This repository has been archived by the owner on Dec 11, 2023. It is now read-only.

k8s network policies #136

Open
tschonnie opened this issue Sep 12, 2019 · 1 comment

Comments

@tschonnie

Since it is a good practice to have a deny-all network policy in every namespace, it would be good to have the required network policies for the dynatrace oneagent documented or as a yaml in this repo. We use these helm template files to allow the communication to the k8s api server and to the dynatrace server in every namespace. What do you think about it?

```yaml
{{- range $key,$val := .Values.namespaces }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-server
  namespace: {{ $key }}
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: {{ $.Values.apiServerIp }}/32
    ports:
    - protocol: TCP
      port: {{ $.Values.apiServerPort }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dynatrace
  namespace: {{ $key }}
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  # allow dynatrace one-agent lsb148.dynatrace-managed.com
  - ports:
    - port: {{ $.Values.dynatraceServerOneAgentPort }}
      protocol: TCP
    - port: {{ $.Values.dynatraceServerDownloadPort }}
      protocol: TCP
    to:
    - ipBlock:
        cidr: {{ $.Values.dynatraceServerIp }}/32
{{- end }}
```
---
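The template above only makes sense on top of the per-namespace deny-all policy the comment takes for granted, and a rendered allow-rule is easy to get wrong (a missing deny-all, or a CIDR far wider than the intended /32). The following is an added example, not code from the issue or from the Dynatrace project: it renders the same two allow-policies plus an explicit default-deny as plain Python dicts (no Helm, no cluster needed), then audits the result. The values dict, the `default-deny-all` name, and the /24 width threshold in the audit are constructed for the example.

```python
# Added example: render the issue's NetworkPolicies as dicts, add the
# default-deny they presuppose, and audit the set for two common mistakes
# (no deny-all in a namespace; an egress ipBlock broader than intended).
import ipaddress
import json

API_VERSION = "networking.k8s.io/v1"


def default_deny(namespace):
    """Deny all ingress and egress for every pod in the namespace.

    An empty podSelector matches all pods; listing both policyTypes with
    no ingress/egress rules denies traffic in both directions.
    """
    return {
        "apiVersion": API_VERSION,
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-all", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    }


def allow_egress_to_host(name, namespace, ip, ports):
    """Egress allow-rule to one host (/32) on the given TCP ports."""
    return {
        "apiVersion": API_VERSION,
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {},
            "policyTypes": ["Egress"],
            "egress": [{
                "to": [{"ipBlock": {"cidr": f"{ip}/32"}}],
                "ports": [{"protocol": "TCP", "port": p} for p in ports],
            }],
        },
    }


def render_policies(values):
    """Mirror the Helm template: one deny-all plus two allow-policies per namespace.

    `values` uses the same keys as the template's .Values (constructed here).
    """
    policies = []
    for ns in values["namespaces"]:
        policies.append(default_deny(ns))
        policies.append(allow_egress_to_host(
            "allow-api-server", ns, values["apiServerIp"],
            [values["apiServerPort"]]))
        policies.append(allow_egress_to_host(
            "allow-dynatrace", ns, values["dynatraceServerIp"],
            [values["dynatraceServerOneAgentPort"],
             values["dynatraceServerDownloadPort"]]))
    return policies


def audit_policies(policies):
    """Return human-readable findings; an empty list means the set looks sane."""
    findings = []
    by_ns = {}
    for p in policies:
        by_ns.setdefault(p["metadata"]["namespace"], []).append(p)

    for ns, pols in by_ns.items():
        # 1. Every namespace needs a deny-all that covers both directions.
        has_deny = any(
            p["spec"].get("podSelector") == {}
            and set(p["spec"].get("policyTypes", [])) == {"Ingress", "Egress"}
            and not p["spec"].get("ingress") and not p["spec"].get("egress")
            for p in pols)
        if not has_deny:
            findings.append(f"{ns}: no default-deny policy for Ingress and Egress")

        # 2. Allow-rules should name specific hosts and ports, not wide ranges.
        for p in pols:
            name = p["metadata"]["name"]
            for rule in p["spec"].get("egress", []):
                for peer in rule.get("to", []):
                    cidr = peer.get("ipBlock", {}).get("cidr")
                    if cidr is None:
                        continue
                    net = ipaddress.ip_network(cidr, strict=False)
                    if net.prefixlen < 24:  # constructed threshold for this example
                        findings.append(f"{ns}/{name}: egress cidr {cidr} is broader than /24")
                if "ports" not in rule:
                    findings.append(f"{ns}/{name}: egress rule allows all ports")
    return findings


if __name__ == "__main__":
    # Constructed sample values standing in for the chart's values.yaml.
    sample_values = {
        "namespaces": ["team-a", "team-b"],
        "apiServerIp": "10.0.0.1", "apiServerPort": 443,
        "dynatraceServerIp": "203.0.113.10",
        "dynatraceServerOneAgentPort": 443, "dynatraceServerDownloadPort": 8443,
    }
    rendered = render_policies(sample_values)
    print(json.dumps(rendered[:3], indent=2))
    print("findings:", audit_policies(rendered))
```

Running the audit against the rendered set reports nothing; dropping the deny-all from a namespace, or widening an ipBlock to `0.0.0.0/0`, each produces a finding. One caveat the issue does not cover: once egress is denied by default, pods can only reach the Dynatrace endpoint by name if DNS egress to the cluster resolver is also allowed, so a real deployment needs that rule (or fixed IPs) as well.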
@DTMad
Member

DTMad commented May 5, 2020

Hey @tschonnie !

Sorry for the late reply - This looks good to me.
Would it be ok for you to have the required NetworkPolicies mentioned in the Readme?

Regards,
Marco
