[VC-48226]: document default NetworkPolicy and example values #1911
I have tested this new version of the Helm values here:
| # Example: Internal DNS (Bind) server | ||
| - ports: | ||
| - port: 8053 | ||
| protocol: UDP | ||
| - port: 8053 | ||
| protocol: TCP | ||
| to: | ||
| - namespaceSelector: | ||
| matchLabels: | ||
| kubernetes.io/metadata.name: bind |
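Review bot: the port numbers in this egress rule are matched against the bind pod's own listening port, not against the ClusterIP Service port in front of it, so `port: 8053` is only correct if that is what the DNS pod itself listens on; the `# Example: Internal DNS (Bind) server` comment should say so explicitly, because a reader whose resolver pods listen on 53 will otherwise copy the Service port and get no DNS at all. Separately, a `namespaceSelector` on its own matches every pod in the `bind` namespace; pairing it with a `podSelector` in the same peer entry would narrow the exception to the DNS pods only.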
Our E2E test bind server actually has a ClusterIP Service which maps port 53 to targetPort 8053,
but the kindnet NetworkPolicy implementation seems to ignore the service port. Maybe Calico works the same, based on this comment:
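The point in the comment above, that NetworkPolicy port matching is evaluated against the destination pod's port (the Service's targetPort) rather than the Service's own port, is easy to get wrong when copying an example. Here is an added, stand-alone checker that is not part of this PR or of cert-manager: it takes Service and NetworkPolicy manifests as plain dicts and flags egress entries that name a Service port whose targetPort differs. The Service (53 -> 8053 in namespace bind), the policy builder, and the names cert-manager-controller and kubernetes.io/metadata.name usage are constructed sample input for the example.

```python
"""Flag NetworkPolicy egress ports that name a Service port instead of the pod port.

Kubernetes evaluates NetworkPolicy `ports` against the destination pod's port
(the Service's targetPort); the Service VIP is DNAT'ed before policy is enforced,
so a rule written with the Service port never matches the pods behind it.
Everything below is constructed sample input (added example, not project code).
"""

NS_LABEL = "kubernetes.io/metadata.name"  # label Kubernetes sets on every namespace

# Constructed sample: ClusterIP Service in namespace "bind" exposing 53 -> targetPort 8053,
# mirroring the E2E bind server described in the thread.
SERVICES = [
    {
        "metadata": {"name": "bind", "namespace": "bind"},
        "spec": {
            "ports": [
                {"port": 53, "targetPort": 8053, "protocol": "UDP"},
                {"port": 53, "targetPort": 8053, "protocol": "TCP"},
            ]
        },
    }
]


def egress_policy(port, to_namespace="bind"):
    """Build a constructed NetworkPolicy allowing egress on `port` over UDP and TCP.

    With to_namespace=None the rule carries no `to` peer and therefore applies to
    every destination, which is how an unrestricted self-check rule would look.
    """
    rule = {"ports": [{"port": port, "protocol": "UDP"}, {"port": port, "protocol": "TCP"}]}
    if to_namespace is not None:
        rule["to"] = [{"namespaceSelector": {"matchLabels": {NS_LABEL: to_namespace}}}]
    return {
        "metadata": {"name": "cert-manager-controller", "namespace": "cert-manager"},
        "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [rule]},
    }


def peer_namespaces(rule):
    """Namespaces an egress rule's `to` peers select via the namespace-name label.

    Returns None when the rule has no `to` list (all destinations) or when a peer
    selects by some other label or is an ipBlock, which cannot be resolved offline;
    None is treated as "could reach any namespace", i.e. the conservative choice.
    """
    peers = rule.get("to")
    if not peers:
        return None
    names = set()
    for peer in peers:
        labels = peer.get("namespaceSelector", {}).get("matchLabels", {})
        if NS_LABEL not in labels:
            return None
        names.add(labels[NS_LABEL])
    return names


def check_egress_ports(policy, services):
    """Return findings for egress ports that equal a Service port whose targetPort differs."""
    findings = []
    for i, rule in enumerate(policy["spec"].get("egress", [])):
        allowed_ns = peer_namespaces(rule)
        for entry in rule.get("ports", []):
            port, proto = entry.get("port"), entry.get("protocol", "TCP")
            if not isinstance(port, int):
                continue  # named ports resolve against container port names, not Services
            for svc in services:
                ns, name = svc["metadata"]["namespace"], svc["metadata"]["name"]
                if allowed_ns is not None and ns not in allowed_ns:
                    continue
                for sp in svc["spec"]["ports"]:
                    target = sp.get("targetPort", sp["port"])
                    if sp.get("protocol", "TCP") == proto and sp["port"] == port and target != port:
                        findings.append(
                            f"egress[{i}] allows {port}/{proto}, the Service port of {ns}/{name}; "
                            f"its pods listen on {target}/{proto}, so this rule will not match them"
                        )
    return findings


if __name__ == "__main__":
    for label, policy in (("service port", egress_policy(53)), ("pod port", egress_policy(8053))):
        print(f"{label}: {check_egress_ports(policy, SERVICES) or 'ok'}")
```

Run against the thread's scenario, the policy written with 53 produces two findings (one per protocol) and the policy written with 8053 produces none; a rule with no `to` peer is still checked against every Service, since it could reach any of them.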
Rebasing on release-next because this refers to features which will only be available in the upcoming cert-manager 1.20 release,
Pull request overview
This PR adds documentation for the new NetworkPolicy feature in cert-manager 1.20, which allows users to create NetworkPolicy resources for cert-manager deployments via the Helm chart.
Changes:
- Added NetworkPolicy section to release notes explaining the new feature
- Documented default NetworkPolicy behavior and provided guidance on customizing rules
- Added example Helm values demonstrating how to enable NetworkPolicy for each component
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| content/docs/releases/release-notes/release-notes-1.20.md | Added "Network Policy" major theme with brief description and link to best practices |
| content/docs/installation/best-practice.md | Added comprehensive NetworkPolicy documentation including defaults, example Helm values, and security recommendations |
| public/docs/installation/best-practice/values.best-practice.yaml | Added NetworkPolicy configuration for controller, webhook, and cainjector components with example egress rules |
| protocol: UDP | ||
| # ACME HTTP01 self-checks | ||
| - port: 80 | ||
| protocol: TCP |
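Review bot: the `# ACME HTTP01 self-checks` entry for `port: 80` appears here without any note that, as this thread establishes, supplying egress rules in values replaces the chart's default egress rules rather than merging with them; a one-line comment at the top of the egress list stating that these entries are the complete allow-list and that dropping one removes a default would stop readers treating them as additive. If this self-check entry carries no `to:` peer, it also permits egress on port 80 to any destination, which HTTP01 self-checks against arbitrary hostnames require; the comment should say that this is deliberate rather than an oversight.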
Do we normally repeat the chart defaults? Can we link to the defaults instead, or remove this duplication?
As the Helm template is currently written, the defaults get overwritten by any egress rules you specify in the values.
And I think that makes sense because the defaults are too permissive for most.
The problem is that I'm trying to use this documentation to test the defaults...perhaps that's a mistake.
No, I think using the documentation to test the defaults is a brilliant idea! 👏 But I don't understand why we have to repeat the defaults here, if the purpose is to test the defaults. Isn't the egress element here identical to the default?
I've tried to make it clearer.
…s rules
- Document default NetworkPolicy behavior and recommend restricting rules
- Add example Helm values for enabling networkPolicy per component
- Update public best-practice YAML to enable networkPolicy keys
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: erikgb
Merged 8336efc into cert-manager:release-next
Preview:
Documentation to accompany @jcpunk's cert-manager/cert-manager#8370
Changes
Slack Discussion
Testing
I tested the sample Helm values by using them in the best-practice E2E tests in: