diff --git a/chart/templates/network-policies/backing-image-data-source-network-policy.yaml b/chart/templates/network-policies/backing-image-data-source-network-policy.yaml index 7204d63caa..bb9bb404ef 100644 --- a/chart/templates/network-policies/backing-image-data-source-network-policy.yaml +++ b/chart/templates/network-policies/backing-image-data-source-network-policy.yaml @@ -9,19 +9,23 @@ spec: matchLabels: longhorn.io/component: backing-image-data-source policyTypes: - - Ingress + - Ingress ingress: - - from: - - podSelector: - matchLabels: - app: longhorn-manager - - podSelector: - matchLabels: - longhorn.io/component: instance-manager - - podSelector: - matchLabels: - longhorn.io/component: backing-image-manager - - podSelector: - matchLabels: - longhorn.io/component: backing-image-data-source + - from: + - podSelector: + matchLabels: + app: longhorn-manager + - podSelector: + matchLabels: + longhorn.io/component: backing-image-manager + ports: + - protocol: TCP + port: 8000 + - from: + - podSelector: + matchLabels: + longhorn.io/component: instance-manager + ports: + - protocol: TCP + port: 8002 {{- end }} diff --git a/chart/templates/network-policies/backing-image-manager-network-policy.yaml b/chart/templates/network-policies/backing-image-manager-network-policy.yaml index 119ebf08a1..7429002c61 100644 --- a/chart/templates/network-policies/backing-image-manager-network-policy.yaml +++ b/chart/templates/network-policies/backing-image-manager-network-policy.yaml 
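Review bot: The new rules narrow ingress to 8000 (from longhorn-manager and backing-image-manager) and 8002 (from instance-manager), but `policyTypes` still lists only `Ingress`, so this pod's egress stays unrestricted. That matters more for this component than for the others in the chart because, as far as I can tell, the data source fetches backing images from user-supplied URLs and so handles untrusted remote content; if open egress is deliberate, say so in the template so the next reviewer does not "fix" it, e.g. `# Egress intentionally unrestricted: the data source downloads backing images from arbitrary user-supplied URLs (confirm).` Otherwise consider an egress rule with an `ipBlock` that excludes the cluster and node CIDRs plus explicit rules for the in-cluster peers it needs.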
@@ -9,19 +9,52 @@ spec: matchLabels: longhorn.io/component: backing-image-manager policyTypes: - - Ingress + - Ingress + - Egress ingress: - - from: - - podSelector: - matchLabels: - app: longhorn-manager - - podSelector: - matchLabels: - longhorn.io/component: instance-manager - - podSelector: - matchLabels: - longhorn.io/component: backing-image-manager - - podSelector: - matchLabels: - longhorn.io/component: backing-image-data-source + - from: + - podSelector: + matchLabels: + app: longhorn-manager + ports: + - protocol: TCP + port: 8000 + - from: + - podSelector: + matchLabels: + longhorn.io/component: backing-image-manager + {{- /* NOTE: this should allow only the port range 30001-31000 but many CNIs do not support endPort :-( + ports: + - protocol: TCP + port: 30001 + endPort: 31000 + */}} + egress: + - to: + - podSelector: + matchLabels: + longhorn.io/component: instance-manager + {{- /* NOTE: this should allow only the port range 10000-30000 but many CNIs do not support endPort :-( + ports: + - protocol: TCP + port: 10000 + endPort: 30000 + */}} + - to: + - podSelector: + matchLabels: + longhorn.io/component: backing-image-manager + {{- /* NOTE: this should allow only the port range 30001-31000 but many CNIs do not support endPort :-( + ports: + - protocol: TCP + port: 30001 + endPort: 31000 + */}} + - to: + - podSelector: + matchLabels: + longhorn.io/component: backing-image-data-source + ports: + - protocol: TCP + port: 8000 {{- end }} diff --git a/chart/templates/network-policies/instance-manager-networking.yaml b/chart/templates/network-policies/instance-manager-networking.yaml index 332aa2c2fe..3d399a3ae4 100644 --- a/chart/templates/network-policies/instance-manager-networking.yaml +++ b/chart/templates/network-policies/instance-manager-networking.yaml 
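Review bot: The egress rules to instance-manager and to other backing-image-manager pods carry no `ports` at all, because the `endPort` blocks are commented out, so adding `Egress` to `policyTypes` gives these peers every TCP and UDP port rather than the intended 10000-30000 / 30001-31000 ranges. Instead of dropping the restriction for every cluster, gate it on a chart value (endPort has been GA since Kubernetes 1.25 and Calico, Cilium and Antrea honour it) so operators on a capable CNI get least privilege and others keep the current behaviour; the same gate can replace the other two commented-out blocks in this file. Separately, once `Egress` is enforced the pod can no longer reach kube-dns or the API server; I believe it talks to peers by pod IP, but please confirm it never resolves a Service name, otherwise a DNS egress rule is also needed. The enclosing `spec:` starts outside the hunk.

```yaml
    - to:
        - podSelector:
            matchLabels:
              longhorn.io/component: instance-manager
      {{- if .Values.networkPolicies.endPortSupported }}
      ports:
        - protocol: TCP
          port: 10000
          endPort: 30000
      {{- end }}
    # … unchanged: backing-image-manager peer rule (same gate, 30001-31000) and the data-source:8000 rule …
```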
@@ -9,19 +9,36 @@ spec: matchLabels: longhorn.io/component: instance-manager policyTypes: - - Ingress + - Ingress ingress: - - from: - - podSelector: - matchLabels: - app: longhorn-manager - - podSelector: - matchLabels: - longhorn.io/component: instance-manager - - podSelector: - matchLabels: - longhorn.io/component: backing-image-manager - - podSelector: - matchLabels: - longhorn.io/component: backing-image-data-source + - from: + - podSelector: + matchLabels: + app: longhorn-manager + ports: + - protocol: TCP + port: 8500 + - protocol: TCP + port: 8501 + - protocol: TCP + port: 8502 + - protocol: TCP + port: 8503 + - protocol: TCP + port: 8504 + - from: + - podSelector: + matchExpressions: + - key: longhorn.io/component + operator: In + values: + - instance-manager + - backing-image-manager + - backing-image-data-source + {{- /* NOTE: this should allow only the port range 10000-30000 but many CNIs do not support endPort :-( + ports: + - protocol: TCP + port: 10000 + endPort: 30000 + */}} {{- end }} diff --git a/chart/templates/network-policies/manager-network-policy.yaml b/chart/templates/network-policies/manager-network-policy.yaml index 6f94029a53..b99fd77f99 100644 --- a/chart/templates/network-policies/manager-network-policy.yaml +++ b/chart/templates/network-policies/manager-network-policy.yaml 
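Review bot: The second `from` rule (instance-manager, backing-image-manager, backing-image-data-source) has no `ports` because the `endPort` block is commented out, so those pods can reach every port on instance-manager, including 8500-8504 that the first rule reserves for longhorn-manager; the management-port restriction is therefore only cosmetic on the CNIs this comment is written for. Since NetworkPolicy cannot express "all ports except", the only way to keep the intent is to emit the `endPort` range when the CNI supports it, e.g. behind a chart value such as `.Values.networkPolicies.endPortSupported`, and to document the fallback: `# Without endPort the rule below also exposes 8500-8504 to these peers; set endPortSupported on CNIs that honour it.` This is worth flagging because backing-image-data-source handles remote, user-supplied content and is the least trusted of the three peers. A minor style point: the five consecutive `port: 850x` entries could be generated with `{{- range untilStep 8500 8505 1 }}` to keep the list in one place.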
@@ -9,27 +9,38 @@ spec: matchLabels: app: longhorn-manager policyTypes: - - Ingress + - Ingress ingress: - - from: - - podSelector: - matchLabels: - app: longhorn-manager - - podSelector: - matchLabels: - app: longhorn-ui - - podSelector: - matchLabels: - app: longhorn-csi-plugin - - podSelector: - matchLabels: - longhorn.io/managed-by: longhorn-manager - matchExpressions: - - { key: recurring-job.longhorn.io, operator: Exists } - - podSelector: - matchExpressions: - - { key: longhorn.io/job-task, operator: Exists } - - podSelector: - matchLabels: - app: longhorn-driver-deployer + - from: + - podSelector: + matchExpressions: + - key: app + operator: In + values: + - longhorn-manager + - longhorn-ui + - longhorn-csi-plugin + - longhorn-driver-deployer + - podSelector: + matchLabels: + longhorn.io/managed-by: longhorn-manager + matchExpressions: + - { key: recurring-job.longhorn.io, operator: Exists } + - podSelector: + matchExpressions: + - { key: longhorn.io/job-task, operator: Exists } + ports: + - port: 9500 + protocol: TCP + - from: + - podSelector: + matchLabels: + app: longhorn-manager + ports: + - port: 9501 + protocol: TCP + - port: 9502 + protocol: TCP + - port: 9503 + protocol: TCP {{- end }} diff --git a/chart/templates/network-policies/ui-frontend-network-policy.yaml b/chart/templates/network-policies/ui-frontend-network-policy.yaml index 6f37065980..97998074d1 100644 --- a/chart/templates/network-policies/ui-frontend-network-policy.yaml +++ b/chart/templates/network-policies/ui-frontend-network-policy.yaml @@ -10,6 +10,7 @@ spec: app: longhorn-ui policyTypes: - Ingress + - Egress ingress: - from: {{- if eq .Values.networkPolicies.type "rke1"}} @@ -37,10 +38,16 @@ spec: podSelector: matchLabels: app.kubernetes.io/name: traefik + {{- end }} ports: - port: 8000 protocol: TCP - - port: 80 - protocol: TCP - {{- end }} + egress: + - to: + - podSelector: + matchLabels: + app: longhorn-manager + ports: + - port: 9500 + protocol: TCP {{- end }} 
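Review bot: The second rule allows 9501-9503 only from pods labelled `app: longhorn-manager`, yet the deleted `examples/network-policy/webhook-network-policy.yaml` and `recovery-backend-network-policy.yaml` in this same change describe 9501 as the conversion webhook, 9502 as the admission webhook and 9503 as the recovery backend, all deliberately left with no `from` restriction. Webhooks are called by kube-apiserver, which on most distributions is a host-network static pod or an external control plane and so never matches a `podSelector` in longhorn-system; unless the CNI exempts host traffic, this rule is likely to break CRD conversion and admission. Consider an additional `from` entry for the control-plane source, e.g. an `ipBlock` list fed from a chart value, and confirm which pods actually consume the recovery backend on 9503 before limiting it to longhorn-manager. The enclosing `spec:` starts outside the hunk.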
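Review bot: With `Egress` now in `policyTypes`, the only permitted egress is to `app: longhorn-manager` pods on 9500, which leaves no path to kube-dns; as far as I can tell the UI's nginx proxies to the manager through the `longhorn-backend` Service name, so name resolution will fail at startup on CNIs that enforce egress. Add a DNS rule alongside the manager rule, keeping the kube-dns namespace and pod labels values-driven since they differ between distributions; traffic to the Service itself is fine because most CNIs evaluate policy after kube-proxy's DNAT, but that is worth verifying on the CNIs you list in `networkPolicies.type`. The enclosing `spec:` starts outside the hunk.

```yaml
  egress:
    # … unchanged: egress rule to longhorn-manager on 9500 …
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```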
diff --git a/examples/network-policy/backing-image-data-source-network-policy.yaml b/examples/network-policy/backing-image-data-source-network-policy.yaml deleted file mode 100644 index 1257bf345e..0000000000 --- a/examples/network-policy/backing-image-data-source-network-policy.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: backing-image-data-source - namespace: longhorn-system -spec: - podSelector: - matchLabels: - longhorn.io/component: backing-image-data-source - policyTypes: - - Ingress - ingress: - - from: - - podSelector: - matchLabels: - app: longhorn-manager - - podSelector: - matchLabels: - longhorn.io/component: instance-manager - - podSelector: - matchLabels: - longhorn.io/component: backing-image-manager - - podSelector: - matchLabels: - longhorn.io/component: backing-image-data-source diff --git a/examples/network-policy/backing-image-manager-network-policy.yaml b/examples/network-policy/backing-image-manager-network-policy.yaml deleted file mode 100644 index 5c252cc42a..0000000000 --- a/examples/network-policy/backing-image-manager-network-policy.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: backing-image-manager - namespace: longhorn-system -spec: - podSelector: - matchLabels: - longhorn.io/component: backing-image-manager - policyTypes: - - Ingress - ingress: - - from: - - podSelector: - matchLabels: - app: longhorn-manager - - podSelector: - matchLabels: - longhorn.io/component: instance-manager - - podSelector: - matchLabels: - longhorn.io/component: backing-image-manager diff --git a/examples/network-policy/instance-manager-networking.yaml b/examples/network-policy/instance-manager-networking.yaml deleted file mode 100644 index f30bd928ac..0000000000 --- a/examples/network-policy/instance-manager-networking.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: instance-manager - namespace: longhorn-system -spec: - podSelector: - matchLabels: - longhorn.io/component: instance-manager - policyTypes: - - Ingress - ingress: - - from: - - podSelector: - matchLabels: - app: longhorn-manager - - podSelector: - matchLabels: - longhorn.io/component: instance-manager - - podSelector: - matchLabels: - longhorn.io/component: backing-image-data-source diff --git a/examples/network-policy/manager-network-policy.yaml b/examples/network-policy/manager-network-policy.yaml deleted file mode 100644 index 3025661b8c..0000000000 --- a/examples/network-policy/manager-network-policy.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: longhorn-manager - namespace: longhorn-system -spec: - podSelector: - matchLabels: - app: longhorn-manager - policyTypes: - - Ingress - ingress: - - from: - - podSelector: - matchLabels: - app: longhorn-manager - - podSelector: - matchLabels: - app: longhorn-ui - - podSelector: - matchLabels: - app: longhorn-csi-plugin - - podSelector: - matchLabels: - longhorn.io/managed-by: longhorn-manager - matchExpressions: - - { key: recurring-job.longhorn.io, operator: Exists } - - podSelector: - matchExpressions: - - { key: longhorn.io/job-task, operator: Exists } - - podSelector: - matchLabels: - app: longhorn-driver-deployer diff --git a/examples/network-policy/recovery-backend-network-policy.yaml b/examples/network-policy/recovery-backend-network-policy.yaml deleted file mode 100644 index 4c0278038c..0000000000 --- a/examples/network-policy/recovery-backend-network-policy.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: longhorn-recovery-backend - namespace: longhorn-system -spec: - podSelector: - matchLabels: - longhorn.io/recovery-backend: longhorn-recovery-backend - policyTypes: - - Ingress - ingress: - - ports: - - protocol: TCP - port: 9503 - diff --git a/examples/network-policy/ui-network-policy.yaml b/examples/network-policy/ui-network-policy.yaml deleted file mode 100644 index e0361a0fb2..0000000000 --- a/examples/network-policy/ui-network-policy.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: longhorn-ui - namespace: longhorn-system -spec: - podSelector: - matchLabels: - app: longhorn-ui - policyTypes: - - Ingress - ingress: - - from: - # Depending on the ingress controller setup in your cluster, Change the following - # info to allow the traffic from the ingress controller pods to Longhorn UI - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: ingress-nginx - podSelector: - matchLabels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx diff --git a/examples/network-policy/webhook-network-policy.yaml b/examples/network-policy/webhook-network-policy.yaml deleted file mode 100644 index c0115fa109..0000000000 --- a/examples/network-policy/webhook-network-policy.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: longhorn-conversion-webhook - namespace: longhorn-system -spec: - podSelector: - matchLabels: - longhorn.io/conversion-webhook: longhorn-conversion-webhook - policyTypes: - - Ingress - ingress: - - ports: - - protocol: TCP - port: 9501 ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: longhorn-admission-webhook - namespace: longhorn-system -spec: - podSelector: - matchLabels: - longhorn.io/admission-webhook: longhorn-admission-webhook - policyTypes: - - Ingress - ingress: - - ports: - - protocol: TCP - port: 9502