[fix] add exception for the platform in network policy (#2007)

* [fix] add exception for the platform in network policy * removed netPol tests because kind doesn't enforce them
loft-sh · Aug 2, 2024 · 5b3275a · 5b3275a
1 parent d4b9b4a
commit 5b3275a
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 8 deletions.
diff --git a/chart/templates/networkpolicy.yaml b/chart/templates/networkpolicy.yaml
@@ -95,7 +95,7 @@ spec:
           podSelector:
             matchLabels:
               k8s-app: kube-dns
-        {{- if .Values.policies.networkPolicy.platformEnabled }}
+        {{- if .Values.policies.networkPolicy.outgoingConnections.platform }}
         - podSelector:
             matchLabels:
               app: loft

diff --git a/chart/values.schema.json b/chart/values.schema.json
@@ -1839,9 +1839,6 @@
           "type": "boolean",
           "description": "Enabled defines if the network policy should be deployed by vCluster."
         },
-        "platformEnabled": {
-          "type": "boolean"
-        },
         "fallbackDns": {
           "type": "string"
         },
@@ -1949,6 +1946,10 @@
         "ipBlock": {
           "$ref": "#/$defs/IPBlock",
           "description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.0/24\",\"2001:db8::/64\") that is allowed\nto the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs\nthat should not be included within this rule."
+        },
+        "platform": {
+          "type": "boolean",
+          "description": "Platform enables egress access towards loft platform"
         }
       },
       "additionalProperties": false,

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -734,11 +734,12 @@ policies:
   networkPolicy:
     # Enabled defines if the network policy should be deployed by vCluster.
     enabled: false
-    platformEnabled: false
     labels: {}
     annotations: {}
     fallbackDns: 8.8.8.8
     outgoingConnections:
+      # Platform enables egress access towards loft platform
+      platform: true
       # IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed
       # to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs
       # that should not be included within this rule.

diff --git a/config/config.go b/config/config.go
@@ -1386,8 +1386,7 @@ type LimitRange struct {
 
 type NetworkPolicy struct {
 	// Enabled defines if the network policy should be deployed by vCluster.
-	Enabled         bool `json:"enabled,omitempty"`
-	PlatformEnabled bool `json:"platformEnabled,omitempty"`
+	Enabled bool `json:"enabled,omitempty"`
 
 	FallbackDNS         string              `json:"fallbackDns,omitempty"`
 	OutgoingConnections OutgoingConnections `json:"outgoingConnections,omitempty"`
@@ -1400,6 +1399,9 @@ type OutgoingConnections struct {
 	// to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs
 	// that should not be included within this rule.
 	IPBlock IPBlock `json:"ipBlock,omitempty"`
+
+	// Platform enables egress access towards loft platform
+	Platform bool `json:"platform,omitempty"`
 }
 
 type IPBlock struct {

diff --git a/config/values.yaml b/config/values.yaml
@@ -443,11 +443,11 @@ policies:
 
   networkPolicy:
     enabled: false
-    platformEnabled: false
     labels: {}
     annotations: {}
     fallbackDns: 8.8.8.8
     outgoingConnections:
+      platform: true
       ipBlock:
         cidr: 0.0.0.0/0
         except: