feat(common/networkpolicy): add templates for selectors

cwrau · cwrau · commit 8587b239b86c · 2025-03-13T09:22:01.000+01:00
diff --git a/charts/common/templates/_ciliumnetworkpolicy.tpl b/charts/common/templates/_ciliumnetworkpolicy.tpl
diff --git a/charts/common/templates/_cni.tpl b/charts/common/templates/_cni.tpl
@@ -0,0 +1,11 @@
+{{- define "common.networkPolicy.type" -}}
+  {{- if eq .Values.global.networkPolicy.type "auto" -}}
+    {{- if .Capabilities.APIVersions.Has "cilium.io/v2/CiliumNetworkPolicy" -}}
+      cilium
+    {{- else -}}
+      native
+    {{- end -}}
+  {{- else -}}
+    {{- .Values.global.networkPolicy.type -}}
+  {{- end -}}
+{{- end -}}
diff --git a/charts/common/templates/_networkpolicy.tpl b/charts/common/templates/_networkpolicy.tpl
@@ -1,18 +1,26 @@
-{{- define "common.networkpolicy.identities.kube-apiserver" -}}
+{{- define "common.networkPolicy.identity.kube-apiserver" -}}
   {{- $identities := list -}}
-  {{- $inClusterControlPlaneEntity := (dict "fromEntities" (list "kube-apiserver")) -}}
-  {{- $konnectivityDaemonSetNamespace := "kube-system" -}}
-  {{- $konnectivityDameonSetName := "konnectivity-agent" -}}
-  {{- $konnectivityProxiedControlPlaneMatchLabels := dict
-      "io.kubernetes.pod.namespace" $konnectivityDaemonSetNamespace
-      "k8s-app" $konnectivityDameonSetName
-  -}}
-  {{- $konnectivityProxiedControlPlaneEndpoint := (dict "fromEndpoints" (list (dict "matchLabels" $konnectivityProxiedControlPlaneMatchLabels))) -}}
-  {{- $matchLabels := dict -}}
-  {{- if lookup "apps/v1" "DaemonSet" $konnectivityDaemonSetNamespace $konnectivityDameonSetName -}}
-    {{- $identities = append $identities $konnectivityProxiedControlPlaneEndpoint -}}
+  {{- $kubeSystemNamespace := "kube-system" -}}
+  {{- $konnectivityName := "konnectivity-agent" -}}
+  {{- if lookup "apps/v1" "DaemonSet" $kubeSystemNamespace $konnectivityName -}}
+    {{- $identities = append $identities (dict "endpoint" (dict
+        "namespace" $kubeSystemNamespace
+        "pod" (dict
+          "k8s-app" $konnectivityName
+        )
+        "serviceAccount" $konnectivityName
+      ))
+    -}}
   {{- else -}}
-    {{- $identities = append $identities $inClusterControlPlaneEntity -}}
+    {{- $identities = append $identities (dict "endpoint" (dict
+        "namespace" $kubeSystemNamespace
+        "pod" (dict
+          "tier" "control-plane"
+          "component" "kube-apiserver"
+        )
+      ))
+     -}}
+    {{- $identities = append $identities (dict "entity" "kube-apiserver") -}}
   {{- end -}}
   {{- toYaml $identities -}}
 {{- end -}}
diff --git a/charts/common/templates/_networkpolicyrules.tpl b/charts/common/templates/_networkpolicyrules.tpl
@@ -0,0 +1,52 @@
+{{- define "common.networkPolicy.rule.from.kube-apiserver" -}}
+  {{- $useCilium := eq .cilium true -}}
+  {{- $identities := include "common.networkPolicy.identity.kube-apiserver" (dict) | fromYamlArray -}}
+  {{- $rules := list -}}
+  {{- $ports := list -}}
+  {{/* Process ports from input, handling both a single as well as a list of protocols */}}
+  {{- if hasKey . "ports" -}}
+    {{- range $port, $protocols := (.ports | default (list)) -}}
+      {{- $_protocols := $protocols -}}
+      {{- if kindIs "string" $protocols -}}
+        {{- $_protocols = list $protocols -}}
+      {{- end -}}
+      {{- range $protocol := $_protocols -}}
+        {{- $ports = append $ports (dict "port" $port "protocol" $protocol) -}}
+      {{- end }}
+    {{- end -}}
+  {{- end -}}
+  {{/* Create rules for each identity based on network policy type */}}
+  {{- range $identity := $identities -}}
+    {{- $rule := dict -}}
+    {{- $endpoint := $identity.endpoint -}}
+    {{/* For cilium use entity or endpoint based rules */}}
+    {{- if $useCilium -}}
+      {{- if hasKey $identity "entity" -}}
+        {{- $rule = dict "fromEntities" (list $identity.entity) -}}
+      {{- else -}}
+        {{- $matchLabels := dict "io.kubernetes.pod.namespace" $endpoint.namespace -}}
+        {{- if hasKey $endpoint "serviceAccount" -}}
+          {{- $matchLabels = set $matchLabels "io.cilium.k8s.policy.serviceaccount" $endpoint.serviceAccount -}}
+        {{- else -}}
+          {{- $matchLabels = mustMerge $matchLabels $endpoint.pod -}}
+        {{- end -}}
+        {{- $rule = dict "fromEndpoints" (list (dict "matchLabels" $matchLabels)) -}}
+      {{- end -}}
+      {{- if $ports }}
+        {{- $rule = set $rule "toPorts" (list (dict "ports" $ports)) -}}
+      {{- end -}}
+    {{/* For native k8s use namespace- and podSelector */}}
+    {{- else -}}
+      {{- $from := dict "namespaceSelector" (dict "matchLabels" (dict "kubernetes.io/metadata.name" $endpoint.namespace)) -}}
+      {{- $from = set $from "podSelector" (dict "matchLabels" $endpoint.pod) -}}
+      {{- $rule = set $rule "from" (list $from) -}}
+      {{- if $ports -}}
+        {{- $rule = set $rule "ports" $ports -}}
+      {{- end -}}
+    {{- end -}}
+
+    {{- $rules = append $rules $rule -}}
+  {{- end -}}
+
+  {{- toYaml $rules -}}
+{{- end -}}
