Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[bitnami/memcached] Network policy review #25906

Merged
merged 1 commit into from
May 17, 2024
Merged

[bitnami/memcached] Network policy review #25906

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion bitnami/memcached/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,4 +31,4 @@ maintainers:
name: memcached
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/memcached
version: 7.0.6
version: 7.1.0
42 changes: 22 additions & 20 deletions bitnami/memcached/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -237,26 +237,28 @@ If you encounter errors when working with persistent volumes, refer to our [trou

### Traffic Exposure parameters

| Name | Description | Value |
| --------------------------------------- | --------------------------------------------------------------------------------------- | ----------- |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.ports.memcached` | Memcached service port | `11211` |
| `service.nodePorts.memcached` | Node port for Memcached | `""` |
| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `""` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `service.clusterIP` | Memcached service Cluster IP | `""` |
| `service.loadBalancerIP` | Memcached service Load Balancer IP | `""` |
| `service.loadBalancerSourceRanges` | Memcached service Load Balancer sources | `[]` |
| `service.externalTrafficPolicy` | Memcached service external traffic policy | `Cluster` |
| `service.annotations` | Additional custom annotations for Memcached service | `{}` |
| `service.extraPorts` | Extra ports to expose in the Memcached service (normally used with the `sidecar` value) | `[]` |
| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
| `networkPolicy.allowExternal` | The Policy model to apply | `true` |
| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
| Name | Description | Value |
| --------------------------------------- | ------------------------------------------------------------------------------------------------------------- | ----------- |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.ports.memcached` | Memcached service port | `11211` |
| `service.nodePorts.memcached` | Node port for Memcached | `""` |
| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `""` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `service.clusterIP` | Memcached service Cluster IP | `""` |
| `service.loadBalancerIP` | Memcached service Load Balancer IP | `""` |
| `service.loadBalancerSourceRanges` | Memcached service Load Balancer sources | `[]` |
| `service.externalTrafficPolicy` | Memcached service external traffic policy | `Cluster` |
| `service.annotations` | Additional custom annotations for Memcached service | `{}` |
| `service.extraPorts` | Extra ports to expose in the Memcached service (normally used with the `sidecar` value) | `[]` |
| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
| `networkPolicy.allowExternal` | The Policy model to apply | `true` |
| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true. | `true` |
| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true. | `{}` |
| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` |
| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` |

### Other Parameters

Expand Down
20 changes: 10 additions & 10 deletions bitnami/memcached/templates/networkpolicy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,22 +49,22 @@ spec:
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.networkPolicy.addExternalClientAccess }}
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
{{- end }}
{{- if .Values.networkPolicy.ingressPodMatchLabels }}
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }}
{{- end }}
{{- if .Values.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressNSMatchLabels "context" $ ) | nindent 14 }}
{{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressNSPodMatchLabels "context" $ ) | nindent 14 }}
{{- end }}
{{- end }}
{{- end }}
Expand Down
13 changes: 11 additions & 2 deletions bitnami/memcached/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -483,6 +483,9 @@ networkPolicy:
## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true.
##
addExternalClientAccess: true
## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraIngress:
Expand Down Expand Up @@ -517,8 +520,14 @@ networkPolicy:
## - frontend
##
extraEgress: []
## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true.
## e.g:
## ingressPodMatchLabels:
## my-client: "true"
#
ingressPodMatchLabels: {}
## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
Expand Down
Loading