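# Copyright (c) 2021, 2023, Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.

# Every policy below lists only "Ingress" in policyTypes, so egress is never restricted by this chart.
# Templated scalar values are passed through "quote" so that a digit-only or boolean-looking
# namespace name still renders as a YAML string.

{{- if .Values.authproxy.enabled }}
# Network policy for Verrazzano API Proxy
# Ingress: allow nginx-ingress-controller (ingress-nginx namespace) to connect to ports 8775, 8776 and 8777
#          allow fluentd (verrazzano-system) and, when the Fluent Operator is enabled, fluent-bit to connect to port 8775
#          allow Jaeger pods to connect to port 8775 when the Jaeger Operator is enabled
#          allow Prometheus (verrazzano-monitoring) to scrape Envoy stats on port 15090 and port 9113
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: verrazzano-authproxy
  namespace: {{ .Release.Namespace | quote }}
spec:
  podSelector:
    matchLabels:
      app: verrazzano-authproxy
  policyTypes:
    - Ingress
  ingress:
    # namespaceSelector and podSelector in one peer are ANDed: the pod must match both.
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: {{ .Values.ingressNGINX.namespace | quote }}
          podSelector:
            matchLabels:
              app.kubernetes.io/instance: ingress-controller
      ports:
        - port: 8775
          protocol: TCP
        - port: 8776
          protocol: TCP
        - port: 8777
          protocol: TCP
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-system
          podSelector:
            matchLabels:
              app: fluentd
        {{- if .Values.fluentOperator.enabled }}
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: {{ .Values.namespace | quote }}
          podSelector:
            matchLabels:
              app.kubernetes.io/name: fluent-bit
        {{- end }}
      ports:
        - port: 8775
          protocol: TCP
    {{- if .Values.jaegerOperator.enabled }}
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: {{ .Values.jaegerOperator.namespace | quote }}
          podSelector:
            matchLabels:
              app: jaeger
      ports:
        - port: 8775
          protocol: TCP
    {{- end }}
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 15090
          protocol: TCP
        - port: 9113
          protocol: TCP
{{- end }}
{{- if .Values.console.enabled }}
---
# Network policy for Verrazzano console
# Ingress: allow verrazzano-authproxy (verrazzano-system) to connect to port 8000
#          allow Prometheus (verrazzano-monitoring) to scrape Envoy stats on port 15090
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: verrazzano-console
  namespace: {{ .Release.Namespace | quote }}
spec:
  podSelector:
    matchLabels:
      app: verrazzano-console
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-system
          podSelector:
            matchLabels:
              app: verrazzano-authproxy
      ports:
        - port: 8000
          protocol: TCP
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 15090
          protocol: TCP
{{- end }}
{{- if .Values.applicationOperator.enabled }}
---
# Network policy for Verrazzano application operator
# Ingress: allow any source to reach webhook port 9443 (no "from" clause: the caller is the
#          Kubernetes API server, which pod/namespace selectors cannot match)
#          allow Prometheus (verrazzano-monitoring) to scrape metrics on port 9100
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: verrazzano-application-operator
  namespace: {{ .Release.Namespace | quote }}
spec:
  podSelector:
    matchLabels:
      app: verrazzano-application-operator
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - port: 9443
          protocol: TCP
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 9100
          protocol: TCP
{{- end }}
{{- if .Values.oam.enabled }}
---
# Network policy for Verrazzano application operator webhook
# Ingress: allow any source to reach webhook port 9443 (no "from" clause: the caller is the
#          Kubernetes API server, which pod/namespace selectors cannot match)
#          allow Prometheus (verrazzano-monitoring) to scrape metrics on port 9100
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: verrazzano-application-operator-webhook
  namespace: {{ .Release.Namespace | quote }}
spec:
  podSelector:
    matchLabels:
      app: verrazzano-application-operator-webhook
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - port: 9443
          protocol: TCP
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 9100
          protocol: TCP
---
# Network policy for OAM Kubernetes Runtime operator
# Ingress: deny all (policyTypes selects Ingress and no ingress rules are listed)
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: oam-kubernetes-runtime
  namespace: {{ .Release.Namespace | quote }}
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: oam-kubernetes-runtime
  policyTypes:
    - Ingress
{{- end }}
{{- if .Values.jaegerOperator.enabled }}
---
# Network policy for Jaeger Collector
# Ingress: allow any source to connect to Jaeger Collector ports 9411 and 14250 (no "from" clause)
#          allow Prometheus (verrazzano-monitoring) to scrape Jaeger Collector metrics on port 14269
#          allow Prometheus (verrazzano-monitoring) to scrape Envoy stats on port 15090
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: jaeger-collector
  namespace: {{ .Values.jaegerOperator.namespace | quote }}
spec:
  podSelector:
    matchLabels:
      app: jaeger
      app.kubernetes.io/component: collector
      app.kubernetes.io/managed-by: jaeger-operator
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - port: 9411
          protocol: TCP
        - port: 14250
          protocol: TCP
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 14269
          protocol: TCP
        - port: 15090
          protocol: TCP
---
# Network policy for Jaeger Query
# Ingress: allow Prometheus (verrazzano-monitoring) to scrape Jaeger Query metrics on ports 14271 and 16687
#          allow Prometheus (verrazzano-monitoring) to scrape Envoy stats on port 15090
#          allow verrazzano-authproxy (verrazzano-system) to reach the Jaeger UI on port 16686
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: jaeger-query
  namespace: {{ .Values.jaegerOperator.namespace | quote }}
spec:
  podSelector:
    matchLabels:
      app: jaeger
      app.kubernetes.io/component: query
      app.kubernetes.io/managed-by: jaeger-operator
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 16687
          protocol: TCP
        - port: 14271
          protocol: TCP
        - port: 15090
          protocol: TCP
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-system
          podSelector:
            matchLabels:
              app: verrazzano-authproxy
      ports:
        - port: 16686
          protocol: TCP
{{- end }}
{{- if .Values.clusterOperator.enabled }}
---
# Network policy for Verrazzano cluster operator
# Ingress: allow Prometheus (verrazzano-monitoring) to scrape metrics on port 9100
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: verrazzano-cluster-operator
  namespace: {{ .Release.Namespace | quote }}
spec:
  podSelector:
    matchLabels:
      app: verrazzano-cluster-operator
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 9100
          protocol: TCP
---
# Network policy for Verrazzano cluster operator webhooks
# Ingress: allow any source to reach webhook port 9443 (no "from" clause: the caller is the
#          Kubernetes API server, which pod/namespace selectors cannot match)
#          allow Prometheus (verrazzano-monitoring) to scrape metrics on port 9100
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: verrazzano-cluster-operator-webhook
  namespace: {{ .Release.Namespace | quote }}
spec:
  podSelector:
    matchLabels:
      app: verrazzano-cluster-operator-webhook
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - port: 9443
          protocol: TCP
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 9100
          protocol: TCP
{{- end }}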