feat: add additional ciliumNetworkPolicies in loki helm chart for wor…

…ld egress for read, write and backend (#12066) Signed-off-by: QuantumEnigmaa <[email protected]> Co-authored-by: Michel Hollands <[email protected]>
grafana · Mar 4, 2024 · c1084a1 · c1084a1
1 parent b0478e6
commit c1084a1
Show file tree

Hide file tree

Showing 6 changed files with 73 additions and 2 deletions.
diff --git a/docs/sources/setup/install/helm/reference.md b/docs/sources/setup/install/helm/reference.md
@@ -3120,6 +3120,24 @@ null
 			<td><pre lang="json">
 null
 </pre>
+</td>
+		</tr>
+		<tr>
+			<td>networkPolicy.egressKubeApiserver.enabled</td>
+			<td>bool</td>
+			<td>Enable additional cilium egress rules to kube-apiserver for backend.</td>
+			<td><pre lang="json">
+false
+</pre>
+</td>
+		</tr>
+		<tr>
+			<td>networkPolicy.egressWorld.enabled</td>
+			<td>bool</td>
+			<td>Enable additional cilium egress rules to external world for write, read and backend.</td>
+			<td><pre lang="json">
+false
+</pre>
 </td>
 		</tr>
 		<tr>

diff --git a/production/helm/loki/CHANGELOG.md b/production/helm/loki/CHANGELOG.md
@@ -13,6 +13,10 @@ Entries should include a reference to the pull request that introduced the chang
 
 [//]: # (<AUTOMATED_UPDATES_LOCATOR> : do not remove this line. This locator is used by the CI pipeline to automatically create a changelog entry for each new Loki release. Add other chart versions and respective changelog entries bellow this line.)
 
+## 5.43.4
+
+- [ENHANCEMENT] Add `ciliumnetworkpolicies` with egress to world for write, read and backend.
+
 ## 5.43.3
 
 - [ENHANCEMENT] Added missing default values to support ServerSideApply

diff --git a/production/helm/loki/Chart.yaml b/production/helm/loki/Chart.yaml
@@ -3,7 +3,7 @@ name: loki
 description: Helm chart for Grafana Loki in simple, scalable mode
 type: application
 appVersion: 2.9.4
-version: 5.43.3
+version: 5.43.4
 home: https://grafana.github.io/helm-charts
 sources:
   - https://github.com/grafana/loki

diff --git a/production/helm/loki/README.md b/production/helm/loki/README.md
@@ -1,6 +1,6 @@
 # loki
 
-![Version: 5.43.3](https://img.shields.io/badge/Version-5.43.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.9.4](https://img.shields.io/badge/AppVersion-2.9.4-informational?style=flat-square)
+![Version: 5.43.4](https://img.shields.io/badge/Version-5.43.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.9.4](https://img.shields.io/badge/AppVersion-2.9.4-informational?style=flat-square)
 
 Helm chart for Grafana Loki in simple, scalable mode
 

diff --git a/production/helm/loki/templates/ciliumnetworkpolicy.yaml b/production/helm/loki/templates/ciliumnetworkpolicy.yaml
@@ -158,6 +158,49 @@ spec:
   {{- end }}
 {{- end }}
 
+{{- if .Values.networkPolicy.egressWorld.enabled }}
+{{- $global := . }}
+{{- $componentsList := list "read" "write" "backend" }}
+{{- range $component := $componentsList }}
+{{- with $global }}
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "loki.name" . }}-{{ $component }}-world-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- if eq $component "read" }}
+      {{- include "loki.readSelectorLabels" . | nindent 6 }}
+      {{- else if eq $component "write" }}
+      {{- include "loki.writeSelectorLabels" . | nindent 6 }}
+      {{- else }}
+      {{- include "loki.backendSelectorLabels" . | nindent 6 }}
+      {{- end }}
+  egress:
+  - toEntities:
+    - world
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.networkPolicy.egressKubeApiserver.enabled }}
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "loki.name" . }}-backend-kubeapiserver-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "loki.backendSelectorLabels" . | nindent 6 }}
+  egress:
+  - toEntities:
+    - kube-apiserver
+{{- end }}
+
 {{- end }}
 
 {{- if and .Values.networkPolicy.discovery.port (eq .Values.networkPolicy.flavor "cilium") }}

diff --git a/production/helm/loki/values.yaml b/production/helm/loki/values.yaml
@@ -1522,6 +1522,12 @@ networkPolicy:
     podSelector: {}
     # -- Specifies the namespace the discovery Pods are running in
     namespaceSelector: {}
+  egressWorld:
+    # -- Enable additional cilium egress rules to external world for write, read and backend.
+    enabled: false
+  egressKubeApiserver:
+    # -- Enable additional cilium egress rules to kube-apiserver for backend.
+    enabled: false
 # -------------------------------------
 # Configuration for `minio` child chart
 # -------------------------------------