From 0cce90e74eb10ea4d15721d2b337cf10c974e428 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Mon, 29 Jan 2024 01:15:20 +0100
Subject: [PATCH] chore(shared): Switch network policies to matchExpressions
This patch moves from labelSelectors to matchExpressions since they are immune to kustomize commonLabels, which prevents them from being overwritten by accident.
References:
https://github.com/kubernetes-sigs/kustomize/issues/157
https://github.com/kubernetes-sigs/kustomize/issues/1009
---
 .../networkpolicies/allow-from-database.yaml | 21 +++++++++++++------
 .../networkpolicies/allow-from-ingress.yaml | 2 ++
 .../allow-from-kube-system.yaml | 2 --
 .../allow-from-monitoring.yaml | 9 ++++++--
 shared/networkpolicies/allow-from-redis.yaml | 14 +++++++++----
 shared/networkpolicies/allow-to-database.yaml | 14 +++++++++----
 shared/networkpolicies/allow-to-kubedns.yaml | 19 ++++++++++-------
 .../networkpolicies/allow-to-mailbox-org.yaml | 9 ++++++--
 .../networkpolicies/allow-to-public-web.yaml | 16 ++++++++++----
 9 files changed, 75 insertions(+), 31 deletions(-)
diff --git a/shared/networkpolicies/allow-from-database.yaml b/shared/networkpolicies/allow-from-database.yaml
index 3720a749a..e10a83f8a 100644
--- a/shared/networkpolicies/allow-from-database.yaml
+++ b/shared/networkpolicies/allow-from-database.yaml
@@ -11,8 +11,11 @@ spec: matchLabels: database.shivering-isles.com/network-access-required: "true" podSelector: - matchLabels: - app.kubernetes.io/name: postgres-operator + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - postgres-operator ports: - port: 8008 protocol: TCP
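Review bot: The single-value `In` expression on the postgres-operator peer `podSelector` carries no hint of why `matchLabels` was avoided, so the next maintainer is likely to fold it back into the shorter form and reintroduce the kustomize commonLabels narrowing the commit message describes. A one-line comment above each converted `matchExpressions:` would preserve the reasoning, e.g. `# matchExpressions on purpose: kustomize commonLabels only extends matchLabels, so this peer must stay immune to the consuming app's labels`. The same applies to the other converted selectors in this file and in allow-from-monitoring, allow-from-redis, allow-to-database, allow-to-kubedns, allow-to-mailbox-org and allow-to-public-web. If the kustomize version in use supports the `labels` transformer with `includeSelectors: false`, that removes the hazard at its source and could be mentioned in the comment as the longer-term fix.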
@@ -25,13 +28,19 @@ spec: matchLabels: monitoring.shivering-isles.com/network-access-required: "true" podSelector: - matchLabels: - app.kubernetes.io/name: prometheus + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - prometheus ports: - port: 9187 protocol: TCP - port: 8008 protocol: TCP podSelector: - matchLabels: - application: spilo + matchExpressions: + - key: application + operator: In + values: + - spilo
diff --git a/shared/networkpolicies/allow-from-ingress.yaml b/shared/networkpolicies/allow-from-ingress.yaml
index afa5b0a75..0a0aaa1a1 100644
--- a/shared/networkpolicies/allow-from-ingress.yaml
+++ b/shared/networkpolicies/allow-from-ingress.yaml
@@ -9,3 +9,5 @@ spec: - namespaceSelector: matchLabels: ingress.shivering-isles.com/network-access-required: "true" + podSelector: + matchLabels: {}
\ No newline at end of file
diff --git a/shared/networkpolicies/allow-from-kube-system.yaml b/shared/networkpolicies/allow-from-kube-system.yaml
index 663d92dcd..476ceaee0 100644
--- a/shared/networkpolicies/allow-from-kube-system.yaml
+++ b/shared/networkpolicies/allow-from-kube-system.yaml
@@ -9,8 +9,6 @@ spec: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: kube-system - podSelector: - matchLabels: {} - from: - ipBlock: cidr: 192.168.100.0/24 # Kubernetes hosts
diff --git a/shared/networkpolicies/allow-from-monitoring.yaml b/shared/networkpolicies/allow-from-monitoring.yaml
index ec8e45902..e083bdf31 100644
--- a/shared/networkpolicies/allow-from-monitoring.yaml
+++ b/shared/networkpolicies/allow-from-monitoring.yaml
@@ -11,5 +11,10 @@ spec: matchLabels: monitoring.shivering-isles.com/network-access-required: "true" podSelector: - matchLabels: - app.kubernetes.io/name: prometheus + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - prometheus + podSelector: + matchLabels: {}
\ No newline at end of file
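Review bot: The new spec-level `podSelector: matchLabels: {}` in allow-from-ingress is exactly the field shape the rest of this commit moves away from: as far as I know kustomize commonLabels fills an existing `spec.podSelector.matchLabels` but does not create one, so this empty selector will be narrowed to the consuming app's pods, whereas leaving `podSelector` out keeps the policy on every pod in the namespace. If that scoping is intended it deserves a comment, e.g. `# matchLabels on purpose: kustomize commonLabels may scope this policy to the app's pods`; if not, leave the field out, since an absent `podSelector` already selects every pod. The same added block appears in allow-from-monitoring, allow-to-kubedns, allow-to-mailbox-org and allow-to-public-web. The flattened hunk does not show indentation, so please double-check that `podSelector` sits under `spec` and not under the rule, where it would be rejected under strict field validation or silently dropped otherwise. Both this file and allow-from-monitoring still end without a trailing newline.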
diff --git a/shared/networkpolicies/allow-from-redis.yaml b/shared/networkpolicies/allow-from-redis.yaml
index 1a6a03984..df5fe15e3 100644
--- a/shared/networkpolicies/allow-from-redis.yaml
+++ b/shared/networkpolicies/allow-from-redis.yaml
@@ -12,13 +12,19 @@ spec: matchLabels: redis.shivering-isles.com/network-access-required: "true" podSelector: - matchLabels: - app.kubernetes.io/name: redis-operator + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - redis-operator ports: - port: 26379 protocol: TCP - port: 6379 protocol: TCP podSelector: - matchLabels: - app.kubernetes.io/part-of: redis-failover + matchExpressions: + - key: app.kubernetes.io/part-of + operator: In + values: + - redis-failover
diff --git a/shared/networkpolicies/allow-to-database.yaml b/shared/networkpolicies/allow-to-database.yaml
index 53a142d6c..8e86c16cd 100644
--- a/shared/networkpolicies/allow-to-database.yaml
+++ b/shared/networkpolicies/allow-to-database.yaml
@@ -18,10 +18,16 @@ spec: port: 9000 - to: - podSelector: - matchLabels: - application: spilo + matchExpressions: + - key: application + operator: In + values: + - spilo podSelector: - matchLabels: - application: spilo + matchExpressions: + - key: application + operator: In + values: + - spilo policyTypes: - Egress
diff --git a/shared/networkpolicies/allow-to-kubedns.yaml b/shared/networkpolicies/allow-to-kubedns.yaml
index 0edb8bfb4..3b8d0e8d8 100644
--- a/shared/networkpolicies/allow-to-kubedns.yaml
+++ b/shared/networkpolicies/allow-to-kubedns.yaml
@@ -6,16 +6,21 @@ metadata: spec: egress: - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - podSelector: - matchLabels: - k8s-app: kube-dns + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchExpressions: + - key: k8s-app + operator: In + values: + - kube-dns ports: - port: 53 protocol: UDP - port: 53 protocol: TCP policyTypes: - - Egress
\ No newline at end of file
+ - Egress + podSelector: + matchLabels: {}
\ No newline at end of file
diff --git a/shared/networkpolicies/allow-to-mailbox-org.yaml b/shared/networkpolicies/allow-to-mailbox-org.yaml
index f302e1d83..6741df6ab 100644
--- a/shared/networkpolicies/allow-to-mailbox-org.yaml
+++ b/shared/networkpolicies/allow-to-mailbox-org.yaml
@@ -18,12 +18,17 @@ spec: matchLabels: kubernetes.io/metadata.name: kube-system podSelector: - matchLabels: - k8s-app: kube-dns + matchExpressions: + - key: k8s-app + operator: In + values: + - kube-dns ports: - port: 53 protocol: UDP - port: 53 protocol: TCP + podSelector: + matchLabels: {} policyTypes: - Egress
diff --git a/shared/networkpolicies/allow-to-public-web.yaml b/shared/networkpolicies/allow-to-public-web.yaml
index b1f260c72..1a0793758 100644
--- a/shared/networkpolicies/allow-to-public-web.yaml
+++ b/shared/networkpolicies/allow-to-public-web.yaml
@@ -10,8 +10,11 @@ spec: matchLabels: kubernetes.io/metadata.name: nginx-system podSelector: - matchLabels: - app.kubernetes.io/name: haproxy + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - haproxy ports: - protocol: TCP port: 80
@@ -36,12 +39,17 @@ spec: matchLabels: kubernetes.io/metadata.name: kube-system podSelector: - matchLabels: - k8s-app: kube-dns + matchExpressions: + - key: k8s-app + operator: In + values: + - kube-dns ports: - port: 53 protocol: UDP - port: 53 protocol: TCP + podSelector: + matchLabels: {} policyTypes: - Egress
\ No newline at end of file
-- GitLab
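Review bot: The three `namespaceSelector` lines of the `to:` peer in allow-to-kubedns are removed and re-added with identical content, which reads as a re-indentation of the block sequence rather than part of the matchExpressions change; if so, the indentation should match the other shared policies that carry the same kube-dns peer and were not re-indented (allow-to-mailbox-org and allow-to-public-web), since mixing indented and flush sequences across the directory invites exactly this kind of noisy diff. The file also still ends without a trailing newline on the new side, as does allow-to-public-web; adding one keeps the `\ No newline at end of file` churn out of future patches.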