feat(helm): Add a network policy for the controller manager (#2514)
Allows communication in network locked down clusters.  This is especially useful to allow the init container of the gatekeeper-update-namespace-label job to communicate with the pods behind the gatekeeper-webhook-service service.

Signed-off-by: Kyle Michel <kyle.michel@ontariosystems.com>

Signed-off-by: Kyle Michel <kyle.michel@ontariosystems.com>
Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
krmichelos and ritazh committed Jan 13, 2023
1 parent 80d6346 commit ac8612d
Showing 6 changed files with 76 additions and 0 deletions.
2 changes: 2 additions & 0 deletions cmd/build/helmify/static/README.md
@@ -171,6 +171,8 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` |
| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` |
| controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` |
| controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` |
| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` |
| audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} |
| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` |
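Review bot: the default documented for `controllerManager.networkPolicy.ingress` is `{}`, but the template splices this value into the `ingress:` list of the NetworkPolicy, so the documented default (and the shape users will copy) should be a list, `[]`. The row should also state what enabling the policy does: with only the built-in rule, ingress to the webhook pods is limited to pods in the release namespace carrying the chart's `app`/`release` labels, so anything else that must reach the webhook, notably the kube-apiserver's admission calls, needs an entry in `ingress`. Minor style point: "Should a network policy for the controller manager be created" is phrased as a question while the other rows are statements; "Create a NetworkPolicy for the controller manager" matches the table.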
@@ -0,0 +1,30 @@
{{- if .Values.controllerManager.networkPolicy.enabled -}}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-controller-manager
spec:
ingress:
- from:
- podSelector:
matchLabels:
app: '{{ template "gatekeeper.name" . }}'
release: '{{ .Release.Name }}'
{{- with .Values.controllerManager.networkPolicy.ingress }}
{{- toYaml . | nindent 4 }}
{{- end }}
podSelector:
matchLabels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: controller-manager
gatekeeper.sh/operation: webhook
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
{{- end -}}
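Review bot: the single default `from` rule admits only pods in the policy's own namespace that carry the chart's `app` and `release` labels (a bare `podSelector` without a `namespaceSelector` never matches pods elsewhere), so the kube-apiserver's admission requests to the selected webhook pods are blocked as soon as `networkPolicy.enabled` is true unless the operator adds a matching rule through `networkPolicy.ingress`; that consequence should be stated in a comment here and next to the `enabled` flag, or the chart should ship a rule for the API server. Two smaller points on the same rule: it carries no `ports`, so every port of the webhook pods is opened to the selected pods rather than only the webhook port, and `policyTypes` is left implicit; that is correct while only `ingress` is present, but writing `policyTypes: [Ingress]` explicitly keeps the semantics stable if an egress section is added later.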
6 changes: 6 additions & 0 deletions cmd/build/helmify/static/values.yaml
@@ -183,6 +183,12 @@ controllerManager:
supplementalGroups:
- 999
extraRules: []
networkPolicy:
enabled: false
ingress: { }
# - from:
# - ipBlock:
# cidr: 0.0.0.0/0
audit:
hostNetwork: false
dnsPolicy: ClusterFirst
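Review bot: `ingress: { }` declares an empty map, while the commented example and the template's `{{- toYaml . | nindent 4 }}` under the `ingress:` list expect a list of NetworkPolicyIngressRule entries; the default should be `ingress: []` so a user extending it gets the right type, and the README default should match. The commented `ipBlock` with `cidr: 0.0.0.0/0` is an allow-from-anywhere rule; if it stays as the illustrative example, a comment should say that it opens the webhook pods to all sources (which admits the API server but also removes the restriction the policy was added for), and a narrower example would illustrate the intended use better.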
2 changes: 2 additions & 0 deletions manifest_staging/charts/gatekeeper/README.md
@@ -171,6 +171,8 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` |
| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` |
| controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` |
| controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` |
| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` |
| audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} |
| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` |
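Review bot: this appears to be the generated copy of `cmd/build/helmify/static/README.md` and carries the same mismatch: `{}` is documented as the default for `controllerManager.networkPolicy.ingress`, but the template consumes the value as a list of ingress rules, so `[]` is the type users need. Whatever default is settled on in the static source must be regenerated here so the two READMEs do not drift.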
@@ -0,0 +1,30 @@
{{- if .Values.controllerManager.networkPolicy.enabled -}}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-controller-manager
spec:
ingress:
- from:
- podSelector:
matchLabels:
app: '{{ template "gatekeeper.name" . }}'
release: '{{ .Release.Name }}'
{{- with .Values.controllerManager.networkPolicy.ingress }}
{{- toYaml . | nindent 4 }}
{{- end }}
podSelector:
matchLabels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: controller-manager
gatekeeper.sh/operation: webhook
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
{{- end -}}
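Review bot: identical to the template added under `cmd/build/helmify/static`, so the same concern applies: the only default rule admits pods in the release namespace with the chart's `app`/`release` labels and opens all of their ports on the webhook pods, and the kube-apiserver's admission traffic does not match it, so enabling the policy with the default `networkPolicy.ingress` value blocks admission unless the operator adds a rule; document that beside the `enabled` flag, and consider an explicit `policyTypes: [Ingress]` and a `ports` entry limited to the webhook port.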
6 changes: 6 additions & 0 deletions manifest_staging/charts/gatekeeper/values.yaml
@@ -183,6 +183,12 @@ controllerManager:
supplementalGroups:
- 999
extraRules: []
networkPolicy:
enabled: false
ingress: { }
# - from:
# - ipBlock:
# cidr: 0.0.0.0/0
audit:
hostNetwork: false
dnsPolicy: ClusterFirst
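Review bot: same as the static values file: `ingress: { }` should be `ingress: []`, because the template appends this value to the NetworkPolicy's `ingress` list, and the commented `cidr: 0.0.0.0/0` example is an allow-all rule that deserves a comment saying so before anyone uncomments it.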