From 7708c7b03b95e9fd756b1ccd6a0dcb06f569a540 Mon Sep 17 00:00:00 2001
From: Ben Foster
Date: Wed, 15 May 2024 08:27:44 -0400
Subject: [PATCH] [bitnami/memcached] Network policy review

Apply the same changes made in PR #25519 to the memcached chart

Signed-off-by: Ben Foster
---
 bitnami/memcached/Chart.yaml | 2 +-
 bitnami/memcached/README.md | 42 ++++++++++---------
 .../memcached/templates/networkpolicy.yaml | 20 ++++-----
 bitnami/memcached/values.yaml | 13 +++++-
 4 files changed, 44 insertions(+), 33 deletions(-)

diff --git a/bitnami/memcached/Chart.yaml b/bitnami/memcached/Chart.yaml
index bed8bccb1402f6..a8a2698ef97bb7 100644
--- a/bitnami/memcached/Chart.yaml
+++ b/bitnami/memcached/Chart.yaml
@@ -31,4 +31,4 @@ maintainers:
 name: memcached
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/memcached
-version: 7.0.6
+version: 7.1.0
diff --git a/bitnami/memcached/README.md b/bitnami/memcached/README.md
index 8d26298fa1f28d..b368f2ea02b381 100644
--- a/bitnami/memcached/README.md
+++ b/bitnami/memcached/README.md
@@ -237,26 +237,28 @@ If you encounter errors when working with persistent volumes, refer to our [trou

 ### Traffic Exposure parameters

-| Name | Description | Value |
-| --------------------------------------- | --------------------------------------------------------------------------------------- | ----------- |
-| `service.type` | Kubernetes Service type | `ClusterIP` |
-| `service.ports.memcached` | Memcached service port | `11211` |
-| `service.nodePorts.memcached` | Node port for Memcached | `""` |
-| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `""` |
-| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
-| `service.clusterIP` | Memcached service Cluster IP | `""` |
-| `service.loadBalancerIP` | Memcached service Load Balancer IP | `""` |
-| `service.loadBalancerSourceRanges` | Memcached service Load Balancer sources | `[]` |
-| `service.externalTrafficPolicy` | Memcached service external traffic policy | `Cluster` |
-| `service.annotations` | Additional custom annotations for Memcached service | `{}` |
-| `service.extraPorts` | Extra ports to expose in the Memcached service (normally used with the `sidecar` value) | `[]` |
-| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
-| `networkPolicy.allowExternal` | The Policy model to apply | `true` |
-| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
-| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
-| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
-| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
-| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
+| Name | Description | Value |
+| --------------------------------------- | ------------------------------------------------------------------------------------------------------------- | ----------- |
+| `service.type` | Kubernetes Service type | `ClusterIP` |
+| `service.ports.memcached` | Memcached service port | `11211` |
+| `service.nodePorts.memcached` | Node port for Memcached | `""` |
+| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `""` |
+| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `service.clusterIP` | Memcached service Cluster IP | `""` |
+| `service.loadBalancerIP` | Memcached service Load Balancer IP | `""` |
+| `service.loadBalancerSourceRanges` | Memcached service Load Balancer sources | `[]` |
+| `service.externalTrafficPolicy` | Memcached service external traffic policy | `Cluster` |
+| `service.annotations` | Additional custom annotations for Memcached service | `{}` |
+| `service.extraPorts` | Extra ports to expose in the Memcached service (normally used with the `sidecar` value) | `[]` |
+| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
+| `networkPolicy.allowExternal` | The Policy model to apply | `true` |
+| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true. | `true` |
+| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true. | `{}` |
+| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` |
+| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` |

 ### Other Parameters

diff --git a/bitnami/memcached/templates/networkpolicy.yaml b/bitnami/memcached/templates/networkpolicy.yaml
index b02dc811783f3e..2fba52bd57ee73 100644
--- a/bitnami/memcached/templates/networkpolicy.yaml
+++ b/bitnami/memcached/templates/networkpolicy.yaml
@@ -49,22 +49,22 @@ spec: {{- if not .Values.networkPolicy.allowExternal }} from: - podSelector: - matchLabels: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.addExternalClientAccess }} + - podSelector: + matchLabels: {{ template "common.names.fullname" . }}-client: "true" + {{- end }} + {{- if .Values.networkPolicy.ingressPodMatchLabels }} - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }} + {{- end }} {{- if .Values.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: - matchLabels: - {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressNSMatchLabels "context" $ ) | nindent 14 }} {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} podSelector: - matchLabels: - {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressNSPodMatchLabels "context" $ ) | nindent 14 }} {{- end }} {{- end }} {{- end }} diff --git a/bitnami/memcached/values.yaml b/bitnami/memcached/values.yaml index 4b0cf90994fb91..8204487aa53268 100644 --- a/bitnami/memcached/values.yaml +++ b/bitnami/memcached/values.yaml 
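Review bot: The three added `matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.<…>MatchLabels "context" $ ) | nindent 14 }}` lines drop the string coercion the removed `{{ $key | quote }}: {{ $value | quote }}` loops provided, so a label value written unquoted in values (e.g. `tier: 1` or `client: true`) is presumably emitted as a YAML int/bool and the API server rejects the NetworkPolicy, where the old template produced `"1"`/`"true"`. Either keep the quoting loop for these three selectors, or state in the `@param` descriptions that label values must be quoted strings (the README's `my-client: "true"` example already does this). Separately, the new `{{ template "common.names.fullname" . }}-client: "true"` selector builds a label key from the release fullname, which can already be up to 63 characters; a long release name would push the key past the 63-character name limit and produce an invalid selector, so the fullname should be trimmed before `-client` is appended. The enclosing `ingress` rule starts outside the hunk.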
@@ -483,6 +483,9 @@ networkPolicy:
 ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
 ##
 allowExternalEgress: true
+ ## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true.
+ ##
+ addExternalClientAccess: true
 ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
 ## e.g:
 ## extraIngress:
@@ -517,8 +520,14 @@ networkPolicy:
 ## - frontend
 ##
 extraEgress: []
- ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
- ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true.
+ ## e.g:
+ ## ingressPodMatchLabels:
+ ## my-client: "true"
+ #
+ ingressPodMatchLabels: {}
+ ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
+ ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
 ##
 ingressNSMatchLabels: {}
 ingressNSPodMatchLabels: {}
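Review bot: The default `addExternalClientAccess: true` means that with `networkPolicy.allowExternal: false` the policy still admits any pod in the release namespace that carries the `<release fullname>-client: "true"` label, and that label is chosen by the client workload, so the restrictive mode is opt-out for clients rather than enforced by whoever installs the chart. The `@param` description should make that trade-off visible, e.g. `## @param networkPolicy.addExternalClientAccess Allow access from any pod in the same namespace that carries the <fullname>-client: "true" label; set to false to restrict ingress to ingressPodMatchLabels/ingressNSMatchLabels. Ignored if networkPolicy.allowExternal is true.`. Whether `true` is the right default for a chart that ships with `allowExternal: true` anyway is a judgement call, but operators hardening the namespace should know both need flipping.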
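Review bot: The new `ingressPodMatchLabels` description says "traffic from other pods", but the template renders it as a bare `podSelector` with no `namespaceSelector`, which only matches pods in the policy's own namespace; `## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods in the same namespace. Ignored if networkPolicy.allowExternal is true.` would stop users expecting it to cover cross-namespace clients (that is what `ingressNSMatchLabels`/`ingressNSPodMatchLabels` are for). Since the template now renders these maps without quoting values, the description should also say that label values must be quoted strings, as the `my-client: "true"` example shows. Minor: the lone `#` line closing that example should be `##` to match the surrounding comment style.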