From 891ce788ab40d38a1faf5e018331d717c530ab28 Mon Sep 17 00:00:00 2001
From: Quentin Bisson
Date: Fri, 19 Jan 2024 11:01:20 +0100
Subject: [PATCH] Add ciliumnetworkpolicies (#558)

---
 keda/README.md | 2 ++
 .../manager/ciliumnetworkpolicy.yaml | 27 +++++++++++++++++++
 .../metrics-server/ciliumnetworkpolicy.yaml | 26 ++++++++++++++++++
 .../webhooks/ciliumnetworkpolicy.yaml | 27 +++++++++++++++++++
 keda/values.yaml | 6 +++++
 5 files changed, 88 insertions(+)
 create mode 100644 keda/templates/manager/ciliumnetworkpolicy.yaml
 create mode 100644 keda/templates/metrics-server/ciliumnetworkpolicy.yaml
 create mode 100644 keda/templates/webhooks/ciliumnetworkpolicy.yaml

diff --git a/keda/README.md b/keda/README.md
index c0de0233..f62a56c4 100644
--- a/keda/README.md
+++ b/keda/README.md
@@ -83,6 +83,8 @@ their default values.
 | `http.timeout` | int | `3000` | The default HTTP timeout to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. These have built-in HTTP clients, and the timeout does not necessarily apply to them) |
 | `image.pullPolicy` | string | `"Always"` | Image pullPolicy for all KEDA components |
 | `imagePullSecrets` | list | `[]` | Name of secret to use to pull images to use to pull Docker images |
+| `networkPolicy.enabled` | bool | `false` | Enable network policies |
+| `networkPolicy.flavor` | string | `"cilium"` | Flavor of the network policies (cilium) |
 | `nodeSelector` | object | `{}` | Node selector for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/)) |
 | `podIdentity.activeDirectory.identity` | string | `""` | Identity in Azure Active Directory to use for Azure pod identity |
 | `podIdentity.aws.irsa.audience` | string | `"sts.amazonaws.com"` | Sets the token audience for IRSA. This will be set as an annotation on the KEDA service account. |
diff --git a/keda/templates/manager/ciliumnetworkpolicy.yaml b/keda/templates/manager/ciliumnetworkpolicy.yaml
new file mode 100644
index 00000000..f9186810
--- /dev/null
+++ b/keda/templates/manager/ciliumnetworkpolicy.yaml
@@ -0,0 +1,27 @@
+{{- if and .Values.networkPolicy.enabled (eq .Values.networkPolicy.flavor "cilium") }}
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ .Values.operator.name }}
+  namespace: {{ .Release.Namespace }}
+  {{- with .Values.additionalAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app: {{ .Values.operator.name }}
+    name: {{ .Values.operator.name }}
+    app.kubernetes.io/name: {{ .Values.operator.name }}
+    {{- include "keda.labels" . | indent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      app: {{ .Values.operator.name }}
+  egress:
+    - toEntities:
+        - kube-apiserver
+        - cluster
+  ingress:
+    - fromEntities:
+        - cluster
+{{ end }}
diff --git a/keda/templates/metrics-server/ciliumnetworkpolicy.yaml b/keda/templates/metrics-server/ciliumnetworkpolicy.yaml
new file mode 100644
index 00000000..887ef5c2
--- /dev/null
+++ b/keda/templates/metrics-server/ciliumnetworkpolicy.yaml
@@ -0,0 +1,26 @@
+{{- if and .Values.networkPolicy.enabled (eq .Values.networkPolicy.flavor "cilium") }}
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ .Values.operator.name }}-metrics-apiserver
+  namespace: {{ .Release.Namespace }}
+  {{- with .Values.additionalAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app: {{ .Values.operator.name }}-metrics-apiserver
+    app.kubernetes.io/name: {{ .Values.operator.name }}-metrics-apiserver
+    {{- include "keda.labels" . | indent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      app: {{ .Values.operator.name }}-metrics-apiserver
+  egress:
+    - toEntities:
+        - kube-apiserver
+        - cluster
+  ingress:
+    - fromEntities:
+        - cluster
+{{ end }}
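Review bot: The `egress:` section at the bottom of the manager policy only allows the `kube-apiserver` and `cluster` entities, and because a Cilium policy that declares an egress section puts the selected endpoint into default-deny for all other egress, enabling `networkPolicy.enabled` will cut the operator off from any out-of-cluster endpoint that scalers commonly query (cloud provider metrics APIs, external Prometheus, hosted queues). Nothing in the hunk says whether that is intended, so at minimum a comment above `egress:` such as `# egress is limited to in-cluster endpoints; scalers that query out-of-cluster services need additional egress rules` should make the restriction visible to chart users. Since this is a security control, it is worth deciding explicitly whether the egress list should be extensible from values rather than hard-coded. On the ingress side, `fromEntities: cluster` with no `toPorts` opens every port of the operator pod to every cluster endpoint; limiting it to the ports the operator actually serves would be a cheap tightening.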
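Review bot: The `ingress:` rule at the end of the metrics-server policy only admits the `cluster` entity, but this component's client is the kube-apiserver (it is exposed through API aggregation), and on clusters whose control plane runs outside the cluster Cilium identifies that traffic as the `kube-apiserver` entity rather than `cluster`, so the aggregated metrics API may become unreachable as soon as this policy is applied. The fix is one added line under `fromEntities:` — `- kube-apiserver` — alongside `- cluster`. The webhooks policy in the next hunk has the same gap, since admission webhooks are also called only by the kube-apiserver, and it should get the same entry. The egress section already lists `kube-apiserver`, which suggests the omission on the ingress side is accidental rather than a deliberate choice.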
diff --git a/keda/templates/webhooks/ciliumnetworkpolicy.yaml b/keda/templates/webhooks/ciliumnetworkpolicy.yaml
new file mode 100644
index 00000000..1eea65d1
--- /dev/null
+++ b/keda/templates/webhooks/ciliumnetworkpolicy.yaml
@@ -0,0 +1,27 @@
+{{- if and .Values.webhooks.enabled .Values.networkPolicy.enabled (eq .Values.networkPolicy.flavor "cilium") }}
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ .Values.webhooks.name }}
+  namespace: {{ .Release.Namespace }}
+  {{- with .Values.additionalAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app: {{ .Values.webhooks.name }}
+    name: {{ .Values.webhooks.name }}
+    app.kubernetes.io/name: {{ .Values.webhooks.name }}
+    {{- include "keda.labels" . | indent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      app: {{ .Values.webhooks.name }}
+  egress:
+    - toEntities:
+        - kube-apiserver
+        - cluster
+  ingress:
+    - fromEntities:
+        - cluster
+{{ end }}
diff --git a/keda/values.yaml b/keda/values.yaml
index f64216de..878d788c 100644
--- a/keda/values.yaml
+++ b/keda/values.yaml
@@ -53,6 +53,12 @@ watchNamespace: ""
 # -- Name of secret to use to pull images to use to pull Docker images
 imagePullSecrets: []
 
+networkPolicy:
+  # -- Enable network policies
+  enabled: false
+  # -- Flavor of the network policies (cilium)
+  flavor: "cilium"
+
 operator:
   # -- Name of the KEDA operator
   name: keda-operator
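Review bot: The comment on `flavor` in the values.yaml hunk does not say that `cilium` is the only value the chart acts on; all three `ciliumnetworkpolicy.yaml` templates guard on `eq .Values.networkPolicy.flavor "cilium"`, so a typo or any other flavor name renders no policy at all while `enabled: true` still reads as though isolation were in place. Suggest `# -- Flavor of the network policies (only "cilium" is supported; any other value renders no policy)`. Failing the render with Helm's `fail` for an unrecognised flavor would be the stricter option, but the values documentation should state the constraint either way.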