diff --git a/charts/mok/templates/networkpolicy.yaml b/charts/mok/templates/networkpolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3c8b3a31475a3737def956d6e0f0164274de0a8a
--- /dev/null
+++ b/charts/mok/templates/networkpolicy.yaml
@@ -0,0 +1,67 @@
+{{- if .Values.networkPolicy.create }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "mok.fullname" . }}-dovecot
+  labels:
+    {{- include "mok.labels" . | nindent 4 }}
+    app.kubernetes.io/component: dovecot
+spec:
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          {{- include "mok.selectorLabels" . | nindent 10 }}
+          app.kubernetes.io/component: postfix
+    ports:
+    - port: 24
+      protocol: TCP
+    - port: 12345
+      protocol: TCP
+  - from:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+    ports:
+    - port: 110
+      protocol: TCP
+    - port: 143
+      protocol: TCP
+    - port: 993
+      protocol: TCP
+    - port: 995
+      protocol: TCP
+    - port: 4190
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      {{- include "mok.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: dovecot
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "mok.fullname" . }}-postfix
+  labels:
+    {{- include "mok.labels" . | nindent 4 }}
+    app.kubernetes.io/component: postfix
+spec:
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+    ports:
+    - port: 25
+      protocol: TCP
+    - port: 465
+      protocol: TCP
+    - port: 587
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      {{- include "mok.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: postfix
+{{- end }}
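Review bot: Both public `ipBlock` rules (the second ingress rule of the dovecot policy and the only rule of the postfix policy) hard-code `cidr: 0.0.0.0/0`, which matches IPv4 sources only. On a dual-stack or IPv6 cluster, clients arriving over IPv6 would be denied on the mail ports once these policies select the pods. I would add a second peer to each `from` list, `- ipBlock: {cidr: "::/0"}`, or better, take the allowed source CIDRs from a values list so operators can narrow them. The same list would also let a deployment stop exposing the cleartext ports 110 and 143 to every source when only 993 and 995 are meant to be public.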
diff --git a/charts/mok/tests/__snapshot__/networkpolicies_test.yaml.snap b/charts/mok/tests/__snapshot__/networkpolicies_test.yaml.snap
new file mode 100644
index 0000000000000000000000000000000000000000..85337acaded284476e7e086f5b72c2f97a75e4df
--- /dev/null
+++ b/charts/mok/tests/__snapshot__/networkpolicies_test.yaml.snap
@@ -0,0 +1,76 @@
+matches snapshot:
+  1: |
+    apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      labels:
+        app.kubernetes.io/component: dovecot
+        app.kubernetes.io/instance: RELEASE-NAME
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: mok
+        helm.sh/chart: mok-0.1.0
+      name: RELEASE-NAME-mok-dovecot
+    spec:
+      ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/component: postfix
+              app.kubernetes.io/instance: RELEASE-NAME
+              app.kubernetes.io/name: mok
+        ports:
+        - port: 24
+          protocol: TCP
+        - port: 12345
+          protocol: TCP
+      - from:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+        ports:
+        - port: 110
+          protocol: TCP
+        - port: 143
+          protocol: TCP
+        - port: 993
+          protocol: TCP
+        - port: 995
+          protocol: TCP
+        - port: 4190
+          protocol: TCP
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/component: dovecot
+          app.kubernetes.io/instance: RELEASE-NAME
+          app.kubernetes.io/name: mok
+      policyTypes:
+      - Ingress
+  2: |
+    apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      labels:
+        app.kubernetes.io/component: postfix
+        app.kubernetes.io/instance: RELEASE-NAME
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: mok
+        helm.sh/chart: mok-0.1.0
+      name: RELEASE-NAME-mok-postfix
+    spec:
+      ingress:
+      - from:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+        ports:
+        - port: 25
+          protocol: TCP
+        - port: 465
+          protocol: TCP
+        - port: 587
+          protocol: TCP
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/component: postfix
+          app.kubernetes.io/instance: RELEASE-NAME
+          app.kubernetes.io/name: mok
+      policyTypes:
+      - Ingress
diff --git a/charts/mok/tests/helmlabels_test.yaml b/charts/mok/tests/helmlabels_test.yaml
index d2322d97837cef4093a451ef77638663a9b949cf..cbf438d738d358e46af866d56be7447f78036e0a 100644
--- a/charts/mok/tests/helmlabels_test.yaml
+++ b/charts/mok/tests/helmlabels_test.yaml
@@ -1,6 +1,7 @@
 suite: Kubernetes recommendations
 templates:
   - dovecot.yaml
+  - networkpolicy.yaml
   - persistentvolumeclaim.yaml
   - postfix.yaml
   - secret.yaml
diff --git a/charts/mok/tests/networkpolicies_test.yaml b/charts/mok/tests/networkpolicies_test.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e086b306df9e6e79e4a335526652f52b1c118116
--- /dev/null
+++ b/charts/mok/tests/networkpolicies_test.yaml
@@ -0,0 +1,223 @@
+suite: Network Policy
+templates:
+  - networkpolicy.yaml
+tests:
+  - it: allows dovecot's lmtp from postfix
+    release:
+      name: "test-suite"
+    asserts:
+      - equal:
+          path: spec.ingress[0].from[0].podSelector.matchLabels
+          value:
+            app.kubernetes.io/component: postfix
+            app.kubernetes.io/instance: test-suite
+            app.kubernetes.io/name: mok
+        documentIndex: 0
+        template: networkpolicy.yaml
+      - contains:
+          path: spec.ingress[0].ports
+          content:
+            port: 24
+            protocol: TCP
+        documentIndex: 0
+        template: networkpolicy.yaml
+      - equal:
+          path: spec.podSelector.matchLabels
+          value:
+            app.kubernetes.io/component: dovecot
+            app.kubernetes.io/instance: test-suite
+            app.kubernetes.io/name: mok
+        documentIndex: 0
+        template: networkpolicy.yaml
+  - it: allows dovecot's authentication from postfix
+    release:
+      name: "test-suite"
+    asserts:
+      - equal:
+          path: spec.ingress[0].from[0].podSelector.matchLabels
+          value:
+            app.kubernetes.io/component: postfix
+            app.kubernetes.io/instance: test-suite
+            app.kubernetes.io/name: mok
+        documentIndex: 0
+        template: networkpolicy.yaml
+      - contains:
+          path: spec.ingress[0].ports
+          content:
+            port: 12345
+            protocol: TCP
+        documentIndex: 0
+        template: networkpolicy.yaml
+      - equal:
+          path: spec.podSelector.matchLabels
+          value:
+            app.kubernetes.io/component: dovecot
+            app.kubernetes.io/instance: test-suite
+            app.kubernetes.io/name: mok
+        documentIndex: 0
+        template: networkpolicy.yaml
+  - it: allows dovecot's pop3 and pop3s from everywhere
+    release:
+      name: "test-suite"
+    asserts:
+      - equal:
+          path: spec.ingress[1].from[0].ipBlock.cidr
+          value: 0.0.0.0/0
+        documentIndex: 0
+        template: networkpolicy.yaml
+      - isEmpty:
+          path: spec.ingress[1].from[0].ipBlock.except
+        documentIndex: 0
+        template: networkpolicy.yaml
+      - contains:
+          path: spec.ingress[1].ports
+          content:
+            port: 110
+            protocol: TCP
+        documentIndex: 0
+        template: networkpolicy.yaml
+      - contains:
+          path: spec.ingress[1].ports
+          content:
+            port: 995
+            protocol: TCP
+        documentIndex: 0
+        template: networkpolicy.yaml
+      - equal:
+          path: spec.podSelector.matchLabels
+          value:
+            app.kubernetes.io/component: dovecot
+            app.kubernetes.io/instance: test-suite
+            app.kubernetes.io/name: mok
+        documentIndex: 0
+        template: networkpolicy.yaml
+  - it: allows dovecot's imap and imaps from everywhere
+    release:
+      name: "test-suite"
+    asserts:
+      - equal:
+          path: spec.ingress[1].from[0].ipBlock.cidr
+          value: 0.0.0.0/0
+        documentIndex: 0
+        template: networkpolicy.yaml
+      - isEmpty:
+          path: spec.ingress[1].from[0].ipBlock.except
+        documentIndex: 0
+        template: networkpolicy.yaml
+      - contains:
+          path: spec.ingress[1].ports
+          content:
+            port: 143
+            protocol: TCP
+        documentIndex: 0
+        template: networkpolicy.yaml
+      - contains:
+          path: spec.ingress[1].ports
+          content:
+            port: 993
+            protocol: TCP
+        documentIndex: 0
+        template: networkpolicy.yaml
+      - equal:
+          path: spec.podSelector.matchLabels
+          value:
+            app.kubernetes.io/component: dovecot
+            app.kubernetes.io/instance: test-suite
+            app.kubernetes.io/name: mok
+        documentIndex: 0
+        template: networkpolicy.yaml
+  - it: allows dovecot's sieve from everywhere
+    release:
+      name: "test-suite"
+    asserts:
+      - equal:
+          path: spec.ingress[1].from[0].ipBlock.cidr
+          value: 0.0.0.0/0
+        documentIndex: 0
+        template: networkpolicy.yaml
+      - isEmpty:
+          path: spec.ingress[1].from[0].ipBlock.except
+        documentIndex: 0
+        template: networkpolicy.yaml
+      - contains:
+          path: spec.ingress[1].ports
+          content:
+            port: 4190
+            protocol: TCP
+        documentIndex: 0
+        template: networkpolicy.yaml
+      - equal:
+          path: spec.podSelector.matchLabels
+          value:
+            app.kubernetes.io/component: dovecot
+            app.kubernetes.io/instance: test-suite
+            app.kubernetes.io/name: mok
+        documentIndex: 0
+        template: networkpolicy.yaml
+
+  - it: allows postfix's smtp from everywhere
+    release:
+      name: "test-suite"
+    asserts:
+      - equal:
+          path: spec.ingress[0].from[0].ipBlock.cidr
+          value: 0.0.0.0/0
+        documentIndex: 1
+        template: networkpolicy.yaml
+      - isEmpty:
+          path: spec.ingress[0].from[0].ipBlock.except
+        documentIndex: 1
+        template: networkpolicy.yaml
+      - contains:
+          path: spec.ingress[0].ports
+          content:
+            port: 25
+            protocol: TCP
+        documentIndex: 1
+        template: networkpolicy.yaml
+      - equal:
+          path: spec.podSelector.matchLabels
+          value:
+            app.kubernetes.io/component: postfix
+            app.kubernetes.io/instance: test-suite
+            app.kubernetes.io/name: mok
+        documentIndex: 1
+        template: networkpolicy.yaml
+  - it: allows postfix's submission and submissions from everywhere
+    release:
+      name: "test-suite"
+    asserts:
+      - equal:
+          path: spec.ingress[0].from[0].ipBlock.cidr
+          value: 0.0.0.0/0
+        documentIndex: 1
+        template: networkpolicy.yaml
+      - isEmpty:
+          path: spec.ingress[0].from[0].ipBlock.except
+        documentIndex: 1
+        template: networkpolicy.yaml
+      - contains:
+          path: spec.ingress[0].ports
+          content:
+            port: 465
+            protocol: TCP
+        documentIndex: 1
+        template: networkpolicy.yaml
+      - contains:
+          path: spec.ingress[0].ports
+          content:
+            port: 587
+            protocol: TCP
+        documentIndex: 1
+        template: networkpolicy.yaml
+      - equal:
+          path: spec.podSelector.matchLabels
+          value:
+            app.kubernetes.io/component: postfix
+            app.kubernetes.io/instance: test-suite
+            app.kubernetes.io/name: mok
+        documentIndex: 1
+        template: networkpolicy.yaml
+  - it: matches snapshot
+    asserts:
+      - matchSnapshot: {}
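Review bot: The suite never exercises the `networkPolicy.create` toggle that guards the whole template, so a regression that renders the policies while it is false (or drops them while it is true) would go unnoticed. I would add a case that sets the value to false and asserts that no documents are rendered. Separately, every assert repeats `template: networkpolicy.yaml` although the suite lists only that template; the key could probably be dropped for readability.

```yaml
# … unchanged: existing test cases …
  - it: renders nothing when networkPolicy.create is false
    set:
      networkPolicy.create: false
    asserts:
      - hasDocuments:
          count: 0
```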
diff --git a/charts/mok/values.yaml b/charts/mok/values.yaml
index 5f66282d3c1322e2a18b659ef216aad90045f149..54b5400a1bd7b2fafcc109d7b2b30f56448ad5af 100644
--- a/charts/mok/values.yaml
+++ b/charts/mok/values.yaml
@@ -182,3 +182,6 @@ serviceAccount:
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
   name: ""
+
+networkPolicy:
+  create: true
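Review bot: `networkPolicy.create` is added without a comment and defaults to `true`, unlike the `serviceAccount` keys above it, which are documented. Because a NetworkPolicy that selects a pod denies all ingress it does not list, existing releases will on upgrade start dropping any traffic to the dovecot and postfix pods outside the listed mail ports (in-cluster monitoring, for example, if any is in use). I would document that above the key, e.g. `# Create NetworkPolicies limiting ingress to the dovecot and postfix pods to their mail ports; all other ingress to those pods is denied.`, and call out the default in the release notes.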