From 24d1f834d928332a39a3f0b7e1bf804d43c30a07 Mon Sep 17 00:00:00 2001
From: Gabriele Pennacchia
Date: Mon, 21 Jul 2025 15:02:40 +0200
Subject: [PATCH 1/5] feat: add NetworkPolicy template
---
.../templates/controller-networkpolicy.yaml | 23 +++++++++++++++++++
charts/nginx-ingress/values.yaml | 20 ++++++++++++++++
2 files changed, 43 insertions(+)
create mode 100644 charts/nginx-ingress/templates/controller-networkpolicy.yaml
diff --git a/charts/nginx-ingress/templates/controller-networkpolicy.yaml b/charts/nginx-ingress/templates/controller-networkpolicy.yaml
new file mode 100644
index 0000000000..31080e266c
--- /dev/null
+++ b/charts/nginx-ingress/templates/controller-networkpolicy.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "nginx-ingress.fullname" . }}-network-policy
+ labels:
+ {{- include "nginx-ingress.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ {{- toYaml .Values.networkPolicy.podSelector | nindent 4 }}
+ policyTypes:
+ {{- toYaml .Values.networkPolicy.policyTypes | nindent 4 }}
+
+ {{- if has "Ingress" .Values.networkPolicy.policyTypes }}
+ ingress:
+ {{- toYaml .Values.networkPolicy.ingress | nindent 4 }}
+ {{- end }}
+
+ {{- if has "Egress" .Values.networkPolicy.policyTypes }}
+ egress:
+ {{- toYaml .Values.networkPolicy.egress | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml
index 8693a0517c..61c1cc8113 100644
--- a/charts/nginx-ingress/values.yaml
+++ b/charts/nginx-ingress/values.yaml
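Review bot: `podSelector` is rendered straight from `.Values.networkPolicy.podSelector`, and with the chart default `{}` (patch 1 values.yaml, still `podSelector: {}` in the patch 4 values.yaml hunk) the API server treats an empty selector as every pod in the release namespace, so enabling the policy with defaults constrains all workloads in that namespace to the controller's 80/443 ingress and UDP 53 egress rules rather than only the controller pods. A safer fallback is to select the controller pods when the value is empty; the rendered Deployment in the snapshot selects on `app.kubernetes.io/name` and `app.kubernetes.io/instance`, so those labels (through the chart's selector-label helper if it has one) are the right default. The metadata also omits `namespace: {{ .Release.Namespace }}` while the chart's other namespaced objects set it (the snapshot shows the ServiceAccount with `namespace: default` and the NetworkPolicy without), which matters when `helm template` output is applied with kubectl. The rewritten metadata and podSelector blocks are below; policyTypes, ingress and egress are unchanged.
```yaml
metadata:
  name: {{ include "nginx-ingress.fullname" . }}-network-policy
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "nginx-ingress.labels" . | nindent 4 }}
spec:
  podSelector:
    {{- if .Values.networkPolicy.podSelector }}
    {{- toYaml .Values.networkPolicy.podSelector | nindent 4 }}
    {{- else }}
    # empty value: fall back to the controller pods instead of every pod in the namespace;
    # prefer the chart's selector-label helper here if one exists
    matchLabels:
      app.kubernetes.io/name: {{ .Chart.Name }}
      app.kubernetes.io/instance: {{ .Release.Name }}
    {{- end }}
  # … unchanged: policyTypes, ingress and egress blocks …
```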
@@ -766,3 +766,23 @@ nginxAgent:
 processorBufferSize: 50000
 ## The name of a custom ConfigMap to use instead of the one provided by default
 customConfigMap: ""
+
+# Default values for nginx-ingress with optional NetworkPolicy
+networkPolicy:
+ enabled: false # Set to true to enable the NetworkPolicy
+ policyTypes: # Types of policy to create
+ - Ingress
+ - Egress
+ podSelector: {} # Label selector for pods (defaults to ingress controller pods)
+ ingress: # Ingress rules
+ - from: [] # List of peer selectors (e.g. namespaces, pods)
+ ports:
+ - protocol: TCP
+ port: 80
+ - protocol: TCP
+ port: 443
+ egress: # Egress rules
+ - to: [] # List of peer selectors
+ ports:
+ - protocol: UDP
+ port: 53
From abffb78844dd59b12a4a66a05b45f2e34ea0ad8b Mon Sep 17 00:00:00 2001
From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
Date: Fri, 12 Sep 2025 15:17:11 +0100
Subject: [PATCH 2/5] add helm template and test
Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
---
charts/nginx-ingress/values.schema.json | 72 +++
charts/nginx-ingress/values.yaml | 27 +-
charts/tests/__snapshots__/helmunit_test.snap | 489 ++++++++++++++++++
charts/tests/helmunit_test.go | 5 +
charts/tests/testdata/network-policy.yaml | 37 ++
5 files changed, 622 insertions(+), 8 deletions(-)
create mode 100644 charts/tests/testdata/network-policy.yaml
diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json
index b6f0ba5f32..707ca34b41 100644
--- a/charts/nginx-ingress/values.schema.json
+++ b/charts/nginx-ingress/values.schema.json
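Review bot: The default `egress` allows only UDP 53 while `policyTypes` includes `Egress`, so on a cluster that enforces NetworkPolicy the controller is cut off from the API server (the ClusterRole rendered in this series grants list/watch on ingresses, leases and endpointslices, all of which need that connection) and from DNS over TCP; the same default is carried unchanged into the patch 2 and patch 4 values.yaml hunks, and the patch 4 test fixture adds TCP 53, 443 and 6443 while values.yaml does not. Either extend the default as below or state next to `egress` that an API-server allow rule must be added before enabling `Egress`. The 80/443 ingress default likewise does not cover the readiness port 8081 or metrics port 9113 the rendered Deployment exposes; whether kubelet probes are affected depends on the CNI, but scraping from another namespace will be blocked unless a rule like the fixture's is added. The `to: []` rules below match any destination, so narrowing 443/6443 to the API server address with an `ipBlock` is preferable where it is known.
```yaml
  egress:
    - to: []
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # the controller watches the API server; narrow "to" to the API endpoint where known
    - to: []
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 6443
```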
@@ -2681,6 +2681,78 @@
 ]
 }
 }
+ },
+ "networkPolicy": {
+ "type": "object",
+ "default": {
+ "enabled": false
+ },
+ "title": "Configuration for NetworkPolicy",
+ "required": [
+ "enabled"
+ ],
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "default": false,
+ "title": "Enable NetworkPolicy",
+ "examples": [
+ false,
+ true
+ ]
+ },
+ "policyTypes": {
+ "type": "array",
+ "default": [
+ "Ingress",
+ "Egress"
+ ],
+ "title": "Types of policy to create",
+ "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.33.1/_definitions.json#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec/properties/policyTypes"
+ },
+ "podSelector": {
+ "type": "object",
+ "default": {},
+ "title": "Label selector for pods (defaults to ingress controller pods)",
+ "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.33.1/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"
+ },
+ "ingress": {
+ "type": "array",
+ "default": [
+ {
+ "from": [],
+ "ports": [
+ {
+ "protocol": "TCP",
+ "port": 80
+ },
+ {
+ "protocol": "TCP",
+ "port": 443
+ }
+ ]
+ }
+ ],
+ "title": "Ingress rules",
+ "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.33.1/_definitions.json#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec/properties/ingress"
+ },
+ "egress": {
+ "type": "array",
+ "default": [
+ {
+ "to": [],
+ "ports": [
+ {
+ "protocol": "UDP",
+ "port": 53
+ }
+ ]
+ }
+ ],
+ "title": "Egress rules",
+ "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.33.1/_definitions.json#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec/properties/egress"
+ }
+ }
 }
 },
 "examples": [
diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml
index 61c1cc8113..4c0e04b720 100644
--- a/charts/nginx-ingress/values.yaml
+++ b/charts/nginx-ingress/values.yaml
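Review bot: In each of `policyTypes`, `podSelector`, `ingress` and `egress` the local `type`, `default` and `title` sit beside a `$ref`, and under JSON Schema draft-07 and earlier every sibling of `$ref` is ignored, so whether those local keywords take effect depends on the `$schema` draft declared at the top of this file, which is outside the hunk. If it is draft-07, wrap the reference as `"allOf": [{ "$ref": "…" }]` so the local keywords stay in force. The `networkPolicy` object declares no `additionalProperties: false`, so a misspelled key such as `policyType` validates and the template silently falls back to the defaults; worth adding if the surrounding schema follows that pattern. The `$ref` targets are fetched from a remote URL at validation time if the validator resolves them, which ties linting and install to network access and to the `master` branch of that repository; if the rest of the file already references definitions this way it is at least consistent, otherwise a pinned tag or vendored definitions would be safer.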
@@ -767,22 +767,33 @@ nginxAgent:
 ## The name of a custom ConfigMap to use instead of the one provided by default
 customConfigMap: ""
 
-# Default values for nginx-ingress with optional NetworkPolicy
+## Configure Kubernetes NetworkPolicy for the ingress controller pods
 networkPolicy:
- enabled: false # Set to true to enable the NetworkPolicy
- policyTypes: # Types of policy to create
+ ## Enable creation of a NetworkPolicy resource for the ingress controller pods
+ enabled: false
+
+ ## List of NetworkPolicy types to apply (Ingress, Egress, or both)
+ policyTypes:
 - Ingress
 - Egress
- podSelector: {} # Label selector for pods (defaults to ingress controller pods)
- ingress: # Ingress rules
- - from: [] # List of peer selectors (e.g. namespaces, pods)
+
+ ## Label selector for pods the NetworkPolicy applies to (defaults to ingress controller pods)
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: nginx-ingress
+
+ ## List of ingress rules for allowed sources and ports
+ ingress:
+ - from: []
 ports:
 - protocol: TCP
 port: 80
 - protocol: TCP
 port: 443
- egress: # Egress rules
- - to: [] # List of peer selectors
+
+ ## List of egress rules for allowed destinations and ports
+ egress:
+ - to: []
 ports:
 - protocol: UDP
 port: 53
diff --git a/charts/tests/__snapshots__/helmunit_test.snap b/charts/tests/__snapshots__/helmunit_test.snap
index 3d91c099a9..ec50e18c35 100755
--- a/charts/tests/__snapshots__/helmunit_test.snap
+++ b/charts/tests/__snapshots__/helmunit_test.snap
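Review bot: The new comments describe `ingress` and `egress` as lists of "allowed sources" and "allowed destinations", but the default rules use `from: []` and `to: []`, which in the NetworkPolicy API match every peer rather than none, so a reader can take the defaults to be restrictive when they only restrict ports. Suggest saying so on the rule lines: above `- from: []` add `## An empty "from" matches any source; add namespaceSelector/podSelector/ipBlock entries to restrict it`, and above `- to: []` add `## An empty "to" matches any destination; restrict it the same way`. The `podSelector` value in this hunk is revised again in patch 4, so it is not raised here.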
@@ -6650,6 +6650,495 @@ metadata: app.kubernetes.io/managed-by: Helm --- +[TestHelmNICTemplate/networkPolicy - 1] +/-/-/-/ +# Source: nginx-ingress/templates/controller-networkpolicy.yaml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: network-policy-nginx-ingress-network-policy + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +spec: + podSelector: + app: nginx-ingress + matchLabels: + app: nginx-ingress + policyTypes: + - Ingress + - Egress + ingress: + - from: + - namespaceSelector: + matchLabels: + name: production + - podSelector: + matchLabels: + role: frontend + ports: + - port: 80 + protocol: TCP + - port: 443 + protocol: TCP + egress: + - ports: + - port: 53 + protocol: UDP + to: + - namespaceSelector: + matchLabels: + name: kube-system + - ports: + - port: 443 + protocol: TCP + to: [] +/-/-/-/ +# Source: nginx-ingress/templates/controller-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: network-policy-nginx-ingress + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +/-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: network-policy-nginx-ingress + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +data: + {} +/-/-/-/ +# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: network-policy-nginx-ingress-leader-election + namespace: default + labels: + helm.sh/chart: 
nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +/-/-/-/ +# Source: nginx-ingress/templates/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: network-policy-nginx-ingress + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - "apps" + resources: + - replicasets + - daemonsets + - statefulsets + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +/-/-/-/ +# Source: nginx-ingress/templates/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: 
rbac.authorization.k8s.io/v1 +metadata: + name: network-policy-nginx-ingress + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +subjects: +- kind: ServiceAccount + name: network-policy-nginx-ingress + namespace: default +roleRef: + kind: ClusterRole + name: network-policy-nginx-ingress + apiGroup: rbac.authorization.k8s.io +/-/-/-/ +# Source: nginx-ingress/templates/controller-role.yaml +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: network-policy-nginx-ingress + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm + namespace: default +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - network-policy-nginx-ingress-leader-election + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +/-/-/-/ +# Source: nginx-ingress/templates/controller-rolebinding.yaml +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: network-policy-nginx-ingress + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: network-policy-nginx-ingress +subjects: +- kind: ServiceAccount + 
name: network-policy-nginx-ingress + namespace: default +/-/-/-/ +# Source: nginx-ingress/templates/controller-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: network-policy-nginx-ingress-controller + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +spec: + externalTrafficPolicy: Local + type: LoadBalancer + ports: + - port: 80 + targetPort: 80 + protocol: TCP + name: http + nodePort: + - port: 443 + targetPort: 443 + protocol: TCP + name: https + nodePort: + selector: + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy +/-/-/-/ +# Source: nginx-ingress/templates/controller-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: network-policy-nginx-ingress-controller + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + template: + metadata: + labels: + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9113" + prometheus.io/scheme: "http" + spec: + volumes: [] + serviceAccountName: network-policy-nginx-ingress + automountServiceAccountToken: true + securityContext: + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: 30 + hostNetwork: false + dnsPolicy: ClusterFirst + containers: + - image: nginx/nginx-ingress:5.3.0 + name: nginx-ingress + imagePullPolicy: "IfNotPresent" + ports: + - name: http + containerPort: 80 + protocol: TCP + - name: https + containerPort: 443 + protocol: TCP + - name: prometheus 
+ containerPort: 9113 + - name: readiness-port + containerPort: 8081 + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: 0 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + volumeMounts: [] + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + args: + + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/network-policy-nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -log-level=info + - -log-format=glog + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=network-policy-nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=network-policy-nginx-ingress-leader-election + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - -disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -default-http-listener-port=80 + - -default-https-listener-port=443 + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + - -ssl-dynamic-reload=true + - -enable-telemetry-reporting=true + - -weight-changes-dynamic-reload=false +/-/-/-/ +# Source: nginx-ingress/templates/controller-ingress-class.yaml 
+apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: nginx + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +spec: + controller: nginx.org/ingress-controller +/-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +/-/-/-/ +/-/-/-/ +# Source: nginx-ingress/templates/controller-lease.yaml +apiVersion: coordination.k8s.io/v1 +kind: Lease +metadata: + name: network-policy-nginx-ingress-leader-election + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +--- + [TestHelmNICTemplate/ossAgentV3 - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml diff --git a/charts/tests/helmunit_test.go b/charts/tests/helmunit_test.go index dd459e7820..a660c1fcf2 100644 --- a/charts/tests/helmunit_test.go +++ b/charts/tests/helmunit_test.go @@ -166,6 +166,11 @@ func TestHelmNICTemplate(t *testing.T) { releaseName: "startupstatus", namespace: "default", }, + "networkPolicy": { + valuesFile: "testdata/network-policy.yaml", + releaseName: "network-policy", + namespace: "default", + }, } // Path to the helm chart we will test diff --git a/charts/tests/testdata/network-policy.yaml b/charts/tests/testdata/network-policy.yaml new file mode 100644 index 0000000000..a178eca141 --- /dev/null +++ b/charts/tests/testdata/network-policy.yaml 
@@ -0,0 +1,37 @@
+controller:
+ name: controller
+ kind: deployment
+
+networkPolicy:
+ enabled: true
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ app: nginx-ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ name: production
+ - podSelector:
+ matchLabels:
+ role: frontend
+ ports:
+ - protocol: TCP
+ port: 80
+ - protocol: TCP
+ port: 443
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: kube-system
+ ports:
+ - protocol: UDP
+ port: 53
+ - to: []
+ ports:
+ - protocol: TCP
+ port: 443
\ No newline at end of file
From 36ee3fc409112e55df7d756b8d12c80d8ee48d66 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Wed, 17 Sep 2025 17:07:26 +0000
Subject: [PATCH 3/5] [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
---
charts/tests/testdata/network-policy.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/tests/testdata/network-policy.yaml b/charts/tests/testdata/network-policy.yaml
index a178eca141..0c1f520e89 100644
--- a/charts/tests/testdata/network-policy.yaml
+++ b/charts/tests/testdata/network-policy.yaml
@@ -34,4 +34,4 @@ networkPolicy:
 - to: []
 ports:
 - protocol: TCP
- port: 443
\ No newline at end of file
+ port: 443
From c93af1d1e2ba2b81985837d690cdbcd9ff7b2efc Mon Sep 17 00:00:00 2001
From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
Date: Thu, 18 Sep 2025 14:05:20 +0100
Subject: [PATCH 4/5] update tests
Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
---
charts/nginx-ingress/values.yaml | 9 +--
charts/tests/__snapshots__/helmunit_test.snap | 40 ++++++++++++-
charts/tests/testdata/network-policy.yaml | 55 ++++++++++++++-----
3 files changed, 79 insertions(+), 25 deletions(-)
diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml
index 4c0e04b720..95c74e5372 100644
--- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml @@ -777,10 +777,11 @@ networkPolicy: - Ingress - Egress - ## Label selector for pods the NetworkPolicy applies to (defaults to ingress controller pods) - podSelector: - matchLabels: - app.kubernetes.io/name: nginx-ingress + ## Label selector for pods the NetworkPolicy applies to (defaults to all pods in the same namespace) + podSelector: {} + ## matchLabels: + ## app.kubernetes.io/name: nginx-ingress + ## app.kubernetes.io/instance: nginx-ingress ## List of ingress rules for allowed sources and ports ingress: diff --git a/charts/tests/__snapshots__/helmunit_test.snap b/charts/tests/__snapshots__/helmunit_test.snap index ec50e18c35..ae500a217c 100755 --- a/charts/tests/__snapshots__/helmunit_test.snap +++ b/charts/tests/__snapshots__/helmunit_test.snap @@ -6665,29 +6665,42 @@ metadata: app.kubernetes.io/managed-by: Helm spec: podSelector: - app: nginx-ingress matchLabels: - app: nginx-ingress + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress policyTypes: - Ingress - Egress ingress: + - from: [] + ports: + - port: 80 + protocol: TCP + - port: 443 + protocol: TCP - from: - namespaceSelector: matchLabels: - name: production + name: monitoring - podSelector: matchLabels: - role: frontend + app: prometheus ports: - - port: 80 + - port: 8081 protocol: TCP - - port: 443 + - from: + - namespaceSelector: + matchLabels: + name: nginx-ingress + ports: + - port: 8080 protocol: TCP egress: - ports: - port: 53 protocol: UDP + - port: 53 + protocol: TCP to: - namespaceSelector: matchLabels: @@ -6695,7 +6708,22 @@ spec: - ports: - port: 443 protocol: TCP + - port: 6443 + protocol: TCP to: [] + - ports: + - port: 80 + protocol: TCP + - port: 443 + protocol: TCP + - port: 8080 + protocol: TCP + - port: 8443 + protocol: TCP + - port: 9000 + protocol: TCP + to: + - podSelector: {} /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 
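Review bot: The commented-out example under `podSelector` shows `app.kubernetes.io/instance: nginx-ingress`, but that label carries the Helm release name (the snapshot renders `app.kubernetes.io/instance: network-policy` for release `network-policy`), so a user who copies the example into a release with any other name gets a policy that selects no pods and silently enforces nothing. Change the example to `## app.kubernetes.io/instance: <release name>` and say that both labels must match the ones the chart's Deployment selector renders. The new comment also now states that `{}` means all pods in the namespace; the safety of that default is discussed on the template hunk of patch 1.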
diff --git a/charts/tests/testdata/network-policy.yaml b/charts/tests/testdata/network-policy.yaml
index 0c1f520e89..acd7009a01 100644
--- a/charts/tests/testdata/network-policy.yaml
+++ b/charts/tests/testdata/network-policy.yaml
@@ -1,7 +1,3 @@
-controller:
- name: controller
- kind: deployment
-
 networkPolicy:
 enabled: true
 policyTypes:
@@ -9,29 +5,58 @@ networkPolicy:
 - Egress
 podSelector:
 matchLabels:
- app: nginx-ingress
+ app.kubernetes.io/name: nginx-ingress
+ app.kubernetes.io/instance: nginx-ingress
 ingress:
+ - from: []
+ ports:
+ - port: 80
+ protocol: TCP
+ - port: 443
+ protocol: TCP
 - from:
 - namespaceSelector:
 matchLabels:
- name: production
+ name: monitoring
 - podSelector:
 matchLabels:
- role: frontend
+ app: prometheus
 ports:
- - protocol: TCP
- port: 80
- - protocol: TCP
- port: 443
+ - port: 8081
+ protocol: TCP
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ name: nginx-ingress
+ ports:
+ - port: 8080
+ protocol: TCP
 egress:
 - to:
 - namespaceSelector:
 matchLabels:
 name: kube-system
 ports:
- - protocol: UDP
- port: 53
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
 - to: []
 ports:
- - protocol: TCP
- port: 443
+ - port: 443
+ protocol: TCP
+ - port: 6443
+ protocol: TCP
+ - to:
+ - podSelector: {}
+ ports:
+ - port: 80
+ protocol: TCP
+ - port: 443
+ protocol: TCP
+ - port: 8080
+ protocol: TCP
+ - port: 8443
+ protocol: TCP
+ - port: 9000
+ protocol: TCP
\ No newline at end of file
From 838ef0cd73a5b77c435632abf0bbc26d69bb5cd8 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Thu, 18 Sep 2025 13:06:54 +0000
Subject: [PATCH 5/5] [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
---
charts/tests/testdata/network-policy.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/tests/testdata/network-policy.yaml b/charts/tests/testdata/network-policy.yaml
index acd7009a01..2ae779def6 100644
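Review bot: The fixture's `podSelector` uses `app.kubernetes.io/instance: nginx-ingress`, but the test registers this case with `releaseName: "network-policy"` (patch 2, helmunit_test.go) and the rendered Deployment labels its pods `app.kubernetes.io/instance: network-policy`, so the policy the snapshot pins would select none of the controller pods in that release. The snapshot only compares rendered text, so it passes either way; changing the line to `app.kubernetes.io/instance: network-policy` keeps the fixture a realistic example of a policy that actually applies to the controller. The last egress rule, `to:` with `- podSelector: {}` over five TCP ports, lets the controller reach every pod in its namespace, which is fine for a fixture but deserves a comment such as `# fixture only: allows egress to every pod in the namespace` so it is not copied into values.yaml as a default.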
--- a/charts/tests/testdata/network-policy.yaml
+++ b/charts/tests/testdata/network-policy.yaml
@@ -59,4 +59,4 @@ networkPolicy:
 - port: 8443
 protocol: TCP
 - port: 9000
- protocol: TCP
\ No newline at end of file
+ protocol: TCP