Support creating separate network policies for ingress and egress by setting the value of `intentsOperator.operator.separateNetpolsForIngressAndEgress` to `true` (#251)
omris94 authored Oct 9, 2024
1 parent c99be49 commit 3192e6a
Showing 3 changed files with 13 additions and 2 deletions.
3 changes: 2 additions & 1 deletion intents-operator/README.md
@@ -42,7 +42,8 @@
| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always`. Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` |
| `operator.resources` | Resources override. | |
| `operator.enableDatabasePolicyCreation` | Whether the operator should create database policies according to ClientIntents | `true` |
| `operator.enableEgressNetworkPolicyCreation` | **experimental** - Enables experimental support for egress network policies (coming soon!) | `false` |
| `operator.enableEgressNetworkPolicyCreation` | Enables support for egress network policies | `false` |
| `operator.separateNetpolsForIngressAndEgress` | If set to true, the operator will create separate network policies for ingress and egress traffic. | `false` |
| `watchedNamespaces` | List of namespaces the intents operator should watch. The operator will be blind to any namespace not in this list. | `(nil) meaning watch all` |
| `enforcedNamespaces` | When using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active. | `(nil)` |
| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and get tls certificate. | `false` |
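Review bot: the new `operator.separateNetpolsForIngressAndEgress` row omits the dependency that values.yaml states for the same option ("Only available with enableEgressNetworkPolicyCreation set to true"), so a reader of the README table alone can set it to `true` and get no effect. Suggest adding that condition to the description, e.g. "Requires `operator.enableEgressNetworkPolicyCreation` to be `true`."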
6 changes: 5 additions & 1 deletion intents-operator/templates/intents-operator-deployment.yaml
@@ -200,7 +200,11 @@ spec:
value: "false"
{{- end }}
{{- if eq true .Values.operator.enableEgressNetworkPolicyCreation }}
- name: OTTERIZE_EXP_ENABLE_EGRESS_NETWORK_POLICIES
- name: OTTERIZE_ENABLE_EGRESS_NETWORK_POLICIES
value: "true"
{{- end }}
{{- if eq true .Values.operator.separateNetpolsForIngressAndEgress }}
- name: OTTERIZE_SEPARATE_NETPOLS_FOR_INGRESS_AND_EGRESS
value: "true"
{{- end }}
{{- if .Values.global.aws.rolesAnywhere.enabled }}
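Review bot: renaming `OTTERIZE_EXP_ENABLE_EGRESS_NETWORK_POLICIES` to `OTTERIZE_ENABLE_EGRESS_NETWORK_POLICIES` silently disables egress policy creation for any operator image that still reads the old name, which is a security-relevant regression for users who upgrade the chart without the operator; the commit message does not mention the rename, so it should be called out there or in a changelog and the chart's operator version pinned accordingly. Separately, the new `OTTERIZE_SEPARATE_NETPOLS_FOR_INGRESS_AND_EGRESS` block is emitted whenever `separateNetpolsForIngressAndEgress` is true, regardless of `enableEgressNetworkPolicyCreation`, even though values.yaml documents the former as depending on the latter; consider nesting the condition (`{{- if and .Values.operator.enableEgressNetworkPolicyCreation .Values.operator.separateNetpolsForIngressAndEgress }}`) or failing the render on the inconsistent combination.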
6 changes: 6 additions & 0 deletions intents-operator/values.yaml
@@ -50,7 +50,13 @@ operator:
allowExternalTraffic: ifBlockedByOtterize
enableIstioPolicyCreation: true
enableDatabasePolicyCreation: true

# If set to true, the operator will create network policies for egress traffic.
enableEgressNetworkPolicyCreation: false

# If set to true, the operator will create separate network policies for ingress and egress traffic.
# (Only available with enableEgressNetworkPolicyCreation set to true)
separateNetpolsForIngressAndEgress: false
ingressControllerAWSALBExempt: false
extraEnvVars:

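Review bot: the comment "(Only available with enableEgressNetworkPolicyCreation set to true)" documents a constraint that nothing in this change enforces, and it does not say what happens when `separateNetpolsForIngressAndEgress` is set without it. Suggest either a values schema constraint or a template check, and extending the comment to state the resulting behaviour so the two flags cannot be misconfigured silently.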