From d5e0da1692693931b3892bef0a976fe2d3f8d558 Mon Sep 17 00:00:00 2001 
From: Jonas Juselius Date: Tue, 24 Jun 2025 14:26:03 +0200 Subject: [PATCH] fix: add cilium cluster feature guards to network policies --- .../CiliumNetworkPolicy-allow-applicationset-ingress.yaml | 2 ++ .../CiliumNetworkPolicy-allow-argo-notifications.yaml | 2 ++ ...umNetworkPolicy-allow-argo-repo-access-applicationset.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-argo-repo-access.yaml | 2 ++ .../CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml | 2 ++ .../CiliumNetworkPolicy-allow-image-updater-repo-access.yaml | 2 ++ .../manifests/policies/CiliumNetworkPolicy-allow-ingress.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-kube-api.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-microsoft-sso.yaml | 2 ++ .../CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml | 2 ++ ...iliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml | 2 ++ .../CiliumNetworkPolicy-allow-prometheus-metrics.yaml | 2 ++ values/atlantis/manifests/network/allow-api-server.yaml | 2 ++ .../atlantis/manifests/network/allow-external-services.yaml | 2 ++ values/atlantis/manifests/network/allow-sentry.yaml | 2 ++ values/atlantis/manifests/network/atlantis-policies.yaml | 2 ++ .../CiliumNetworkPolicy-allow-api-server-to-cert-manager.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-api-server.yaml | 2 ++ .../CiliumNetworkPolicy-allow-prometheus-metrics.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-world-traffic.yaml | 2 ++ .../cilium-manifests/dashboards/cilium-policy-verdicts.yaml | 2 ++ values/cilium/cilium-manifests/loadbalancer.yaml | 2 ++ .../CiliumClusterwideNetworkPolicy-cilium-health-checks.yaml | 2 ++ .../spire-manifests/CiliumNetworkPolicy-allow-api-server.yaml | 2 ++ .../CiliumNetworkPolicy-allow-remote-node-to-server.yaml | 2 ++ values/csi-addons-system/manifests/allow-9070-host.yaml | 2 ++ values/dapr/manifests/network/allow-api-server.yaml | 2 ++ values/dapr/manifests/network/allow-remote-node.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-host-traffic.yaml | 
2 ++ .../policies/CiliumNetworkPolicy-allow-hubble-traffic.yaml | 2 ++ .../CiliumNetworkPolicy-allow-prometheus-metrics.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-s3-traffic.yaml | 2 ++ .../CiliumNetworkPolicy-allow-world-to-ingress-nginx.yaml | 2 ++ .../CiliumNetworkPolicy-allow-loki-backend-to-api-server.yaml | 2 ++ .../network/CiliumNetworkPolicy-allow-prometheus-metrics.yaml | 2 ++ .../CiliumNetworkPolicy-allow-promtail-to-api-server.yaml | 2 ++ .../network/CiliumNetworkPolicy-allow-s3-traffic.yaml | 2 ++ .../loki/manifests/network/CiliumNetworkPolicy-allow-s3.yaml | 2 ++ .../network/CiliumNetworkPolicy-allow-stats-grafana.yaml | 2 ++ ...tworkPolicy-allow-otel-collector-loadbalancer-ingress.yaml | 2 ++ .../manifests/network/CiliumNetworkPolicy-allow-ext.yaml | 4 +++- .../manifests/network/CiliumNetworkPolicy-allow-gravatar.yaml | 4 +++- .../policies/CiliumNetworkPolicy-allow-api-server.yaml | 2 ++ .../CiliumNetworkPolicy-allow-remote-node-webhooks.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-alerting.yaml | 2 ++ .../CiliumNetworkPolicy-allow-alertmanager-ingress.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-dns-metrics.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-etcd-metrics.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-grafana-ingress.yaml | 2 ++ .../CiliumNetworkPolicy-allow-grafana-oidc-login.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-grafana-plugins.yaml | 2 ++ .../CiliumNetworkPolicy-allow-grafana-secure-gravatar.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-host-traffic.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-nginx-ingress.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-opencost-scrape.yaml | 2 ++ ...liumNetworkPolicy-allow-remote-node-to-metrics-server.yaml | 2 ++ .../CiliumNetworkPolicy-allow-remote-node-to-webhook.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-robusta-ingress.yaml | 2 ++ .../manifests/policies/CiliumNetworkPolicy-allow-slack.yaml | 2 ++ 
.../policies/CiliumNetworkPolicy-allow-stats-grafana.yaml | 2 ++ .../CiliumNetworkPolicy-allow-inter-node-traffic.yaml | 2 ++ .../CiliumNetworkPolicy-allow-operator-traffic.yaml | 2 ++ .../CiliumNetworkPolicy-allow-rabbitmq-traffic.yaml | 2 ++ values/rabbitmq/network.bak/policy-allow-rabbitmq.yaml | 2 ++ values/system/oceanbox/network/allow-azure-egress.yaml | 2 ++ values/system/oceanbox/network/allow-ceph-egress.yaml | 2 ++ .../system/oceanbox/network/allow-microsoft-oidc-login.yaml | 2 ++ .../oceanbox/network/clusterpolicy-allow-api-server.yaml | 2 ++ .../oceanbox/network/clusterpolicy-allow-ekman-egress.yaml | 2 ++ .../network/clusterpolicy-allow-namespace-traffic.yaml | 2 ++ .../oceanbox/network/clusterpolicy-allow-oceanboxio.yaml | 2 ++ .../oceanbox/network/clusterpolicy-allow-remote-node.yaml | 2 ++ .../network/CiliumNetworkPolicy-allow-api-server.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-api-server.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-job-api-server.yaml | 2 ++ .../CiliumNetworkPolicy-allow-prometheus-metrics.yaml | 2 ++ .../policies/CiliumNetworkPolicy-allow-api-server.yaml | 2 ++ .../CiliumNetworkPolicy-allow-prometheus-metrics.yaml | 2 ++ 78 files changed, 158 insertions(+), 2 deletions(-) diff --git a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-applicationset-ingress.yaml b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-applicationset-ingress.yaml index 1678e7a3..34a8d3fd 100644 --- a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-applicationset-ingress.yaml +++ b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-applicationset-ingress.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -12,3 +13,4 @@ spec: - fromEndpoints: - matchLabels: io.kubernetes.pod.namespace: ingress-nginx +{{- end }} 
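Review bot: The new guard `{{- if .Values.clusterConfig.cilium.enabled }}` at the top of CiliumNetworkPolicy-allow-applicationset-ingress.yaml fails open: when the key is false or unset the policy is not rendered, and nothing distinguishes "this cluster has no Cilium" from "the value was never set". On a Cilium cluster in the default enforcement mode, an endpoint that no policy selects accepts all traffic, so a missing value would silently remove the namespace's segmentation instead of failing the render. Consider making the value mandatory where the charts are rendered, for example `{{- if (required "clusterConfig.cilium.enabled must be set" .Values.clusterConfig.cilium).enabled }}`, or at least declaring an explicit default in each chart's values file. The values files are not part of this patch, so whether every chart already defines `clusterConfig.cilium` cannot be confirmed from here. The same guard is repeated in every other file of the patch, so this applies to all of them.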
diff --git a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-argo-notifications.yaml b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-argo-notifications.yaml index 045dbc56..d27ed7c1 100644 --- a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-argo-notifications.yaml +++ b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-argo-notifications.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -11,3 +12,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/component: notifications-controller +{{- end }} diff --git a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml index 0af071b5..957374cb 100644 --- a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml +++ b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -11,3 +12,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/component: applicationset-controller +{{- end }} diff --git a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-argo-repo-access.yaml b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-argo-repo-access.yaml index 6e2b7e04..7112d826 100644 --- a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-argo-repo-access.yaml +++ b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-argo-repo-access.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -11,3 +12,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/component: repo-server +{{- end }} 
diff --git a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml index 5f030377..6e4773d2 100644 --- a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml +++ b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -12,3 +13,4 @@ spec: - fromEndpoints: - matchLabels: io.kubernetes.pod.namespace: ingress-nginx +{{- end }} diff --git a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml index 1534b3c8..0610c72a 100644 --- a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml +++ b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -11,3 +12,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/name: argocd-image-updater +{{- end }} diff --git a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-ingress.yaml b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-ingress.yaml index 2096eaae..8f25b6c8 100644 --- a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-ingress.yaml +++ b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-ingress.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -12,3 +13,4 @@ spec: - fromEndpoints: - matchLabels: io.kubernetes.pod.namespace: ingress-nginx +{{- end }} 
diff --git a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-kube-api.yaml b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-kube-api.yaml index 40045bb8..a6646e42 100644 --- a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-kube-api.yaml +++ b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-kube-api.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -14,3 +15,4 @@ spec: protocol: TCP endpointSelector: matchLabels: {} +{{- end }} diff --git a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-microsoft-sso.yaml b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-microsoft-sso.yaml index e68b04d2..4d60a538 100644 --- a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-microsoft-sso.yaml +++ b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-microsoft-sso.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -14,3 +15,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/name: argocd-dex-server +{{- end }} diff --git a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml index ebfed5bd..c54d6bf9 100644 --- a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml +++ b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -16,3 +17,4 @@ spec: - ports: - port: "8090" protocol: TCP +{{- end }} diff --git a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml index f8f81286..8153b4ef 100644 
--- a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml +++ b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -16,3 +17,4 @@ spec: - ports: - port: "9090" protocol: TCP +{{- end }} diff --git a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml index a1b0f86f..c9676916 100644 --- a/values/argo/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml +++ b/values/argo/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -28,3 +29,4 @@ spec: protocol: TCP - port: "5558" protocol: TCP +{{- end }} diff --git a/values/atlantis/manifests/network/allow-api-server.yaml b/values/atlantis/manifests/network/allow-api-server.yaml index 0f5e8533..603a2877 100644 --- a/values/atlantis/manifests/network/allow-api-server.yaml +++ b/values/atlantis/manifests/network/allow-api-server.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} # apiVersion: cilium.io/v2 # kind: CiliumNetworkPolicy # metadata: @@ -13,3 +14,4 @@ # - ports: # - port: "6443" # protocol: TCP +{{- end }} diff --git a/values/atlantis/manifests/network/allow-external-services.yaml b/values/atlantis/manifests/network/allow-external-services.yaml index 130af143..82a27d8c 100644 --- a/values/atlantis/manifests/network/allow-external-services.yaml +++ b/values/atlantis/manifests/network/allow-external-services.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: 
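Review bot: In values/atlantis/manifests/network/allow-api-server.yaml every context line shown between the new `{{- if … }}` and `{{- end }}` is a YAML comment (`# apiVersion: …`, `# - port: "6443"`), so the guard appears to wrap no resource and the file renders nothing whether the flag is on or off. That leaves the API-server rule for atlantis not in force from this file, which is easy to overlook now that it looks like its guarded siblings. Either delete the file or restore the policy, and if it stays disabled add a first-line comment such as `# disabled: <reason>, see <tracking issue>`. The lines between the two hunks are not visible here, and atlantis-policies.yaml later in the patch has the same shape.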
@@ -9,3 +10,4 @@ spec: - matchName: id.barentswatch.no endpointSelector: matchLabels: {} +{{- end }} diff --git a/values/atlantis/manifests/network/allow-sentry.yaml b/values/atlantis/manifests/network/allow-sentry.yaml index 3369e3bf..f3b42712 100644 --- a/values/atlantis/manifests/network/allow-sentry.yaml +++ b/values/atlantis/manifests/network/allow-sentry.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -10,3 +11,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/name: atlantis +{{- end }} diff --git a/values/atlantis/manifests/network/atlantis-policies.yaml b/values/atlantis/manifests/network/atlantis-policies.yaml index 8afc4753..29c2f67b 100644 --- a/values/atlantis/manifests/network/atlantis-policies.yaml +++ b/values/atlantis/manifests/network/atlantis-policies.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} # apiVersion: cilium.io/v2 # kind: CiliumClusterwideNetworkPolicy # metadata: @@ -23,3 +24,4 @@ # # - matchPattern: '*.gitlab.com' # endpointSelector: # matchLabels: {} +{{- end }} diff --git a/values/cert-manager/manifests/policies/CiliumNetworkPolicy-allow-api-server-to-cert-manager.yaml b/values/cert-manager/manifests/policies/CiliumNetworkPolicy-allow-api-server-to-cert-manager.yaml index 7ff9859e..b36d7197 100644 --- a/values/cert-manager/manifests/policies/CiliumNetworkPolicy-allow-api-server-to-cert-manager.yaml +++ b/values/cert-manager/manifests/policies/CiliumNetworkPolicy-allow-api-server-to-cert-manager.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -11,3 +12,4 @@ spec: ingress: - fromEntities: - remote-node +{{- end }} diff --git a/values/cert-manager/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml b/values/cert-manager/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml index 49e026d4..e7cbe849 100644 
--- a/values/cert-manager/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml +++ b/values/cert-manager/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -10,3 +11,4 @@ spec: - kube-apiserver endpointSelector: matchLabels: {} +{{- end }} diff --git a/values/cert-manager/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/values/cert-manager/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml index d64ede50..5ed9de16 100644 --- a/values/cert-manager/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml +++ b/values/cert-manager/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -16,3 +17,4 @@ spec: - ports: - port: "9402" protocol: TCP +{{- end }} diff --git a/values/cert-manager/manifests/policies/CiliumNetworkPolicy-allow-world-traffic.yaml b/values/cert-manager/manifests/policies/CiliumNetworkPolicy-allow-world-traffic.yaml index a3d26127..311dbbd3 100644 --- a/values/cert-manager/manifests/policies/CiliumNetworkPolicy-allow-world-traffic.yaml +++ b/values/cert-manager/manifests/policies/CiliumNetworkPolicy-allow-world-traffic.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -10,3 +11,4 @@ spec: - world endpointSelector: matchLabels: {} +{{- end }} diff --git a/values/cilium/cilium-manifests/dashboards/cilium-policy-verdicts.yaml b/values/cilium/cilium-manifests/dashboards/cilium-policy-verdicts.yaml index 7ec5aa19..9fdc6975 100644 --- a/values/cilium/cilium-manifests/dashboards/cilium-policy-verdicts.yaml +++ b/values/cilium/cilium-manifests/dashboards/cilium-policy-verdicts.yaml 
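Review bot: The second hunk of cert-manager's CiliumNetworkPolicy-allow-world-traffic.yaml pairs the `world` entity with `endpointSelector: matchLabels: {}`, which selects every endpoint in the namespace rather than the one component that needs external access. The rule's direction and any port restriction sit above the hunk and are not visible, so this may already be narrower than it looks. If it is not, narrowing the selector to the labels of the pods that actually talk to external endpoints, and limiting the ports, would follow least privilege better. A short comment in the manifest stating why world access is required would also help the next reviewer.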
@@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -1112,3 +1113,4 @@ data: "version": 1, "weekStart": "" } +{{- end }} diff --git a/values/cilium/cilium-manifests/loadbalancer.yaml b/values/cilium/cilium-manifests/loadbalancer.yaml index 3f5af939..d69aa6c5 100644 --- a/values/cilium/cilium-manifests/loadbalancer.yaml +++ b/values/cilium/cilium-manifests/loadbalancer.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} {{if .Values.cilium.loadbalancerPool.enabled }} apiVersion: "cilium.io/v2alpha1" kind: CiliumLoadBalancerIPPool @@ -21,3 +22,4 @@ spec: externalIPs: true loadBalancerIPs: true {{- end}} +{{- end }} diff --git a/values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-cilium-health-checks.yaml b/values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-cilium-health-checks.yaml index 9fc9bb26..9cffb36d 100644 --- a/values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-cilium-health-checks.yaml +++ b/values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-cilium-health-checks.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumClusterwideNetworkPolicy metadata: @@ -13,3 +14,4 @@ spec: ingress: - fromEntities: - remote-node +{{- end }} diff --git a/values/cilium/spire-manifests/CiliumNetworkPolicy-allow-api-server.yaml b/values/cilium/spire-manifests/CiliumNetworkPolicy-allow-api-server.yaml index ca0bd2c4..123124d3 100644 --- a/values/cilium/spire-manifests/CiliumNetworkPolicy-allow-api-server.yaml +++ b/values/cilium/spire-manifests/CiliumNetworkPolicy-allow-api-server.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -13,3 +14,4 @@ spec: protocol: TCP endpointSelector: matchLabels: {} +{{- end }} 
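Review bot: loadbalancer.yaml now opens with two stacked conditions, the new `{{- if .Values.clusterConfig.cilium.enabled }}` followed by the existing `{{if .Values.cilium.loadbalancerPool.enabled }}`, and closes with `{{- end}}` then `{{- end }}`. The two flags live under different roots (`clusterConfig.cilium` and `cilium`) and are easy to confuse when reading or overriding values. A single `{{- if and .Values.clusterConfig.cilium.enabled .Values.cilium.loadbalancerPool.enabled }}` with one `{{- end }}` would read more clearly and avoid the blank line left by the untrimmed inner `{{if`. A template comment naming which flag means "Cilium is installed" and which means "create the IP pool" would document the difference.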
diff --git a/values/cilium/spire-manifests/CiliumNetworkPolicy-allow-remote-node-to-server.yaml b/values/cilium/spire-manifests/CiliumNetworkPolicy-allow-remote-node-to-server.yaml index 013a84f9..99984672 100644 --- a/values/cilium/spire-manifests/CiliumNetworkPolicy-allow-remote-node-to-server.yaml +++ b/values/cilium/spire-manifests/CiliumNetworkPolicy-allow-remote-node-to-server.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -13,3 +14,4 @@ spec: - ports: - port: "8081" protocol: TCP +{{- end }} diff --git a/values/csi-addons-system/manifests/allow-9070-host.yaml b/values/csi-addons-system/manifests/allow-9070-host.yaml index 0242a579..b14e9fde 100644 --- a/values/csi-addons-system/manifests/allow-9070-host.yaml +++ b/values/csi-addons-system/manifests/allow-9070-host.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata: @@ -26,3 +27,4 @@ spec: - toEntities: - remote-node endpointSelector: {} +{{- end }} diff --git a/values/dapr/manifests/network/allow-api-server.yaml b/values/dapr/manifests/network/allow-api-server.yaml index c4ce28c6..144130ea 100644 --- a/values/dapr/manifests/network/allow-api-server.yaml +++ b/values/dapr/manifests/network/allow-api-server.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -13,3 +14,4 @@ spec: - ports: - port: "6443" protocol: TCP +{{- end }} diff --git a/values/dapr/manifests/network/allow-remote-node.yaml b/values/dapr/manifests/network/allow-remote-node.yaml index 4c182e9f..9a602e92 100644 --- a/values/dapr/manifests/network/allow-remote-node.yaml +++ b/values/dapr/manifests/network/allow-remote-node.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: 
@@ -14,3 +15,4 @@ spec: - ports: - port: "4000" protocol: TCP +{{- end }} diff --git a/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-host-traffic.yaml b/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-host-traffic.yaml index 4ffbbd8c..259cfb92 100644 --- a/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-host-traffic.yaml +++ b/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-host-traffic.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -12,3 +13,4 @@ spec: matchLabels: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx +{{- end }} diff --git a/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-hubble-traffic.yaml b/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-hubble-traffic.yaml index fa9ee953..2644a306 100644 --- a/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-hubble-traffic.yaml +++ b/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-hubble-traffic.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -12,3 +13,4 @@ spec: matchLabels: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx +{{- end }} diff --git a/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml index 98bbc402..e948d1a3 100644 --- a/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml +++ b/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: 
@@ -15,3 +16,4 @@ spec: - ports: - port: "9913" protocol: TCP +{{- end }} diff --git a/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-s3-traffic.yaml b/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-s3-traffic.yaml index b3bcc3d3..69c800f8 100644 --- a/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-s3-traffic.yaml +++ b/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-s3-traffic.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -17,3 +18,4 @@ spec: matchLabels: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx +{{- end }} diff --git a/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-world-to-ingress-nginx.yaml b/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-world-to-ingress-nginx.yaml index 4ecbe4fa..f2c438cd 100644 --- a/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-world-to-ingress-nginx.yaml +++ b/values/ingress-nginx/manifests/policies/CiliumNetworkPolicy-allow-world-to-ingress-nginx.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -17,3 +18,4 @@ spec: protocol: TCP - port: "443" protocol: TCP +{{- end }} diff --git a/values/loki/manifests/network/CiliumNetworkPolicy-allow-loki-backend-to-api-server.yaml b/values/loki/manifests/network/CiliumNetworkPolicy-allow-loki-backend-to-api-server.yaml index 7e43aeb7..9dd89f55 100644 --- a/values/loki/manifests/network/CiliumNetworkPolicy-allow-loki-backend-to-api-server.yaml +++ b/values/loki/manifests/network/CiliumNetworkPolicy-allow-loki-backend-to-api-server.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: 
@@ -16,3 +17,4 @@ spec: matchLabels: app.kubernetes.io/component: backend app.kubernetes.io/instance: loki +{{- end }} diff --git a/values/loki/manifests/network/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/values/loki/manifests/network/CiliumNetworkPolicy-allow-prometheus-metrics.yaml index e3161e8b..4634402c 100644 --- a/values/loki/manifests/network/CiliumNetworkPolicy-allow-prometheus-metrics.yaml +++ b/values/loki/manifests/network/CiliumNetworkPolicy-allow-prometheus-metrics.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -18,3 +19,4 @@ spec: protocol: TCP - port: "3500" protocol: TCP +{{- end }} diff --git a/values/loki/manifests/network/CiliumNetworkPolicy-allow-promtail-to-api-server.yaml b/values/loki/manifests/network/CiliumNetworkPolicy-allow-promtail-to-api-server.yaml index 5d7cd58a..66950151 100644 --- a/values/loki/manifests/network/CiliumNetworkPolicy-allow-promtail-to-api-server.yaml +++ b/values/loki/manifests/network/CiliumNetworkPolicy-allow-promtail-to-api-server.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -15,3 +16,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/instance: promtail +{{- end }} diff --git a/values/loki/manifests/network/CiliumNetworkPolicy-allow-s3-traffic.yaml b/values/loki/manifests/network/CiliumNetworkPolicy-allow-s3-traffic.yaml index 7ccf17ed..c33ffdab 100644 --- a/values/loki/manifests/network/CiliumNetworkPolicy-allow-s3-traffic.yaml +++ b/values/loki/manifests/network/CiliumNetworkPolicy-allow-s3-traffic.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -10,3 +11,4 @@ spec: - 10.255.241.30/32 endpointSelector: matchLabels: {} +{{- end }} 
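Review bot: The second hunk of loki's CiliumNetworkPolicy-allow-s3-traffic.yaml keeps the literal `10.255.241.30/32` next to `endpointSelector: matchLabels: {}`, so the patch makes the policy conditional per cluster while the address it allows stays fixed for all of them. On another Cilium-enabled cluster that address may belong to a different host, and the empty selector applies the rule to every endpoint in the namespace. Taking the CIDR from values, for example `- {{ .Values.clusterConfig.s3.cidr }}` (the key name is a placeholder), and selecting only the Loki pods that talk to object storage would keep the rule accurate. The rule's direction is above the hunk and not visible here.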
diff --git a/values/loki/manifests/network/CiliumNetworkPolicy-allow-s3.yaml b/values/loki/manifests/network/CiliumNetworkPolicy-allow-s3.yaml index 84087dce..387b57a1 100644 --- a/values/loki/manifests/network/CiliumNetworkPolicy-allow-s3.yaml +++ b/values/loki/manifests/network/CiliumNetworkPolicy-allow-s3.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -12,3 +13,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/instance: loki +{{- end }} diff --git a/values/loki/manifests/network/CiliumNetworkPolicy-allow-stats-grafana.yaml b/values/loki/manifests/network/CiliumNetworkPolicy-allow-stats-grafana.yaml index 47a8be11..b2ea0b42 100644 --- a/values/loki/manifests/network/CiliumNetworkPolicy-allow-stats-grafana.yaml +++ b/values/loki/manifests/network/CiliumNetworkPolicy-allow-stats-grafana.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -11,3 +12,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/instance: loki +{{- end }} diff --git a/values/opentelemetry-collector/manifests/network/CiliumNetworkPolicy-allow-otel-collector-loadbalancer-ingress.yaml b/values/opentelemetry-collector/manifests/network/CiliumNetworkPolicy-allow-otel-collector-loadbalancer-ingress.yaml index 80f83639..e970add1 100644 --- a/values/opentelemetry-collector/manifests/network/CiliumNetworkPolicy-allow-otel-collector-loadbalancer-ingress.yaml +++ b/values/opentelemetry-collector/manifests/network/CiliumNetworkPolicy-allow-otel-collector-loadbalancer-ingress.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -11,3 +12,4 @@ spec: ingress: - fromEntities: - world +{{- end }} 
diff --git a/values/plausible/manifests/network/CiliumNetworkPolicy-allow-ext.yaml b/values/plausible/manifests/network/CiliumNetworkPolicy-allow-ext.yaml index 806e00dd..42330f07 100644 --- a/values/plausible/manifests/network/CiliumNetworkPolicy-allow-ext.yaml +++ b/values/plausible/manifests/network/CiliumNetworkPolicy-allow-ext.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -11,4 +12,5 @@ spec: - matchName: raw.githubusercontent.com endpointSelector: matchLabels: - app.kubernetes.io/name: plausible-analytics \ No newline at end of file + app.kubernetes.io/name: plausible-analytics +{{- end }} diff --git a/values/plausible/manifests/network/CiliumNetworkPolicy-allow-gravatar.yaml b/values/plausible/manifests/network/CiliumNetworkPolicy-allow-gravatar.yaml index 645da60f..46dd1212 100644 --- a/values/plausible/manifests/network/CiliumNetworkPolicy-allow-gravatar.yaml +++ b/values/plausible/manifests/network/CiliumNetworkPolicy-allow-gravatar.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -12,4 +13,5 @@ spec: - matchName: www.gravatar.com endpointSelector: matchLabels: - app.kubernetes.io/name: plausible-analytics \ No newline at end of file + app.kubernetes.io/name: plausible-analytics +{{- end }} diff --git a/values/postgres-operator/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml b/values/postgres-operator/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml index d32ac553..8d65923e 100644 --- a/values/postgres-operator/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml +++ b/values/postgres-operator/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: 
@@ -14,3 +15,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/instance: postgres-operator +{{- end }} diff --git a/values/postgres-operator/manifests/policies/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml b/values/postgres-operator/manifests/policies/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml index 6c04cc22..7bc8d2f3 100644 --- a/values/postgres-operator/manifests/policies/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml +++ b/values/postgres-operator/manifests/policies/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -13,3 +14,4 @@ spec: - ports: - port: "9443" protocol: TCP +{{- end }} diff --git a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-alerting.yaml b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-alerting.yaml index e092cb26..a64a482e 100644 --- a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-alerting.yaml +++ b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-alerting.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -11,3 +12,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/instance: prom-alertmanager +{{- end }} diff --git a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-alertmanager-ingress.yaml b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-alertmanager-ingress.yaml index b6f96e64..cba5b21a 100644 --- a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-alertmanager-ingress.yaml +++ b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-alertmanager-ingress.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: 
@@ -12,3 +13,4 @@ spec: - fromEndpoints: - matchLabels: io.kubernetes.pod.namespace: ingress-nginx +{{- end }} diff --git a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-dns-metrics.yaml b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-dns-metrics.yaml index 0ee91e6e..43cd2850 100644 --- a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-dns-metrics.yaml +++ b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-dns-metrics.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -13,3 +14,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/name: prometheus +{{- end }} diff --git a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-etcd-metrics.yaml b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-etcd-metrics.yaml index 90ac789e..dfee735c 100644 --- a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-etcd-metrics.yaml +++ b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-etcd-metrics.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -13,3 +14,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/name: prometheus +{{- end }} diff --git a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-grafana-ingress.yaml b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-grafana-ingress.yaml index fca3baf2..4c5b70c9 100644 --- a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-grafana-ingress.yaml +++ b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-grafana-ingress.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -12,3 +13,4 @@ spec: - fromEndpoints: - matchLabels: io.kubernetes.pod.namespace: ingress-nginx +{{- end }} 
diff --git a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-grafana-oidc-login.yaml b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-grafana-oidc-login.yaml index ed2084fe..df2bed14 100644 --- a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-grafana-oidc-login.yaml +++ b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-grafana-oidc-login.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -14,3 +15,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/name: grafana +{{- end }} diff --git a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-grafana-plugins.yaml b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-grafana-plugins.yaml index 60721c6a..6d93886c 100644 --- a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-grafana-plugins.yaml +++ b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-grafana-plugins.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -13,3 +14,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/name: grafana +{{- end }} diff --git a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-grafana-secure-gravatar.yaml b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-grafana-secure-gravatar.yaml index 453c2330..7769f176 100644 --- a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-grafana-secure-gravatar.yaml +++ b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-grafana-secure-gravatar.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -12,3 +13,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/name: grafana +{{- end }} 
diff --git a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-host-traffic.yaml b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-host-traffic.yaml index bb3a591a..a931f3d7 100644 --- a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-host-traffic.yaml +++ b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-host-traffic.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -12,3 +13,4 @@ spec: - kube-apiserver endpointSelector: matchLabels: {} +{{- end }} diff --git a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-nginx-ingress.yaml b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-nginx-ingress.yaml index ac650e55..72f2d8bf 100644 --- a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-nginx-ingress.yaml +++ b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-nginx-ingress.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -12,3 +13,4 @@ spec: - fromEndpoints: - matchLabels: io.kubernetes.pod.namespace: ingress-nginx +{{- end }} diff --git a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-opencost-scrape.yaml b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-opencost-scrape.yaml index 4b7bd679..8fa672a7 100644 --- a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-opencost-scrape.yaml +++ b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-opencost-scrape.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -17,3 +18,4 @@ spec: - ports: - port: "9090" protocol: TCP +{{- end }} 
diff --git a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-remote-node-to-metrics-server.yaml b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-remote-node-to-metrics-server.yaml index 0603da13..df69d01b 100644 --- a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-remote-node-to-metrics-server.yaml +++ b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-remote-node-to-metrics-server.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -11,3 +12,4 @@ spec: ingress: - fromEntities: - remote-node +{{- end }} diff --git a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-remote-node-to-webhook.yaml b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-remote-node-to-webhook.yaml index eeabfcbd..b6c32be0 100644 --- a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-remote-node-to-webhook.yaml +++ b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-remote-node-to-webhook.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -11,3 +12,4 @@ spec: ingress: - fromEntities: - remote-node +{{- end }} diff --git a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-robusta-ingress.yaml b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-robusta-ingress.yaml index c1856c3f..f2c0f49b 100644 --- a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-robusta-ingress.yaml +++ b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-robusta-ingress.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -12,3 +13,4 @@ spec: - fromEndpoints: - matchLabels: io.kubernetes.pod.namespace: robusta +{{- end }} 
diff --git a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-slack.yaml b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-slack.yaml index 86f00f44..d0937128 100644 --- a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-slack.yaml +++ b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-slack.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -10,3 +11,4 @@ spec: - matchName: hooks.slack.com endpointSelector: matchLabels: {} +{{- end }} diff --git a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-stats-grafana.yaml b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-stats-grafana.yaml index 5d1ed102..70050065 100644 --- a/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-stats-grafana.yaml +++ b/values/prometheus/manifests/policies/CiliumNetworkPolicy-allow-stats-grafana.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -11,3 +12,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/name: grafana +{{- end }} diff --git a/values/rabbitmq/network.bak/CiliumNetworkPolicy-allow-inter-node-traffic.yaml b/values/rabbitmq/network.bak/CiliumNetworkPolicy-allow-inter-node-traffic.yaml index d06ad626..c17057ba 100644 --- a/values/rabbitmq/network.bak/CiliumNetworkPolicy-allow-inter-node-traffic.yaml +++ b/values/rabbitmq/network.bak/CiliumNetworkPolicy-allow-inter-node-traffic.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -50,3 +51,4 @@ spec: - port: "35680" - port: "35681" - port: "35682" +{{- end }} diff --git a/values/rabbitmq/network.bak/CiliumNetworkPolicy-allow-operator-traffic.yaml b/values/rabbitmq/network.bak/CiliumNetworkPolicy-allow-operator-traffic.yaml index b7deeb34..27f457ec 100644 
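Review bot: `endpointSelector: matchLabels: {}` in the second hunk of CiliumNetworkPolicy-allow-slack.yaml applies the `hooks.slack.com` rule to every pod in the policy's namespace, not only to the component that sends alerts. The lines are context this commit leaves unchanged, and the start of the spec is outside the hunk, so the rule being an egress `toFQDNs` entry is inferred from the file name. If only Alertmanager posts to Slack, the selector could reuse the label already used in CiliumNetworkPolicy-allow-alerting.yaml, `app.kubernetes.io/instance: prom-alertmanager`. That would stop the other workloads in the namespace from reaching an external webhook host.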
--- a/values/rabbitmq/network.bak/CiliumNetworkPolicy-allow-operator-traffic.yaml +++ b/values/rabbitmq/network.bak/CiliumNetworkPolicy-allow-operator-traffic.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -16,3 +17,4 @@ spec: - ports: - port: "15672" - port: "15671" +{{- end }} diff --git a/values/rabbitmq/network.bak/CiliumNetworkPolicy-allow-rabbitmq-traffic.yaml b/values/rabbitmq/network.bak/CiliumNetworkPolicy-allow-rabbitmq-traffic.yaml index f57cd209..0c6a71f9 100644 --- a/values/rabbitmq/network.bak/CiliumNetworkPolicy-allow-rabbitmq-traffic.yaml +++ b/values/rabbitmq/network.bak/CiliumNetworkPolicy-allow-rabbitmq-traffic.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -25,3 +26,4 @@ spec: - port: "15675" - port: "15692" - port: "15691" +{{- end }} diff --git a/values/rabbitmq/network.bak/policy-allow-rabbitmq.yaml b/values/rabbitmq/network.bak/policy-allow-rabbitmq.yaml index 0310e549..965a16d4 100644 --- a/values/rabbitmq/network.bak/policy-allow-rabbitmq.yaml +++ b/values/rabbitmq/network.bak/policy-allow-rabbitmq.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -15,3 +16,4 @@ spec: - port: "15672" protocol: TCP +{{- end }} diff --git a/values/system/oceanbox/network/allow-azure-egress.yaml b/values/system/oceanbox/network/allow-azure-egress.yaml index 0a473210..2d5b55d5 100644 --- a/values/system/oceanbox/network/allow-azure-egress.yaml +++ b/values/system/oceanbox/network/allow-azure-egress.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumClusterwideNetworkPolicy metadata: @@ -13,3 +14,4 @@ spec: protocol: TCP endpointSelector: {} +{{- end }} 
diff --git a/values/system/oceanbox/network/allow-ceph-egress.yaml b/values/system/oceanbox/network/allow-ceph-egress.yaml index 51044489..ded17b4f 100644 --- a/values/system/oceanbox/network/allow-ceph-egress.yaml +++ b/values/system/oceanbox/network/allow-ceph-egress.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumClusterwideNetworkPolicy metadata: @@ -15,3 +16,4 @@ spec: # protocol: TCP endpointSelector: {} +{{- end }} diff --git a/values/system/oceanbox/network/allow-microsoft-oidc-login.yaml b/values/system/oceanbox/network/allow-microsoft-oidc-login.yaml index d53abc01..c1434db2 100644 --- a/values/system/oceanbox/network/allow-microsoft-oidc-login.yaml +++ b/values/system/oceanbox/network/allow-microsoft-oidc-login.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumClusterwideNetworkPolicy metadata: @@ -8,3 +9,4 @@ spec: - toFQDNs: - matchName: login.microsoftonline.com - matchPattern: '*.microsoftonline.com' +{{- end }} diff --git a/values/system/oceanbox/network/clusterpolicy-allow-api-server.yaml b/values/system/oceanbox/network/clusterpolicy-allow-api-server.yaml index 4d2c046d..8541faca 100644 --- a/values/system/oceanbox/network/clusterpolicy-allow-api-server.yaml +++ b/values/system/oceanbox/network/clusterpolicy-allow-api-server.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumClusterwideNetworkPolicy metadata: @@ -8,3 +9,4 @@ spec: egress: - toEntities: - kube-apiserver +{{- end }} diff --git a/values/system/oceanbox/network/clusterpolicy-allow-ekman-egress.yaml b/values/system/oceanbox/network/clusterpolicy-allow-ekman-egress.yaml index 27fed9cb..8e250518 100644 --- a/values/system/oceanbox/network/clusterpolicy-allow-ekman-egress.yaml +++ b/values/system/oceanbox/network/clusterpolicy-allow-ekman-egress.yaml 
@@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumClusterwideNetworkPolicy metadata: @@ -20,3 +21,4 @@ spec: protocol: TCP - port: "30080" protocol: TCP +{{- end }} diff --git a/values/system/oceanbox/network/clusterpolicy-allow-namespace-traffic.yaml b/values/system/oceanbox/network/clusterpolicy-allow-namespace-traffic.yaml index 06995008..3434a8ee 100644 --- a/values/system/oceanbox/network/clusterpolicy-allow-namespace-traffic.yaml +++ b/values/system/oceanbox/network/clusterpolicy-allow-namespace-traffic.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumClusterwideNetworkPolicy metadata: @@ -26,3 +27,4 @@ spec: rules: dns: - matchPattern: "*" +{{- end }} diff --git a/values/system/oceanbox/network/clusterpolicy-allow-oceanboxio.yaml b/values/system/oceanbox/network/clusterpolicy-allow-oceanboxio.yaml index 2dbd2992..c4a69243 100644 --- a/values/system/oceanbox/network/clusterpolicy-allow-oceanboxio.yaml +++ b/values/system/oceanbox/network/clusterpolicy-allow-oceanboxio.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumClusterwideNetworkPolicy metadata: @@ -10,3 +11,4 @@ spec: - matchPattern: "*oceanbox.io" - matchPattern: "*.oceanbox.io" +{{- end }} diff --git a/values/system/oceanbox/network/clusterpolicy-allow-remote-node.yaml b/values/system/oceanbox/network/clusterpolicy-allow-remote-node.yaml index 2bb81aac..f591d574 100644 --- a/values/system/oceanbox/network/clusterpolicy-allow-remote-node.yaml +++ b/values/system/oceanbox/network/clusterpolicy-allow-remote-node.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumClusterwideNetworkPolicy metadata: @@ -8,3 +9,4 @@ spec: ingress: - fromEntities: - kube-apiserver +{{- end }} 
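Review bot: The context line `- matchPattern: "*oceanbox.io"` in clusterpolicy-allow-oceanboxio.yaml is broader than the file name suggests. By Cilium's documented matchPattern rules, a leading `*` with no dot after it matches any run of DNS characters before `oceanbox.io`, so a look-alike registration (constructed example: `notoceanbox.io`) is allowed as well as the apex. The commit leaves the line unchanged, and the rule's opening is outside the hunk, so it being a cluster-wide `toFQDNs` egress rule is inferred from the `CiliumClusterwideNetworkPolicy` kind in the first hunk. I would replace it with `- matchName: oceanbox.io` and keep `- matchPattern: "*.oceanbox.io"` for the subdomains.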
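Review bot: The file clusterpolicy-allow-remote-node.yaml ends in `fromEntities:` / `- kube-apiserver`, so the entity does not match the file name. The remote-node policies under values/prometheus in this patch use `- remote-node`. The hunk shows only the last three lines of the spec and the policy's `metadata.name` is not visible, so which of the two is intended cannot be told from here. If node-to-pod ingress was meant, the cluster-wide allow for `remote-node` is missing; if API-server ingress was meant, renaming the file would keep later reviews of these guards from misreading it.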
diff --git a/values/tempo/manifests/network/CiliumNetworkPolicy-allow-api-server.yaml b/values/tempo/manifests/network/CiliumNetworkPolicy-allow-api-server.yaml index aa3ddd8c..b3414028 100644 --- a/values/tempo/manifests/network/CiliumNetworkPolicy-allow-api-server.yaml +++ b/values/tempo/manifests/network/CiliumNetworkPolicy-allow-api-server.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -12,3 +13,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/instance: tempo +{{- end }} diff --git a/values/velero/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml b/values/velero/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml index cb01381b..6f6e0d4f 100644 --- a/values/velero/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml +++ b/values/velero/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -14,3 +15,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/instance: velero +{{- end }} diff --git a/values/velero/manifests/policies/CiliumNetworkPolicy-allow-job-api-server.yaml b/values/velero/manifests/policies/CiliumNetworkPolicy-allow-job-api-server.yaml index 21c8e2ff..ddbdd97e 100644 --- a/values/velero/manifests/policies/CiliumNetworkPolicy-allow-job-api-server.yaml +++ b/values/velero/manifests/policies/CiliumNetworkPolicy-allow-job-api-server.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -14,3 +15,4 @@ spec: endpointSelector: matchLabels: batch.kubernetes.io/job-name: velero-upgrade-crds +{{- end }} diff --git a/values/velero/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/values/velero/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml index 1631d4bf..96bc1ddc 100644 
--- a/values/velero/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml +++ b/values/velero/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -15,3 +16,4 @@ spec: - ports: - port: "8085" protocol: TCP +{{- end }} diff --git a/values/x509-exporter/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml b/values/x509-exporter/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml index 7742a0fe..fd5b553e 100644 --- a/values/x509-exporter/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml +++ b/values/x509-exporter/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -14,3 +15,4 @@ spec: endpointSelector: matchLabels: app.kubernetes.io/instance: x509-exporter +{{- end }} diff --git a/values/x509-exporter/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/values/x509-exporter/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml index cc040dd9..ec9c0030 100644 --- a/values/x509-exporter/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml +++ b/values/x509-exporter/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml @@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.cilium.enabled }} apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: @@ -15,3 +16,4 @@ spec: - ports: - port: "9793" protocol: TCP +{{- end }}