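--- a/charts/nginx-ingress/templates/controller-networkpolicy.yaml
+++ b/charts/nginx-ingress/templates/controller-networkpolicy.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: {{ include "nginx-ingress.fullname" . }}-network-policy
+labels:
+{{- include "nginx-ingress.labels" . | nindent 4 }}
+spec:
+podSelector:
+{{- toYaml .Values.networkPolicy.podSelector | nindent 4 }}
+policyTypes:
+{{- toYaml .Values.networkPolicy.policyTypes | nindent 4 }}
+
+{{- if has "Ingress" .Values.networkPolicy.policyTypes }}
+ingress:
+{{- toYaml .Values.networkPolicy.ingress | nindent 4 }}
+{{- end }}
+
+{{- if has "Egress" .Values.networkPolicy.policyTypes }}
+egress:
+{{- toYaml .Values.networkPolicy.egress | nindent 4 }}
+{{- end }}
+{{- end }}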
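Review bot: `podSelector` is rendered straight from `.Values.networkPolicy.podSelector`, and the chart default for that value is `{}`, which in a NetworkPolicy selects every pod in the release namespace rather than only the controller pods. Enabling the policy with defaults would therefore apply the 80/443 ingress and UDP 53 egress rules to any other workload sharing that namespace. The two descriptions of this default also disagree: the schema title in values.schema.json says "defaults to ingress controller pods" while the comment in values.yaml says "defaults to all pods in the same namespace". Consider falling back to the controller's own selector labels when the value is empty, as sketched below (the helper name is a placeholder for whatever selector-label helper the chart defines), and document that an operator who really wants a namespace-wide policy must then say so explicitly.

```yaml
spec:
  podSelector:
    {{- with .Values.networkPolicy.podSelector }}
    {{- toYaml . | nindent 4 }}
    {{- else }}
    matchLabels:
      {{- /* placeholder: replace with the chart's selector-labels helper */}}
      {{- include "SELECTOR_LABELS_HELPER_PLACEHOLDER" . | nindent 6 }}
    {{- end }}
  # … unchanged: policyTypes, ingress and egress blocks …
```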
72 changes: 72 additions & 0 deletions charts/nginx-ingress/values.schema.json
Expand Up @@ -2681,6 +2681,78 @@
]
}
}
},
"networkPolicy": {
"type": "object",
Contributor

we can skip type considering recent schema changes

"default": {
"enabled": false
},
"title": "Configuration for NetworkPolicy",
"required": [
"enabled"
],
"properties": {
"enabled": {
"type": "boolean",
"default": false,
"title": "Enable NetworkPolicy",
"examples": [
false,
true
]
},
"policyTypes": {
"type": "array",
"default": [
"Ingress",
"Egress"
],
"title": "Types of policy to create",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.33.1/_definitions.json#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec/properties/policyTypes"
},
"podSelector": {
"type": "object",
"default": {},
"title": "Label selector for pods (defaults to ingress controller pods)",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.33.1/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"
},
"ingress": {
"type": "array",
"default": [
{
"from": [],
"ports": [
{
"protocol": "TCP",
"port": 80
},
{
"protocol": "TCP",
"port": 443
}
]
}
],
"title": "Ingress rules",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.33.1/_definitions.json#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec/properties/ingress"
},
"egress": {
"type": "array",
"default": [
{
"to": [],
"ports": [
{
"protocol": "UDP",
"port": 53
}
]
}
],
"title": "Egress rules",
"$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.33.1/_definitions.json#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec/properties/egress"
}
}
}
},
"examples": [
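Review bot: The four `$ref` values added for `policyTypes`, `podSelector`, `ingress` and `egress` point at a path under the `master` branch of a GitHub repository, so the definitions the chart validates against can change without any change to the chart, and validation depends on that host being reachable from wherever the schema is resolved. If the rest of this schema does not already rely on the same pattern, consider pinning the URL to a commit or tag, or vendoring the referenced definitions into the chart. It would also help to add a `description` on `ingress` and `egress` stating that an empty `from`/`to` list matches all peers, since the defaults here use `"from": []` and `"to": []`.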
32 changes: 32 additions & 0 deletions charts/nginx-ingress/values.yaml
Expand Up @@ -766,3 +766,35 @@ nginxAgent:
processorBufferSize: 50000
## The name of a custom ConfigMap to use instead of the one provided by default
customConfigMap: ""

## Configure Kubernetes NetworkPolicy for the ingress controller pods
networkPolicy:
## Enable creation of a NetworkPolicy resource for the ingress controller pods
enabled: false

## List of NetworkPolicy types to apply (Ingress, Egress, or both)
policyTypes:
- Ingress
- Egress

## Label selector for pods the NetworkPolicy applies to (defaults to all pods in the same namespace)
podSelector: {}
## matchLabels:
## app.kubernetes.io/name: nginx-ingress
## app.kubernetes.io/instance: nginx-ingress

## List of ingress rules for allowed sources and ports
ingress:
- from: []
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443

## List of egress rules for allowed destinations and ports
egress:
- to: []
ports:
- protocol: UDP
port: 53
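Review bot: The default `policyTypes` includes `Egress` while the default `egress` list allows only UDP 53, so setting `enabled: true` with no other overrides leaves the selected pods unable to open any other outbound connection. That presumably includes the Kubernetes API server and the upstream backends the controller proxies to, and DNS retries over TCP 53 are dropped as well. Either default `policyTypes` to `- Ingress` only, or document the requirement above `egress:`, e.g. `## NOTE: with Egress enabled, add rules for the API server and backend pods; the default only permits DNS over UDP`. The ingress default likewise admits only 80/443, so any metrics or health ports the controller exposes would need an explicit rule.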