add networkpolicy for job and add possibility to define egress ports (#20951)

2025-07-14 11:21:52 -04:00 · 2025-06-08 18:14:18 +02:00 · 2025-06-08 18:14:18 +02:00 · 21409f112d
commit 21409f112d
parent 417c8648f0
2 changed files with 84 additions and 10 deletions
--- a/helm/minio/templates/networkpolicy.yaml
+++ b/helm/minio/templates/networkpolicy.yaml
@ -16,11 +16,51 @@ spec:
  ingress:
    - ports:
        - port: {{ .Values.minioAPIPort }}
+          protocol: TCP
        - port: {{ .Values.minioConsolePort }}
+          protocol: TCP
      {{- if not .Values.networkPolicy.allowExternal }}
      from:
        - podSelector:
            matchLabels:
              {{ template "minio.name" . }}-client: "true"
      {{- end }}
+  {{- if .Values.networkPolicy.egress.enabled }}
+  egress:
+    - ports:
+        {{ .Values.networkPolicy.egress.ports | toJson }}
+      {{- with .Values.networkPolicy.egress.to }}
+      to:
+        {{- toYaml . | nindent 12 }}
+      {{- end }}
+  {{- end }}
+---
+kind: NetworkPolicy
+apiVersion: {{ template "minio.networkPolicy.apiVersion" . }}
+metadata:
+  name: {{ template "minio.fullname" . }}-post-job
+  labels:
+    app: {{ template "minio.name" . }}-post-job
+    chart: {{ template "minio.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ template "minio.name" . }}-job
+      release: {{ .Release.Name }}
+  egress:
+    - ports:
+        - port: {{ .Values.minioAPIPort }}
+          protocol: TCP
+        - port: {{ .Values.minioConsolePort }}
+          protocol: TCP
+    {{- if .Values.networkPolicy.egress.enabled }}
+    - ports:
+        {{ .Values.networkPolicy.egress.ports | toJson }}
+      {{- with .Values.networkPolicy.egress.to }}
+      to:
+        {{- toYaml . | nindent 12 }}
+      {{- end }}
+    {{- end }}
 {{- end }}
--- a/helm/minio/values.yaml
+++ b/helm/minio/values.yaml
@ -200,9 +200,11 @@ service:
 ingress:
  enabled: false
  ingressClassName: ~
-  labels: {}
+  labels:
+    {}
    # node-role.kubernetes.io/ingress: platform
-  annotations: {}
+  annotations:
+    {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    # kubernetes.io/ingress.allow-http: "false"
@ -241,9 +243,11 @@ consoleService:
 consoleIngress:
  enabled: false
  ingressClassName: ~
-  labels: {}
+  labels:
+    {}
    # node-role.kubernetes.io/ingress: platform
-  annotations: {}
+  annotations:
+    {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    # kubernetes.io/ingress.allow-http: "false"
@ -391,7 +395,8 @@ makeUserJob:

 ## List of service accounts to be created after minio install
 ##
-svcaccts: []
+svcaccts:
+  []
  ## accessKey, secretKey and parent user to be assigned to the service accounts
  ## Add new service accounts as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management/minio-user-management.html#service-accounts
  # - accessKey: console-svcacct
@ -430,7 +435,8 @@ makeServiceAccountJob:

 ## List of buckets to be created after minio install
 ##
-buckets: []
+buckets:
+  []
  #   # Name of the bucket
  # - name: bucket1
  #   # Policy to be set on the
@ -479,13 +485,15 @@ customCommandJob:
    requests:
      memory: 128Mi
  ## Additional volumes to add to the post-job.
-  extraVolumes: []
+  extraVolumes:
+    []
    # - name: extra-policies
    #   configMap:
    #     name: my-extra-policies-cm
  ## Additional volumeMounts to add to the custom commands container when
  ## running the post-job.
-  extraVolumeMounts: []
+  extraVolumeMounts:
+    []
    # - name: extra-policies
    #   mountPath: /mnt/extras/
  # Command to run after the main command on exit
@ -542,10 +550,35 @@ networkPolicy:
  # Specifies whether the policies created will be standard Network Policies (flavor: kubernetes)
  # or Cilium Network Policies (flavor: cilium)
  flavor: kubernetes
+  # allows external access to the minio api
  allowExternal: true
+  ## @params networkPolicy.egress configuration of the egress traffic
+  egress:
+    ## @param networkPolicy.egress.enabled When enabled, an egress network policy will be
+    ## created allowing minio to connect to external data sources from kubernetes cluster.
+    ##
+    enabled: false
+    ## @param networkPolicy.egress.ports Add individual ports to be allowed by the egress
+    ## Add ports to the egress by specifying - port: <port number>
+    ## E.X.
+    ## - port: 80
+    ## - port: 443
+    ## - port: 53
+    ##   protocol: UDP
+    ##
+    ports: []
+    ## @param networkPolicy.egress.to Allow egress traffic to specific destinations
+    ## Add destinations to the egress by specifying - ipBlock: <CIDR>
+    ## E.X.
+    ## to:
+    ##  - namespaceSelector:
+    ##    matchExpressions:
+    ##    - {key: role, operator: In, values: [minio]}
+    ##
+    to: []
  # only when using flavor: cilium
  egressEntities:
-   - kube-apiserver
+    - kube-apiserver

 ## PodDisruptionBudget settings
 ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
@ -573,7 +606,8 @@ metrics:
    # for node metrics
    relabelConfigs: {}
    # for cluster metrics
-    relabelConfigsCluster: {}
+    relabelConfigsCluster:
+      {}
      # metricRelabelings:
      #   - regex: (server|pod)
      #     action: labeldrop