首页 探索 帮助
登录
tum
/
soc
关注 1
点赞 0
派生 0
代码 工单管理 0 合并请求 0 提交历史 35 版本发布 0 Wiki

暂无描述

分支: main
分支列表 标签列表
soc
/
Shuffle
/
functions
/
kubernetes
/
charts
/
shuffle
/
templates
/
backend
/
backend-netw...

backend-network-policy.yaml 2.6KB
永久链接 文件历史 原始文件

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667 
  1. {{- if .Values.backend.networkPolicy.enabled }}
    2. 

  2. kind: NetworkPolicy
    3. 

  3. apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
    4. 

  4. metadata:
    5. 

  5.   name: {{ template "shuffle.backend.name" . }}
    6. 

  6.   namespace: {{ include "common.names.namespace" . | quote }}
    7. 

  7.   labels: {{- include "shuffle.backend.labels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    8. 

  8.   {{- if .Values.commonAnnotations }}
    9. 

  9.   annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
    10. 

  10.   {{- end }}
    11. 

  11. spec:
    12. 

  12.   {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backend.podLabels .Values.commonLabels ) "context" . ) }}
    13. 

  13.   podSelector:
    14. 

  14.     matchLabels: {{- include "shuffle.backend.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
    15. 

  15.   policyTypes:
    16. 

  16.     - Ingress
    17. 

  17.     - Egress
    18. 

  18.   egress:
    19. 

  19.     {{- if .Values.backend.networkPolicy.allowExternalEgress }}
    20. 

  20.     - {}
    21. 

  21.     {{- else }}
    22. 

  22.     # Allow DNS resolution with an in-cluster DNS server
    23. 

  23.     - ports:
    24. 

  24.         - port: 53
    25. 

  25.           protocol: UDP
    26. 

  26.         - port: 53
    27. 

  27.           protocol: TCP
    28. 

  28.       to:
    29. 

  29.         - namespaceSelector:
    30. 

  30.             matchLabels:
    31. 

  31.               kubernetes.io/metadata.name: kube-system
    32. 

  32.     {{- if .Values.backend.networkPolicy.extraEgress }}
    33. 

  33.     {{- include "common.tplvalues.render" ( dict "value" .Values.backend.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
    34. 

  34.     {{- end }}
    35. 

  35.     {{- end }}
    36. 

  36.   ingress:
    37. 

  37.     - ports:
    38. 

  38.         - port: {{ .Values.backend.containerPorts.http }}
    39. 

  39.           protocol: TCP
    40. 

  40.       {{- if not .Values.backend.networkPolicy.allowExternal }}
    41. 

  41.       from:
    42. 

  42.         # Allow traffic from orborus
    43. 

  43.         - namespaceSelector:
    44. 

  44.             matchLabels:
    45. 

  45.               kubernetes.io/metadata.name: {{ .Release.Namespace }}
    46. 

  46.           podSelector:
    47. 

  47.             matchLabels: {{ include "shuffle.orborus.matchLabels" . | nindent 14 }}
    48. 

  48. 

  49.         # Allow traffic from workers
    50. 

  50.         - namespaceSelector:
    51. 

  51.             matchLabels:
    52. 

  52.               kubernetes.io/metadata.name: {{ .Release.Namespace }}
    53. 

  53.           podSelector:
    54. 

  54.             matchLabels: {{ include "shuffle.worker.matchLabels" . | nindent 14 }}
    55. 

  55. 

  56.         # Allow traffic from apps
    57. 

  57.         - namespaceSelector:
    58. 

  58.             matchLabels:
    59. 

  59.               kubernetes.io/metadata.name: {{ .Release.Namespace }}
    60. 

  60.           podSelector:
    61. 

  61.             matchLabels: {{ include "shuffle.app.matchLabels" . | nindent 14 }}
    62. 

  62.       {{- end }}
    63. 

  63.     {{- if .Values.backend.networkPolicy.extraIngress }}
    64. 

  64.     {{- include "common.tplvalues.render" ( dict "value" .Values.backend.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
    65. 

  65.     {{- end }}
    66. 

  66. {{- end }}
    67. 

  67.