Skip to content

Commit

Permalink
[bitnami/prometheus] Network policy review
Browse files Browse the repository at this point in the history 
Apply the same changes made in PR bitnami#25519 to the Prometheus chart

Signed-off-by: Ben Foster <[email protected]>
  • Loading branch information
@bpfoster
bpfoster committed May 15, 2024
1 parent 1ee381b commit e63742a
Show file tree
Hide file tree
Showing 5 changed files with 51 additions and 29 deletions.
2 changes: 1 addition & 1 deletion bitnami/prometheus/Chart.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,4 +35,4 @@ sources:
- https://github.com/bitnami/containers/tree/main/bitnami/prometheus
- https://github.com/prometheus/prometheus
- https://github.com/prometheus-community/helm-charts
version: 1.0.12
version: 1.2.0
12 changes: 8 additions & 4 deletions bitnami/prometheus/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -433,10 +433,12 @@ server:
| `alertmanager.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `alertmanager.networkPolicy.allowExternal` | Don't require alertmanager label for connections | `true` |
| `alertmanager.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `alertmanager.networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true. | `true` |
| `alertmanager.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `alertmanager.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `alertmanager.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `alertmanager.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
| `alertmanager.networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true. | `{}` |
| `alertmanager.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` |
| `alertmanager.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` |
| `alertmanager.service.type` | Alertmanager service type | `LoadBalancer` |
| `alertmanager.service.ports.http` | Alertmanager service HTTP port | `80` |
| `alertmanager.service.ports.cluster` | Alertmanager cluster HA port | `9094` |
Expand Down Expand Up @@ -640,10 +642,12 @@ server:
| `server.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `server.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `server.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `server.networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true. | `true` |
| `server.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `server.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `server.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `server.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
| `server.networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true. | `{}` |
| `server.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` |
| `server.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` |
| `server.service.type` | Prometheus service type | `LoadBalancer` |
| `server.service.ports.http` | Prometheus service HTTP port | `80` |
| `server.service.nodePorts.http` | Node port for HTTP | `""` |
Expand Down
20 changes: 10 additions & 10 deletions bitnami/prometheus/templates/alertmanager/networkpolicy.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,21 +46,21 @@ spec:
from:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.networkPolicy.addExternalClientAccess }}
- podSelector:
matchLabels:
{{ template "prometheus.alertmanager.fullname" . }}-client: "true"
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
{{- end }}
{{- if .Values.networkPolicy.ingressPodMatchLabels }}
- podSelector:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }}
{{- end }}
{{- if .Values.alertmanager.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.alertmanager.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSMatchLabels "context" $ ) | nindent 14 }}
{{- if .Values.alertmanager.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.alertmanager.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSPodMatchLabels "context" $ ) | nindent 14 }}
{{- end }}
{{- end }}
{{- end }}
Expand Down
20 changes: 10 additions & 10 deletions bitnami/prometheus/templates/server/networkpolicy.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,21 +51,21 @@ spec:
from:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.networkPolicy.addExternalClientAccess }}
- podSelector:
matchLabels:
{{ template "prometheus.server.fullname" . }}-client: "true"
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
{{- end }}
{{- if .Values.networkPolicy.ingressPodMatchLabels }}
- podSelector:
matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }}
{{- end }}
{{- if .Values.server.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.server.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSMatchLabels "context" $ ) | nindent 14 }}
{{- if .Values.server.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.server.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSPodMatchLabels "context" $ ) | nindent 14 }}
{{- end }}
{{- end }}
{{- end }}
Expand Down
26 changes: 22 additions & 4 deletions bitnami/prometheus/values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -520,6 +520,9 @@ alertmanager:
## @param alertmanager.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param alertmanager.networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true.
##
addExternalClientAccess: true
## @param alertmanager.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraIngress:
Expand Down Expand Up @@ -553,8 +556,14 @@ alertmanager:
## - frontend
##
extraEgress: []
## @param alertmanager.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
## @param alertmanager.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
## @param alertmanager.networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true.
## e.g:
## ingressPodMatchLabels:
## my-client: "true"
#
ingressPodMatchLabels: {}
## @param alertmanager.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
## @param alertmanager.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
Expand Down Expand Up @@ -1476,6 +1485,9 @@ server:
## @param server.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param server.networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true.
##
addExternalClientAccess: true
## @param server.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraIngress:
Expand Down Expand Up @@ -1509,8 +1521,14 @@ server:
## - frontend
##
extraEgress: []
## @param server.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
## @param server.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
## @param server.networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true.
## e.g:
## ingressPodMatchLabels:
## my-client: "true"
#
ingressPodMatchLabels: {}
## @param server.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
## @param server.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
Expand Down

0 comments on commit e63742a

Please sign in to comment.