{{ if .Values.networkPolicies.enabled -}}
# Baseline policy: selects every pod carrying this release's chart/release
# labels and declares both policy types with empty rule lists, so those pods
# get no ingress and no egress unless another NetworkPolicy allows it.
# NetworkPolicies are additive: every later policy in this file opens a hole
# in this baseline, so each one should be reviewed as an exception to it.
# Enforcement depends on a CNI plugin that implements NetworkPolicy; without
# one the objects are accepted by the API server but have no effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-default-deny-all
  labels:
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    {{- with .Values.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
  policyTypes:
  - Ingress
  - Egress
  ingress: []
  egress: []
---
{{ if .Values.networkPolicies.dnsPorts -}}
# Egress exception for name resolution: one UDP and one TCP entry is emitted
# for every port listed in networkPolicies.dnsPorts.
# NOTE(review): the rule lists ports only and has no `to` peers, so the
# selected pods may reach ANY destination on these ports, not just the
# cluster DNS service. DNS ports are a common channel for tunnelling data
# out of a restricted workload; consider adding a `to` selector for the
# cluster DNS pods if the environment allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-allow-dns-access
  labels:
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    {{- with .Values.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
  policyTypes:
  - Egress
  egress:
  - ports:
    {{- range .Values.networkPolicies.dnsPorts }}
    - port: {{ . }}
      protocol: UDP
    - port: {{ . }}
      protocol: TCP
    {{- end }}
{{- end }}
---
# Ingress exception for the gerrit-replica pods on port 8080. No protocol is
# given, which Kubernetes treats as TCP.
# The empty `from` list places no restriction on the peer: as far as
# NetworkPolicy is concerned the port is reachable from every pod, namespace
# and external address. It is rendered whenever networkPolicies.enabled is
# set, with no separate switch, so it effectively overrides the baseline
# deny for this port.
# NOTE(review): the resource name is fixed rather than derived from the
# release name; two releases of this chart in one namespace would presumably
# collide on it. Confirm before installing more than once per namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: gerrit-replica-allow-external
  labels:
    app.kubernetes.io/component: gerrit-replica
    app.kubernetes.io/instance: {{ .Release.Name }}
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    {{- with .Values.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
      app.kubernetes.io/component: gerrit-replica
      app.kubernetes.io/instance: {{ .Release.Name }}
  ingress:
  - ports:
    - port: 8080
    from: []
---
{{ if .Values.gitBackend.networkPolicy.ingress -}}
# Operator-supplied ingress rules for the git-backend pods. The list under
# gitBackend.networkPolicy.ingress is copied into the policy as-is; nothing
# in this template validates or narrows it. Because policies are additive,
# every rule given here widens what the baseline deny policy blocks, so
# values files that set it deserve the same review as the policy itself.
# NOTE(review): the resource name is fixed, not release-scoped; verify that
# only one release per namespace renders it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: git-backend-custom-ingress-policies
  labels:
    app.kubernetes.io/component: git-backend
    app.kubernetes.io/instance: {{ .Release.Name }}
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    {{- with .Values.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  policyTypes:
  - Ingress
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
      app.kubernetes.io/component: git-backend
      app.kubernetes.io/instance: {{ .Release.Name }}
  ingress:
  {{- toYaml .Values.gitBackend.networkPolicy.ingress | nindent 2 }}
{{- end }}
---
{{ if .Values.gitBackend.networkPolicy.egress -}}
# Operator-supplied egress rules for the git-backend pods. The list under
# gitBackend.networkPolicy.egress is copied into the policy as-is; nothing
# in this template validates or narrows it. Each rule is an additional
# outbound path on top of the baseline deny, so keep destinations and ports
# as specific as the deployment allows.
# NOTE(review): the resource name is fixed, not release-scoped; verify that
# only one release per namespace renders it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: git-backend-custom-egress-policies
  labels:
    app.kubernetes.io/component: git-backend
    app.kubernetes.io/instance: {{ .Release.Name }}
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    {{- with .Values.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  policyTypes:
  - Egress
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
      app.kubernetes.io/component: git-backend
      app.kubernetes.io/instance: {{ .Release.Name }}
  egress:
  {{- toYaml .Values.gitBackend.networkPolicy.egress | nindent 2 }}
{{- end }}
---
{{ if .Values.gerritReplica.networkPolicy.ingress -}}
# Operator-supplied ingress rules for the gerrit-replica pods. The list
# under gerritReplica.networkPolicy.ingress is copied into the policy as-is;
# nothing in this template validates or narrows it. Because policies are
# additive, every rule given here widens what the baseline deny policy
# blocks.
# NOTE(review): the resource name is fixed, not release-scoped; verify that
# only one release per namespace renders it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: gerrit-replica-custom-ingress-policies
  labels:
    app.kubernetes.io/component: gerrit-replica
    app.kubernetes.io/instance: {{ .Release.Name }}
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    {{- with .Values.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  policyTypes:
  - Ingress
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
      app.kubernetes.io/component: gerrit-replica
      app.kubernetes.io/instance: {{ .Release.Name }}
  ingress:
  {{- toYaml .Values.gerritReplica.networkPolicy.ingress | nindent 2 }}
{{- end }}
---
{{ if .Values.gerritReplica.networkPolicy.egress -}}
# Operator-supplied egress rules for the gerrit-replica pods. The list under
# gerritReplica.networkPolicy.egress is copied into the policy as-is;
# nothing in this template validates or narrows it. Each rule is an
# additional outbound path on top of the baseline deny, so keep destinations
# and ports as specific as the deployment allows.
# NOTE(review): the resource name is fixed, not release-scoped; verify that
# only one release per namespace renders it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: gerrit-replica-custom-egress-policies
  labels:
    app.kubernetes.io/component: gerrit-replica
    app.kubernetes.io/instance: {{ .Release.Name }}
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    {{- with .Values.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  policyTypes:
  - Egress
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
      app.kubernetes.io/component: gerrit-replica
      app.kubernetes.io/instance: {{ .Release.Name }}
  egress:
  {{- toYaml .Values.gerritReplica.networkPolicy.egress | nindent 2 }}
{{- end }}
---
{{ if .Values.istio.enabled -}}
# Sidecar exception, rendered only when istio.enabled is set: allows TCP
# port 15012 in both directions for every pod of this release.
# NOTE(review): 15012 is presumably the Istio control-plane (istiod) port;
# confirm against the mesh installation. Neither rule names a peer (`to` /
# `from` are absent), so the port is open to and from any address rather
# than only the control plane. The resource name is also fixed, not
# release-scoped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istio-proxy
  labels:
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    {{- with .Values.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  policyTypes:
  - Egress
  - Ingress
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
  egress:
  - ports:
    - protocol: TCP
      port: 15012
  ingress:
  - ports:
    - protocol: TCP
      port: 15012
---
# Ingress exception for traffic arriving through the Istio ingress gateway:
# TCP port 80, plus the configured SSH service port when istio.ssh.enabled
# is set.
# NOTE(review): `from` holds two separate list entries, which Kubernetes
# evaluates as alternatives: (1) any pod in a namespace labelled
# name=istio-system, or (2) any pod in this policy's own namespace labelled
# istio=ingressgateway. If the intent is "gateway pods inside istio-system
# only", both selectors belong in a single entry. Also note that the `name`
# namespace label is not set by Kubernetes itself and must be applied by an
# administrator (recent versions set kubernetes.io/metadata.name
# automatically), and that anyone able to label namespaces or pods this way
# satisfies the selector.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-istio-ingress
  labels:
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    {{- with .Values.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
  ingress:
  - ports:
    - protocol: TCP
      port: 80
    {{- if .Values.istio.ssh.enabled }}
    - protocol: TCP
      port: {{ .Values.gerritReplica.service.ssh.port }}
    {{- end }}
    from:
    - namespaceSelector:
        matchLabels:
          name: istio-system
    - podSelector:
        matchLabels:
          istio: ingressgateway
{{- end }}
{{- end }}