feat(woodpecker): add network-polices (#252)
Co-authored-by: WrenIX <[email protected]>
wrenix and WrenIX authored Nov 22, 2024
1 parent eab3cf0 commit 0a02e93
Showing 9 changed files with 247 additions and 0 deletions.
14 changes: 14 additions & 0 deletions charts/woodpecker/charts/agent/README.md
Expand Up @@ -26,6 +26,20 @@ A Helm chart for the Woodpecker agent

## Values

### NetworkPolicy

| Key | Type | Default | Description |
| ------------------------------ | ------ | -------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
| networkPolicy.egress.apiserver | object | `{"ports":[{"port":6443,"protocol":"TCP"}],"to":[{"ipBlock":{"cidr":"10.43.0.1/32"}}]}` | rule to access Kubernetes APIServer |
| networkPolicy.egress.dns | list | `[{"namespaceSelector":{"matchLabels":{"kubernetes.io/metadata.name":"kube-system"}},"podSelector":{"matchLabels":{"k8s-app":"kube-dns"}}}]` | rule to access DNS |
| networkPolicy.egress.enabled | bool | `true` | activate egress no networkpolicy |
| networkPolicy.egress.extra | list | `[]` | rule to access additional PS: you should not use (the job it-self are other pods) |
| networkPolicy.egress.server | object | `{"ports":[{"port":9000,"protocol":"TCP"}],"to":[{"podSelector":{"matchLabels":{"app.kubernetes.io/name":"server"}}}]}` | rule to access woodpecker-agent |
| networkPolicy.enabled | bool | `false` | deploy networkpolicy |
| networkPolicy.ingress.http | list | `[]` | allow to http ports normaly not needed |

### Other Values

| Key | Type | Default | Description |
| ------------------------------------------- | ------ | --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| affinity | object | `{}` | Specifies the affinity |
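--- a/charts/woodpecker/charts/agent/templates/networkpolicy.yaml
+++ b/charts/woodpecker/charts/agent/templates/networkpolicy.yaml
@@ -0,0 +1,50 @@
+{{- with .Values.networkPolicy }}
+{{- if .enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: {{ include "woodpecker-agent.fullname" $ }}
+labels:
+{{- include "woodpecker-agent.labels" $ | nindent 4 }}
+spec:
+podSelector:
+matchLabels:
+{{- include "woodpecker-agent.selectorLabels" $ | nindent 6 }}
+policyTypes:
+- Ingress
+{{- if .egress.enabled }}
+- Egress
+{{- end }}
+ingress:
+{{- with .ingress.http }}
+- ports:
+- port: 3000
+protocol: TCP
+from:
+{{- toYaml . | nindent 8 }}
+{{- end }}{{/* end-with .ingress.http */}}
+
+{{- with .egress }}
+{{- if .enabled }}
+egress:
+{{- with .dns }}
+- ports:
+- port: 53
+protocol: UDP
+to:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .server }}
+- {{- toYaml . | nindent 6 }}
+{{- end }}
+{{- with .apiserver }}
+- {{- toYaml . | nindent 6 }}
+{{- end }}
+{{- with .extra }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- end }}{{/* end-if egress.enabled */}}
+{{- end }}{{/* end-with .egress */}}
+{{- end }}
+{{- end }}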
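Review bot: The DNS egress rule in the `{{- with .dns }}` block opens only UDP/53, so a resolver that retries over TCP after a truncated answer is cut off; add a second entry under `ports:`, `- port: 53` with `protocol: TCP`, beside the UDP one. The `{{- with .dns }}` block in the server template has the same gap. The policy's `podSelector` is built from the agent's selectorLabels, so pipeline pods the agent launches are presumably outside its scope and keep unrestricted traffic; a comment on the `egress:` block saying so would stop operators from assuming the job pods are covered.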
47 changes: 47 additions & 0 deletions charts/woodpecker/charts/agent/values.yaml
Expand Up @@ -102,6 +102,53 @@ serviceAccount:
annotations: {}
labels: {}

networkPolicy:
# -- deploy networkpolicy
# @section -- NetworkPolicy
enabled: false
ingress:
# -- allow to http ports
# normaly not needed
# @section -- NetworkPolicy
http: []
egress:
# -- activate egress no networkpolicy
# @section -- NetworkPolicy
enabled: true
# -- rule to access DNS
# @section -- NetworkPolicy
dns:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
# -- rule to access woodpecker-agent
# @section -- NetworkPolicy
server:
ports:
- port: 9000
protocol: TCP
to:
- podSelector:
matchLabels:
app.kubernetes.io/name: server
# -- rule to access Kubernetes APIServer
# @section -- NetworkPolicy
apiserver:
ports:
- port: 6443
protocol: TCP
to:
- ipBlock:
cidr: 10.43.0.1/32

# -- rule to access additional
# PS: you should not use (the job it-self are other pods)
# @section -- NetworkPolicy
extra: []

# -- Add pod annotations for the agent component
podAnnotations: {}

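Review bot: The comment on `server:` reads `# -- rule to access woodpecker-agent`, but the rule selects `app.kubernetes.io/name: server` on port 9000 and the agent is the policy's subject, so it should read `# -- rule to access the woodpecker-server (gRPC, port 9000)`; the agent README table carries the same wording. The `apiserver` default `cidr: 10.43.0.1/32` is one cluster's service ClusterIP (it looks like the k3s default) and will not match elsewhere, so its comment should say the value must be set per cluster; on some CNIs policies are evaluated after service DNAT and the API server's endpoint IPs have to be listed instead of the ClusterIP — confirm on the target CNI and document it. `# -- activate egress no networkpolicy` is hard to parse; `# -- restrict egress; when false, Egress is omitted from policyTypes and outbound traffic stays unrestricted` matches what the template does, and the server values.yaml has the same comment.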
15 changes: 15 additions & 0 deletions charts/woodpecker/charts/server/README.md
Expand Up @@ -41,6 +41,21 @@ In the following scenarios, you need to take additional action:

## Values

### NetworkPolicy

| Key | Type | Default | Description |
| ----------------------------- | ---- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------- |
| networkPolicy.egress.database | list | `[]` | rule to access Database |
| networkPolicy.egress.dns | list | `[{"namespaceSelector":{"matchLabels":{"kubernetes.io/metadata.name":"kube-system"}},"podSelector":{"matchLabels":{"k8s-app":"kube-dns"}}}]` | rule to access DNS |
| networkPolicy.egress.enabled | bool | `true` | activate egress no networkpolicy |
| networkPolicy.egress.extra | list | `[]` | rule to access additional |
| networkPolicy.enabled | bool | `false` | deploy networkpolicy |
| networkPolicy.ingress.grpc | list | `[{"podSelector":{"matchLabels":{"app.kubernetes.io/name":"agent"}}}]` | allow to grpc ports should be your woodpecker-agent |
| networkPolicy.ingress.http | list | `[]` | allow to http ports should be your ingress-controller |
| networkPolicy.ingress.metrics | list | `[{"namespaceSelector":{"matchLabels":{"kubernetes.io/metadata.name":"monitoring"}},"podSelector":{"matchLabels":{"app.kubernetes.io/name":"prometheus"}}}]` | allow to metrics ports should be your prometheus instance |

### Other Values

| Key | Type | Default | Description |
| -------------------------------- | ------ | ----------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| affinity | object | `{}` | Add affinity |
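--- a/charts/woodpecker/charts/server/templates/networkpolicy.yaml
+++ b/charts/woodpecker/charts/server/templates/networkpolicy.yaml
@@ -0,0 +1,61 @@
+{{- with .Values.networkPolicy }}
+{{- if .enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: {{ include "woodpecker-server.fullname" $ }}
+labels:
+{{- include "woodpecker-server.labels" $ | nindent 4 }}
+spec:
+podSelector:
+matchLabels:
+{{- include "woodpecker-server.selectorLabels" $ | nindent 6 }}
+policyTypes:
+- Ingress
+{{- if .egress.enabled }}
+- Egress
+{{- end }}
+ingress:
+{{- with .ingress.http }}
+- ports:
+- port: 8000
+protocol: TCP
+from:
+{{- toYaml . | nindent 8 }}
+{{- end }}{{/* end-with .ingress.http */}}
+{{- with .ingress.grpc }}
+- ports:
+- port: 9000
+protocol: TCP
+from:
+{{- toYaml . | nindent 8 }}
+{{- end }}{{/* end-with .ingress.grpc */}}
+{{- with .ingress.metrics }}
+- ports:
+- port: {{ $.Values.metrics.port }}
+protocol: TCP
+from:
+{{- toYaml . | nindent 8 }}
+{{- end }}{{/* end-with .ingress.metrics */}}
+
+{{- with .egress }}
+{{- if .enabled }}
+egress:
+{{- with .dns }}
+- ports:
+- port: 53
+protocol: UDP
+to:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .database }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .extra }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- end }}{{/* end-if egress.enabled */}}
+{{- end }}{{/* end-with .egress */}}
+{{- end }}
+{{- end }}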
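Review bot: The metrics ingress rule renders `port: {{ $.Values.metrics.port }}` whenever `.ingress.metrics` is non-empty, which it is by default, without checking that metrics are enabled in this chart; if `metrics.port` is unset that yields an empty `port:` and the manifest is rejected, so gate the block on the chart's metrics toggle as well, assuming one exists. With the default `ingress.http: []` the rendered policy admits only gRPC from the agent and metrics from the monitoring namespace, so enabling it blocks the ingress controller (and with it forge webhooks) until `ingress.http` is populated; that is sound default-deny behaviour, but it should be stated next to `networkPolicy.enabled` in values.yaml.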
49 changes: 49 additions & 0 deletions charts/woodpecker/charts/server/values.yaml
Expand Up @@ -169,6 +169,55 @@ ingress:
# hosts:
# - chart-example.local

networkPolicy:
# -- deploy networkpolicy
# @section -- NetworkPolicy
enabled: false
ingress:

# -- allow to http ports
# should be your ingress-controller
# @section -- NetworkPolicy
http: []

# -- allow to metrics ports
# should be your prometheus instance
# @section -- NetworkPolicy
metrics:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: monitoring
podSelector:
matchLabels:
app.kubernetes.io/name: prometheus

# -- allow to grpc ports
# should be your woodpecker-agent
# @section -- NetworkPolicy
grpc:
- podSelector:
matchLabels:
app.kubernetes.io/name: agent
egress:
# -- activate egress no networkpolicy
# @section -- NetworkPolicy
enabled: true
# -- rule to access DNS
# @section -- NetworkPolicy
dns:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
# -- rule to access Database
# @section -- NetworkPolicy
database: []
# -- rule to access additional
# @section -- NetworkPolicy
extra: []

# -- Specifies the ressources for the server component
resources:
{}
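Review bot: No default egress rule covers the server's outbound calls to its forge (OAuth, API and webhook-related requests go to the forge, not the database), so with `networkPolicy.enabled: true` and the default `egress.enabled: true` the operator must add the forge to `extra` or the server loses it; the `extra` comment should say so, e.g. `# -- additional egress rules, e.g. to the forge the server is configured against`. `database: []` likewise renders no rule, so an in-cluster database presumably becomes unreachable until a selector is given — worth a sentence in its comment. As in the agent values, the default `dns` rule is UDP-only; if the TCP/53 entry is added in the template, mention it here too so the README table stays accurate.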
Empty file.
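--- a/charts/woodpecker/ci/networkpolicy-values.yaml
+++ b/charts/woodpecker/ci/networkpolicy-values.yaml
@@ -0,0 +1,11 @@
+agent:
+networkPolicy:
+enabled: true
+egress:
+enabled: true
+
+server:
+networkPolicy:
+enabled: true
+egress:
+enabled: true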
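Review bot: The fixture only flips `networkPolicy.enabled` on both sub-charts and restates `egress.enabled: true`, which is already the default, so the `{{- with .ingress.http }}`, `{{- with .database }}` and `{{- with .extra }}` branches that splice user-supplied lists in with `toYaml | nindent` never render in CI. Add one entry for each of those lists (a single `podSelector` is enough) so template linting exercises the indentation of those blocks, and consider a second fixture with `egress.enabled: false` to cover the `policyTypes` path without `Egress`.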
Binary file removed tmp/woodpecker-1.6.2.tgz
