
Network policy template #62

Merged
merged 18 commits into from Oct 21, 2023

Conversation

clux
Member

@clux clux commented Oct 20, 2023

Hardest part of this was actually the apiserver access egress...

I started out with:

    - namespaceSelector:
        matchLabels:
          name: default

which works in many places, but not all, so now we have this complicated endpoint query, that's fed into helm:

          apiserver="$(kubectl get endpoints kubernetes -ojson | jq '.subsets[0].addresses[0].ip' -r)"
          helm template charts/doc-controller \
            --set version=latest \
            --set networkPolicy.enabled=true \
            --set networkPolicy.apiserver.0=${apiserver}/32

which is fine, but we don't want first-comers to have to deal with all of that garbage so in values.yaml there's a wide-open egress default for where the endpoint is:

    networkPolicy:
      apiserver:
      - "0.0.0.0/0" # extremely wide-open egress on ports 443 + 6443

hopefully, that is a decent enough starting point that doesn't discourage networkpolicies, but also doesn't front-load all the mysticism..
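As an added illustration of the egress derivation discussed in this PR (this is not code from the controller-rs chart or its CI), the script below takes the JSON of the `kubernetes` Endpoints object, collects every apiserver address across all subsets rather than only `subsets[0].addresses[0]`, renders each as a host-sized `ipBlock` on the 443 and 6443 ports the chart comment mentions, and lints a policy for the `0.0.0.0/0` default so a deployer can see when the wide-open starting point is still in place. The endpoint document is a constructed sample; the policy name, namespace and `app` label are assumptions.

```python
"""Derive NetworkPolicy apiserver egress CIDRs from the `kubernetes`
Endpoints object and lint the resulting policy for wide-open rules.
Added example; not code from the doc-controller chart."""
import ipaddress
import json

# Constructed stand-in for `kubectl get endpoints kubernetes -ojson` on an
# HA control plane with three apiserver addresses (the IPs are made up).
SAMPLE_ENDPOINTS = json.dumps({
    "apiVersion": "v1",
    "kind": "Endpoints",
    "metadata": {"name": "kubernetes", "namespace": "default"},
    "subsets": [{
        "addresses": [{"ip": "10.0.0.11"}, {"ip": "10.0.0.12"}, {"ip": "10.0.0.13"}],
        "ports": [{"name": "https", "port": 6443, "protocol": "TCP"}],
    }],
})

# Ports named in the chart's values.yaml comment (443 + 6443).
APISERVER_PORTS = (443, 6443)


def apiserver_cidrs(endpoints_json: str) -> list:
    """Return one host-sized CIDR (/32 or /128) per apiserver address,
    walking every subset instead of only the first address of the first."""
    doc = json.loads(endpoints_json)
    cidrs = set()
    for subset in doc.get("subsets") or []:
        for addr in subset.get("addresses") or []:
            ip = ipaddress.ip_address(addr["ip"])
            cidrs.add(f"{ip}/{ip.max_prefixlen}")
    return sorted(cidrs)  # sorted for stable, diffable output


def egress_rule(cidrs: list) -> dict:
    """One egress rule allowing TCP to each CIDR on the apiserver ports only."""
    return {
        "to": [{"ipBlock": {"cidr": c}} for c in cidrs],
        "ports": [{"protocol": "TCP", "port": p} for p in APISERVER_PORTS],
    }


def network_policy(cidrs: list, name: str = "doc-controller",
                   namespace: str = "default") -> dict:
    """Egress-only NetworkPolicy for the controller pods (name/label assumed)."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": name}},
            "policyTypes": ["Egress"],
            "egress": [egress_rule(cidrs)],
        },
    }


def wide_open_cidrs(policy: dict) -> list:
    """Return egress ipBlock CIDRs with prefix length 0 (0.0.0.0/0, ::/0),
    i.e. the wide-open default that should be scoped down before production."""
    found = []
    for rule in policy["spec"].get("egress", []):
        for peer in rule.get("to", []):
            cidr = peer.get("ipBlock", {}).get("cidr")
            if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                found.append(cidr)
    return found


if __name__ == "__main__":
    scoped = network_policy(apiserver_cidrs(SAMPLE_ENDPOINTS))
    # JSON is valid YAML, so this document can be applied as-is.
    print(json.dumps(scoped, indent=2))
    print("wide-open CIDRs in default:", wide_open_cidrs(network_policy(["0.0.0.0/0"])))
    print("wide-open CIDRs in scoped:", wide_open_cidrs(scoped))
```

The list returned by `apiserver_cidrs` is the value a deployer would pass to the chart's `networkPolicy.apiserver` entries; the `wide_open_cidrs` check is the kind of guard that lets the permissive default stay in `values.yaml` for first-comers while still surfacing it in CI before a production rollout.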

Signed-off-by: clux <sszynrae@gmail.com>
@clux clux marked this pull request as ready for review October 20, 2023 22:34
people who know how to do this can scope it

@clux clux merged commit b863bbd into main Oct 21, 2023
7 checks passed
@clux clux deleted the netpol branch October 21, 2023 07:54
Labels
None yet
Projects
None yet
Development


None yet

1 participant