
Commit 1efea17

helm: Add NetworkPolicy support
Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt>
1 parent e82c72c commit 1efea17

4 files changed

Lines changed: 72 additions & 0 deletions


deploy/charts/cert-manager/README.template.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -145,6 +145,9 @@ The following table lists the configurable parameters of the cert-manager chart
145145
| `webhook.serviceAccount.automountServiceAccountToken` | Automount API credentials for the webhook Service Account | |
146146
| `webhook.resources` | CPU/memory resource requests/limits for the webhook pods | `{}` |
147147
| `webhook.nodeSelector` | Node labels for webhook pod assignment | `{}` |
148+
| `webhook.networkPolicy.enabled` | Enable default network policies for webhooks egress and ingress traffic | `false` |
149+
| `webhook.networkPolicy.ingress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` |
150+
| `webhook.networkPolicy.egress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` |
148151
| `webhook.affinity` | Node affinity for webhook pod assignment | `{}` |
149152
| `webhook.tolerations` | Node tolerations for webhook pod assignment | `[]` |
150153
| `webhook.topologySpreadConstraints` | Topology spread constraints for webhook pod assignment | `[]` |
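Review bot: The description for `webhook.networkPolicy.egress` on the third added row says "Sets ingress policy block", a copy-paste of the row above; it should read "Sets egress policy block". Two smaller points on the same rows: "webhooks egress and ingress traffic" should be "webhook egress and ingress traffic", and the documented default of `{}` for `ingress` and `egress` does not match what this commit ships in `values.yaml` (a list with one rule each), so the default column should either show those lists or be left blank with a pointer to `values.yaml`.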
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
{{- if .Values.webhook.networkPolicy.enabled }}
2+
apiVersion: networking.k8s.io/v1
3+
kind: NetworkPolicy
4+
metadata:
5+
name: {{ template "webhook.fullname" . }}-allow-egress
6+
namespace: {{ include "cert-manager.namespace" . }}
7+
spec:
8+
egress:
9+
{{- with .Values.webhook.networkPolicy.egress }}
10+
{{- toYaml . | nindent 2 }}
11+
{{- end }}
12+
podSelector:
13+
matchLabels:
14+
app: {{ include "webhook.name" . }}
15+
app.kubernetes.io/name: {{ include "webhook.name" . }}
16+
app.kubernetes.io/instance: {{ .Release.Name }}
17+
app.kubernetes.io/component: "webhook"
18+
{{- with .Values.webhook.podLabels }}
19+
{{- toYaml . | nindent 6 }}
20+
{{- end }}
21+
policyTypes:
22+
- Egress
23+
{{- end }}
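Review bot: If `webhook.networkPolicy.egress` is empty (the README in this commit documents `{}` as its default), the `with` block emits nothing and the rendered manifest becomes `egress:` with a null value under `policyTypes: [Egress]`, which is a deny-all egress policy for the webhook pods rather than "no restriction". Either guard the whole resource on the egress value being non-empty, or fail the render with `required` so a user who sets `enabled: true` and clears the list gets an error instead of a silently isolated webhook. Minor: `metadata.name` uses `{{ template "webhook.fullname" . }}` while the namespace line uses `include`; `include` is preferable since its output can be piped, and the rest of the file already uses it.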
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
{{- if .Values.webhook.networkPolicy.enabled }}
2+
3+
apiVersion: networking.k8s.io/v1
4+
kind: NetworkPolicy
5+
metadata:
6+
name: {{ template "webhook.fullname" . }}-allow-ingress
7+
namespace: {{ include "cert-manager.namespace" . }}
8+
spec:
9+
ingress:
10+
{{- with .Values.webhook.networkPolicy.ingress }}
11+
{{- toYaml . | nindent 2 }}
12+
{{- end }}
13+
podSelector:
14+
matchLabels:
15+
app: {{ include "webhook.name" . }}
16+
app.kubernetes.io/name: {{ include "webhook.name" . }}
17+
app.kubernetes.io/instance: {{ .Release.Name }}
18+
app.kubernetes.io/component: "webhook"
19+
{{- with .Values.webhook.podLabels }}
20+
{{- toYaml . | nindent 6 }}
21+
{{- end }}
22+
policyTypes:
23+
- Ingress
24+
25+
{{- end }}
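Review bot: The ingress policy renders whatever the user puts in `webhook.networkPolicy.ingress` with no `ports` restriction of its own, so with the shipped default (`from: ipBlock 0.0.0.0/0`) it is an allow-all rule that adds nothing over having no policy at all. Since the API server is the only expected client and its source address is often not a pod IP (which is presumably why `ipBlock` is used instead of a `podSelector`), the useful tightening here is a `ports` entry limited to the webhook's listening port, either in the template or in the default value. The same null-value hazard as in the egress template applies: an empty `ingress` list under `policyTypes: [Ingress]` denies all inbound traffic, including admission requests from the API server. The blank lines at lines 2 and 24 of the template should also be dropped.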

deploy/charts/cert-manager/values.yaml

Lines changed: 21 additions & 0 deletions
@@ -380,6 +380,27 @@ webhook:
380380
url: {}
381381
# host:
382382

383+
# Enables default network policies for webhooks.
384+
networkPolicy:
385+
enabled: false
386+
ingress:
387+
- from:
388+
- ipBlock:
389+
cidr: 0.0.0.0/0
390+
egress:
391+
- ports:
392+
- port: 80
393+
protocol: TCP
394+
- port: 443
395+
protocol: TCP
396+
- port: 53
397+
protocol: TCP
398+
- port: 53
399+
protocol: UDP
400+
to:
401+
- ipBlock:
402+
cidr: 0.0.0.0/0
403+
383404
cainjector:
384405
enabled: true
385406
replicaCount: 1
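Review bot: The default egress rule only permits TCP 80/443 and 53 TCP/UDP, so a webhook that must reach the kube-apiserver on a port other than 443 (6443 is common on kubeadm-style clusters) is cut off the moment `enabled: true` is set; the comment above `networkPolicy:` should say which endpoints the defaults are meant to cover and that users must add their API server port, or the default should include it. Also, `0.0.0.0/0` only matches IPv4, so on IPv6 or dual-stack clusters an additional `ipBlock` with `cidr: "::/0"` is needed in both the ingress `from` and egress `to` blocks. Lastly, the comment "Enables default network policies for webhooks." reads as if policies are on by default while `enabled: false` follows it; "Network policies for the webhook; disabled by default" would be clearer.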
