From c82aa6ccfeb2f28e1e0e4fc4fd815e6f8bee3ee2 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sun, 26 Jun 2022 15:32:02 +0200
Subject: [PATCH] feat(mok): Add network policies to helm chart

This patch adds the needed network policies to the helm chart. This provides a reasonable base-line setup. Currently any customizations regarding network access would require additional policies. These might come in place later on.
---
 charts/mok/templates/networkpolicy.yaml | 67 ++++++
 .../networkpolicies_test.yaml.snap | 76 ++++++
 charts/mok/tests/helmlabels_test.yaml | 1 +
 charts/mok/tests/networkpolicies_test.yaml | 223 ++++++++++++++++++
 charts/mok/values.yaml | 3 +
 5 files changed, 370 insertions(+)
 create mode 100644 charts/mok/templates/networkpolicy.yaml
 create mode 100644 charts/mok/tests/__snapshot__/networkpolicies_test.yaml.snap
 create mode 100644 charts/mok/tests/networkpolicies_test.yaml

diff --git a/charts/mok/templates/networkpolicy.yaml b/charts/mok/templates/networkpolicy.yaml
new file mode 100644
index 000000000..3c8b3a314
--- /dev/null
+++ b/charts/mok/templates/networkpolicy.yaml
@@ -0,0 +1,67 @@
+{{- if .Values.networkPolicy.create }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "mok.fullname" . }}-dovecot
+ labels:
+ {{- include "mok.labels" . | nindent 4 }}
+ app.kubernetes.io/component: dovecot
+spec:
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ {{- include "mok.selectorLabels" . | nindent 10 }}
+ app.kubernetes.io/component: postfix
+ ports:
+ - port: 24
+ protocol: TCP
+ - port: 12345
+ protocol: TCP
+ - from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ - port: 110
+ protocol: TCP
+ - port: 143
+ protocol: TCP
+ - port: 993
+ protocol: TCP
+ - port: 995
+ protocol: TCP
+ - port: 4190
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ {{- include "mok.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: dovecot
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "mok.fullname" . }}-postfix
+ labels:
+ {{- include "mok.labels" . | nindent 4 }}
+ app.kubernetes.io/component: postfix
+spec:
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ - port: 25
+ protocol: TCP
+ - port: 465
+ protocol: TCP
+ - port: 587
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ {{- include "mok.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: postfix
+{{- end }}
diff --git a/charts/mok/tests/__snapshot__/networkpolicies_test.yaml.snap b/charts/mok/tests/__snapshot__/networkpolicies_test.yaml.snap
new file mode 100644
index 000000000..85337acad
--- /dev/null
+++ b/charts/mok/tests/__snapshot__/networkpolicies_test.yaml.snap
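Review bot: The public ingress rules in both policies admit only IPv4 sources — `cidr: 0.0.0.0/0` under `ipBlock` never matches an IPv6 client, so on a dual-stack or IPv6-only cluster the mail ports (110/143/993/995/4190 on dovecot, 25/465/587 on postfix) are silently denied while the postfix-to-dovecot rule on 24/12345 keeps working. Either add a second peer `- ipBlock:` / `cidr: "::/0"` beside each `0.0.0.0/0` entry, or drop the `from:` list from those two rules altogether, since a NetworkPolicy rule that lists only `ports` already matches all sources. Both documents also set `policyTypes` to `Ingress` alone, so egress stays unrestricted; a comment on that line, `# Ingress only: egress (outbound SMTP, DNS) is deliberately left open`, would record that this is intentional rather than an omission. Note as well that enforcement depends on the cluster CNI; the template only creates the objects.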
@@ -0,0 +1,76 @@ +matches snapshot: + 1: | + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + labels: + app.kubernetes.io/component: dovecot + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mok + helm.sh/chart: mok-0.1.0 + name: RELEASE-NAME-mok-dovecot + spec: + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/component: postfix + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: mok + ports: + - port: 24 + protocol: TCP + - port: 12345 + protocol: TCP + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - port: 110 + protocol: TCP + - port: 143 + protocol: TCP + - port: 993 + protocol: TCP + - port: 995 + protocol: TCP + - port: 4190 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/component: dovecot + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: mok + policyTypes: + - Ingress + 2: | + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + labels: + app.kubernetes.io/component: postfix + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mok + helm.sh/chart: mok-0.1.0 + name: RELEASE-NAME-mok-postfix + spec: + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - port: 25 + protocol: TCP + - port: 465 + protocol: TCP + - port: 587 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/component: postfix + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: mok + policyTypes: + - Ingress diff --git a/charts/mok/tests/helmlabels_test.yaml b/charts/mok/tests/helmlabels_test.yaml index d2322d978..cbf438d73 100644 --- a/charts/mok/tests/helmlabels_test.yaml +++ b/charts/mok/tests/helmlabels_test.yaml @@ -1,6 +1,7 @@ suite: Kubernetes recommendations templates: - dovecot.yaml + - networkpolicy.yaml - persistentvolumeclaim.yaml - postfix.yaml - secret.yaml 
diff --git a/charts/mok/tests/networkpolicies_test.yaml b/charts/mok/tests/networkpolicies_test.yaml
new file mode 100644
index 000000000..e086b306d
--- /dev/null
+++ b/charts/mok/tests/networkpolicies_test.yaml
@@ -0,0 +1,223 @@ +suite: Network Policy +templates: + - networkpolicy.yaml +tests: + - it: allows dovecot's lmtp from postfix + release: + name: "test-suite" + asserts: + - equal: + path: spec.ingress[0].from[0].podSelector.matchLabels + value: + app.kubernetes.io/component: postfix + app.kubernetes.io/instance: test-suite + app.kubernetes.io/name: mok + documentIndex: 0 + template: networkpolicy.yaml + - contains: + path: spec.ingress[0].ports + content: + port: 24 + protocol: TCP + documentIndex: 0 + template: networkpolicy.yaml + - equal: + path: spec.podSelector.matchLabels + value: + app.kubernetes.io/component: dovecot + app.kubernetes.io/instance: test-suite + app.kubernetes.io/name: mok + documentIndex: 0 + template: networkpolicy.yaml + - it: allows dovecot's authentication from postfix + release: + name: "test-suite" + asserts: + - equal: + path: spec.ingress[0].from[0].podSelector.matchLabels + value: + app.kubernetes.io/component: postfix + app.kubernetes.io/instance: test-suite + app.kubernetes.io/name: mok + documentIndex: 0 + template: networkpolicy.yaml + - contains: + path: spec.ingress[0].ports + content: + port: 12345 + protocol: TCP + documentIndex: 0 + template: networkpolicy.yaml + - equal: + path: spec.podSelector.matchLabels + value: + app.kubernetes.io/component: dovecot + app.kubernetes.io/instance: test-suite + app.kubernetes.io/name: mok + documentIndex: 0 + template: networkpolicy.yaml + - it: allows dovecot's pop3 and pop3s from everywhere + release: + name: "test-suite" + asserts: + - equal: + path: spec.ingress[1].from[0].ipBlock.cidr + value: 0.0.0.0/0 + documentIndex: 0 + template: networkpolicy.yaml + - isEmpty: + path: spec.ingress[1].from[0].ipBlock.except + documentIndex: 0 + template: networkpolicy.yaml + - contains: + path: spec.ingress[1].ports + content: + port: 110 + protocol: TCP + documentIndex: 0 + template: networkpolicy.yaml + - contains: + path: spec.ingress[1].ports + content: + port: 995 + protocol: TCP + 
documentIndex: 0 + template: networkpolicy.yaml + - equal: + path: spec.podSelector.matchLabels + value: + app.kubernetes.io/component: dovecot + app.kubernetes.io/instance: test-suite + app.kubernetes.io/name: mok + documentIndex: 0 + template: networkpolicy.yaml + - it: allows dovecot's imap and imaps from everywhere + release: + name: "test-suite" + asserts: + - equal: + path: spec.ingress[1].from[0].ipBlock.cidr + value: 0.0.0.0/0 + documentIndex: 0 + template: networkpolicy.yaml + - isEmpty: + path: spec.ingress[1].from[0].ipBlock.except + documentIndex: 0 + template: networkpolicy.yaml + - contains: + path: spec.ingress[1].ports + content: + port: 143 + protocol: TCP + documentIndex: 0 + template: networkpolicy.yaml + - contains: + path: spec.ingress[1].ports + content: + port: 993 + protocol: TCP + documentIndex: 0 + template: networkpolicy.yaml + - equal: + path: spec.podSelector.matchLabels + value: + app.kubernetes.io/component: dovecot + app.kubernetes.io/instance: test-suite + app.kubernetes.io/name: mok + documentIndex: 0 + template: networkpolicy.yaml + - it: allows dovecot's sieve from everywhere + release: + name: "test-suite" + asserts: + - equal: + path: spec.ingress[1].from[0].ipBlock.cidr + value: 0.0.0.0/0 + documentIndex: 0 + template: networkpolicy.yaml + - isEmpty: + path: spec.ingress[1].from[0].ipBlock.except + documentIndex: 0 + template: networkpolicy.yaml + - contains: + path: spec.ingress[1].ports + content: + port: 4190 + protocol: TCP + documentIndex: 0 + template: networkpolicy.yaml + - equal: + path: spec.podSelector.matchLabels + value: + app.kubernetes.io/component: dovecot + app.kubernetes.io/instance: test-suite + app.kubernetes.io/name: mok + documentIndex: 0 + template: networkpolicy.yaml + + - it: allows postfix's smtp from everywhere + release: + name: "test-suite" + asserts: + - equal: + path: spec.ingress[0].from[0].ipBlock.cidr + value: 0.0.0.0/0 + documentIndex: 1 + template: networkpolicy.yaml + - isEmpty: + path: 
spec.ingress[0].from[0].ipBlock.except + documentIndex: 1 + template: networkpolicy.yaml + - contains: + path: spec.ingress[0].ports + content: + port: 25 + protocol: TCP + documentIndex: 1 + template: networkpolicy.yaml + - equal: + path: spec.podSelector.matchLabels + value: + app.kubernetes.io/component: postfix + app.kubernetes.io/instance: test-suite + app.kubernetes.io/name: mok + documentIndex: 1 + template: networkpolicy.yaml + - it: allows postfix's submission and submissions from everywhere + release: + name: "test-suite" + asserts: + - equal: + path: spec.ingress[0].from[0].ipBlock.cidr + value: 0.0.0.0/0 + documentIndex: 1 + template: networkpolicy.yaml + - isEmpty: + path: spec.ingress[0].from[0].ipBlock.except + documentIndex: 1 + template: networkpolicy.yaml + - contains: + path: spec.ingress[0].ports + content: + port: 465 + protocol: TCP + documentIndex: 1 + template: networkpolicy.yaml + - contains: + path: spec.ingress[0].ports + content: + port: 587 + protocol: TCP + documentIndex: 1 + template: networkpolicy.yaml + - equal: + path: spec.podSelector.matchLabels + value: + app.kubernetes.io/component: postfix + app.kubernetes.io/instance: test-suite + app.kubernetes.io/name: mok + documentIndex: 1 + template: networkpolicy.yaml + - it: matches snapshot + asserts: + - matchSnapshot: {} diff --git a/charts/mok/values.yaml b/charts/mok/values.yaml index 5f66282d3..54b5400a1 100644 --- a/charts/mok/values.yaml +++ b/charts/mok/values.yaml @@ -182,3 +182,6 @@ serviceAccount: # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" + +networkPolicy: + create: true -- GitLab
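Review bot: The suite never exercises the `{{- if .Values.networkPolicy.create }}` gate: every case renders with the default `create: true`, so a regression that ignores the value (or a typo in the key) would still pass all 223 lines of assertions. Add one case that sets `networkPolicy.create` to `false` and asserts that the template yields no documents via `hasDocuments` with `count: 0`. The repeated `release:` / `documentIndex:` / `template:` boilerplate in each case could also move to suite level if the helm-unittest version in use accepts `release` there, but that is a style choice.
```yaml
  # … unchanged: existing dovecot and postfix cases …
  - it: renders nothing when networkPolicy.create is false
    set:
      networkPolicy.create: false
    asserts:
      - hasDocuments:
          count: 0
```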
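Review bot: The new `networkPolicy` block in values.yaml is added without any comment, while the neighbouring `serviceAccount` entries in the same hunk document each value; operators reading values.yaml cannot tell what the policies restrict or what the default implies. Add `# Create NetworkPolicy objects that restrict ingress to the dovecot and postfix pods.` above `networkPolicy:` and `# Enforcement requires a CNI with NetworkPolicy support; without one the objects are created but have no effect.` above `create: true`.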