Support legacy nginx label in network policy

Update helm chart network policy. Signed-off-by: Brandon Wilson <brandon@coil.com>
openfaas · Sep 17, 2020 · 508951c · 508951c
1 parent d21ea2f
commit 508951c
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 4 deletions.
diff --git a/chart/openfaas-cloud/templates/network-policy/ns-openfaas-net-policy.yml b/chart/openfaas-cloud/templates/network-policy/ns-openfaas-net-policy.yml
@@ -18,6 +18,10 @@ spec:
       podSelector:
         matchLabels:
           role: openfaas-system
+    - namespaceSelector: {}
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: ingress-nginx
     - namespaceSelector: {}
       podSelector:
         matchLabels:

diff --git a/chart/test/newtork_policy_test.go → chart/test/network_policy_test.go b/chart/test/newtork_policy_test.go → chart/test/network_policy_test.go
@@ -35,12 +35,14 @@ func Test_CoreNetworkPolicy_Overrides(t *testing.T) {
 }
 
 func buildCoreNetworkPolicy(coreNamespace, functionNamespace string) YamlSpec {
-	podSelector := make(map[string]string)
+	nginxSelector := make(map[string]string)
+	nginxLegacySelector := make(map[string]string)
 	emptySelector := make(map[string]string)
 	matchLabelsSystem := make(map[string]string)
 	matchLabelsFunction := make(map[string]string)
 
-	podSelector["app"] = "nginx-ingress"
+	nginxSelector["app.kubernetes.io/name"] = "ingress-nginx"
+	nginxLegacySelector["app"] = "nginx-ingress"
 	matchLabelsSystem["role"] = "openfaas-system"
 	matchLabelsFunction["role"] = functionNamespace
 
@@ -72,7 +74,13 @@ func buildCoreNetworkPolicy(coreNamespace, functionNamespace string) YamlSpec {
 					{
 						Namespace: NamespaceSelector{},
 						Pod: MatchLabelSelector{
-							MatchLabels: podSelector,
+							MatchLabels: nginxSelector,
+						},
+					},
+					{
+						Namespace: NamespaceSelector{},
+						Pod: MatchLabelSelector{
+							MatchLabels: nginxLegacySelector,
 						},
 					},
 				},

diff --git a/docs/README.md b/docs/README.md
@@ -230,7 +230,7 @@ kubectl apply -f ./yaml/core
 
 (Optional) Deploy NetworkPolicy. These policies set the following rules:
 * Pods in the `openfaas-fn` namespace only accept traffic from namespaces and pods that have the label `role: openfaas-system`
-* Pods in the `openfaas` namespace only accept traffic from all pods in namespaces with the label `role: openfaas-system`, pods that have the label `role: openfaas-system` in the `openfaas-fn` namespace and finally pods from any namespace that have the label `app: nginx-ingress`(this is to allow traffic from the nginx ingress controller).
+* Pods in the `openfaas` namespace only accept traffic from all pods in namespaces with the label `role: openfaas-system`, pods that have the label `role: openfaas-system` in the `openfaas-fn` namespace and finally pods from any namespace that have the label `app.kubernetes.io/name: ingress-nginx` or `app: nginx-ingress`(this is to allow traffic from the nginx ingress controller).
 
 ```
 kubectl apply -f ./yaml/network-policy

diff --git a/yaml/network-policy/ns-openfaas-net-policy.yml b/yaml/network-policy/ns-openfaas-net-policy.yml
@@ -22,3 +22,7 @@ spec:
       podSelector:
         matchLabels:
           app.kubernetes.io/name: ingress-nginx
+    - namespaceSelector: {}
+      podSelector:
+        matchLabels:
+          app: nginx-ingress