diff --git a/charts/common/templates/_cni.tpl b/charts/common/templates/_cni.tpl
new file mode 100644
index 0000000000..297195d933
--- /dev/null
+++ b/charts/common/templates/_cni.tpl
@@ -0,0 +1,11 @@
+{{- define "common.networkPolicy.type" -}}
+ {{- if eq .Values.global.networkPolicy.type "auto" -}}
+ {{- if .Capabilities.APIVersions.Has "cilium.io/v2/CiliumNetworkPolicy" -}}
+ cilium
+ {{- else -}}
+ native
+ {{- end -}}
+ {{- else -}}
+ {{- .Values.global.networkPolicy.type -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/common/templates/_networkpolicy.tpl b/charts/common/templates/_networkpolicy.tpl
new file mode 100644
index 0000000000..842e229a31
--- /dev/null
+++ b/charts/common/templates/_networkpolicy.tpl
@@ -0,0 +1,26 @@
+{{- define "common.networkPolicy.identity.kube-apiserver" -}}
+ {{- $identities := list -}}
+ {{- $kubeSystemNamespace := "kube-system" -}}
+ {{- $konnectivityName := "konnectivity-agent" -}}
+ {{- if lookup "apps/v1" "DaemonSet" $kubeSystemNamespace $konnectivityName -}}
+ {{- $identities = append $identities (dict "endpoint" (dict
+ "namespace" $kubeSystemNamespace
+ "pod" (dict
+ "k8s-app" $konnectivityName
+ )
+ "serviceAccount" $konnectivityName
+ ))
+ -}}
+ {{- else -}}
+ {{- $identities = append $identities (dict "endpoint" (dict
+ "namespace" $kubeSystemNamespace
+ "pod" (dict
+ "tier" "control-plane"
+ "component" "kube-apiserver"
+ )
+ ))
+ -}}
+ {{- $identities = append $identities (dict "entity" "kube-apiserver") -}}
+ {{- end -}}
+ {{- toYaml $identities -}}
+{{- end -}}
diff --git a/charts/common/templates/_networkpolicyrules.tpl b/charts/common/templates/_networkpolicyrules.tpl
new file mode 100644
index 0000000000..2d67c6ec0f
--- /dev/null
+++ b/charts/common/templates/_networkpolicyrules.tpl
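Review bot: The non-auto branch returns `.Values.global.networkPolicy.type` unvalidated, so a misspelt value such as `cillium` is not rejected here; if callers derive the `.cilium` flag of `common.networkPolicy.rule.from.kube-apiserver` by comparing this output against `cilium` (inferred, the caller is not in the diff), such a typo silently degrades to native NetworkPolicy instead of failing the render. Adding `{{- if not (has .Values.global.networkPolicy.type (list "cilium" "native")) -}}{{- fail (printf "global.networkPolicy.type must be auto, cilium or native, got %q" .Values.global.networkPolicy.type) -}}{{- end -}}` before the echo surfaces the mistake at template time. It is also worth a comment that `.Capabilities.APIVersions.Has` reflects the target cluster only during install/upgrade; under `helm template` without `--api-versions` the set is empty and `auto` resolves to `native`, so offline renders and in-cluster renders can differ.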
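Review bot: The `lookup` on the konnectivity-agent DaemonSet decides the whole identity set, and `lookup` returns an empty map under `helm template`, `--dry-run`, and when the installing identity lacks RBAC to get DaemonSets in kube-system, so those renders always take the else branch while a real install on a konnectivity-based control plane takes the first; the two emit different selectors and only one of them can be checked offline. A comment above the `if`, e.g. `{{/* lookup is empty under helm template/--dry-run or without RBAC to get kube-system DaemonSets; the control-plane pod identities are then emitted instead */}}`, would save the next maintainer from debugging a policy that differs between CI and cluster. An explicit value to force one branch would make the rendered policy reproducible, though that is a design choice outside this diff. The else branch adds both the pod-label endpoint and the `entity` item while the konnectivity branch adds only the endpoint; the reason the konnectivity case does not also need the `kube-apiserver` entity is not stated and deserves a comment.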
@@ -0,0 +1,52 @@
+{{- define "common.networkPolicy.rule.from.kube-apiserver" -}}
+ {{- $useCilium := eq .cilium true -}}
+ {{- $identities := include "common.networkPolicy.identity.kube-apiserver" (dict) | fromYamlArray -}}
+ {{- $rules := list -}}
+ {{- $ports := list -}}
+ {{/* Process ports from input, handling both a single as well as a list of protocols */}}
+ {{- if hasKey . "ports" -}}
+ {{- range $port, $protocols := (.ports | default (list)) -}}
+ {{- $_protocols := $protocols -}}
+ {{- if kindIs "string" $protocols -}}
+ {{- $_protocols = list $protocols -}}
+ {{- end -}}
+ {{- range $protocol := $_protocols -}}
+ {{- $ports = append $ports (dict "port" $port "protocol" $protocol) -}}
+ {{- end }}
+ {{- end -}}
+ {{- end -}}
+ {{/* Create rules for each identity based on network policy type */}}
+ {{- range $identity := $identities -}}
+ {{- $rule := dict -}}
+ {{- $endpoint := $identity.endpoint -}}
+ {{/* For cilium use entity or endpoint based rules */}}
+ {{- if $useCilium -}}
+ {{- if hasKey $identity "entity" -}}
+ {{- $rule = dict "fromEntities" (list $identity.entity) -}}
+ {{- else -}}
+ {{- $matchLabels := dict "io.kubernetes.pod.namespace" $endpoint.namespace -}}
+ {{- if hasKey $endpoint "serviceAccount" -}}
+ {{- $matchLabels = set $matchLabels "io.cilium.k8s.policy.serviceaccount" $endpoint.serviceAccount -}}
+ {{- else -}}
+ {{- $matchLabels = mustMerge $matchLabels $endpoint.pod -}}
+ {{- end -}}
+ {{- $rule = dict "fromEndpoints" (list (dict "matchLabels" $matchLabels)) -}}
+ {{- end -}}
+ {{- if $ports }}
+ {{- $rule = set $rule "toPorts" (list (dict "ports" $ports)) -}}
+ {{- end -}}
+ {{/* For native k8s use namespace- and podSelector */}}
+ {{- else -}}
+ {{- $from := dict "namespaceSelector" (dict "matchLabels" (dict "kubernetes.io/metadata.name" $endpoint.namespace)) -}}
+ {{- $from = set $from "podSelector" (dict "matchLabels" $endpoint.pod) -}}
+ {{- $rule = set $rule "from" (list $from) -}}
+ {{- if $ports -}}
+ {{- $rule = set $rule "ports" $ports -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- $rules = append $rules $rule -}}
+ {{- end -}}
+
+ {{- toYaml ($rules | default (dict)) -}}
+{{- end -}}
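Review bot: The native branch (the `{{- else -}}` after the cilium block) dereferences `$endpoint.namespace` and `$endpoint.pod` for every identity, but `common.networkPolicy.identity.kube-apiserver` also emits an `entity`-only item with no `endpoint`, so in native mode `$endpoint` is nil there; Go templates will most likely abort the render with a nil-pointer error on `.namespace`, and if it did not abort the empty `$rule` would still be appended to `$rules`, which in a NetworkPolicy `ingress` list is an allow-all rule (inferred, the consumer of `$rules` is not in the diff). The `hasKey $identity "entity"` check exists only inside the cilium branch; guard the native branch with `{{- if hasKey $identity "endpoint" -}} … {{- end -}}` and change the append to `{{- if $rule }}{{- $rules = append $rules $rule -}}{{- end -}}` so entity-only identities are skipped rather than turned into an empty rule. A comment on the native branch noting that `serviceAccount` is ignored there (only `$endpoint.pod` labels reach `podSelector`) would also help, since the konnectivity identity carries both. The `{{- end }}` closing the inner port range and the `{{- if $ports }}` in the cilium branch leave trailing whitespace untrimmed, unlike the rest of the file.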