Home Explore Help
Sign In
cecf
/
deploy
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
deploy
/
ch
/
charts
/
zookeeper
/
templates
/
networkpolicy.yaml

networkpolicy.yaml 3.6 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586 
  1. {{- /*
    2. 

  2. Copyright Broadcom, Inc. All Rights Reserved.
    3. 

  3. SPDX-License-Identifier: APACHE-2.0
    4. 

  4. */}}
    5. 

  5. 

  6. {{- if .Values.networkPolicy.enabled }}
    7. 

  7. kind: NetworkPolicy
    8. 

  8. apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
    9. 

  9. metadata:
    10. 

  10.   name: {{ include "common.names.fullname" . }}
    11. 

  11.   namespace: {{ template "zookeeper.namespace" . }}
    12. 

  12.   labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    13. 

  13.   {{- if .Values.commonAnnotations }}
    14. 

  14.   annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
    15. 

  15.   {{- end }}
    16. 

  16. spec:
    17. 

  17.   {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
    18. 

  18.   podSelector:
    19. 

  19.     matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
    20. 

  20.   policyTypes:
    21. 

  21.     - Ingress
    22. 

  22.     - Egress
    23. 

  23.   {{- if .Values.networkPolicy.allowExternalEgress }}
    24. 

  24.   egress:
    25. 

  25.     - {}
    26. 

  26.   {{- else }}
    27. 

  27.   egress:
    28. 

  28.     # Allow dns resolution
    29. 

  29.     - ports:
    30. 

  30.         - port: 53
    31. 

  31.           protocol: UDP
    32. 

  32.         - port: 53
    33. 

  33.           protocol: TCP
    34. 

  34.     # Allow internal communications between nodes
    35. 

  35.     - ports:
    36. 

  36.         - port: {{ .Values.containerPorts.follower }}
    37. 

  37.         - port: {{ .Values.containerPorts.election }}
    38. 

  38.       to:
    39. 

  39.         - podSelector:
    40. 

  40.             matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
    41. 

  41.     {{- if .Values.networkPolicy.extraEgress }}
    42. 

  42.     {{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
    43. 

  43.     {{- end }}
    44. 

  44.   {{- end }}
    45. 

  45.   ingress:
    46. 

  46.     # Allow inbound connections to ZooKeeper
    47. 

  47.     - ports:
    48. 

  48.         - port: {{ .Values.containerPorts.client }}
    49. 

  49.         {{- if .Values.metrics.enabled }}
    50. 

  50.         - port: {{ coalesce .Values.metrics.containerPort .Values.containerPorts.metrics }}
    51. 

  51.         {{- end }}
    52. 

  52.       {{- if not .Values.networkPolicy.allowExternal }}
    53. 

  53.       from:
    54. 

  54.         - podSelector:
    55. 

  55.             matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
    56. 

  56.         - podSelector:
    57. 

  57.             matchLabels:
    58. 

  58.               {{ include "common.names.fullname" . }}-client: "true"
    59. 

  59.         - podSelector:
    60. 

  60.             matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
    61. 

  61.         {{- if .Values.networkPolicy.ingressNSMatchLabels }}
    62. 

  62.         - namespaceSelector:
    63. 

  63.             matchLabels:
    64. 

  64.               {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
    65. 

  65.               {{ $key | quote }}: {{ $value | quote }}
    66. 

  66.               {{- end }}
    67. 

  67.           {{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
    68. 

  68.           podSelector:
    69. 

  69.             matchLabels:
    70. 

  70.               {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
    71. 

  71.               {{ $key | quote }}: {{ $value | quote }}
    72. 

  72.               {{- end }}
    73. 

  73.           {{- end }}
    74. 

  74.         {{- end }}
    75. 

  75.       {{- end }}
    76. 

  76.     # Allow internal communications between nodes
    77. 

  77.     - ports:
    78. 

  78.         - port: {{ .Values.containerPorts.follower }}
    79. 

  79.         - port: {{ .Values.containerPorts.election }}
    80. 

  80.       from:
    81. 

  81.         - podSelector:
    82. 

  82.             matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
    83. 

  83.     {{- if .Values.networkPolicy.extraIngress }}
    84. 

  84.     {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
    85. 

  85.     {{- end }}
    86. 

  86. {{- end }}
    87.