifests/ha/install.yaml
@@ -12546,9 +12546,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
   ingress:
   - from:
     - podSelector:
@@ -12592,9 +12589,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
   ingress:
   - from:
     - podSelector:

diff --git a/manifests/ha/namespace-install.yaml b/manifests/ha/namespace-install.yaml
@@ -2968,9 +2968,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
   ingress:
   - from:
     - podSelector:
@@ -3014,9 +3011,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
   ingress:
   - from:
     - podSelector:

diff --git a/manifests/install.yaml b/manifests/install.yaml
@@ -11361,9 +11361,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
   ingress:
   - from:
     - podSelector:

diff --git a/manifests/namespace-install.yaml b/manifests/namespace-install.yaml
@@ -1783,9 +1783,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
   ingress:
   - from:
     - podSelector: