grafana · MichelHollands · Dec 13, 2023 · Nov 23, 2023 · Dec 11, 2023 · Dec 11, 2023
@@ -3110,6 +3110,15 @@ false
 			<td><pre lang="json">
 []
 </pre>
+</td>
+		</tr>
+		<tr>
+			<td>networkPolicy.flavor</td>
+			<td>string</td>
+			<td>Specifies whether the policies created will be standard Network Policies (flavor: kubernetes) or Cilium Network Policies (flavor: cilium)</td>
+			<td><pre lang="json">
+"kubernetes"
+</pre>
 </td>
 		</tr>
 		<tr>

diff --git a/production/helm/loki/CHANGELOG.md b/production/helm/loki/CHANGELOG.md
@@ -13,6 +13,10 @@ Entries should include a reference to the pull request that introduced the chang
 
 [//]: # (<AUTOMATED_UPDATES_LOCATOR> : do not remove this line. This locator is used by the CI pipeline to automatically create a changelog entry for each new Loki release. Add other chart versions and respective changelog entries bellow this line.)
 
+## 5.41.2
+
+- [FEATURE] Add ciliumnetworkpolicies.
+
 ## 5.41.1
 
 - [FEATURE] Allow topology spread constraints for Loki read deployment component.

@@ -3,7 +3,7 @@ name: loki
 description: Helm chart for Grafana Loki in simple, scalable mode
 type: application
 appVersion: 2.9.3
-version: 5.41.1
+version: 5.41.2
 home: https://grafana.github.io/helm-charts
 sources:
   - https://github.com/grafana/loki

@@ -1,6 +1,6 @@
 # loki
 
-![Version: 5.41.1](https://img.shields.io/badge/Version-5.41.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.9.3](https://img.shields.io/badge/AppVersion-2.9.3-informational?style=flat-square)
+![Version: 5.41.2](https://img.shields.io/badge/Version-5.41.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.9.3](https://img.shields.io/badge/AppVersion-2.9.3-informational?style=flat-square)
 
 Helm chart for Grafana Loki in simple, scalable mode
 

@@ -0,0 +1,184 @@
+{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "cilium") }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "loki.name" . }}-namespace-only
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "loki.labels" . | nindent 4 }}
+spec:
+  endpointSelector: {}
+  egress:
+  - toEndpoints:
+    - {}
+  ingress:
+  - fromEndpoints:
+    - {}
+
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "loki.name" . }}-egress-dns
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "loki.labels" . | nindent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "loki.selectorLabels" . | nindent 6 }}
+  egress:
+  - toPorts:
+    - ports:
+      - port: dns
+        protocol: UDP
+    toEndpoints:
+    - namespaceSelector: {}
+
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "loki.name" . }}-ingress
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "loki.labels" . | nindent 4 }}
+spec:
+  endpointSelector:
+    matchExpressions:
+      - key: app.kubernetes.io/component
+        operator: In
+        values:
+        {{- if .Values.gateway.enabled }}
+          - gateway
+        {{- else }}
+          - read
+          - write
+        {{- end }}
+    matchLabels:
+      {{- include "loki.selectorLabels" . | nindent 6 }}
+  ingress:
+  - toPorts:
+    - port: http
+      protocol: TCP
+  {{- if .Values.networkPolicy.ingress.namespaceSelector }}
+    fromEndpoints:
+    - matchLabels:
+        {{- toYaml .Values.networkPolicy.ingress.namespaceSelector | nindent 8 }}
+        {{- if .Values.networkPolicy.ingress.podSelector }}
+        {{- toYaml .Values.networkPolicy.ingress.podSelector | nindent 8 }}
+        {{- end }}
+  {{- end }}
+
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "loki.name" . }}-ingress-metrics
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "loki.labels" . | nindent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "loki.selectorLabels" . | nindent 6 }}
+  ingress:
+  - toPorts:
+    - port: http-metrics
+      protocol: TCP
+  {{- if .Values.networkPolicy.metrics.cidrs }}
+    {{- range $cidr := .Values.networkPolicy.metrics.cidrs }}
+    toCIDR:
+    - {{ $cidr }}
+    {{- end }}
+    {{- if .Values.networkPolicy.metrics.namespaceSelector }}
+    fromEndpoints:
+    - matchLabels:
+        {{- toYaml .Values.networkPolicy.metrics.namespaceSelector | nindent 8 }}
+        {{- if .Values.networkPolicy.metrics.podSelector }}
+        {{- toYaml .Values.networkPolicy.metrics.podSelector | nindent 8 }}
+        {{- end }}
+    {{- end }}
+  {{- end }}
+
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "loki.name" . }}-egress-alertmanager
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "loki.labels" . | nindent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "loki.backendSelectorLabels" . | nindent 6 }}
+  egress:
+  - toPorts:
+    - port: {{ .Values.networkPolicy.alertmanager.port }}
+      protocol: TCP
+  {{- if .Values.networkPolicy.alertmanager.namespaceSelector }}
+    toEndpoints:
+    - matchLabels:
+        {{- toYaml .Values.networkPolicy.alertmanager.namespaceSelector | nindent 8 }}
+        {{- if .Values.networkPolicy.alertmanager.podSelector }}
+        {{- toYaml .Values.networkPolicy.alertmanager.podSelector | nindent 8 }}
+        {{- end }}
+  {{- end }}
+
+{{- if .Values.networkPolicy.externalStorage.ports }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "loki.name" . }}-egress-external-storage
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "loki.labels" . | nindent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "loki.selectorLabels" . | nindent 6 }}
+  egress:
+  - toPorts:
+    {{- range $port := .Values.networkPolicy.externalStorage.ports }}
+    - port: {{ $port }}
+      protocol: TCP
+    {{- end }}
+  {{- if .Values.networkPolicy.externalStorage.cidrs }}
+    {{- range $cidr := .Values.networkPolicy.externalStorage.cidrs }}
+    toCIDR:
+    - {{ $cidr }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- end }}
+
+{{- if .Values.networkPolicy.discovery.port }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "loki.name" . }}-egress-discovery
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "loki.labels" . | nindent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "loki.selectorLabels" . | nindent 6 }}
+  egress:
+  - toPorts:
+    - port: {{ .Values.networkPolicy.discovery.port }}
+      protocol: TCP
+  {{- if .Values.networkPolicy.discovery.namespaceSelector }}
+    toEndpoints:
+    - matchLabels:
+        {{- toYaml .Values.networkPolicy.discovery.namespaceSelector | nindent 8 }}
+        {{- if .Values.networkPolicy.discovery.podSelector }}
+        {{- toYaml .Values.networkPolicy.discovery.podSelector | nindent 8 }}
+        {{- end }}
+  {{- end }}
+{{- end }}
@@ -1,4 +1,4 @@
-{{- if .Values.networkPolicy.enabled }}
+{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "kubernetes") }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy

@@ -1465,6 +1465,9 @@ gateway:
 networkPolicy:
   # -- Specifies whether Network Policies should be created
   enabled: false
+  # -- Specifies whether the policies created will be standard Network Policies (flavor: kubernetes)
+  # or Cilium Network Policies (flavor: cilium)
+  flavor: kubernetes
   metrics:
     # -- Specifies the Pods which are allowed to access the metrics port.
     # As this is cross-namespace communication, you also need the namespaceSelector.