Add helm network policies back (#11940)

* Re-add back network policies. From commit: dc9a073 * Create network policies conditionally
smartcontractkit · Feb 5, 2024 · 8b17f45 · 8b17f45
1 parent 08c37db
commit 8b17f45
Show file tree

Hide file tree

Showing 7 changed files with 165 additions and 0 deletions.
diff --git a/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml b/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-db
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ $.Release.Name }}-db
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        # Allow all node pods to access the database pods.
+        - podSelector:
+            matchLabels:
+              app: {{ $.Release.Name }}
+        # Allow all runner pods to access the database pods.
+        - podSelector:
+            matchLabels:
+              app: runner
+      ports:
+        - protocol: TCP
+          port: 5432
+{{- end }}
diff --git a/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml b/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-node
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ $.Release.Name }}
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow all ingress traffic between the node pods and from runner pod.
+    - from:
+      - podSelector:
+          matchLabels:
+            app: {{ $.Release.Name }}
+      - podSelector:
+          matchLabels:
+            app: runner
+{{- end }}
diff --git a/charts/chainlink-cluster/templates/geth-networkpolicy.yaml b/charts/chainlink-cluster/templates/geth-networkpolicy.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-geth
+spec:
+  podSelector:
+    matchLabels:
+      app: geth
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        # Allow http and websocket connections from the node pods.
+        - podSelector:
+            matchLabels:
+              app: {{ $.Release.Name }}
+        # Allow http and websocket connections from the runner pods.
+        - podSelector:
+            matchLabels:
+              app: runner
+      ports:
+        - protocol: TCP
+          port: 8544
+        - protocol: TCP
+          port: 8546
+{{- end }}
diff --git a/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml b/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-mockserver
+spec:
+  podSelector:
+    matchLabels:
+      app: mockserver
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        # Allow http traffic from the node pods.
+        - podSelector:
+            matchLabels:
+              app: {{ $.Release.Name }}
+        # Allow http traffic from the runner pods.
+        - podSelector:
+            matchLabels:
+              app: runner
+      ports:
+        - protocol: TCP
+          port: 1080
+{{- end }}
diff --git a/charts/chainlink-cluster/templates/networkpolicy-default.yaml b/charts/chainlink-cluster/templates/networkpolicy-default.yaml
@@ -0,0 +1,43 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default
+spec:
+  podSelector:
+    matchLabels: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+  {{- if and .Values.networkPolicyDefault.ingress.allowCustomCidrs (not (empty .Values.networkPolicyDefault.ingress.customCidrs)) }}
+  # Using a comma separated list to make it easy to pass in with:
+  # `helm template ... --set networkPolicyDefault.ingress.customCidrs=...`
+  {{- $cidrs := splitList "," .Values.networkPolicyDefault.ingress.customCidrs }}
+    - from:
+      {{- range $cidr := $cidrs }}
+      - ipBlock:
+          cidr: {{ $cidr | quote }}
+      {{- end }}
+  {{- else }}
+    # Deny all ingress if no rules are specified. Rules can still be specified in other templates.
+    - {}
+  {{- end }}
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: "{{ $.Release.Namespace }}"
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+{{- end }}
diff --git a/charts/chainlink-cluster/templates/runner-networkpolicy.yaml b/charts/chainlink-cluster/templates/runner-networkpolicy.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-runner
+spec:
+  podSelector:
+    matchLabels:
+      app: runner
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow all ingress traffic between the node pods and from runner pod.
+    - from:
+      - podSelector:
+          matchLabels:
+            app: {{ $.Release.Name }}
+      - podSelector:
+          matchLabels:
+            app: runner
+{{- end }}
diff --git a/charts/chainlink-cluster/values.yaml b/charts/chainlink-cluster/values.yaml
@@ -284,6 +284,9 @@ nodeSelector:
 tolerations:
 affinity:
 
+networkPolicies:
+  enabled: true
+
 # Configure the default network policy.
 networkPolicyDefault:
   ingress: