feat(woodpecker): add network-polices #252
Conversation
wrenix
force-pushed
the
feat/network-policy
branch
3 times, most recently
from
6cf5ead
to
bdf32b7
Compare
|
works for me, after fill: egress (must explicide enabled after networkpolicy ist enabled):
ingress:
|
There was a problem hiding this comment.
Would you mind adding some basic tests for the new resources? See the existing tests and https://github.com/helm-unittest/helm-unittest.
Besides, could add some words why/when networkPolicy is needed? I've never had any need yet to configure it in many years using k8s, so I'm curious 🙂️
|
I do not know, how to explain it. Network Policies are firewall rules for pods. Of couse you could run a Applications without restriction of networkPolicies/firewall rules ... It is just in case that somebody create into a container/pod to shild the network-access to other pods. (Or if your pod has a public ipv6 Adresse from the interner). There as example:
|
wrenix
force-pushed
the
feat/network-policy
branch
from
bdf32b7
to
aca83bf
Compare
|
Thanks for the explanation, very interesting. I've heard a bit about this approach before but never saw it in action so far. Makes a lot of sense. Let's see how it goes in practice and if this will cause any issues. Will also run in on my instance for a while before we release it. |
|
Be carefull on egress, there i have adjusted the values (here are values of running a release with name codeberg, beside another): agent:
replicaCount: 1
env:
WOODPECKER_BACKEND_K8S_STORAGE_RWX: false
WOODPECKER_MAX_WORKFLOWS: 4
WOODPECKER_BACKEND_K8S_POD_LABELS_ALLOW_FROM_STEP: true
WOODPECKER_BACKEND_K8S_POD_LABELS: |
{
"app.kubernetes.io/instance": "woodpecker",
"app.kubernetes.io/name": "job"
}
networkPolicy:
enabled: true
egress:
enabled: true
server:
to:
- podSelector:
matchLabels:
app.kubernetes.io/name: server
app.kubernetes.io/instance: codeberg
dns:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
apiserver:
ports:
- port: 6443
protocol: TCP
to:
- ipBlock:
# See endpoint of the Server in the default namespace (not the service-ip)
cidr: public.IP.of.API.server/32
server:
metrics:
enabled: true
prometheus:
podmonitor:
enabled: true
labels:
prometheus: "default"
rules:
enabled: true
labels:
prometheus: "default"
grafana:
dashboards:
enabled: true
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
traefik.ingress.kubernetes.io/router.middlewares: ingress-redirect-https@kubernetescrd
networkPolicy:
enabled: true
ingress:
http:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: ingress
podSelector:
matchLabels:
app.kubernetes.io/instance: traefik-ingress
app.kubernetes.io/name: traefik
metrics:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: monitoring
podSelector:
matchLabels:
prometheus: kube-prometheus-stack-prometheus
grpc:
- podSelector:
matchLabels:
app.kubernetes.io/name: agent
app.kubernetes.io/instance: codeberg
egress:
enabled: true
dns:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
database:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: shared-postgresql
podSelector:
matchLabels:
app.kubernetes.io/instance: postgresql
app.kubernetes.io/name: postgresql
|
No description provided.