feat: add support NetworkPolicy

maksim-paskal · Nov 21, 2024 · 3a8fda9 · 3a8fda9
1 parent 94f5601
commit 3a8fda9
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -332,4 +332,17 @@ helm upgrade aks-node-termination-handler \
 aks-node-termination-handler/aks-node-termination-handler \
 --set priorityClassName=system-node-critical \
 --set hostNetwork=true
+```
+
+## NetworkPolicy support
+
+To limit what the workload can communicate with, Networkpolicy can be added via `--set networkPolicy.enabled=true`. To only allow egress communication towards required endpoints, supply the control plane IP address via  `--set networkPolicy.controlPlaneIP=10.11.12.13`. Additional egress rules can be added via `--set networkPolicy.additionalEgressRules=[]`, see the chart-provided `values.yaml` file for examples.
+
+```bash
+helm upgrade aks-node-termination-handler \
+--install \
+--namespace kube-system \
+aks-node-termination-handler/aks-node-termination-handler \
+--set networkPolicy.enabled=true \
+--set networkPolicy.controlPlaneIP=10.11.12.2
 ```
diff --git a/charts/aks-node-termination-handler/Chart.yaml b/charts/aks-node-termination-handler/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 icon: https://helm.sh/img/helm.svg
 name: aks-node-termination-handler
-version: 1.1.6
+version: 1.1.7
 description: Gracefully handle Azure Virtual Machines shutdown within Kubernetes
 maintainers:
 - name: maksim-paskal  # Maksim Paskal

diff --git a/charts/aks-node-termination-handler/templates/networkpolicy.yaml b/charts/aks-node-termination-handler/templates/networkpolicy.yaml
@@ -0,0 +1,47 @@
+{{ if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  egress:
+  - ports:
+    - port: 80
+      protocol: TCP
+    to:
+    - ipBlock:
+        cidr: 169.254.169.254/32
+  - ports:
+    - port: 443
+      protocol: TCP
+{{- if .Values.networkPolicy.controlPlaneIP }}
+    to:
+    - ipBlock:
+        cidr: {{ .Values.networkPolicy.controlPlaneIP }}/32
+{{- end }}
+{{- if .Values.networkPolicy.additionalEgressRules }}
+{{ toYaml .Values.networkPolicy.additionalEgressRules | indent 2 }}
+{{- end }}
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+    to:
+    - namespaceSelector: {}
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+  ingress:
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: 17923
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app: {{ .Release.Name }}
+  policyTypes:
+  - Ingress
+  - Egress
+{{ end }}
diff --git a/charts/aks-node-termination-handler/values.yaml b/charts/aks-node-termination-handler/values.yaml
@@ -27,6 +27,17 @@ configMap:
 extraVolumes: []
 extraVolumeMounts: []
 
+networkPolicy:
+  enabled: false
+  # controlPlaneIP: "123.X.X.X" # If not provided, network policy will allow all access to port 443/tcp
+  # additionalEgressRules:
+  # - ports:
+  #   - port: 443
+  #     protocol: TCP
+  #   to:
+  #   - ipBlock:
+  #       cidr: 124.X.X.X/24
+
 metrics:
   addAnnotations: true