diff --git a/charts/nginx-ingress/templates/controller-networkpolicy.yaml b/charts/nginx-ingress/templates/controller-networkpolicy.yaml
new file mode 100644
index 0000000000..31080e266c
--- /dev/null
+++ b/charts/nginx-ingress/templates/controller-networkpolicy.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "nginx-ingress.fullname" . }}-network-policy
+ labels:
+ {{- include "nginx-ingress.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ {{- toYaml .Values.networkPolicy.podSelector | nindent 4 }}
+ policyTypes:
+ {{- toYaml .Values.networkPolicy.policyTypes | nindent 4 }}
+
+ {{- if has "Ingress" .Values.networkPolicy.policyTypes }}
+ ingress:
+ {{- toYaml .Values.networkPolicy.ingress | nindent 4 }}
+ {{- end }}
+
+ {{- if has "Egress" .Values.networkPolicy.policyTypes }}
+ egress:
+ {{- toYaml .Values.networkPolicy.egress | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json
index b6f0ba5f32..707ca34b41 100644
--- a/charts/nginx-ingress/values.schema.json
+++ b/charts/nginx-ingress/values.schema.json
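Review bot: `metadata` carries no `namespace`, while the chart's other namespaced resources in this commit's snapshot (ServiceAccount, ConfigMap, Role) render `namespace: default`; a NetworkPolicy is namespaced, so add `  namespace: {{ .Release.Namespace }}` under `name:` for consistency and so `helm template` output lands in the intended namespace. Second, an empty `podSelector` renders as `{}`, which selects every pod in the namespace rather than only the controller pods, so the default ingress/egress rules would isolate unrelated workloads; consider falling back to the chart's controller selector labels when `.Values.networkPolicy.podSelector` is empty (the Deployment selector in the snapshot uses `app.kubernetes.io/name` and `app.kubernetes.io/instance`), or at minimum document that an empty selector is namespace-wide. Also, if a user sets `policyTypes: []`, neither `has` branch renders and, per the NetworkPolicy spec's defaulting, the API server treats the policy as affecting Ingress with no rules, i.e. deny-all ingress for the selected pods; a comment on `policyTypes` should say so.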
@@ -2681,6 +2681,78 @@
 ]
 }
 }
+ },
+ "networkPolicy": {
+ "type": "object",
+ "default": {
+ "enabled": false
+ },
+ "title": "Configuration for NetworkPolicy",
+ "required": [
+ "enabled"
+ ],
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "default": false,
+ "title": "Enable NetworkPolicy",
+ "examples": [
+ false,
+ true
+ ]
+ },
+ "policyTypes": {
+ "type": "array",
+ "default": [
+ "Ingress",
+ "Egress"
+ ],
+ "title": "Types of policy to create",
+ "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.33.1/_definitions.json#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec/properties/policyTypes"
+ },
+ "podSelector": {
+ "type": "object",
+ "default": {},
+ "title": "Label selector for pods (defaults to ingress controller pods)",
+ "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.33.1/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"
+ },
+ "ingress": {
+ "type": "array",
+ "default": [
+ {
+ "from": [],
+ "ports": [
+ {
+ "protocol": "TCP",
+ "port": 80
+ },
+ {
+ "protocol": "TCP",
+ "port": 443
+ }
+ ]
+ }
+ ],
+ "title": "Ingress rules",
+ "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.33.1/_definitions.json#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec/properties/ingress"
+ },
+ "egress": {
+ "type": "array",
+ "default": [
+ {
+ "to": [],
+ "ports": [
+ {
+ "protocol": "UDP",
+ "port": 53
+ }
+ ]
+ }
+ ],
+ "title": "Egress rules",
+ "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.33.1/_definitions.json#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec/properties/egress"
+ }
+ }
 }
 },
 "examples": [
diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml
index 8693a0517c..95c74e5372 100644
--- a/charts/nginx-ingress/values.yaml
+++ b/charts/nginx-ingress/values.yaml
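Review bot: The `podSelector` title says the selector "defaults to ingress controller pods", but its default is `{}` and the values.yaml hunk in this commit documents the same default as "all pods in the same namespace"; an empty LabelSelector matches every pod in the namespace, so the schema text is the wrong one and should read `"title": "Label selector for pods the NetworkPolicy applies to (empty selects all pods in the release namespace)"`. Separately, each property places `type`/`default`/`title` next to a remote `$ref`; whether those sibling keywords are honoured depends on the JSON Schema draft the chart's validator applies, and a remote `$ref` means validation needs network access to raw.githubusercontent.com and trusts what it returns, which is acceptable if the rest of this schema already does the same, something this hunk does not show.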
@@ -766,3 +766,35 @@ nginxAgent:
 processorBufferSize: 50000
 ## The name of a custom ConfigMap to use instead of the one provided by default
 customConfigMap: ""
+
+## Configure Kubernetes NetworkPolicy for the ingress controller pods
+networkPolicy:
+ ## Enable creation of a NetworkPolicy resource for the ingress controller pods
+ enabled: false
+
+ ## List of NetworkPolicy types to apply (Ingress, Egress, or both)
+ policyTypes:
+ - Ingress
+ - Egress
+
+ ## Label selector for pods the NetworkPolicy applies to (defaults to all pods in the same namespace)
+ podSelector: {}
+ ## matchLabels:
+ ## app.kubernetes.io/name: nginx-ingress
+ ## app.kubernetes.io/instance: nginx-ingress
+
+ ## List of ingress rules for allowed sources and ports
+ ingress:
+ - from: []
+ ports:
+ - protocol: TCP
+ port: 80
+ - protocol: TCP
+ port: 443
+
+ ## List of egress rules for allowed destinations and ports
+ egress:
+ - to: []
+ ports:
+ - protocol: UDP
+ port: 53
diff --git a/charts/tests/__snapshots__/helmunit_test.snap b/charts/tests/__snapshots__/helmunit_test.snap
index 3d91c099a9..ae500a217c 100755
--- a/charts/tests/__snapshots__/helmunit_test.snap
+++ b/charts/tests/__snapshots__/helmunit_test.snap
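Review bot: With `policyTypes` defaulting to both `Ingress` and `Egress`, the default `egress` rule leaves the selected pods only UDP/53, yet the controller must reach the Kubernetes API server to watch Ingress and custom resources (the ClusterRole in this commit grants exactly those list/watch verbs) and DNS answers over 512 bytes fall back to TCP/53, so `enabled: true` with otherwise default values would most likely break the controller rather than protect it. The commit's own fixture (`charts/tests/testdata/network-policy.yaml`) allows TCP/53, 443 and 6443 for this reason; the shipped default should do the same, or `policyTypes` should default to `Ingress` only so that egress restriction is opt-in. The API server port is cluster-specific, so the ports below are a starting point to confirm against the target cluster, and the comment should say so.

```yaml
  ## List of egress rules for allowed destinations and ports.
  ## The controller needs DNS and the Kubernetes API server; adjust the
  ## API server ports (443/6443 below) to match the cluster.
  egress:
    - to: []
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 6443
```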
@@ -6650,6 +6650,523 @@ metadata: app.kubernetes.io/managed-by: Helm --- +[TestHelmNICTemplate/networkPolicy - 1] +/-/-/-/ +# Source: nginx-ingress/templates/controller-networkpolicy.yaml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: network-policy-nginx-ingress-network-policy + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +spec: + podSelector: + matchLabels: + app.kubernetes.io/instance: nginx-ingress + app.kubernetes.io/name: nginx-ingress + policyTypes: + - Ingress + - Egress + ingress: + - from: [] + ports: + - port: 80 + protocol: TCP + - port: 443 + protocol: TCP + - from: + - namespaceSelector: + matchLabels: + name: monitoring + - podSelector: + matchLabels: + app: prometheus + ports: + - port: 8081 + protocol: TCP + - from: + - namespaceSelector: + matchLabels: + name: nginx-ingress + ports: + - port: 8080 + protocol: TCP + egress: + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + to: + - namespaceSelector: + matchLabels: + name: kube-system + - ports: + - port: 443 + protocol: TCP + - port: 6443 + protocol: TCP + to: [] + - ports: + - port: 80 + protocol: TCP + - port: 443 + protocol: TCP + - port: 8080 + protocol: TCP + - port: 8443 + protocol: TCP + - port: 9000 + protocol: TCP + to: + - podSelector: {} +/-/-/-/ +# Source: nginx-ingress/templates/controller-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: network-policy-nginx-ingress + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +/-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: network-policy-nginx-ingress + namespace: 
default + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +data: + {} +/-/-/-/ +# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: network-policy-nginx-ingress-leader-election + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +/-/-/-/ +# Source: nginx-ingress/templates/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: network-policy-nginx-ingress + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - "apps" + resources: + - replicasets + - daemonsets + - statefulsets + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- 
apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +/-/-/-/ +# Source: nginx-ingress/templates/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: network-policy-nginx-ingress + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +subjects: +- kind: ServiceAccount + name: network-policy-nginx-ingress + namespace: default +roleRef: + kind: ClusterRole + name: network-policy-nginx-ingress + apiGroup: rbac.authorization.k8s.io +/-/-/-/ +# Source: nginx-ingress/templates/controller-role.yaml +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: network-policy-nginx-ingress + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm + namespace: default +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - network-policy-nginx-ingress-leader-election + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +/-/-/-/ +# Source: nginx-ingress/templates/controller-rolebinding.yaml +kind: 
RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: network-policy-nginx-ingress + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: network-policy-nginx-ingress +subjects: +- kind: ServiceAccount + name: network-policy-nginx-ingress + namespace: default +/-/-/-/ +# Source: nginx-ingress/templates/controller-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: network-policy-nginx-ingress-controller + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +spec: + externalTrafficPolicy: Local + type: LoadBalancer + ports: + - port: 80 + targetPort: 80 + protocol: TCP + name: http + nodePort: + - port: 443 + targetPort: 443 + protocol: TCP + name: https + nodePort: + selector: + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy +/-/-/-/ +# Source: nginx-ingress/templates/controller-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: network-policy-nginx-ingress-controller + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + template: + metadata: + labels: + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9113" + prometheus.io/scheme: "http" + spec: + volumes: [] + 
serviceAccountName: network-policy-nginx-ingress + automountServiceAccountToken: true + securityContext: + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: 30 + hostNetwork: false + dnsPolicy: ClusterFirst + containers: + - image: nginx/nginx-ingress:5.3.0 + name: nginx-ingress + imagePullPolicy: "IfNotPresent" + ports: + - name: http + containerPort: 80 + protocol: TCP + - name: https + containerPort: 443 + protocol: TCP + - name: prometheus + containerPort: 9113 + - name: readiness-port + containerPort: 8081 + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: 0 + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + volumeMounts: [] + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + args: + + - -nginx-plus=false + - -nginx-reload-timeout=60000 + - -enable-app-protect=false + - -enable-app-protect-dos=false + - -nginx-configmaps=$(POD_NAMESPACE)/network-policy-nginx-ingress + - -ingress-class=nginx + - -health-status=false + - -health-status-uri=/nginx-health + - -nginx-debug=false + - -log-level=info + - -log-format=glog + - -nginx-status=true + - -nginx-status-port=8080 + - -nginx-status-allow-cidrs=127.0.0.1 + - -report-ingress-status + - -external-service=network-policy-nginx-ingress-controller + - -enable-leader-election=true + - -leader-election-lock-name=network-policy-nginx-ingress-leader-election + - -enable-prometheus-metrics=true + - -prometheus-metrics-listen-port=9113 + - -prometheus-tls-secret= + - -enable-service-insight=false + - -service-insight-listen-port=9114 + - -service-insight-tls-secret= + - -enable-custom-resources=true + - -enable-snippets=false + - 
-disable-ipv6=false + - -enable-tls-passthrough=false + - -enable-cert-manager=false + - -enable-oidc=false + - -enable-external-dns=false + - -default-http-listener-port=80 + - -default-https-listener-port=443 + - -ready-status=true + - -ready-status-port=8081 + - -enable-latency-metrics=false + - -ssl-dynamic-reload=true + - -enable-telemetry-reporting=true + - -weight-changes-dynamic-reload=false +/-/-/-/ +# Source: nginx-ingress/templates/controller-ingress-class.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: nginx + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +spec: + controller: nginx.org/ingress-controller +/-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +/-/-/-/ +/-/-/-/ +# Source: nginx-ingress/templates/controller-lease.yaml +apiVersion: coordination.k8s.io/v1 +kind: Lease +metadata: + name: network-policy-nginx-ingress-leader-election + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: network-policy + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +--- + [TestHelmNICTemplate/ossAgentV3 - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml diff --git a/charts/tests/helmunit_test.go b/charts/tests/helmunit_test.go index dd459e7820..a660c1fcf2 100644 --- a/charts/tests/helmunit_test.go +++ b/charts/tests/helmunit_test.go @@ -166,6 +166,11 @@ func TestHelmNICTemplate(t *testing.T) { releaseName: "startupstatus", namespace: "default", }, + "networkPolicy": { + valuesFile: "testdata/network-policy.yaml", + releaseName: "network-policy", + namespace: "default", + }, } // Path to the helm chart we will test 
diff --git a/charts/tests/testdata/network-policy.yaml b/charts/tests/testdata/network-policy.yaml
new file mode 100644
index 0000000000..2ae779def6
--- /dev/null
+++ b/charts/tests/testdata/network-policy.yaml
@@ -0,0 +1,62 @@
+networkPolicy:
+ enabled: true
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: nginx-ingress
+ app.kubernetes.io/instance: nginx-ingress
+ ingress:
+ - from: []
+ ports:
+ - port: 80
+ protocol: TCP
+ - port: 443
+ protocol: TCP
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ name: monitoring
+ - podSelector:
+ matchLabels:
+ app: prometheus
+ ports:
+ - port: 8081
+ protocol: TCP
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ name: nginx-ingress
+ ports:
+ - port: 8080
+ protocol: TCP
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: kube-system
+ ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ - to: []
+ ports:
+ - port: 443
+ protocol: TCP
+ - port: 6443
+ protocol: TCP
+ - to:
+ - podSelector: {}
+ ports:
+ - port: 80
+ protocol: TCP
+ - port: 443
+ protocol: TCP
+ - port: 8080
+ protocol: TCP
+ - port: 8443
+ protocol: TCP
+ - port: 9000
+ protocol: TCP
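Review bot: The fixture's `podSelector.matchLabels` sets `app.kubernetes.io/instance: nginx-ingress`, but the test installs the chart with release name `network-policy` (helmunit_test.go hunk), so the controller pods rendered for this release carry `app.kubernetes.io/instance: network-policy` (see the Deployment in the snapshot) and the rendered NetworkPolicy selects none of them. The snapshot test still passes because it only compares rendered text, so the mismatch is silent; change the line to `app.kubernetes.io/instance: network-policy` so the fixture models a policy that actually applies to the controller. The commented example in values.yaml (`## app.kubernetes.io/instance: nginx-ingress`) invites the same mistake and should state that the instance label equals the Helm release name.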