
Create network policies for helm chart (#11653)
* Create network policies for helm chart

* Add network policy for runner
chainchad authored Dec 22, 2023
1 parent 3661f48 commit d483612
Showing 5 changed files with 151 additions and 0 deletions.
27 changes: 27 additions & 0 deletions charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml
@@ -0,0 +1,27 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ $.Release.Name }}-db
spec:
podSelector:
matchLabels:
app: {{ $.Release.Name }}-db
policyTypes:
- Ingress
ingress:
# Allow all node pods to access the database pods.
- from:
- podSelector:
matchLabels:
app: {{ $.Release.Name }}
ports:
- protocol: TCP
port: 5432
# Allow all runner pods to access the database pods.
- from:
- podSelector:
matchLabels:
app: runner
ports:
- protocol: TCP
port: 5432
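Review bot: The `app: runner` selector in the second ingress rule is not scoped to the release the way `app: {{ $.Release.Name }}` is, so any pod in the namespace carrying that label — a runner from another release, or an unrelated workload that happens to use it — is granted TCP 5432 to this release's database. If the runner is managed by this chart, give it a release-specific label and select on that, e.g. `app: {{ $.Release.Name }}-runner`; if it is created by something outside the chart, say so in the comment above the rule so the trust boundary is explicit. Note also that a bare `podSelector` inside `from` only matches pods in the policy's own namespace; a runner deployed elsewhere would silently fail to match unless a `namespaceSelector` is added alongside it.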
@@ -0,0 +1,57 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ $.Release.Name }}-node
spec:
podSelector:
matchLabels:
app: {{ $.Release.Name }}
policyTypes:
- Ingress
- Egress
ingress:
# Allow all ingress traffic between the node pods and from runner pod.
- from:
- podSelector:
matchLabels:
app: {{ $.Release.Name }}
- from:
- podSelector:
matchLabels:
app: runner
egress:
# Allow all egress traffic between the node pods and to runner pod.
- to:
- podSelector:
matchLabels:
app: {{ $.Release.Name }}
- to:
- podSelector:
matchLabels:
app: runner
# Allow all node pods to access the database pods.
- to:
- podSelector:
matchLabels:
app: {{ $.Release.Name }}-db
ports:
- protocol: TCP
port: 5432
# Allow all node pods to access the geth pods.
- to:
- podSelector:
matchLabels:
app: geth
ports:
- protocol: TCP
port: 8544
- protocol: TCP
port: 8546
# Allow all node pods to access the mockserver pods.
- to:
- podSelector:
matchLabels:
app: mockserver
ports:
- protocol: TCP
port: 1080
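Review bot: The egress rules only allow the node, runner, db, geth and mockserver pods, so with the chart's all-pod default-deny policy in place the node pods can no longer reach cluster DNS, and Service names such as the `{{ $.Release.Name }}-db` host will stop resolving unless the CNI exempts DNS traffic. Add an explicit egress rule for the cluster DNS pods; the namespace and pod labels below assume a kube-dns/CoreDNS deployment in `kube-system` and should be confirmed against the target cluster. Separately, the two ingress rules carry no `ports` list, so the runner and peer node pods are granted every port on a node pod — if the chart already knows the node API and P2P ports, listing them here would tighten the policy without changing what the tests need.
```yaml
egress:
  # … unchanged: node, runner, db, geth and mockserver rules …
  # Allow cluster DNS so the Service names used above still resolve under
  # the default-deny egress policy. Labels assume kube-dns/CoreDNS in
  # kube-system — adjust for the cluster's DNS deployment.
  - to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
    ports:
      - protocol: UDP
        port: 53
      - protocol: TCP
        port: 53
```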
31 changes: 31 additions & 0 deletions charts/chainlink-cluster/templates/geth-networkpolicy.yaml
@@ -0,0 +1,31 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ $.Release.Name }}-geth
spec:
podSelector:
matchLabels:
app: geth
policyTypes:
- Ingress
ingress:
# Allow http and websocket connections from the node pods.
- from:
- podSelector:
matchLabels:
app: {{ $.Release.Name }}
ports:
- protocol: TCP
port: 8544
- protocol: TCP
port: 8546
# Allow http and websocket connections from the runner pods.
- from:
- podSelector:
matchLabels:
app: runner
ports:
- protocol: TCP
port: 8544
- protocol: TCP
port: 8546
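Review bot: The literal 8544/8546 port numbers here duplicate the ones in the node policy's geth egress rule, so a change to the geth listener port has to be made in two templates or the two policies silently disagree and the node's RPC traffic is dropped. If the chart's values already define the geth HTTP and WebSocket ports, reference them in both templates (something like `port: {{ .Values.geth.httpPort }}`) instead of repeating the literals — values.yaml is not part of this commit, so the key names need confirming. Since 8544 is not geth's usual HTTP port, a short comment pointing at where the geth container is configured to listen on 8544 would also help the next reader verify the two sides still match.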
27 changes: 27 additions & 0 deletions charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml
@@ -0,0 +1,27 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ $.Release.Name }}-mockserver
spec:
podSelector:
matchLabels:
app: mockserver
policyTypes:
- Ingress
ingress:
# Allow http traffic from the node pods.
- from:
- podSelector:
matchLabels:
app: {{ $.Release.Name }}
ports:
- protocol: TCP
port: 1080
# Allow http traffic from the runner pods.
- from:
- podSelector:
matchLabels:
app: runner
ports:
- protocol: TCP
port: 1080
@@ -0,0 +1,9 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
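Review bot: `default-deny-all` is the only policy in this commit whose name lacks the `{{ $.Release.Name }}` prefix, so installing a second release of the chart into the same namespace will fail on the conflicting resource; `name: {{ $.Release.Name }}-default-deny-all` keeps it consistent with the other four templates. Because this policy selects every pod and lists Egress, any pod without a matching allow rule loses all outbound traffic including DNS — that covers the runner pod, which I can see named in ingress/egress rules but for which no policy of its own appears in the five files, and the db, geth and mockserver pods, whose policies declare only Ingress. Please confirm that is intended, or add the egress rules those pods need. Finally, NetworkPolicy objects are only enforced by a CNI that implements them; on a cluster without one they are accepted and do nothing, which is worth a line in the chart's README or NOTES.txt so the isolation is not assumed.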
