Merge pull request #517 from kubescape/netpol

fix egress rules
kubescape · Oct 9, 2024 · e139743 · e139743
2 parents adb641c + becd8cd
commit e139743
Show file tree

Hide file tree

Showing 11 changed files with 185 additions and 51 deletions.
diff --git a/charts/kubescape-operator/assets/common-egress-rules.yaml b/charts/kubescape-operator/assets/common-egress-rules.yaml
@@ -16,7 +16,7 @@
   to:
     - podSelector:
         matchLabels:
-          app: otel-collector
+          {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.otelCollector.name) | nindent 10 }}
 {{- if ne .Values.global.httpsProxy "" }}
 - ports:
     - port: {{ .Values.global.networkPolicy.httpsProxyPort }}

diff --git a/charts/kubescape-operator/assets/kubevuln-cronjob-full.yaml b/charts/kubescape-operator/assets/kubevuln-cronjob-full.yaml
@@ -5,8 +5,8 @@ apiVersion: batch/v1
       namespace: {{ .Values.ksNamespace }}
       labels:
         app: {{ .Values.kubevulnScheduler.name }}
-        kubescape.io/tier: "core"
         tier: {{ .Values.global.namespaceTier }}
+        kubescape.io/tier: "core"
         armo.tier: "vuln-scan"
     spec:
       schedule: "{{ .Values.kubevulnScheduler.scanSchedule }}"
@@ -20,10 +20,10 @@ apiVersion: batch/v1
                 armo.tier: "vuln-scan"
                 kubescape.io/tier: "core"
             spec:
-            {{- if .Values.imagePullSecrets }}
+              {{- if .Values.imagePullSecrets }}
               imagePullSecrets:
               - name: {{ toYaml .Values.imagePullSecrets }}
-            {{- end }}
+              {{- end }}
               containers:
               - name: {{ .Values.kubevulnScheduler.name }}
                 image: "{{ .Values.kubevulnScheduler.image.repository }}:{{ .Values.kubevulnScheduler.image.tag }}"

diff --git a/charts/kubescape-operator/templates/kubescape-scheduler/networkpolicy.yaml b/charts/kubescape-operator/templates/kubescape-scheduler/networkpolicy.yaml
@@ -15,4 +15,11 @@ spec:
     - Egress
   egress:
 {{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }}
+    - ports:
+        - protocol: TCP
+          port: 4002
+      to:
+        - podSelector:
+            matchLabels:
+              {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name) | nindent 14 }}
 {{- end }}
diff --git a/charts/kubescape-operator/templates/kubevuln-scheduler/cronjob.yaml b/charts/kubescape-operator/templates/kubevuln-scheduler/cronjob.yaml
@@ -11,6 +11,7 @@ metadata:
   namespace: {{ .Values.ksNamespace }}
   labels:
     {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubevulnScheduler.name "tier" .Values.global.namespaceTier) | nindent 4 }}
+    armo.tier: "vuln-scan"
     kubescape.io/tier: "core"
 spec:
   schedule: "{{ trimPrefix "\n" (trimSuffix  "\n" $kubevuln_daily_scan_cron_tab) }}"
@@ -22,12 +23,13 @@ spec:
         metadata:
           labels:
             {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubevulnScheduler.name "tier" .Values.global.namespaceTier) | nindent 12 }}
+            armo.tier: "vuln-scan"
             kubescape.io/tier: "core"
         spec:
-        {{- if .Values.imagePullSecrets }}
+          {{- if .Values.imagePullSecrets }}
           imagePullSecrets:
           - name: {{ toYaml .Values.imagePullSecrets }}
-        {{- end }}
+          {{- end }}
           containers:
           - name: {{ .Values.kubevulnScheduler.name }}
             image: "{{ .Values.kubevulnScheduler.image.repository }}:{{ .Values.kubevulnScheduler.image.tag }}"
@@ -46,9 +48,9 @@ spec:
               - -path=v1/triggerAction
               - -headers=Content-Type:application/json
               - -path-body=/home/ks/request-body.json
-              {{- if .Values.kubevulnScheduler.insecureSkipTLSVerify }}
+            {{- if .Values.kubevulnScheduler.insecureSkipTLSVerify }}
               - -skip-ssl-verify=true
-              {{- end}}
+            {{- end}}
             volumeMounts:
               - name: {{ .Values.kubevulnScheduler.name }}
                 mountPath: /home/ks/request-body.json

diff --git a/charts/kubescape-operator/templates/kubevuln-scheduler/networkpolicy.yaml b/charts/kubescape-operator/templates/kubevuln-scheduler/networkpolicy.yaml
@@ -15,4 +15,11 @@ spec:
     - Egress
   egress:
 {{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }}
+    - ports:
+        - protocol: TCP
+          port: 4002
+      to:
+        - podSelector:
+            matchLabels:
+              {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name) | nindent 14 }}
 {{- end }}
diff --git a/charts/kubescape-operator/templates/kubevuln/service.yaml b/charts/kubescape-operator/templates/kubevuln/service.yaml
@@ -14,5 +14,5 @@ spec:
       targetPort: {{ .Values.kubevuln.service.targetPort }}
       protocol: {{ .Values.kubevuln.service.protocol }}
   selector:
-    app: {{ .Values.kubevuln.name }}
+    {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubevuln.name) | nindent 4 }}
 {{- end }}
diff --git a/charts/kubescape-operator/templates/otel-collector/networkpolicy.yaml b/charts/kubescape-operator/templates/otel-collector/networkpolicy.yaml
@@ -35,4 +35,6 @@ spec:
       ports:
         - port: otlp
           protocol: TCP
+        - port: otlp-http
+          protocol: TCP
 {{- end }}
diff --git a/charts/kubescape-operator/templates/otel-collector/service.yaml b/charts/kubescape-operator/templates/otel-collector/service.yaml
@@ -19,5 +19,5 @@ spec:
       targetPort: 4318
       protocol: TCP
   selector:
-    app: {{ .Values.otelCollector.name }}
+    {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.otelCollector.name) | nindent 4 }}
 {{ end }}
diff --git a/charts/kubescape-operator/templates/prometheus-exporter/service.yaml b/charts/kubescape-operator/templates/prometheus-exporter/service.yaml
@@ -14,5 +14,5 @@ spec:
       targetPort: {{ .Values.prometheusExporter.service.targetPort }}
       protocol: {{ .Values.prometheusExporter.service.protocol }}
   selector:
-    app: {{ .Values.prometheusExporter.name }}
+    {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.prometheusExporter.name) | nindent 4 }}
 {{- end }}
diff --git a/charts/kubescape-operator/templates/synchronizer/service.yaml b/charts/kubescape-operator/templates/synchronizer/service.yaml
@@ -14,5 +14,5 @@ spec:
       targetPort: {{ .Values.synchronizer.service.targetPort }}
       protocol: {{ .Values.synchronizer.service.protocol }}
   selector:
-    app: {{ .Values.synchronizer.name }}
+    {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.synchronizer.name) | nindent 4 }}
   {{- end }}