Skip to content

Commit

Permalink
[bitnami/memcached] Network policy review
Browse files Browse the repository at this point in the history
Apply the same changes made in PR bitnami#25519 to the memcached chart

Signed-off-by: Ben Foster <[email protected]>
  • Loading branch information
bpfoster committed May 16, 2024
1 parent 1ee381b commit 7708c7b
Show file tree
Hide file tree
Showing 4 changed files with 44 additions and 33 deletions.
2 changes: 1 addition & 1 deletion bitnami/memcached/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -31,4 +31,4 @@ maintainers:
name: memcached
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/memcached
version: 7.0.6
version: 7.1.0
42 changes: 22 additions & 20 deletions bitnami/memcached/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -237,26 +237,28 @@ If you encounter errors when working with persistent volumes, refer to our [trou

### Traffic Exposure parameters

| Name | Description | Value |
| --------------------------------------- | --------------------------------------------------------------------------------------- | ----------- |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.ports.memcached` | Memcached service port | `11211` |
| `service.nodePorts.memcached` | Node port for Memcached | `""` |
| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `""` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `service.clusterIP` | Memcached service Cluster IP | `""` |
| `service.loadBalancerIP` | Memcached service Load Balancer IP | `""` |
| `service.loadBalancerSourceRanges` | Memcached service Load Balancer sources | `[]` |
| `service.externalTrafficPolicy` | Memcached service external traffic policy | `Cluster` |
| `service.annotations` | Additional custom annotations for Memcached service | `{}` |
| `service.extraPorts` | Extra ports to expose in the Memcached service (normally used with the `sidecar` value) | `[]` |
| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
| `networkPolicy.allowExternal` | The Policy model to apply | `true` |
| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
| Name | Description | Value |
| --------------------------------------- | ------------------------------------------------------------------------------------------------------------- | ----------- |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.ports.memcached` | Memcached service port | `11211` |
| `service.nodePorts.memcached` | Node port for Memcached | `""` |
| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `""` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `service.clusterIP` | Memcached service Cluster IP | `""` |
| `service.loadBalancerIP` | Memcached service Load Balancer IP | `""` |
| `service.loadBalancerSourceRanges` | Memcached service Load Balancer sources | `[]` |
| `service.externalTrafficPolicy` | Memcached service external traffic policy | `Cluster` |
| `service.annotations` | Additional custom annotations for Memcached service | `{}` |
| `service.extraPorts` | Extra ports to expose in the Memcached service (normally used with the `sidecar` value) | `[]` |
| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
| `networkPolicy.allowExternal` | The Policy model to apply | `true` |
| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true. | `true` |
| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true. | `{}` |
| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` |
| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` |

### Other Parameters

Expand Down
20 changes: 10 additions & 10 deletions bitnami/memcached/templates/networkpolicy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -49,22 +49,22 @@ spec:
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.networkPolicy.addExternalClientAccess }}
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
{{- end }}
{{- if .Values.networkPolicy.ingressPodMatchLabels }}
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }}
{{- end }}
{{- if .Values.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressNSMatchLabels "context" $ ) | nindent 14 }}
{{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressNSPodMatchLabels "context" $ ) | nindent 14 }}
{{- end }}
{{- end }}
{{- end }}
Expand Down
13 changes: 11 additions & 2 deletions bitnami/memcached/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -483,6 +483,9 @@ networkPolicy:
## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true.
##
addExternalClientAccess: true
## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraIngress:
Expand Down Expand Up @@ -517,8 +520,14 @@ networkPolicy:
## - frontend
##
extraEgress: []
## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true.
## e.g:
## ingressPodMatchLabels:
## my-client: "true"
#
ingressPodMatchLabels: {}
## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
Expand Down

0 comments on commit 7708c7b

Please sign in to comment.