
Commit 9b5d022

committed
Changes for cert manager network policy
1 parent 950e691 commit 9b5d022

4 files changed

+10
-24
lines changed


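--- a/charts/calico-configuration/templates/globalpolicy.yaml
+++ b/charts/calico-configuration/templates/globalpolicy.yaml
@@ -8,7 +8,7 @@ spec:
 # "calico-system", "calico-apiserver", "tigera-operator" -- calico namespaces (when installed via scripts [local deployment])
 # TODO: other namespaces are to be removed from this list (once appropriate network policies are created)
 namespaceSelector:
-kubernetes.io/metadata.name not in {"kube-public", "kube-system", "kube-node-lease", "calico-system", "calico-apiserver", "tigera-operator", "cert-manager", "reflector", "traefik", "victoria-logs", "csi-s3", "portainer", "topolvm", "local-path-storage", "longhorn"}
+kubernetes.io/metadata.name not in {"kube-public", "kube-system", "kube-node-lease", "calico-system", "calico-apiserver", "tigera-operator", "reflector", "traefik", "victoria-logs", "csi-s3", "portainer", "topolvm", "local-path-storage", "longhorn"}
 types:
 - Ingress
 - Egress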
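Review bot: Dropping "cert-manager" from the exclusion set puts that namespace under this global policy from this commit on, but the TODO on line 9 still reads as if no namespace has been carved out yet, so a reader cannot tell which namespaces already have their own policy and which are still pending. Consider extending the comment with `# "cert-manager" removed from this list: covered by charts/cert-manager/templates/networkpolicy.yaml` so the remaining entries document the intent. The rule this namespaceSelector belongs to starts above the hunk.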

charts/cert-manager/Chart.lock

Lines changed: 0 additions & 6 deletions
This file was deleted.

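--- a/charts/cert-manager/templates/networkpolicy.yaml
+++ b/charts/cert-manager/templates/networkpolicy.yaml
@@ -9,11 +9,18 @@ spec:
 - action: Allow
 protocol: TCP
 source:
-selector: 'component == "kube-apiserver"'
+# both selectors below did not work
+# selector: 'component == "kube-apiserver"'
+# namespaceSelector: kubernetes.io/metadata.name == "kube-system"
+nets:
+- 10.0.0.0/8
+- 172.16.0.0/12
+- 192.168.0.0/16
 destination:
 selector: 'app.kubernetes.io/component == "webhook"'
 ports:
-- {{ .Values.cert-manager.webhook.securePort }}
+# https://stackoverflow.com/a/63863410/12124525
+- {{ index .Values "cert-manager" "webhook" "securePort" }}
 egress:
 # 3. TCP: cert-manager (webhook, controller, cainjector, startupapicheck) -> Kubernetes API server
 - action: Allow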
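Review bot: The new `nets:` list on new-side lines 15-18 opens the webhook's securePort to every RFC 1918 address, which is far broader than the `component == "kube-apiserver"` selector it replaces: any pod or node with a private address can now reach the webhook, not only the API server. If the selectors failed because the API server is not a Calico workload endpoint (a static pod or host process, which is plausible but not shown here), a tighter source would be the control-plane node addresses or the cluster's own pod/node CIDRs, supplied from values (placeholder `{{ .Values.<control-plane-cidrs> }}`) rather than all three private ranges hard-coded in the template. The comment `# both selectors below did not work` should also record why and what the CIDRs are meant to cover, e.g. `# source: API server reaches the webhook from a node address; pod/namespace selectors do not match it (TODO confirm), so allow the cluster's private ranges`. The `index` lookup on line 23 is the right way to read the hyphenated values key; the enclosing policy spec starts above the hunk.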

charts/cert-manager/templates/tests/test-connection.yaml

Lines changed: 0 additions & 15 deletions
This file was deleted.
