From 028a88e9f2e83354c7d93bb0ae3249a1c073534e Mon Sep 17 00:00:00 2001 From: Kevin Heise Date: Tue, 27 Aug 2024 13:58:07 +0200 Subject: [PATCH 1/3] add more restiction for networkpolicies --- charts/vaas/templates/gateway/_helpers.tpl | 2 +- .../vaas/templates/gateway/networkpolicy.yaml | 32 ++++++++++++++++--- charts/vaas/templates/gdscan/_helpers.tpl | 2 +- .../vaas/templates/gdscan/networkpolicy.yaml | 5 ++- 4 files changed, 33 insertions(+), 8 deletions(-) diff --git a/charts/vaas/templates/gateway/_helpers.tpl b/charts/vaas/templates/gateway/_helpers.tpl index b1a6817..d5091bf 100644 --- a/charts/vaas/templates/gateway/_helpers.tpl +++ b/charts/vaas/templates/gateway/_helpers.tpl @@ -2,7 +2,7 @@ Expand the name of the chart. */}} {{- define "gateway.name" -}} -{{- default .Chart.Name .Values.gateway.nameOverride | trunc 63 | trimSuffix "-" }} +{{- default "gateway" .Values.gateway.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} {{/* diff --git a/charts/vaas/templates/gateway/networkpolicy.yaml b/charts/vaas/templates/gateway/networkpolicy.yaml index b540ce3..6f03c8e 100644 --- a/charts/vaas/templates/gateway/networkpolicy.yaml +++ b/charts/vaas/templates/gateway/networkpolicy.yaml 
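Review bot: The comment `Expand the name of the chart.` above this define is now inaccurate: the default changed from `.Chart.Name` to the literal `"gateway"`, so the helper returns a component name rather than the chart name, and the identical comment sits above `gdscan.name` in charts/vaas/templates/gdscan/_helpers.tpl, which this series changes the same way. Replace it in both files with `Name of the gateway component; defaults to "gateway" rather than the chart name so its labels differ from the other components of this release.` (with "gdscan" in the second file). It is also worth recording somewhere visible to operators that this is a behaviour change for installs that never set nameOverride: whatever is rendered from this helper — presumably the pod labels the new NetworkPolicy selectors match, though the pod templates are not in this patch — takes a new value on upgrade, so any external selector pinned to the old chart name must be updated alongside.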
@@ -14,16 +14,38 @@ spec: - Egress ingress: - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: gateway ports: - - port: 8080 # Http + - port: 8080 # Upload - port: 9090 # Websocket egress: - to: ports: - port: 443 # VerdictRequestForUrl - port: 80 # VerdictRequestForUrl - - port: 6379 # Redis - - port: 8080 # GdScan - - port: 53 # DNS - protocol: UDP + - to: + - podSelector: + matchLabels: + app.kubernetes.io/name: redis + ports: + - port: 6379 + - to: + - podSelector: + matchLabels: + app.kubernetes.io/name: gdscan + - podSelector: + matchLabels: + app.kubernetes.io/name: mini-identity-provider + ports: + - port: 8080 + - to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP {{- end }} \ No newline at end of file diff --git a/charts/vaas/templates/gdscan/_helpers.tpl b/charts/vaas/templates/gdscan/_helpers.tpl index 49200da..95314ce 100644 --- a/charts/vaas/templates/gdscan/_helpers.tpl +++ b/charts/vaas/templates/gdscan/_helpers.tpl @@ -2,7 +2,7 @@ Expand the name of the chart. */}} {{- define "gdscan.name" -}} -{{- default .Chart.Name .Values.gdscan.nameOverride | trunc 63 | trimSuffix "-" }} +{{- default "gdscan" .Values.gdscan.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} {{/* diff --git a/charts/vaas/templates/gdscan/networkpolicy.yaml b/charts/vaas/templates/gdscan/networkpolicy.yaml index 6710025..5334573 100644 --- a/charts/vaas/templates/gdscan/networkpolicy.yaml +++ b/charts/vaas/templates/gdscan/networkpolicy.yaml @@ -13,6 +13,9 @@ spec: - Ingress ingress: - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: gdscan ports: - - port: 8080 # Http + - port: 8080 # Upload {{- end }} \ No newline at end of file From 92f9f298531dc360e728d8c245c213f49a66c7ec Mon Sep 17 00:00:00 2001 From: Kevin Heise Date: Tue, 27 Aug 2024 13:58:31 +0200 Subject: [PATCH 2/3] increase chart version --- charts/vaas/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
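Review bot: The new peer selectors hard-code the label values `gateway`, `redis`, `gdscan` and `mini-identity-provider` in `matchLabels`, while at least the gateway and gdscan names come from the `gateway.name`/`gdscan.name` helpers that this same series makes overridable via `nameOverride`; if an operator sets an override, the policy still renders and validates but these egress rules stop matching the renamed pods and that traffic is silently dropped. Assuming the pod templates label with those helpers (not visible here), render the selector values from them, e.g. `app.kubernetes.io/name: {{ include "gdscan.name" . }}` — the same applies to the gdscan policy in this patch and to its patch 3 revision. Separately, the kube-dns rule allows port 53 over UDP only; resolvers retry over TCP when a response is truncated, so add a second `- port: 53` entry with `protocol: TCP` beside it. The rule for 443 and 80 (VerdictRequestForUrl) keeps a bare `to:`, i.e. any destination including every in-cluster pod on those ports; a follow-up could scope it with an `ipBlock` whose `except` lists the cluster pod and service CIDRs. The `spec` mapping these rules belong to starts before the hunk.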
diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml index 6df01a0..a235df9 100644 --- a/charts/vaas/Chart.yaml +++ b/charts/vaas/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: vaas -version: 2.0.2 +version: 2.1.0 description: Deployment of a Verdict-as-a-Service on-premise instance maintainers: - name: G DATA CyberDefense AG From a36a1e32ff8faab0988f34bb937837314b272f0d Mon Sep 17 00:00:00 2001 From: Kevin Heise Date: Tue, 27 Aug 2024 15:02:01 +0200 Subject: [PATCH 3/3] fix incorrect restriction --- charts/vaas/templates/gateway/networkpolicy.yaml | 3 --- charts/vaas/templates/gdscan/networkpolicy.yaml | 2 +- helm.sh | 3 +-- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/charts/vaas/templates/gateway/networkpolicy.yaml b/charts/vaas/templates/gateway/networkpolicy.yaml index 6f03c8e..74b998b 100644 --- a/charts/vaas/templates/gateway/networkpolicy.yaml +++ b/charts/vaas/templates/gateway/networkpolicy.yaml @@ -14,9 +14,6 @@ spec: - Egress ingress: - from: - - podSelector: - matchLabels: - app.kubernetes.io/name: gateway ports: - port: 8080 # Upload - port: 9090 # Websocket diff --git a/charts/vaas/templates/gdscan/networkpolicy.yaml b/charts/vaas/templates/gdscan/networkpolicy.yaml index 5334573..e6d9357 100644 --- a/charts/vaas/templates/gdscan/networkpolicy.yaml +++ b/charts/vaas/templates/gdscan/networkpolicy.yaml @@ -15,7 +15,7 @@ spec: - from: - podSelector: matchLabels: - app.kubernetes.io/name: gdscan + app.kubernetes.io/name: gateway ports: - port: 8080 # Upload {{- end }} \ No newline at end of file diff --git a/helm.sh b/helm.sh index f69ae44..2e49f7f 100755 --- a/helm.sh +++ b/helm.sh @@ -13,5 +13,4 @@ VALUES_FILE=$1 helm dep up charts/vaas helm lint charts/vaas -f $VALUES_FILE helm template charts/vaas -f $VALUES_FILE -helm uninstall vaas -n vaas -helm install vaas charts/vaas -f $VALUES_FILE -n vaas --create-namespace +helm upgrade --install vaas charts/vaas -f $VALUES_FILE -n vaas --create-namespace
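Review bot: Removing the `podSelector` leaves the ingress rule with a bare `from:` (null), which Kubernetes treats as "from any source", so 8080 and 9090 on the gateway are again reachable from every pod in every namespace, not only from whichever caller the earlier selector was wrongly blocking. If the restriction was wrong because the real callers are the ingress controller or external clients, the narrower fix is to keep a peer that names them, e.g. `- namespaceSelector:` / `matchLabels:` / `kubernetes.io/metadata.name: <INGRESS_CONTROLLER_NAMESPACE>` (placeholder for the controller's namespace), optionally combined with an `ipBlock` for external ranges. If allow-all is the intent, make it explicit with `from: []` and a comment such as `# intentionally unrestricted: 8080/9090 are the entry points for clients`, since a bare null key reads as an accident. The `spec` this rule belongs to starts outside the hunk.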
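Review bot: The new `helm upgrade --install` line expands `$VALUES_FILE` unquoted, so a values path containing whitespace is split into several arguments (the two context lines above it share the issue); write `helm upgrade --install vaas charts/vaas -f "$VALUES_FILE" -n vaas --create-namespace`. Dropping the `uninstall` also changes failure semantics: a failed install used to leave nothing behind, whereas a failed upgrade leaves the release in a failed state with a mix of old and new resources, so consider adding `--atomic` (which implies `--wait`) so a failed upgrade is rolled back. `VALUES_FILE` is assigned from `$1` above the hunk; from what is visible the script never checks that an argument was supplied, which is worth a guard there.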