diff --git a/docs/sources/setup/install/helm/reference.md b/docs/sources/setup/install/helm/reference.md
index 8252a6fd103a3..e650d0fca2fc2 100644
--- a/docs/sources/setup/install/helm/reference.md
+++ b/docs/sources/setup/install/helm/reference.md
@@ -3110,6 +3110,15 @@ false
[]
+ |
+
+
+ networkPolicy.flavor |
+ string |
+ Specifies whether the policies created will be standard Network Policies (flavor: kubernetes) or Cilium Network Policies (flavor: cilium) |
+
+"kubernetes"
+
|
diff --git a/production/helm/loki/CHANGELOG.md b/production/helm/loki/CHANGELOG.md
index 78571b3de600d..96bebdf5aebc9 100644
--- a/production/helm/loki/CHANGELOG.md
+++ b/production/helm/loki/CHANGELOG.md
@@ -13,6 +13,10 @@ Entries should include a reference to the pull request that introduced the chang
[//]: # ( : do not remove this line. This locator is used by the CI pipeline to automatically create a changelog entry for each new Loki release. Add other chart versions and respective changelog entries bellow this line.)
+## 5.41.2
+
+- [FEATURE] Add ciliumnetworkpolicies.
+
## 5.41.1
- [FEATURE] Allow topology spread constraints for Loki read deployment component.
diff --git a/production/helm/loki/Chart.yaml b/production/helm/loki/Chart.yaml
index d9cf011e4f23e..fc7e0fbacbc6e 100644
--- a/production/helm/loki/Chart.yaml
+++ b/production/helm/loki/Chart.yaml
@@ -3,7 +3,7 @@ name: loki
description: Helm chart for Grafana Loki in simple, scalable mode
type: application
appVersion: 2.9.3
-version: 5.41.1
+version: 5.41.2
home: https://grafana.github.io/helm-charts
sources:
- https://github.com/grafana/loki
diff --git a/production/helm/loki/README.md b/production/helm/loki/README.md
index 3caad398ada44..e1da365b5bf92 100644
--- a/production/helm/loki/README.md
+++ b/production/helm/loki/README.md
@@ -1,6 +1,6 @@
# loki
-![Version: 5.41.1](https://img.shields.io/badge/Version-5.41.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.9.3](https://img.shields.io/badge/AppVersion-2.9.3-informational?style=flat-square)
+![Version: 5.41.2](https://img.shields.io/badge/Version-5.41.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.9.3](https://img.shields.io/badge/AppVersion-2.9.3-informational?style=flat-square)
Helm chart for Grafana Loki in simple, scalable mode
diff --git a/production/helm/loki/templates/ciliumnetworkpolicy.yaml b/production/helm/loki/templates/ciliumnetworkpolicy.yaml
new file mode 100644
index 0000000000000..5633ae1945206
--- /dev/null
+++ b/production/helm/loki/templates/ciliumnetworkpolicy.yaml
@@ -0,0 +1,184 @@
+{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "cilium") }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-namespace-only
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector: {}
+ egress:
+ - toEndpoints:
+ - {}
+ ingress:
+ - fromEndpoints:
+ - {}
+
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-egress-dns
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "loki.selectorLabels" . | nindent 6 }}
+ egress:
+ - toPorts:
+ - ports:
+ - port: dns
+ protocol: UDP
+ toEndpoints:
+ - namespaceSelector: {}
+
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-ingress
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ {{- if .Values.gateway.enabled }}
+ - gateway
+ {{- else }}
+ - read
+ - write
+ {{- end }}
+ matchLabels:
+ {{- include "loki.selectorLabels" . | nindent 6 }}
+ ingress:
+ - toPorts:
+ - port: http
+ protocol: TCP
+ {{- if .Values.networkPolicy.ingress.namespaceSelector }}
+ fromEndpoints:
+ - matchLabels:
+ {{- toYaml .Values.networkPolicy.ingress.namespaceSelector | nindent 8 }}
+ {{- if .Values.networkPolicy.ingress.podSelector }}
+ {{- toYaml .Values.networkPolicy.ingress.podSelector | nindent 8 }}
+ {{- end }}
+ {{- end }}
+
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-ingress-metrics
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "loki.selectorLabels" . | nindent 6 }}
+ ingress:
+ - toPorts:
+ - port: http-metrics
+ protocol: TCP
+ {{- if .Values.networkPolicy.metrics.cidrs }}
+ {{- range $cidr := .Values.networkPolicy.metrics.cidrs }}
+ toCIDR:
+ - {{ $cidr }}
+ {{- end }}
+ {{- if .Values.networkPolicy.metrics.namespaceSelector }}
+ fromEndpoints:
+ - matchLabels:
+ {{- toYaml .Values.networkPolicy.metrics.namespaceSelector | nindent 8 }}
+ {{- if .Values.networkPolicy.metrics.podSelector }}
+ {{- toYaml .Values.networkPolicy.metrics.podSelector | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-egress-alertmanager
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "loki.backendSelectorLabels" . | nindent 6 }}
+ egress:
+ - toPorts:
+ - port: {{ .Values.networkPolicy.alertmanager.port }}
+ protocol: TCP
+ {{- if .Values.networkPolicy.alertmanager.namespaceSelector }}
+ toEndpoints:
+ - matchLabels:
+ {{- toYaml .Values.networkPolicy.alertmanager.namespaceSelector | nindent 8 }}
+ {{- if .Values.networkPolicy.alertmanager.podSelector }}
+ {{- toYaml .Values.networkPolicy.alertmanager.podSelector | nindent 8 }}
+ {{- end }}
+ {{- end }}
+
+{{- if .Values.networkPolicy.externalStorage.ports }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-egress-external-storage
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "loki.selectorLabels" . | nindent 6 }}
+ egress:
+ - toPorts:
+ {{- range $port := .Values.networkPolicy.externalStorage.ports }}
+ - port: {{ $port }}
+ protocol: TCP
+ {{- end }}
+ {{- if .Values.networkPolicy.externalStorage.cidrs }}
+ {{- range $cidr := .Values.networkPolicy.externalStorage.cidrs }}
+ toCIDR:
+ - {{ $cidr }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- end }}
+
+{{- if .Values.networkPolicy.discovery.port }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-egress-discovery
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "loki.selectorLabels" . | nindent 6 }}
+ egress:
+ - toPorts:
+ - port: {{ .Values.networkPolicy.discovery.port }}
+ protocol: TCP
+ {{- if .Values.networkPolicy.discovery.namespaceSelector }}
+ toEndpoints:
+ - matchLabels:
+ {{- toYaml .Values.networkPolicy.discovery.namespaceSelector | nindent 8 }}
+ {{- if .Values.networkPolicy.discovery.podSelector }}
+ {{- toYaml .Values.networkPolicy.discovery.podSelector | nindent 8 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
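Review bot: The `{{- end }}` on line 213 closes the `networkPolicy.enabled`/`flavor` guard opened on line 57, so the `-egress-discovery` CiliumNetworkPolicy that follows it is rendered whenever `networkPolicy.discovery.port` is set — including with `flavor: kubernetes` or `enabled: false`, where it will fail on clusters without the Cilium CRDs; that `{{- end }}` belongs at the end of the file. Every `toPorts` entry except the DNS one (lines 88–91) puts `port`/`protocol` directly under `toPorts` instead of under a nested `ports:` list, and the templated ports (`alertmanager.port`, `externalStorage.ports`, `discovery.port`) render as unquoted integers although Cilium's `port` field is a string in the CRD — quote them, e.g. `- port: "{{ .Values.networkPolicy.discovery.port }}"`. In the metrics policy the `namespaceSelector` block is nested inside `{{- if .Values.networkPolicy.metrics.cidrs }}`, so with no CIDRs configured the rule has no L3 selector at all and, as far as I know, a `toPorts`-only Cilium ingress rule admits that port from any source; the CIDR branch also uses the egress-only field `toCIDR` in an ingress rule (Cilium ingress uses `fromCIDR`) and emits the key once per loop iteration, yielding duplicate keys when more than one CIDR is listed. Two further points to verify against Cilium's schema: `toEndpoints: - namespaceSelector: {}` (line 93) is not a field of Cilium's endpoint selector, and once the unknown key is pruned the remaining `{}` matches only same-namespace endpoints in a namespaced policy, which would block DNS to kube-system (select kube-dns via `matchLabels` including `k8s:io.kubernetes.pod.namespace: kube-system` instead); likewise Cilium exposes namespace labels as `k8s:io.cilium.k8s.namespace.labels.<key>`, so copying the kubernetes-flavor `namespaceSelector` labels straight into `fromEndpoints.matchLabels` selects by pod label rather than namespace label. The rewritten metrics ingress rule below shows the intended shape; the same `ports:` nesting and quoting applies to the other policies.

```yaml
  name: {{ include "loki.name" . }}-ingress-metrics
# … unchanged: namespace, labels, endpointSelector …
  ingress:
    - toPorts:
        - ports:
            - port: http-metrics
              protocol: TCP
      {{- if .Values.networkPolicy.metrics.cidrs }}
      fromCIDR:
        {{- range $cidr := .Values.networkPolicy.metrics.cidrs }}
        - {{ $cidr }}
        {{- end }}
      {{- end }}
      {{- if .Values.networkPolicy.metrics.namespaceSelector }}
      fromEndpoints:
        - matchLabels:
            {{- toYaml .Values.networkPolicy.metrics.namespaceSelector | nindent 12 }}
            {{- if .Values.networkPolicy.metrics.podSelector }}
            {{- toYaml .Values.networkPolicy.metrics.podSelector | nindent 12 }}
            {{- end }}
      {{- end }}
# … unchanged: egress-alertmanager, egress-external-storage and egress-discovery policies …
{{- end }}
```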
diff --git a/production/helm/loki/templates/networkpolicy.yaml b/production/helm/loki/templates/networkpolicy.yaml
index 4424d90db08d4..27c85280eb08c 100644
--- a/production/helm/loki/templates/networkpolicy.yaml
+++ b/production/helm/loki/templates/networkpolicy.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.networkPolicy.enabled }}
+{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "kubernetes") }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
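Review bot: With this guard now keyed on `eq .Values.networkPolicy.flavor "kubernetes"` and the Cilium template keyed on `"cilium"`, any other value (a typo such as `Cilium` or `k8s`) makes both templates render nothing while `networkPolicy.enabled: true`, so the release silently ships with no network policies at all — a fail-open on misconfiguration. I would reject unknown flavors at render time, e.g. at the top of this template: `{{- if and .Values.networkPolicy.enabled (not (has .Values.networkPolicy.flavor (list "kubernetes" "cilium"))) }}{{ fail (printf "networkPolicy.flavor must be 'kubernetes' or 'cilium', got %q" .Values.networkPolicy.flavor) }}{{- end }}`. The rest of this template lies outside the hunk, so I cannot confirm whether any other conditional in it also depends on the flavor.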
diff --git a/production/helm/loki/values.yaml b/production/helm/loki/values.yaml
index 738cf6ea25ae7..e82967a4efb3b 100644
--- a/production/helm/loki/values.yaml
+++ b/production/helm/loki/values.yaml
@@ -1465,6 +1465,9 @@ gateway:
networkPolicy:
# -- Specifies whether Network Policies should be created
enabled: false
+ # -- Specifies whether the policies created will be standard Network Policies (flavor: kubernetes)
+ # or Cilium Network Policies (flavor: cilium)
+ flavor: kubernetes
metrics:
# -- Specifies the Pods which are allowed to access the metrics port.
# As this is cross-namespace communication, you also need the namespaceSelector.