85 lines
3 KiB
YAML
85 lines
3 KiB
YAML
|
{{- if .Values.hub.networkPolicy.enabled -}}
|
||
|
|
apiVersion: networking.k8s.io/v1
|
||
|
|
kind: NetworkPolicy
|
||
|
|
metadata:
|
||
|
|
name: {{ include "jupyterhub.hub.fullname" . }}
|
||
|
|
labels:
|
||
|
|
{{- include "jupyterhub.labels" . | nindent 4 }}
|
||
|
|
spec:
|
||
|
|
podSelector:
|
||
|
|
matchLabels:
|
||
|
|
{{- include "jupyterhub.matchLabels" . | nindent 6 }}
|
||
|
|
policyTypes:
|
||
|
|
- Ingress
|
||
|
|
- Egress
|
||
|
|
|
||
|
|
# IMPORTANT:
|
||
|
|
# NetworkPolicy's ingress "from" and egress "to" rule specifications require
|
||
|
|
# great attention to detail. A quick summary is:
|
||
|
|
#
|
||
|
|
# 1. You can provide "from"/"to" rules that provide access either ports or a
|
||
|
|
# subset of ports.
|
||
|
|
# 2. You can for each "from"/"to" rule provide any number of
|
||
|
|
# "sources"/"destinations" of four different kinds.
|
||
|
|
# - podSelector - targets pods with a certain label in the same namespace as the NetworkPolicy
|
||
|
|
# - namespaceSelector - targets all pods running in namespaces with a certain label
|
||
|
|
# - namespaceSelector and podSelector - targets pods with a certain label running in namespaces with a certain label
|
||
|
|
# - ipBlock - targets network traffic from/to a set of IP address ranges
|
||
|
|
#
|
||
|
|
# Read more at: https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors
|
||
|
|
#
|
||
|
|
ingress:
|
||
|
|
{{- with .Values.hub.networkPolicy.allowedIngressPorts }}
|
||
|
|
# allow incoming traffic to these ports independent of source
|
||
|
|
- ports:
|
||
|
|
{{- range $port := . }}
|
||
|
|
- port: {{ $port }}
|
||
|
|
{{- end }}
|
||
|
|
{{- end }}
|
||
|
|
|
||
|
|
# allowed pods (hub.jupyter.org/network-access-hub) --> hub
|
||
|
|
- ports:
|
||
|
|
- port: http
|
||
|
|
from:
|
||
|
|
# source 1 - labeled pods
|
||
|
|
- podSelector:
|
||
|
|
matchLabels:
|
||
|
|
hub.jupyter.org/network-access-hub: "true"
|
||
|
|
{{- if eq .Values.hub.networkPolicy.interNamespaceAccessLabels "accept" }}
|
||
|
|
namespaceSelector:
|
||
|
|
matchLabels: {} # without this, the podSelector would only consider pods in the local namespace
|
||
|
|
# source 2 - pods in labeled namespaces
|
||
|
|
- namespaceSelector:
|
||
|
|
matchLabels:
|
||
|
|
hub.jupyter.org/network-access-hub: "true"
|
||
|
|
{{- end }}
|
||
|
|
|
||
|
|
{{- with .Values.hub.networkPolicy.ingress }}
|
||
|
|
# depends, but default is nothing --> hub
|
||
|
|
{{- . | toYaml | nindent 4 }}
|
||
|
|
{{- end }}
|
||
|
|
|
||
|
|
egress:
|
||
|
|
# hub --> proxy
|
||
|
|
- to:
|
||
|
|
- podSelector:
|
||
|
|
matchLabels:
|
||
|
|
{{- $_ := merge (dict "componentLabel" "proxy") . }}
|
||
|
|
{{- include "jupyterhub.matchLabels" $_ | nindent 14 }}
|
||
|
|
ports:
|
||
|
|
- port: 8001
|
||
|
|
|
||
|
|
# hub --> singleuser-server
|
||
|
|
- to:
|
||
|
|
- podSelector:
|
||
|
|
matchLabels:
|
||
|
|
{{- $_ := merge (dict "componentLabel" "singleuser-server") . }}
|
||
|
|
{{- include "jupyterhub.matchLabels" $_ | nindent 14 }}
|
||
|
|
ports:
|
||
|
|
- port: 8888
|
||
|
|
|
||
|
|
{{- with (include "jupyterhub.networkPolicy.renderEgressRules" (list . .Values.hub.networkPolicy)) }}
|
||
|
|
{{- . | nindent 4 }}
|
||
|
|
{{- end }}
|
||
|
|
{{- end }}
|