Merge pull request #70 from GDATASoftwareAG/68-network-policies-are-a…

…ctually-dont-block-anything add more restriction for egress ingress network policy
GDATASoftwareAG · Aug 27, 2024 · 733221e · 733221e
2 parents 8be7066 + a36a1e3
commit 733221e
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 11 deletions.
diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: vaas
-version: 2.0.2
+version: 2.1.0
 description: Deployment of a Verdict-as-a-Service on-premise instance
 maintainers:
   - name: G DATA CyberDefense AG

diff --git a/charts/vaas/templates/gateway/_helpers.tpl b/charts/vaas/templates/gateway/_helpers.tpl
@@ -2,7 +2,7 @@
 Expand the name of the chart.
 */}}
 {{- define "gateway.name" -}}
-{{- default .Chart.Name .Values.gateway.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- default "gateway" .Values.gateway.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*

diff --git a/charts/vaas/templates/gateway/networkpolicy.yaml b/charts/vaas/templates/gateway/networkpolicy.yaml
@@ -15,15 +15,34 @@ spec:
   ingress:
     - from:
       ports:
-        - port: 8080 # Http
+        - port: 8080 # Upload
         - port: 9090 # Websocket
   egress:
     - to:
       ports:
         - port: 443 # VerdictRequestForUrl
         - port: 80  # VerdictRequestForUrl
-        - port: 6379 # Redis
-        - port: 8080 # GdScan
-        - port: 53 # DNS
-          protocol: UDP
+    - to:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: redis
+      ports:
+        - port: 6379
+    - to:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: gdscan
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: mini-identity-provider              
+      ports:
+        - port: 8080
+    - to:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - port: 53
+          protocol: UDP     
 {{- end }}
diff --git a/charts/vaas/templates/gdscan/_helpers.tpl b/charts/vaas/templates/gdscan/_helpers.tpl
@@ -2,7 +2,7 @@
 Expand the name of the chart.
 */}}
 {{- define "gdscan.name" -}}
-{{- default .Chart.Name .Values.gdscan.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- default "gdscan" .Values.gdscan.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*

diff --git a/charts/vaas/templates/gdscan/networkpolicy.yaml b/charts/vaas/templates/gdscan/networkpolicy.yaml
@@ -13,6 +13,9 @@ spec:
   - Ingress
   ingress:
     - from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: gateway
       ports:
-        - port: 8080 # Http
+        - port: 8080 # Upload
 {{- end }}
diff --git a/helm.sh b/helm.sh
@@ -13,5 +13,4 @@ VALUES_FILE=$1
 helm dep up charts/vaas
 helm lint charts/vaas -f $VALUES_FILE
 helm template charts/vaas -f $VALUES_FILE
-helm uninstall vaas -n vaas
-helm install vaas charts/vaas -f $VALUES_FILE -n vaas --create-namespace
+helm upgrade --install vaas charts/vaas -f $VALUES_FILE -n vaas --create-namespace