add generic cost-analyzer network policy template #1013
Merged
Background
The current cost-analyzer network policy template isn't sufficient for our use case. It's also somewhat non-standard because rather than targeting cost-analyzer pods, it conditionally can target prometheus pods, which I haven't seen too often.
From what I gather, the current policy template supports:
For the above, I don't believe you can combine them as well.
We needed to append a few ingress/egress rules to the template and so I wasn't sure where to start with adding to the pre-existing template. My solution in this PR is to add a new template where the rules are generic and the target pods are cost-analyzer specific, leaving the old template for backwards compat purposes.
The general concept was borrowed from https://github.com/ameijer/k8s-as-helm/blob/master/charts/networkpolicy/templates/networkpolicy.yaml -- although I did update the metadata to be specific to this chart.
Changes
cost-analyzer-network-policy-template.yaml that is disabled by default, which dynamically defines ingress/egress rules from values in values.yaml files.
values.yaml
Testing
Testing input vars:
Resulting rendered template:
Null port entries in these policies map to <any> in the final policy from my testing, which is desired:
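As an added illustration of the approach described in this PR (rules taken from values, pod selector fixed to the cost-analyzer pods), the sketch below is not the PR's actual template file; the value keys `networkPolicy.enabled`, `networkPolicy.ingress` and `networkPolicy.egress`, the `app: cost-analyzer` label and the metadata name are assumptions. A rule with no `ports` key renders a rule that matches every port, the `<any>` behaviour noted above, so an accidentally omitted `ports` widens the rule rather than narrowing it.

```yaml
# Added illustration, not the chart's own template. Assumed values keys:
# networkPolicy.enabled, networkPolicy.ingress, networkPolicy.egress.
{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-cost-analyzer-generic   # assumed naming
spec:
  # Target is fixed to the cost-analyzer pods (assumed label);
  # the rules themselves come entirely from values.
  podSelector:
    matchLabels:
      app: cost-analyzer
  # Only list a policy type when rules for it exist. Listing "Egress"
  # with an empty egress block would deny all egress for the pods.
  policyTypes:
    {{- if .Values.networkPolicy.ingress }}
    - Ingress
    {{- end }}
    {{- if .Values.networkPolicy.egress }}
    - Egress
    {{- end }}
  {{- with .Values.networkPolicy.ingress }}
  ingress:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with .Values.networkPolicy.egress }}
  egress:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}

# Constructed values.yaml fragment for the template above:
# networkPolicy:
#   enabled: true
#   ingress:
#     - from:
#         - podSelector:
#             matchLabels:
#               app: prometheus
#       # no "ports" key here: rule allows ALL ports ("<any>" in kubectl describe)
#   egress:
#     - to:
#         - namespaceSelector: {}
#       ports:
#         - port: 53
#           protocol: UDP
```

Rendering with `helm template` and then `kubectl describe networkpolicy` on the result is the quickest way to confirm which rules carry an explicit port list and which collapsed to `<any>`.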