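{{- if .Values.nfc_monitoring.network_policy.enabled -}}
{{- /*
NetworkPolicy objects for the monitoring stack: prometheus, grafana and
grafana_agent. Rendered only when nfc_monitoring.network_policy.enabled is set.

NOTE(review): every `spec:` below is rendered as a sequence of
`- name: <policy>` / `policy: <rules>` items. That is not a NetworkPolicySpec
(spec must be a mapping holding podSelector / policyTypes / ingress / egress),
and `.name` together with `get $.Values.nfc_monitoring .name` only resolve
inside a `range` over such items. It reads like a half-finished move of the
rule sets into values; confirm the intended loop before trusting the output.

NetworkPolicy semantics the rules below depend on:
  - an empty `to:` / `from:` list, or an empty `ports:` list, means "all"
    (peers / ports), not "none";
  - a rule written as `{}` allows everything in that direction;
  - `ports` match the destination pod's container port, not a Service port;
  - `$.Values` is reachable from every template scope, so the egress ToDo
    ("is variable lookup possible") can be solved by reading allow lists
    straight from values.
*/ -}}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels: {{ toYaml (get $.Values.nfc_monitoring .name).labels | nindent 4 }}
    app.kubernetes.io/instance: "{{ $.Release.Name }}"
    app.kubernetes.io/managed-by: "{{ $.Release.Service }}"
    app.kubernetes.io/part-of: "{{ $.Chart.Name }}"
    # quoted: a version such as 1.10 would otherwise be parsed as a float
    app.kubernetes.io/version: "{{ $.Chart.Version }}"
  name: "{{ .name | replace "_" "-" }}"
  namespace: "{{ (get $.Values.nfc_monitoring .name).namespace }}"
spec:
- name: prometheus
  policy:
    egress:
    # ToDo: add further restrictions to egress. `$.Values.<...>` is readable
    # from any template scope, so scrape targets can be listed in values and
    # ranged over here instead of the allow-all fallback at the end of this
    # list.
    - to:
      # Alert Manager
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: alerting
        podSelector:
          matchLabels:
            app.kubernetes.io/instance: "{{ $.Release.Name }}"
            app.kubernetes.io/component: alert-router
            app.kubernetes.io/name: alertmanager
      ports:
      - port: 9093
        protocol: TCP
    - to:
      # Ceph. Hard-coded range; belongs in values (see note above) so the
      # chart is not tied to one site's addressing.
      - ipBlock:
          cidr: 172.16.10.0/24
      ports:
      - port: 9283
        protocol: TCP
    - to:
      # Grafana
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: grafana
        podSelector:
          matchLabels:
            app.kubernetes.io/component: graphing
            app.kubernetes.io/instance: "{{ $.Release.Name }}"
            app.kubernetes.io/name: grafana
      ports:
      - port: 3000
        protocol: TCP
    - to:
      # Grafana Agent
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: monitoring
        podSelector:
          matchLabels:
            app.kubernetes.io/instance: "{{ $.Release.Name }}"
            app.kubernetes.io/component: exporter
            app.kubernetes.io/name: grafana-agent
      ports:
      - port: 12345
        protocol: TCP
    - to:
      # Kube DNS. Clusters running NodeLocal DNSCache send queries to a
      # node-local address that this selector does not match -- confirm
      # which resolver the pods actually use.
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
      ports:
      - port: 53
        protocol: TCP
      - port: 53
        protocol: UDP
    - to:
      # Other Prometheus pods in this namespace, and any pod in `metrics`
      # (the two peers are OR-ed). `ports: []` = every port.
      - podSelector:
          matchLabels:
            app.kubernetes.io/name: prometheus
        # namespaceSelector:
        #   matchLabels:
        #     kubernetes.io/metadata.name: monitoring
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: metrics
      ports: []
    # ToDo: Temp rule: Allow All. This rule MUST be removed when egress has
    # been refactored -- while it is present every rule above is redundant.
    - {}
    ingress:
    - from:
      # Other Prometheus pods in this namespace, and any pod in `metrics`.
      - podSelector:
          matchLabels:
            app.kubernetes.io/name: prometheus
        # namespaceSelector:
        #   matchLabels:
        #     kubernetes.io/metadata.name: monitoring
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: metrics
      # `ports: []` = every port from these peers; the commented list below
      # is the tighter intent and should be restored once confirmed.
      ports: []
      # - port: 8080
      #   protocol: TCP
      # - port: 9090
      #   protocol: TCP
      # - port: 10901
      #   protocol: TCP
    - from:
      # Grafana (pod AND namespace selector in one peer)
      - podSelector:
          matchLabels:
            app.kubernetes.io/name: grafana
        namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: grafana
      # Prometheus adapter
      - podSelector:
          matchLabels:
            app.kubernetes.io/name: prometheus-adapter
        namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: monitoring
      ports:
      - port: 9090
        protocol: TCP
    # ToDo: Temp rule: Allow All. `from: []` + `ports: []` admits any source
    # on any port, so this ingress policy currently restricts nothing. It
    # MUST be removed once the required sources are enumerated, exactly like
    # the egress `{}` above.
    - from: []
      ports: []
    policyTypes:
    - Egress
    - Ingress
    podSelector:
      # nindent 8 matches the other two policies (spec > item > policy >
      # podSelector > matchLabels); this one used 6, and the same layout
      # cannot need both.
      matchLabels: {{ toYaml $.Values.nfc_monitoring.prometheus.labels | nindent 8 }}
        app.kubernetes.io/instance: "{{ $.Release.Name }}"
        app.kubernetes.io/part-of: "{{ $.Chart.Name }}"
        app.kubernetes.io/managed-by: "{{ $.Release.Service }}"
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels: {{ toYaml (get $.Values.nfc_monitoring .name).labels | nindent 4 }}
    app.kubernetes.io/instance: "{{ $.Release.Name }}"
    app.kubernetes.io/managed-by: "{{ $.Release.Service }}"
    app.kubernetes.io/part-of: "{{ $.Chart.Name }}"
    app.kubernetes.io/version: "{{ $.Chart.Version }}"
  name: "{{ .name | replace "_" "-" }}"
  namespace: "{{ (get $.Values.nfc_monitoring .name).namespace }}"
spec:
- name: grafana
  policy:
    egress:
    - to:
      # Alert Manager
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: alerting
        podSelector:
          matchLabels:
            app.kubernetes.io/instance: "{{ $.Release.Name }}"
            app.kubernetes.io/component: alert-router
            app.kubernetes.io/name: alertmanager
      ports:
      - port: 9093
        protocol: TCP
    - to:
      # Loki gateway
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: logging
        podSelector:
          matchLabels:
            app.kubernetes.io/component: gateway
            app.kubernetes.io/instance: loki
            app.kubernetes.io/name: loki
      ports:
      # NetworkPolicy ports are matched on the gateway *pod*; the Service
      # port entry only matters if the pod itself listens on 80 -- confirm
      # and drop whichever of the two is dead.
      - port: 80 # Service Port
        protocol: TCP
      - port: 8080 # Pod Port
        protocol: TCP
    - to:
      # Prometheus (this release) or Thanos Query, OR-ed
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: monitoring
        podSelector:
          matchLabels:
            app.kubernetes.io/component: prometheus
            app.kubernetes.io/instance: "{{ $.Release.Name }}"
            app.kubernetes.io/name: prometheus
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: metrics
        podSelector:
          matchLabels:
            app.kubernetes.io/component: query-layer
            app.kubernetes.io/instance: thanos-query
            app.kubernetes.io/name: thanos-query
      ports:
      - port: 9090
        protocol: TCP
    - to: []
      # Requires internet access for plugins and dashboard downloading.
      # `to: []` is *any* destination on 443, which also covers in-cluster
      # services and the API server; once the cluster's pod/service ranges
      # are known, replace with an ipBlock (0.0.0.0/0 with those ranges in
      # `except:`) or point Grafana at a fixed egress proxy.
      ports:
      - port: 443
        protocol: TCP
    - to:
      # Kube DNS
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
      ports:
      - port: 53
        protocol: TCP
      - port: 53
        protocol: UDP
    ingress:
    - from: []
      # UI, reachable from any source (in or outside the cluster) on 3000.
      # Narrow to the ingress controller's namespace/pods once that is fixed.
      ports:
      - port: 3000
        protocol: TCP
    policyTypes:
    - Egress
    - Ingress
    podSelector:
      matchLabels: {{ toYaml $.Values.nfc_monitoring.grafana.labels | nindent 8 }}
        app.kubernetes.io/instance: "{{ $.Release.Name }}"
        app.kubernetes.io/managed-by: "{{ $.Release.Service }}"
        app.kubernetes.io/part-of: "{{ $.Chart.Name }}"
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels: {{ toYaml (get $.Values.nfc_monitoring .name).labels | nindent 4 }}
    app.kubernetes.io/instance: "{{ $.Release.Name }}"
    app.kubernetes.io/managed-by: "{{ $.Release.Service }}"
    app.kubernetes.io/part-of: "{{ $.Chart.Name }}"
    app.kubernetes.io/version: "{{ $.Chart.Version }}"
  name: "{{ .name | replace "_" "-" }}"
  namespace: "{{ (get $.Values.nfc_monitoring .name).namespace }}"
spec:
- name: grafana_agent
  policy:
    egress:
    - to:
      # Logging (Loki gateway)
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: logging
        podSelector:
          matchLabels:
            app.kubernetes.io/component: gateway
            app.kubernetes.io/instance: loki
            app.kubernetes.io/name: loki
      ports:
      - port: 80
        protocol: TCP
    - to:
      # Kube DNS
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
      ports:
      - port: 53
        protocol: TCP
      - port: 53
        protocol: UDP
    ingress:
    - from:
      # Prometheus scraping. Selects any prometheus in `monitoring`; the
      # matching egress rule on the prometheus policy also pins
      # app.kubernetes.io/instance, so the two sides are not symmetric.
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: monitoring
        podSelector:
          matchLabels:
            app.kubernetes.io/component: prometheus
            app.kubernetes.io/name: prometheus
      ports:
      - port: 12345
        protocol: TCP
    policyTypes:
    - Egress
    - Ingress
    podSelector:
      matchLabels: {{ toYaml $.Values.nfc_monitoring.grafana_agent.labels | nindent 8 }}
        app.kubernetes.io/instance: "{{ $.Release.Name }}"
        app.kubernetes.io/managed-by: "{{ $.Release.Service }}"
        app.kubernetes.io/part-of: "{{ $.Chart.Name }}"
{{- end }}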