Add network policies change

Adding network policies restriction to the openfaas and the openfaas-fn namespaces introduced by Matias in the openfaas-cloud repo Signed-off-by: Martin Dekov <[email protected]>
openfaas · May 30, 2019 · d7e9177 · d7e9177
1 parent f17475e
commit d7e9177
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -206,6 +206,12 @@ If you are planning on building functions using the `dockerfile` template you ne
 #### Enable scaling to zero
 If you want your functions to scale to zero then you need to set `scale_to_zero: true`.
 
+#### Toggle network policies
+
+Network policies restriction for the openfaas and openfaas-fn namespaces are applied by default. If you would like to remove that restriction set `network_policies: false`.
+
+When deployed, network policies restrict communication so that functions cannot talk to the core OpenFaaS components in the `openfaas` namespace. They also prevent functions from invoking each other directly. It is recommended to enable this feature.
+
 ### Run the `ofc-bootstrap`
 
 ```bash

diff --git a/example.init.yaml b/example.init.yaml
@@ -242,3 +242,6 @@ enable_dockerfile_lang: false
 # Set to true to enable scaling to zero
 scale_to_zero: false
 openfaas_cloud_version: 0.9.4
+
+# Enable network policies
+network_policies: true
diff --git a/main.go b/main.go
@@ -607,11 +607,15 @@ func deployCloudComponents(plan types.Plan) error {
 	if plan.SCM == "gitlab" {
 		gitlabEnv = "GITLAB=true"
 	}
+	networkPoliciesEnv := ""
+	if plan.NetworkPolicies {
+		networkPoliciesEnv = "ENABLE_NETWORK_POLICIES=true"
+	}
 
 	task := execute.ExecTask{
 		Command: "./scripts/deploy-cloud-components.sh",
 		Shell:   true,
-		Env:     []string{authEnv, gitlabEnv},
+		Env:     []string{authEnv, gitlabEnv, networkPoliciesEnv},
 	}
 
 	res, err := task.Execute()

diff --git a/pkg/types/types.go b/pkg/types/types.go
@@ -54,6 +54,7 @@ type Plan struct {
 	EnableDockerfileLang bool                     `yaml:"enable_dockerfile_lang"`
 	ScaleToZero          bool                     `yaml:"scale_to_zero"`
 	OpenFaaSCloudVersion string                   `yaml:"openfaas_cloud_version"`
+	NetworkPolicies      bool                     `yaml:"network_policies"`
 }
 
 // Deployment is the deployment section of YAML concerning

diff --git a/scripts/deploy-cloud-components.sh b/scripts/deploy-cloud-components.sh
@@ -23,6 +23,9 @@ kubectl apply -f ./tmp/openfaas-cloud/yaml/core/edge-router-svc.yml
 
 kubectl apply -f ./tmp/openfaas-cloud/yaml/core/edge-auth-svc.yml
 
+if [ "$ENABLE_NETWORK_POLICIES" = "true" ] ; then
+    kubectl apply -f ./tmp/openfaas-cloud/yaml/network-policy/
+fi
 
 cd ./tmp/openfaas-cloud