@ -1,5 +1,5 @@
|
||||
|
||||
{{ range .Values.nfc_monitoring.network_policy.policies }}
|
||||
{{- if .Values.nfc_monitoring.network_policy.enabled -}}
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
@ -13,10 +13,301 @@ metadata:
|
||||
name: {{ .name | replace "_" "-" }}
|
||||
namespace: {{ (get $.Values.nfc_monitoring .name ).namespace }}
|
||||
spec:
|
||||
{{ toYaml .policy | nindent 2 }}
|
||||
- name: prometheus
|
||||
policy:
|
||||
egress: # ToDo: add further restrictions to egress. is variable lookup possible to obtain values????
|
||||
# - {}
|
||||
- to: # Alert Manager
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: alerting
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/instance: {{ $.Release.Name }}
|
||||
app.kubernetes.io/component: alert-router
|
||||
app.kubernetes.io/name: alertmanager
|
||||
ports:
|
||||
- port: 9093
|
||||
protocol: TCP
|
||||
|
||||
- to: # Ceph
|
||||
- ipBlock:
|
||||
cidr: 172.16.10.0/24
|
||||
ports:
|
||||
- port: 9283
|
||||
protocol: TCP
|
||||
|
||||
- to: # Grafana
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: grafana
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/component: graphing
|
||||
app.kubernetes.io/instance: {{ $.Release.Name }}
|
||||
app.kubernetes.io/name: grafana
|
||||
ports:
|
||||
- port: 3000
|
||||
protocol: TCP
|
||||
|
||||
- to: # Grafana Agent
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: monitoring
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/instance: {{ $.Release.Name }}
|
||||
app.kubernetes.io/component: exporter
|
||||
app.kubernetes.io/name: grafana-agent
|
||||
ports:
|
||||
- port: 12345
|
||||
protocol: TCP
|
||||
|
||||
- to: # Kube DNS
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: kube-system
|
||||
podSelector:
|
||||
matchLabels:
|
||||
k8s-app: kube-dns
|
||||
ports:
|
||||
- port: 53
|
||||
protocol: TCP
|
||||
- port: 53
|
||||
protocol: UDP
|
||||
|
||||
- to:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: prometheus
|
||||
# namespaceSelector:
|
||||
# matchLabels:
|
||||
# kubernetes.io/metadata.name: monitoiring
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: metrics
|
||||
ports: []
|
||||
|
||||
- {} # ToDo: Temp rule: Allow All. this rule MUST be removed when egress has been refactored
|
||||
|
||||
ingress:
|
||||
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: prometheus
|
||||
# namespaceSelector:
|
||||
# matchLabels:
|
||||
# kubernetes.io/metadata.name: monitoiring
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: metrics
|
||||
ports: []
|
||||
# - port: 8080
|
||||
# protocol: TCP
|
||||
# - port: 9090
|
||||
# protocol: TCP
|
||||
# - port: 10901
|
||||
# protocol: TCP
|
||||
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: grafana
|
||||
namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: grafana
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: prometheus-adapter
|
||||
namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: monitoring
|
||||
ports:
|
||||
- port: 9090
|
||||
protocol: TCP
|
||||
|
||||
- from: []
|
||||
ports: []
|
||||
|
||||
policyTypes:
|
||||
- Egress
|
||||
- Ingress
|
||||
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{ toYaml (get $.Values.nfc_monitoring .name ).labels | nindent 6 }}
|
||||
{{ toYaml $.Values.nfc_monitoring.prometheus.labels | nindent 6 }}
|
||||
app.kubernetes.io/instance: {{ $.Release.Name }}
|
||||
app.kubernetes.io/part-of: {{ $.Chart.Name }}
|
||||
app.kubernetes.io/managed-by: {{ $.Release.Service }}
|
||||
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
labels:
|
||||
{{ toYaml (get $.Values.nfc_monitoring .name ).labels | nindent 4 }}
|
||||
app.kubernetes.io/instance: {{ $.Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ $.Release.Service }}
|
||||
app.kubernetes.io/part-of: {{ $.Chart.Name }}
|
||||
app.kubernetes.io/version: {{ $.Chart.Version }}
|
||||
name: {{ .name | replace "_" "-" }}
|
||||
namespace: {{ (get $.Values.nfc_monitoring .name ).namespace }}
|
||||
spec:
|
||||
- name: grafana
|
||||
policy:
|
||||
egress:
|
||||
|
||||
- to:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: alerting
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/instance: {{ $.Release.Name }}
|
||||
app.kubernetes.io/component: alert-router
|
||||
app.kubernetes.io/name: alertmanager
|
||||
ports:
|
||||
- port: 9093
|
||||
protocol: TCP
|
||||
|
||||
- to:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: logging
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/component: gateway
|
||||
app.kubernetes.io/instance: loki
|
||||
app.kubernetes.io/name: loki
|
||||
ports:
|
||||
- port: 80 # Service Port
|
||||
protocol: TCP
|
||||
- port: 8080 # Pod Port
|
||||
protocol: TCP
|
||||
|
||||
- to:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: monitoring
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/component: prometheus
|
||||
app.kubernetes.io/instance: {{ $.Release.Name }}
|
||||
app.kubernetes.io/name: prometheus
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: metrics
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/component: query-layer
|
||||
app.kubernetes.io/instance: thanos-query
|
||||
app.kubernetes.io/name: thanos-query
|
||||
ports:
|
||||
- port: 9090
|
||||
protocol: TCP
|
||||
|
||||
- to: [] # Requires internet access for plugins and dashboard downloading
|
||||
ports:
|
||||
- port: 443
|
||||
protocol: TCP
|
||||
|
||||
- to: # Kube DNS
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: kube-system
|
||||
podSelector:
|
||||
matchLabels:
|
||||
k8s-app: kube-dns
|
||||
ports:
|
||||
- port: 53
|
||||
protocol: TCP
|
||||
- port: 53
|
||||
protocol: UDP
|
||||
|
||||
ingress:
|
||||
|
||||
- from: []
|
||||
ports:
|
||||
- port: 3000
|
||||
protocol: TCP
|
||||
policyTypes:
|
||||
- Egress
|
||||
- Ingress
|
||||
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{ toYaml $.Values.nfc_monitoring.grafana.labels | nindent 8 }}
|
||||
app.kubernetes.io/instance: {{ $.Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ $.Release.Service }}
|
||||
app.kubernetes.io/part-of: {{ $.Chart.Name }}
|
||||
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
labels:
|
||||
{{ toYaml (get $.Values.nfc_monitoring .name ).labels | nindent 4 }}
|
||||
app.kubernetes.io/instance: {{ $.Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ $.Release.Service }}
|
||||
app.kubernetes.io/part-of: {{ $.Chart.Name }}
|
||||
app.kubernetes.io/version: {{ $.Chart.Version }}
|
||||
name: {{ .name | replace "_" "-" }}
|
||||
namespace: {{ (get $.Values.nfc_monitoring .name ).namespace }}
|
||||
spec:
|
||||
- name: grafana_agent
|
||||
policy:
|
||||
egress:
|
||||
|
||||
- to: # Logging
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: logging
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/component: gateway
|
||||
app.kubernetes.io/instance: loki
|
||||
app.kubernetes.io/name: loki
|
||||
ports:
|
||||
- port: 80
|
||||
protocol: TCP
|
||||
|
||||
- to: # Kube DNS
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: kube-system
|
||||
podSelector:
|
||||
matchLabels:
|
||||
k8s-app: kube-dns
|
||||
ports:
|
||||
- port: 53
|
||||
protocol: TCP
|
||||
- port: 53
|
||||
protocol: UDP
|
||||
|
||||
ingress:
|
||||
|
||||
- from:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: monitoring
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/component: prometheus
|
||||
app.kubernetes.io/name: prometheus
|
||||
ports:
|
||||
- port: 12345
|
||||
protocol: TCP
|
||||
|
||||
policyTypes:
|
||||
- Egress
|
||||
- Ingress
|
||||
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{ toYaml $.Values.nfc_monitoring.grafana_agent.labels | nindent 8 }}
|
||||
app.kubernetes.io/instance: {{ $.Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ $.Release.Service }}
|
||||
app.kubernetes.io/part-of: {{ $.Chart.Name }}
|
||||
|
||||
{{ end }}
|
||||
|
||||
Reference in New Issue
Block a user