allow disabling network policies via installNetworkPolicies

cyril.cros · corneliusludmann · commit 0f4562a8abeb · 2021-03-18T16:51:52.000+01:00
diff --git a/chart/templates/blobserve-networkpolicy.yaml b/chart/templates/blobserve-networkpolicy.yaml
@@ -2,6 +2,7 @@
 # Licensed under the MIT License. See License-MIT.txt in the project root for license information.
 
 {{ $comp := .Values.components.blobserve -}}
+{{ if .Values.installNetworkPolicies -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -31,3 +32,4 @@ spec:
         matchLabels:
           app: {{ template "gitpod.fullname" . }}
           component: ws-proxy
+{{- end -}}
diff --git a/chart/templates/content-service-networkpolicy.yaml b/chart/templates/content-service-networkpolicy.yaml
@@ -1,6 +1,7 @@
 # Copyright (c) 2021 Gitpod GmbH. All rights reserved.
 # Licensed under the MIT License. See License-MIT.txt in the project root for license information.
 
+{{ if .Values.installNetworkPolicies -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -19,3 +20,4 @@ spec:
   - Ingress
   ingress:
   - {}
+{{- end -}}
diff --git a/chart/templates/dashboard-deny-all-allow-explicit-networkpolicy.yaml b/chart/templates/dashboard-deny-all-allow-explicit-networkpolicy.yaml
@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Gitpod GmbH. All rights reserved.
 # Licensed under the MIT License. See License-MIT.txt in the project root for license information.
 
+{{ if .Values.installNetworkPolicies -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -27,3 +28,4 @@ spec:
         matchLabels:
           app: {{ template "gitpod.fullname" . }}
           component: proxy
+{{- end -}}
diff --git a/chart/templates/db-deny-all-allow-explicit-networkpolicy.yaml b/chart/templates/db-deny-all-allow-explicit-networkpolicy.yaml
@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Gitpod GmbH. All rights reserved.
 # Licensed under the MIT License. See License-MIT.txt in the project root for license information.
 
+{{ if .Values.installNetworkPolicies -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -56,3 +57,4 @@ spec:
         matchLabels:
           app: sweeper
     {{- end -}}
+{{- end -}}
diff --git a/chart/templates/image-builder-networkpolicy.yaml b/chart/templates/image-builder-networkpolicy.yaml
@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Gitpod GmbH. All rights reserved.
 # Licensed under the MIT License. See License-MIT.txt in the project root for license information.
 
+{{ if .Values.installNetworkPolicies -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -32,4 +33,5 @@ spec:
         cidr: 0.0.0.0/0
         except:
         # Google Compute engine special, reserved VM metadata IP
-        - 169.254.169.254/32
+        - 169.254.169.254/32
+{{- end -}}
diff --git a/chart/templates/messagebus-allow-all-networkpolicy.yaml b/chart/templates/messagebus-allow-all-networkpolicy.yaml
@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Gitpod GmbH. All rights reserved.
 # Licensed under the MIT License. See License-MIT.txt in the project root for license information.
 
+{{ if .Values.installNetworkPolicies -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -19,4 +20,5 @@ spec:
   - Ingress
   ingress:
   # allow ingress for everyone in the cluster. The workspace pods have an egress limit that prevents them from accessing the messagebus service anyways.
-  - {}
+  - {}
+{{- end -}}
diff --git a/chart/templates/proxy-deny-all-allow-explicit-networkpolicy.yaml b/chart/templates/proxy-deny-all-allow-explicit-networkpolicy.yaml
@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Gitpod GmbH. All rights reserved.
 # Licensed under the MIT License. See License-MIT.txt in the project root for license information.
 
+{{ if .Values.installNetworkPolicies -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -36,3 +37,4 @@ spec:
         matchLabels:
           app: prometheus
           component: server
+{{- end -}}
diff --git a/chart/templates/registry-facade-allow-all-networkpolicy.yaml b/chart/templates/registry-facade-allow-all-networkpolicy.yaml
@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Gitpod GmbH. All rights reserved.
 # Licensed under the MIT License. See License-MIT.txt in the project root for license information.
 
+{{ if .Values.installNetworkPolicies -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -19,4 +20,5 @@ spec:
   - Ingress
   ingress:
   # allow ingress for everyone in the cluster. The workspace pods have an egress limit that prevents them from accessing the registry-facade service anyways.
-  - {}
+  - {}
+{{- end -}}
diff --git a/chart/templates/server-deny-all-allow-explicit-networkpolicy.yaml b/chart/templates/server-deny-all-allow-explicit-networkpolicy.yaml
@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Gitpod GmbH. All rights reserved.
 # Licensed under the MIT License. See License-MIT.txt in the project root for license information.
 
+{{ if .Values.installNetworkPolicies -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -43,3 +44,4 @@ spec:
         matchLabels:
           app: {{ template "gitpod.fullname" . }}
           component: cerc
+{{- end -}}
diff --git a/chart/templates/workspace-networkpolicy-default.yaml b/chart/templates/workspace-networkpolicy-default.yaml
@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Gitpod GmbH. All rights reserved.
 # Licensed under the MIT License. See License-MIT.txt in the project root for license information.
 
+{{ if .Values.installNetworkPolicies -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -91,3 +92,4 @@ spec:
         matchLabels:
           app: gitpod
           component: proxy
+{{- end -}}
diff --git a/chart/templates/ws-daemon-networkpolicy.yaml b/chart/templates/ws-daemon-networkpolicy.yaml
@@ -2,6 +2,7 @@
 # Licensed under the MIT License. See License-MIT.txt in the project root for license information.
 
 {{ $comp := .Values.components.wsDaemon -}}
+{{ if .Values.installNetworkPolicies -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -37,4 +38,5 @@ spec:
     - podSelector:
         matchLabels:
           app: prometheus
-          component: server
+          component: server
+{{- end -}}
diff --git a/chart/templates/ws-manager-networkpolicy.yaml b/chart/templates/ws-manager-networkpolicy.yaml
@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Gitpod GmbH. All rights reserved.
 # Licensed under the MIT License. See License-MIT.txt in the project root for license information.
 
+{{ if .Values.installNetworkPolicies -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -18,4 +19,5 @@ spec:
   policyTypes:
   - Ingress
   ingress:
-  - {}
+  - {}
+{{- end -}}
diff --git a/chart/templates/ws-proxy-networkpolicy.yaml b/chart/templates/ws-proxy-networkpolicy.yaml
@@ -2,7 +2,7 @@
 # Licensed under the MIT License. See License-MIT.txt in the project root for license information.
 
 {{ $comp := .Values.components.wsProxy -}}
-{{- if not $comp.disabled -}}
+{{- if and (not $comp.disabled) (.Values.installNetworkPolicies) -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -24,4 +24,4 @@ spec:
   - ports:
     - protocol: TCP
       port: {{ $comp.ports.httpProxy.containerPort }}
-{{ end }}
+{{ end }}
diff --git a/chart/templates/ws-scheduler-networkpolicy.yaml b/chart/templates/ws-scheduler-networkpolicy.yaml
@@ -1,6 +1,7 @@
 # Copyright (c) 2020 Gitpod GmbH. All rights reserved.
 # Licensed under the MIT License. See License-MIT.txt in the project root for license information.
 
+{{ if .Values.installNetworkPolicies -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -18,4 +19,5 @@ spec:
   policyTypes:
   - Ingress
   ingress:
-  - {}
+  - {}
+{{- end -}}
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -15,6 +15,7 @@ installation:
   cluster: "00"
   shortname: ""
 license: ""
+installNetworkPolicies: true
 installPodSecurityPolicies: true
 imagePullPolicy: IfNotPresent
 resources:
