Support creating separate network policies for ingress and egress by setting the value of intentsOperator.operator.separateNetpolsForIngressAndEgress to true #251

Merged 2 commits, Oct 9, 2024
3 changes: 2 additions & 1 deletion intents-operator/README.md
@@ -42,7 +42,8 @@
| `operator.allowExternalTraffic` | `ifBlockedByOtterize`, `off` or `always`. Specify how the operator handles external traffic for Ingress/Service resources: `ifBlockedByOtterize` automatically create network policies to enable internet traffic for services that would be blocked by Otterize network policies when protecting a server. Choosing `off` may necessitate manual network policy creation to allow external traffic, while `always` automatically creates policies for all such resource that are visible to the operator. | `ifBlockedByOtterize` |
| `operator.resources` | Resources override. | |
| `operator.enableDatabasePolicyCreation` | Whether the operator should create database policies according to ClientIntents | `true` |
| `operator.enableEgressNetworkPolicyCreation` | **experimental** - Enables experimental support for egress network policies (coming soon!) | `false` |
| `operator.enableEgressNetworkPolicyCreation` | Enables support for egress network policies | `false` |
| `operator.separateNetpolsForIngressAndEgress` | If set to true, the operator will create separate network policies for ingress and egress traffic. | `false` |
| `watchedNamespaces` | List of namespaces the intents operator should watch. The operator will be blind to any namespace not in this list. | `(nil) meaning watch all` |
| `enforcedNamespaces` | When using "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active. | `(nil)` |
| `operator.autoGenerateTLSUsingCredentialsOperator` | If set to true, adds the necessary pod annotations in order to integrate with credentials-operator, and get tls certificate. | `false` |
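Review bot: the new `operator.separateNetpolsForIngressAndEgress` row does not state that the option depends on `operator.enableEgressNetworkPolicyCreation`, although the values.yaml comment in this same PR says it is only available when that flag is true; a reader of the README table alone could enable it and expect separate policies while no egress policies are created at all. Suggest extending the description along the lines of "Only takes effect when `operator.enableEgressNetworkPolicyCreation` is `true`." Dropping the **experimental** marker from the egress row is also a user-visible change in support status that deserves a mention in the chart's release notes.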
6 changes: 5 additions & 1 deletion intents-operator/templates/intents-operator-deployment.yaml
@@ -200,7 +200,11 @@ spec:
value: "false"
{{- end }}
{{- if eq true .Values.operator.enableEgressNetworkPolicyCreation }}
- name: OTTERIZE_EXP_ENABLE_EGRESS_NETWORK_POLICIES
- name: OTTERIZE_ENABLE_EGRESS_NETWORK_POLICIES
value: "true"
{{- end }}
{{- if eq true .Values.operator.separateNetpolsForIngressAndEgress }}
- name: OTTERIZE_SEPARATE_NETPOLS_FOR_INGRESS_AND_EGRESS
value: "true"
{{- end }}
{{- if .Values.global.aws.rolesAnywhere.enabled }}
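Review bot: renaming the environment variable from `OTTERIZE_EXP_ENABLE_EGRESS_NETWORK_POLICIES` to `OTTERIZE_ENABLE_EGRESS_NETWORK_POLICIES` is a compatibility break that the PR should call out: a deployment running an operator image that still reads the old name, or a user who set the old name via `extraEnvVars`, will silently stop getting egress network policies, which loosens enforcement rather than failing loudly. Please confirm that the operator image version this chart ships reads the new name, and consider rendering both names for one release cycle so the flag cannot quietly go dark during an upgrade.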
6 changes: 6 additions & 0 deletions intents-operator/values.yaml
@@ -50,7 +50,13 @@ operator:
allowExternalTraffic: ifBlockedByOtterize
enableIstioPolicyCreation: true
enableDatabasePolicyCreation: true

# If set to true, the operator will create network policies for egress traffic.
enableEgressNetworkPolicyCreation: false

# If set to true, the operator will create separate network policies for ingress and egress traffic.
# (Only available with enableEgressNetworkPolicyCreation set to true)
separateNetpolsForIngressAndEgress: false
ingressControllerAWSALBExempt: false
extraEnvVars:

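Review bot: the comment `(Only available with enableEgressNetworkPolicyCreation set to true)` documents a constraint that nothing in the chart enforces; a values file with `separateNetpolsForIngressAndEgress: true` and `enableEgressNetworkPolicyCreation: false` renders without complaint and the deployment template still emits `OTTERIZE_SEPARATE_NETPOLS_FOR_INGRESS_AND_EGRESS`. Either gate that env var on both flags, e.g. `{{- if and .Values.operator.enableEgressNetworkPolicyCreation .Values.operator.separateNetpolsForIngressAndEgress }}`, or reject the combination at install time with `{{ fail "separateNetpolsForIngressAndEgress requires enableEgressNetworkPolicyCreation" }}`, so the misconfiguration surfaces as an error instead of a silent no-op. Rewording the comment to "Only takes effect when ..." would also be more accurate, since the key is accepted either way.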