Helm: add cilium networkpolicies (grafana#11425)
**What this PR does / why we need it**:

This PR adds `ciliumnetworkpolicies` that are equivalent to the standard
`networkpolicies` already present in the templates. As `cilium` usage as
a CNI is rising and the usage of `ciliumnetworkpolicies` is more and
more widespread, having the possibility to deploy those directly from a
setting in the values would be a time-saving option for a lot of
deployments.

**Special notes for your reviewer**:

**Checklist**
- [x] Reviewed the
[`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md)
guide (**required**)
- [ ] Documentation added
- [ ] Tests updated
- [x] `CHANGELOG.md` updated
- [ ] If the change is worth mentioning in the release notes, add
`add-to-release-notes` label
- [ ] Changes that require user attention or interaction to upgrade are
documented in `docs/sources/setup/upgrade/_index.md`
- [x] For Helm chart changes bump the Helm chart version in
`production/helm/loki/Chart.yaml` and update
`production/helm/loki/CHANGELOG.md` and
`production/helm/loki/README.md`. [Example
PR](grafana@d10549e)
- [ ] If the change is deprecating or removing a configuration option,
update the `deprecated-config.yaml` and `deleted-config.yaml` files
respectively in the `tools/deprecated-config-checker` directory.
[Example
PR](grafana@0d4416a)

---------

Signed-off-by: QuantumEnigmaa <[email protected]>
QuantumEnigmaa authored and rhnasc committed Apr 12, 2024
1 parent 3a5d895 commit e2c63ab
Showing 7 changed files with 203 additions and 3 deletions.
9 changes: 9 additions & 0 deletions docs/sources/setup/install/helm/reference.md
@@ -3110,6 +3110,15 @@ false
<td><pre lang="json">
[]
</pre>
</td>
</tr>
<tr>
<td>networkPolicy.flavor</td>
<td>string</td>
<td>Specifies whether the policies created will be standard Network Policies (flavor: kubernetes) or Cilium Network Policies (flavor: cilium)</td>
<td><pre lang="json">
"kubernetes"
</pre>
</td>
</tr>
<tr>
4 changes: 4 additions & 0 deletions production/helm/loki/CHANGELOG.md
@@ -13,6 +13,10 @@ Entries should include a reference to the pull request that introduced the chang

[//]: # (<AUTOMATED_UPDATES_LOCATOR> : do not remove this line. This locator is used by the CI pipeline to automatically create a changelog entry for each new Loki release. Add other chart versions and respective changelog entries bellow this line.)

## 5.41.2

- [FEATURE] Add ciliumnetworkpolicies.

## 5.41.1

- [FEATURE] Allow topology spread constraints for Loki read deployment component.
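Review bot: the new 5.41.2 entry `- [FEATURE] Add ciliumnetworkpolicies.` carries no pull-request reference, although the file's own guidance in the hunk's context line says entries should include one; suggest `- [FEATURE] Add ciliumnetworkpolicies. (#11425)` (this change is grafana#11425), so the chart changelog links back to where the new `networkPolicy.flavor` setting was introduced.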
2 changes: 1 addition & 1 deletion production/helm/loki/Chart.yaml
@@ -3,7 +3,7 @@ name: loki
description: Helm chart for Grafana Loki in simple, scalable mode
type: application
appVersion: 2.9.3
version: 5.41.1
version: 5.41.2
home: https://grafana.github.io/helm-charts
sources:
- https://github.com/grafana/loki
2 changes: 1 addition & 1 deletion production/helm/loki/README.md
@@ -1,6 +1,6 @@
# loki

![Version: 5.41.1](https://img.shields.io/badge/Version-5.41.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.9.3](https://img.shields.io/badge/AppVersion-2.9.3-informational?style=flat-square)
![Version: 5.41.2](https://img.shields.io/badge/Version-5.41.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.9.3](https://img.shields.io/badge/AppVersion-2.9.3-informational?style=flat-square)

Helm chart for Grafana Loki in simple, scalable mode

184 changes: 184 additions & 0 deletions production/helm/loki/templates/ciliumnetworkpolicy.yaml
@@ -0,0 +1,184 @@
{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "cilium") }}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ include "loki.name" . }}-namespace-only
namespace: {{ $.Release.Namespace }}
labels:
{{- include "loki.labels" . | nindent 4 }}
spec:
endpointSelector: {}
egress:
- toEndpoints:
- {}
ingress:
- fromEndpoints:
- {}

---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ include "loki.name" . }}-egress-dns
namespace: {{ $.Release.Namespace }}
labels:
{{- include "loki.labels" . | nindent 4 }}
spec:
endpointSelector:
matchLabels:
{{- include "loki.selectorLabels" . | nindent 6 }}
egress:
- toPorts:
- ports:
- port: dns
protocol: UDP
toEndpoints:
- namespaceSelector: {}

---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ include "loki.name" . }}-ingress
namespace: {{ $.Release.Namespace }}
labels:
{{- include "loki.labels" . | nindent 4 }}
spec:
endpointSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
{{- if .Values.gateway.enabled }}
- gateway
{{- else }}
- read
- write
{{- end }}
matchLabels:
{{- include "loki.selectorLabels" . | nindent 6 }}
ingress:
- toPorts:
- port: http
protocol: TCP
{{- if .Values.networkPolicy.ingress.namespaceSelector }}
fromEndpoints:
- matchLabels:
{{- toYaml .Values.networkPolicy.ingress.namespaceSelector | nindent 8 }}
{{- if .Values.networkPolicy.ingress.podSelector }}
{{- toYaml .Values.networkPolicy.ingress.podSelector | nindent 8 }}
{{- end }}
{{- end }}

---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ include "loki.name" . }}-ingress-metrics
namespace: {{ $.Release.Namespace }}
labels:
{{- include "loki.labels" . | nindent 4 }}
spec:
endpointSelector:
matchLabels:
{{- include "loki.selectorLabels" . | nindent 6 }}
ingress:
- toPorts:
- port: http-metrics
protocol: TCP
{{- if .Values.networkPolicy.metrics.cidrs }}
{{- range $cidr := .Values.networkPolicy.metrics.cidrs }}
toCIDR:
- {{ $cidr }}
{{- end }}
{{- if .Values.networkPolicy.metrics.namespaceSelector }}
fromEndpoints:
- matchLabels:
{{- toYaml .Values.networkPolicy.metrics.namespaceSelector | nindent 8 }}
{{- if .Values.networkPolicy.metrics.podSelector }}
{{- toYaml .Values.networkPolicy.metrics.podSelector | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}

---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ include "loki.name" . }}-egress-alertmanager
namespace: {{ $.Release.Namespace }}
labels:
{{- include "loki.labels" . | nindent 4 }}
spec:
endpointSelector:
matchLabels:
{{- include "loki.backendSelectorLabels" . | nindent 6 }}
egress:
- toPorts:
- port: {{ .Values.networkPolicy.alertmanager.port }}
protocol: TCP
{{- if .Values.networkPolicy.alertmanager.namespaceSelector }}
toEndpoints:
- matchLabels:
{{- toYaml .Values.networkPolicy.alertmanager.namespaceSelector | nindent 8 }}
{{- if .Values.networkPolicy.alertmanager.podSelector }}
{{- toYaml .Values.networkPolicy.alertmanager.podSelector | nindent 8 }}
{{- end }}
{{- end }}

{{- if .Values.networkPolicy.externalStorage.ports }}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ include "loki.name" . }}-egress-external-storage
namespace: {{ $.Release.Namespace }}
labels:
{{- include "loki.labels" . | nindent 4 }}
spec:
endpointSelector:
matchLabels:
{{- include "loki.selectorLabels" . | nindent 6 }}
egress:
- toPorts:
{{- range $port := .Values.networkPolicy.externalStorage.ports }}
- port: {{ $port }}
protocol: TCP
{{- end }}
{{- if .Values.networkPolicy.externalStorage.cidrs }}
{{- range $cidr := .Values.networkPolicy.externalStorage.cidrs }}
toCIDR:
- {{ $cidr }}
{{- end }}
{{- end }}
{{- end }}

{{- end }}

{{- if .Values.networkPolicy.discovery.port }}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ include "loki.name" . }}-egress-discovery
namespace: {{ $.Release.Namespace }}
labels:
{{- include "loki.labels" . | nindent 4 }}
spec:
endpointSelector:
matchLabels:
{{- include "loki.selectorLabels" . | nindent 6 }}
egress:
- toPorts:
- port: {{ .Values.networkPolicy.discovery.port }}
protocol: TCP
{{- if .Values.networkPolicy.discovery.namespaceSelector }}
toEndpoints:
- matchLabels:
{{- toYaml .Values.networkPolicy.discovery.namespaceSelector | nindent 8 }}
{{- if .Values.networkPolicy.discovery.podSelector }}
{{- toYaml .Values.networkPolicy.discovery.podSelector | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
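Review bot: in the `-ingress-metrics` policy the `{{- range $cidr := .Values.networkPolicy.metrics.cidrs }}` block emits `toCIDR:` under an `ingress` rule, but `toCIDR` is an egress-only field in CiliumNetworkPolicy; an ingress rule restricts sources with `fromCIDR`. The same `range` shape, both here and in `-egress-external-storage`, writes one `toCIDR:` key per CIDR, so with two or more CIDRs the rendered mapping has duplicate keys and only one survives; move the range inside a single list instead, i.e. `fromCIDR:` / `{{- range $cidr := .Values.networkPolicy.metrics.cidrs }}` / `- {{ $cidr }}` followed by the closing `{{- end }}`. Three further points to check against the CRD schema before this ships as the default-deny for a release namespace: `port` is a string field, so `port: {{ .Values.networkPolicy.alertmanager.port }}`, `port: {{ .Values.networkPolicy.discovery.port }}` and the `externalStorage.ports` entries should be quoted (`port: "{{ ... }}"`) to pass validation when the values are integers; every rule except `-egress-dns` lists `- port:` directly under `toPorts`, whereas the schema (and the `-egress-dns` rule) nests them under `ports:`; and `toEndpoints`/`fromEndpoints` items are label selectors over endpoint labels, so `- namespaceSelector: {}` in `-egress-dns` is not a recognised key, and a `namespaceSelector` value pasted into `matchLabels` will not match namespace labels (Cilium exposes those as `io.cilium.k8s.namespace.labels.<key>`, and the namespace name as `io.kubernetes.pod.namespace`). The last point matters operationally: without a namespace label the selector only matches endpoints in the release namespace, so the cross-namespace ingress for metrics and the egress to Alertmanager that the standard `networkpolicy.yaml` permits would be silently blocked under `flavor: cilium`.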
2 changes: 1 addition & 1 deletion production/helm/loki/templates/networkpolicy.yaml
@@ -1,4 +1,4 @@
{{- if .Values.networkPolicy.enabled }}
{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "kubernetes") }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
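Review bot: with the condition now `and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "kubernetes")`, a `flavor` value that is neither `kubernetes` nor `cilium` (a typo in a values override, for example) renders neither this file nor `ciliumnetworkpolicy.yaml`, so `networkPolicy.enabled: true` silently produces no policies at all and the namespace-wide default-deny is lost. Suggest failing loudly on the unsupported case, e.g. an `{{- else if .Values.networkPolicy.enabled }}` branch with `{{- fail "networkPolicy.flavor must be one of: kubernetes, cilium" }}`, or a helper that validates the value once for both templates.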
3 changes: 3 additions & 0 deletions production/helm/loki/values.yaml
@@ -1465,6 +1465,9 @@ gateway:
networkPolicy:
# -- Specifies whether Network Policies should be created
enabled: false
# -- Specifies whether the policies created will be standard Network Policies (flavor: kubernetes)
# or Cilium Network Policies (flavor: cilium)
flavor: kubernetes
metrics:
# -- Specifies the Pods which are allowed to access the metrics port.
# As this is cross-namespace communication, you also need the namespaceSelector.

0 comments on commit e2c63ab