From a8741301eaf1df3bbb020ad7027c954a88f14502 Mon Sep 17 00:00:00 2001 From: Volodymyr Stoiko Date: Tue, 1 Sep 2020 17:57:38 +0300 Subject: [PATCH 1/3] Allow explicit network policy enablement --- templates/server-network-policy.yaml | 2 +- values.yaml | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/templates/server-network-policy.yaml b/templates/server-network-policy.yaml index 0879d5b9a..e91c90f0f 100644 --- a/templates/server-network-policy.yaml +++ b/templates/server-network-policy.yaml @@ -1,4 +1,4 @@ -{{- if .Values.global.openshift }} +{{- if or (.Values.global.openshift) (eq (.Values.server.networkPolicy.enabled | toString) "true" ) }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/values.yaml b/values.yaml index 1a5554283..d47ac4089 100644 --- a/values.yaml +++ b/values.yaml @@ -298,6 +298,10 @@ server: # beta.kubernetes.io/arch: amd64 nodeSelector: null + # Enables network policy for server pods + networkPolicy: + enabled: true + # Priority class for server pods priorityClassName: "" From c666e567fc5d4e377f9ef1263836fb46344ff93a Mon Sep 17 00:00:00 2001 From: Volodymyr Stoiko Date: Tue, 1 Sep 2020 18:05:23 +0300 Subject: [PATCH 2/3] Disable default network policy --- values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values.yaml b/values.yaml index d47ac4089..6fa43b5c8 100644 --- a/values.yaml +++ b/values.yaml @@ -300,7 +300,7 @@ server: # Enables network policy for server pods networkPolicy: - enabled: true + enabled: false # Priority class for server pods priorityClassName: "" From 52e8edc828c5f1f5094506f9c79f07eeb147e8c1 Mon Sep 17 00:00:00 2001 From: Volodymyr Stoiko Date: Wed, 2 Sep 2020 10:47:27 +0300 Subject: [PATCH 3/3] Make network policy configurable by explicit flag only --- templates/server-network-policy.yaml | 2 +- test/unit/server-network-policy.bats | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) 
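Review bot: The comment above `networkPolicy.enabled` in the values.yaml hunk says only that the flag enables a policy, so an operator cannot tell what leaving it off costs them. Once [PATCH 2/3] flips the default to `false`, the chart renders no NetworkPolicy for the server pods unless the operator opts in, and ingress to them is then limited only by whatever other policies the namespace already has. I would expand the comment to something like `# Renders templates/server-network-policy.yaml for the server pods. Disabled by default; has no effect unless the cluster's network plugin enforces NetworkPolicy.`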
diff --git a/templates/server-network-policy.yaml b/templates/server-network-policy.yaml index e91c90f0f..1061a5b27 100644 --- a/templates/server-network-policy.yaml +++ b/templates/server-network-policy.yaml @@ -1,4 +1,4 @@ -{{- if or (.Values.global.openshift) (eq (.Values.server.networkPolicy.enabled | toString) "true" ) }} +{{- if eq (.Values.server.networkPolicy.enabled | toString) "true" }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/test/unit/server-network-policy.bats b/test/unit/server-network-policy.bats index 0df89fcb4..07ca2b60c 100755 --- a/test/unit/server-network-policy.bats +++ b/test/unit/server-network-policy.bats @@ -2,7 +2,7 @@ load _helpers -@test "server/network-policy: OpenShift - disabled by default" { +@test "server/network-policy: disabled by default" { cd `chart_dir` local actual=$( (helm template \ --show-only templates/server-network-policy.yaml \ @@ -11,12 +11,12 @@ load _helpers [ "${actual}" = "false" ] } -@test "server/network-policy: OpenShift - enabled if OpenShift" { +@test "server/network-policy: enabled by server.networkPolicy.enabled" { cd `chart_dir` local actual=$( (helm template \ - --set 'global.openshift=true' \ + --set 'server.networkPolicy.enabled=true' \ --show-only templates/server-network-policy.yaml \ . || echo "---") | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] -} \ No newline at end of file +}
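Review bot: Dropping `.Values.global.openshift` from the condition in templates/server-network-policy.yaml silently changes what existing OpenShift installs get. A release that set only `global.openshift=true` rendered this NetworkPolicy before the series and renders nothing after it, so an upgrade would presumably remove the policy from the cluster. Nothing visible in the series tells those users to set `server.networkPolicy.enabled=true` to keep it. I would record that in the upgrade notes and put a template comment on the first line, such as `{{- /* Rendered only when server.networkPolicy.enabled is true; global.openshift alone no longer enables it. */ -}}`. The rest of the template lies outside the hunk.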
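Review bot: The rewritten tests in test/unit/server-network-policy.bats no longer exercise `global.openshift=true` at all, so nothing pins the new rule that OpenShift mode alone must not render the policy. A later change that re-coupled the two flags would still pass both remaining cases. I would add a third case next to the two changed here, shown below. The body of the first test continues outside its hunk.

```shell
@test "server/network-policy: not enabled by global.openshift alone" {
  cd `chart_dir`
  local actual=$( (helm template \
      --set 'global.openshift=true' \
      --show-only templates/server-network-policy.yaml \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}
```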