diff --git a/values.yaml b/values.yaml
index 7321423..36f2b1b 100644
--- a/values.yaml
+++ b/values.yaml
@@ -373,6 +373,129 @@ nfc_monitoring: # - Define 'podSelector' as this is alreaady included using the selector labels policies: +### SoF Network Policy: Prometheus ### + + - name: prometheus + policy: + egress: # ToDo: add further restrictions to egress. is variable lookup possible to obtain values???? + # - {} + - to: # Alert Manager + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: alerting + podSelector: + matchLabels: + app.kubernetes.io/instance: main + app.kubernetes.io/component: alert-router + app.kubernetes.io/name: alertmanager + ports: + - port: 9093 + protocol: TCP + + - to: # Ceph + - ipBlock: + cidr: 172.16.10.0/24 + ports: + - port: 9283 + protocol: TCP + + - to: # Grafana + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: grafana + podSelector: + matchLabels: + app.kubernetes.io/component: graphing + app.kubernetes.io/instance: k8s + app.kubernetes.io/name: grafana + ports: + - port: 3000 + protocol: TCP + + - to: # Grafana Agent + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + podSelector: + matchLabels: + app.kubernetes.io/instance: k8s + app.kubernetes.io/component: exporter + app.kubernetes.io/name: grafana-agent + ports: + - port: 12345 + protocol: TCP + + - to: # Kube DNS + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + + - to: + - podSelector: + matchLabels: + app.kubernetes.io/name: prometheus + # namespaceSelector: + # matchLabels: + # kubernetes.io/metadata.name: monitoiring + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: metrics + ports: [] + + - {} # ToDo: Temp rule: Allow All. 
this rule MUST be removed when egress has been refactored + + ingress: + + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: prometheus + # namespaceSelector: + # matchLabels: + # kubernetes.io/metadata.name: monitoiring + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: metrics + ports: [] + # - port: 8080 + # protocol: TCP + # - port: 9090 + # protocol: TCP + # - port: 10901 + # protocol: TCP + + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: grafana + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: grafana + - podSelector: + matchLabels: + app.kubernetes.io/name: prometheus-adapter + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + ports: + - port: 9090 + protocol: TCP + + - from: [] + ports: [] + + policyTypes: + - Egress + - Ingress + loki_instance: image:
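Review bot: The final ingress rule `- from: []` with `ports: []` matches every source on every port (an empty `from` and an empty `ports` each mean "match all" in a NetworkPolicy), so the two restrictive `from:` rules above it have no effect and Prometheus accepts any ingress; if this is a deliberate temporary allow-all like the egress `- {}` it should carry the same `# ToDo: Temp rule ... MUST be removed` comment, otherwise the two lines should be dropped. The egress side has the same shape: the trailing `- {}` voids the five `- to:` rules above it, so `policyTypes: [Egress, Ingress]` currently declares restrictions that are not enforced in either direction once this values file is rendered. In the egress `- to:` peer for Prometheus, `podSelector` and `namespaceSelector` are two separate list items, which selects every pod in the `metrics` namespace plus Prometheus pods in the policy's own namespace; if a single "Prometheus pods in one namespace" peer was intended (the commented-out `namespaceSelector` suggests so), both selectors belong in one item, as the Grafana and prometheus-adapter `from:` peers already do. The enclosing `nfc_monitoring` mapping begins before the hunk.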