Add new network policy for ingress controller webhook #5500
@@ -120,13 +122,44 @@ var networkIngressPolicy = v1.NetworkPolicy{ | |||
{ | |||
Protocol: &tcp, | |||
Port: &intstr.IntOrString{ | |||
IntVal: int32(80), | |||
StrVal: "http", |
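Review bot: In the `http` entry the `intstr.IntOrString` literal sets `StrVal` but no `Type: intstr.String` is visible next to it. The zero value of `Type` is `intstr.Int`, so without it the port serialises as the integer 0 and the name is never used. Please confirm `Type: intstr.String` is set here and on the `https` and `webhook` entries, or build the value with `intstr.FromString("http")`.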
note: targeting by name is more correct, as the numeric ports can be set by chart values.
}, | ||
}, | ||
{ | ||
Protocol: &tcp, | ||
Port: &intstr.IntOrString{ | ||
IntVal: int32(443), | ||
StrVal: "https", |
note: targeting by name is more correct, as the numeric ports can be set by chart values.
{ | ||
Protocol: &tcp, | ||
Port: &intstr.IntOrString{ | ||
StrVal: "webhook", |
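Review bot: The `webhook` port is matched by name only, with no numeric fallback, so the rule works only if the selected pods declare a container port named exactly `webhook`. If that name differs, the rule matches no port and access to the validating webhook is denied with no error from the policy itself. A short comment above this entry stating which chart port name it depends on would make that coupling visible to whoever next bumps the chart.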
note: targeting by name is more correct, as the numeric ports can be set by chart values.
Unfortunately we can't just add this to the existing netpol, as we document that it is not updated once the namespace annotation has been set.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
3e046fb to 78178ee
Proposed Changes
Add new network policy for ingress controller webhook.
The ingress-nginx chart added a validating webhook a while back, but we did not have a policy that allowed access to it. Access was being allowed by the overly broad network policy that we removed in #5318.
Unfortunately we can't just add this to the existing netpol, as we document that it is not updated once the namespace annotation has been set.
Types of Changes
bugfix
Verification
See linked issue
Testing
Linked Issues
User-Facing Change
Further Comments