From 00c61440be6ad054335bb6f4a1e70c629a23fe6f Mon Sep 17 00:00:00 2001
From: "omri.s"
Date: Tue, 8 Oct 2024 18:23:07 +0300
Subject: [PATCH] Support creating separate network policies for ingress and egress
---
 intents-operator/README.md | 3 ++-
 intents-operator/templates/intents-operator-deployment.yaml | 6 +++++-
 intents-operator/values.yaml | 6 ++++++
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/intents-operator/README.md b/intents-operator/README.md
index 98428c82..3d9f57a0 100644
--- a/intents-operator/README.md
+++ b/intents-operator/README.md
@@ -42,7 +42,8 @@
 | `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always`. Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` |
 | `operator.resources` | Resources override. | |
 | `operator.enableDatabasePolicyCreation` | Whether the operator should create database policies according to ClientIntents | `true` |
-| `operator.enableEgressNetworkPolicyCreation` | **experimental** - Enables experimental support for egress network policies (coming soon!) | `false` |
+| `operator.enableEgressNetworkPolicyCreation` | Enables support for egress network policies | `false` |
+| `operator.separateNetpolsForIngressAndEgress` | If set to true, the operator will create separate network policies for ingress and egress traffic. | `false` |
 | `watchedNamespaces` | List of namespaces the intents operator should watch. The operator will be blind to any namespace not in this list. | `(nil) meaning watch all` |
 | `enforcedNamespaces` | When using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active. | `(nil)` |
 | `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and get tls certificate. | `false` |
diff --git a/intents-operator/templates/intents-operator-deployment.yaml b/intents-operator/templates/intents-operator-deployment.yaml
index 1155f5db..9709c3f3 100644
--- a/intents-operator/templates/intents-operator-deployment.yaml
+++ b/intents-operator/templates/intents-operator-deployment.yaml
@@ -200,7 +200,11 @@ spec:
 value: "false"
 {{- end }}
 {{- if eq true .Values.operator.enableEgressNetworkPolicyCreation }}
- - name: OTTERIZE_EXP_ENABLE_EGRESS_NETWORK_POLICIES
+ - name: OTTERIZE_ENABLE_EGRESS_NETWORK_POLICIES
+ value: "true"
+ {{- end }}
+ {{- if eq true .Values.operator.separateNetpolsForIngressAndEgress }}
+ - name: OTTERIZE_SEPARATE_NETPOLS_FOR_INGRESS_AND_EGRESS
 value: "true"
 {{- end }}
 {{- if .Values.global.aws.rolesAnywhere.enabled }}
diff --git a/intents-operator/values.yaml b/intents-operator/values.yaml
index 1f3017bd..06bb95f8 100644
--- a/intents-operator/values.yaml
+++ b/intents-operator/values.yaml
@@ -50,7 +50,13 @@ operator:
 allowExternalTraffic: ifBlockedByOtterize
 enableIstioPolicyCreation: true
 enableDatabasePolicyCreation: true
+
+ # If set to true, the operator will create network policies for egress traffic.
 enableEgressNetworkPolicyCreation: false
+
+ # If set to true, the operator will create separate network policies for ingress and egress traffic.
+ # (Only available with enableEgressNetworkPolicyCreation set to true)
+ separateNetpolsForIngressAndEgress: false
 ingressControllerAWSALBExempt: false
 extraEnvVars:
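Review bot: The new `{{- if eq true .Values.operator.separateNetpolsForIngressAndEgress }}` block emits OTTERIZE_SEPARATE_NETPOLS_FOR_INGRESS_AND_EGRESS even when enableEgressNetworkPolicyCreation is false, although the values.yaml hunk in this same patch documents the flag as only available with egress policy creation enabled, so nothing in the chart prevents a combination the operator may not honour. Either nest the condition, `{{- if and (eq true .Values.operator.enableEgressNetworkPolicyCreation) (eq true .Values.operator.separateNetpolsForIngressAndEgress) }}`, or make the chart refuse the inconsistent pair, `{{- if and .Values.operator.separateNetpolsForIngressAndEgress (not .Values.operator.enableEgressNetworkPolicyCreation) }}{{ fail "operator.separateNetpolsForIngressAndEgress requires operator.enableEgressNetworkPolicyCreation=true" }}{{ end }}`, so the misconfiguration surfaces at install time instead of being silently ignored. Renaming OTTERIZE_EXP_ENABLE_EGRESS_NETWORK_POLICIES to OTTERIZE_ENABLE_EGRESS_NETWORK_POLICIES is only safe if the operator image the chart pins reads the new name; with an older image this template would silently stop enabling egress policy creation, so the image tag or appVersion (not visible in this patch) should move in the same release and the rename be called out as breaking for anyone overriding the image. The README row added for `operator.separateNetpolsForIngressAndEgress` omits the dependency that the values.yaml comment states; the table description should carry it too. The container `env` list these entries belong to starts and ends outside the hunk.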