feat: add additional ciliumNetworkPolicies in loki helm chart for world egress for read, write and backend (#12066)

Signed-off-by: QuantumEnigmaa <thibaud@giantswarm.io> Co-authored-by: Michel Hollands <42814411+MichelHollands@users.noreply.github.com>
1 year ago · c1084a144a
parent b0478e61c8
commit c1084a144a
6 changed files with 73 additions and 2 deletions
--- a/docs/sources/setup/install/helm/reference.md
+++ b/docs/sources/setup/install/helm/reference.md
@ -3120,6 +3120,24 @@ null
 			<td><pre lang="json">
 null
 </pre>
+</td>
+		</tr>
+		<tr>
+			<td>networkPolicy.egressKubeApiserver.enabled</td>
+			<td>bool</td>
+			<td>Enable additional cilium egress rules to kube-apiserver for backend.</td>
+			<td><pre lang="json">
+false
+</pre>
+</td>
+		</tr>
+		<tr>
+			<td>networkPolicy.egressWorld.enabled</td>
+			<td>bool</td>
+			<td>Enable additional cilium egress rules to external world for write, read and backend.</td>
+			<td><pre lang="json">
+false
+</pre>
 </td>
 		</tr>
 		<tr>
--- a/production/helm/loki/CHANGELOG.md
+++ b/production/helm/loki/CHANGELOG.md
@ -13,6 +13,10 @@ Entries should include a reference to the pull request that introduced the chang

 [//]: # (<AUTOMATED_UPDATES_LOCATOR> : do not remove this line. This locator is used by the CI pipeline to automatically create a changelog entry for each new Loki release. Add other chart versions and respective changelog entries bellow this line.)

+## 5.43.4
+
+- [ENHANCEMENT] Add `ciliumnetworkpolicies` with egress to world for write, read and backend.
+
 ## 5.43.3

 - [ENHANCEMENT] Added missing default values to support ServerSideApply
--- a/production/helm/loki/Chart.yaml
+++ b/production/helm/loki/Chart.yaml
@ -3,7 +3,7 @@ name: loki
 description: Helm chart for Grafana Loki in simple, scalable mode
 type: application
 appVersion: 2.9.4
-version: 5.43.3
+version: 5.43.4
 home: https://grafana.github.io/helm-charts
 sources:
  - https://github.com/grafana/loki
--- a/production/helm/loki/README.md
+++ b/production/helm/loki/README.md
@ -1,6 +1,6 @@
 # loki

-![Version: 5.43.3](https://img.shields.io/badge/Version-5.43.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.9.4](https://img.shields.io/badge/AppVersion-2.9.4-informational?style=flat-square)
+![Version: 5.43.4](https://img.shields.io/badge/Version-5.43.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.9.4](https://img.shields.io/badge/AppVersion-2.9.4-informational?style=flat-square)

 Helm chart for Grafana Loki in simple, scalable mode

--- a/production/helm/loki/templates/ciliumnetworkpolicy.yaml
+++ b/production/helm/loki/templates/ciliumnetworkpolicy.yaml
@ -158,6 +158,49 @@ spec:
  {{- end }}
 {{- end }}

+{{- if .Values.networkPolicy.egressWorld.enabled }}
+{{- $global := . }}
+{{- $componentsList := list "read" "write" "backend" }}
+{{- range $component := $componentsList }}
+{{- with $global }}
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "loki.name" . }}-{{ $component }}-world-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- if eq $component "read" }}
+      {{- include "loki.readSelectorLabels" . | nindent 6 }}
+      {{- else if eq $component "write" }}
+      {{- include "loki.writeSelectorLabels" . | nindent 6 }}
+      {{- else }}
+      {{- include "loki.backendSelectorLabels" . | nindent 6 }}
+      {{- end }}
+  egress:
+  - toEntities:
+    - world
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.networkPolicy.egressKubeApiserver.enabled }}
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "loki.name" . }}-backend-kubeapiserver-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "loki.backendSelectorLabels" . | nindent 6 }}
+  egress:
+  - toEntities:
+    - kube-apiserver
+{{- end }}
+
 {{- end }}

 {{- if and .Values.networkPolicy.discovery.port (eq .Values.networkPolicy.flavor "cilium") }}
--- a/production/helm/loki/values.yaml
+++ b/production/helm/loki/values.yaml
@ -1522,6 +1522,12 @@ networkPolicy:
    podSelector: {}
    # -- Specifies the namespace the discovery Pods are running in
    namespaceSelector: {}
+  egressWorld:
+    # -- Enable additional cilium egress rules to external world for write, read and backend.
+    enabled: false
+  egressKubeApiserver:
+    # -- Enable additional cilium egress rules to kube-apiserver for backend.
+    enabled: false
 # -------------------------------------
 # Configuration for `minio` child chart
 # -------------------------------------