Verified Commit aaad3b3f authored by Sheogorath's avatar Sheogorath :european_castle:

fix(loki): Drop egress policy to simplify setup

Using ingress and egress network policies has caused various issues in
the past few days. Dropping the egress policies entirely by moving the
network policies from the helm chart to manually crafted network
policies might make things more complicated to upgrade but easier to
maintain in general.
parent 8a40b745
......@@ -62,28 +62,7 @@ data:
grafanaAgent:
installOperator: false
networkPolicy:
enabled: true
metrics:
namespaceSelector:
matchLabels:
monitoring.shivering-isles.com/network-access-required: "true"
podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
ingress:
namespaceSelector:
matchLabels:
ingress.shivering-isles.com/network-access-required: "true"
alertmanager:
namespaceSelector:
matchLabels:
monitoring.shivering-isles.com/network-access-required: "true"
podSelector:
matchLabels:
app.kubernetes.io/name: alertmanager
externalStorage:
ports:
- 9000
enabled: false
minio:
enabled: true
mode: standalone
......@@ -118,15 +97,60 @@ spec:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-job
name: allow-ingress-to-loki
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
ingress.shivering-isles.com/network-access-required: "true"
ports:
- port: http
protocol: TCP
podSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- gateway
matchLabels:
app.kubernetes.io/instance: loki
app.kubernetes.io/name: loki
policyTypes:
- Egress
egress:
- {}
- Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-loki-metrics
namespace: loki-system
spec:
ingress:
- ports:
- port: http-metrics
protocol: TCP
podSelector:
matchLabels:
app: minio-job
app.kubernetes.io/instance: loki
app.kubernetes.io/name: loki
policyTypes:
- Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-loki-minio
namespace: loki-system
spec:
ingress:
- ports:
- port: 9000
protocol: TCP
podSelector:
matchLabels:
release: loki
policyTypes:
- Ingress
---
apiVersion: v1
kind: ConfigMap
......
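Review bot: The new `allow-loki-metrics` and `allow-loki-minio` policies list only `ports` and no `from`, so each rule admits every source, whereas the chart values removed in the first hunk limited metrics access to `app.kubernetes.io/name: prometheus` pods in namespaces labelled `monitoring.shivering-isles.com/network-access-required: "true"`. The commit message only mentions dropping egress, so this widening of ingress looks unintended; if `http-metrics` is also the port serving Loki's HTTP API (it is in the upstream chart, but confirm for this deployment), log push and query become reachable from any pod, and MinIO on 9000 is left protected by its credentials alone. `allow-from-monitoring-promtail` in the promtail file has the same gap despite its name. I would restore a `from` clause on each, as sketched below for the metrics rule, and add an entry for any log shipper that reaches Loki directly instead of through the gateway.

```yaml
# … unchanged: apiVersion, kind, metadata of allow-loki-metrics …
spec:
  ingress:
    - from:
        # Prometheus scrapers, as the removed chart values allowed
        - namespaceSelector:
            matchLabels:
              monitoring.shivering-isles.com/network-access-required: "true"
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
        # pods in the policy's own namespace (gateway, other Loki components)
        - podSelector: {}
      ports:
        - port: http-metrics
          protocol: TCP
# … unchanged: podSelector, policyTypes …
```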
......@@ -41,14 +41,7 @@ data:
serviceMonitor:
enabled: true
networkPolicy:
enabled: true
metrics:
namespaceSelector:
matchLabels:
monitoring.shivering-isles.com/network-access-required: "true"
podSelector:
matchLabels:
app.kubernetes.io/name: prometheus
enabled: false
# Required for journald collection
containerSecurityContext:
privileged: true
......@@ -95,3 +88,18 @@ data:
- name: machine-id
mountPath: /etc/machine-id
readOnly: true
---
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-monitoring-promtail
spec:
ingress:
- ports:
- port: http-metrics
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/instance: promtail
app.kubernetes.io/name: promtail
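Review bot: The appended manifest opens with two `---` separators in a row, which leaves an empty YAML document ahead of the NetworkPolicy; a single `---` is enough. Unlike the Loki policies added in the same commit, `allow-from-monitoring-promtail` declares no `policyTypes`; Kubernetes infers Ingress from the presence of `ingress`, but spelling out `policyTypes:` with `- Ingress` keeps the manifests consistent and makes the intent explicit for a workload that the same file runs with `privileged: true`. A one-line comment above the policy, such as `# Metrics scraping only; promtail needs no other inbound traffic`, would also record why this is the only allowed port.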