MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-03-30 17:23:42 -04:00
Code Issues Packages Projects Releases Wiki Activity

Helm: add cilium networkpolicy (#18650)

Browse Source 
Signed-off-by: QuantumEnigmaa <thibaud@giantswarm.io>
This commit is contained in:
Zirko 2024-01-24 08:27:57 +01:00 committed by GitHub
parent f78d677ab6
commit 82739574b5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 42 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
helm/minio/README.md
View File

@ -112,6 +112,8 @@ the DefaultDeny namespace annotation. Note: this will enforce policy for *all* p
kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
``` ```
When using `Cilium` as a CNI in your cluster, please edit the `flavor` field to `cilium`.
With NetworkPolicy enabled, traffic will be limited to just port 9000. With NetworkPolicy enabled, traffic will be limited to just port 9000.
For more precise policy, set `networkPolicy.allowExternal=true`. This will For more precise policy, set `networkPolicy.allowExternal=true`. This will

33
helm/minio/templates/ciliumnetworkpolicy.yaml Normal file
View File

@ -0,0 +1,33 @@
{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "cilium") }}
kind: CiliumNetworkPolicy
apiVersion: cilium.io/v2
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
endpointSelector:
matchLabels:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
ingress:
- toPorts:
- ports:
- port: {{ .Values.minioAPIPort }}
protocol: TCP
- port: {{ .Values.minioConsolePort }}
protocol: TCP
{{- if not .Values.networkPolicy.allowExternal }}
fromEndpoints:
- matchLabels:
{{ template "minio.name" . }}-client: "true"
{{- end }}
egress:
{{- range $entity := .Values.networkPolicy.egressEntities }}
- toEntities:
- {{ $entity }}
{{- end }}
{{- end }}

2
helm/minio/templates/networkpolicy.yaml
View File

@ -1,4 +1,4 @@
{{- if .Values.networkPolicy.enabled }} {{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "kubernetes") }}
kind: NetworkPolicy kind: NetworkPolicy
apiVersion: {{ template "minio.networkPolicy.apiVersion" . }} apiVersion: {{ template "minio.networkPolicy.apiVersion" . }}
metadata: metadata:

6
helm/minio/values.yaml
View File

@ -498,7 +498,13 @@ oidc:
networkPolicy: networkPolicy:
enabled: false enabled: false
# Specifies whether the policies created will be standard Network Policies (flavor: kubernetes)
# or Cilium Network Policies (flavor: cilium)
flavor: kubernetes
allowExternal: true allowExternal: true
# only when using flavor: cilium
egressEntities:
- kube-apiserver
## PodDisruptionBudget settings ## PodDisruptionBudget settings
## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/