Add optional NetworkPolicy templates for namespace isolation#5
Conversation
Adds a default-deny NetworkPolicy and per-pod allow rule templates for spire-server, OIDC discovery provider, SPIFFE CSI driver, and ZTWIM operator. All disabled by default — patterns opt in via values. Note: spire-agent uses hostNetwork and is not affected by NetworkPolicies. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
minmzzhang
left a comment
minmzzhang
left a comment
There was a problem hiding this comment.
shall we update the conditions before submission?
| @@ -0,0 +1,18 @@ | |||
| {{- if and (eq (.Values.defaultDenyNetworkPolicy.enabled | toString) "true") .Values.networkPolicy.csiDriver.enabled }} | |||
There was a problem hiding this comment.
do we want to add the toSring here?
{{- if and (eq (.Values.defaultDenyNetworkPolicy.enabled | toString) "true") (eq (.Values.networkPolicy.csiDriver.enabled | toString) "true") }}
| @@ -0,0 +1,22 @@ | |||
| {{- if and (eq (.Values.defaultDenyNetworkPolicy.enabled | toString) "true") .Values.networkPolicy.oidcDiscoveryProvider.enabled }} | |||
There was a problem hiding this comment.
same here toString for the 2nd half
| @@ -0,0 +1,22 @@ | |||
| {{- if and (eq (.Values.defaultDenyNetworkPolicy.enabled | toString) "true") .Values.networkPolicy.operator.enabled }} | |||
There was a problem hiding this comment.
same here toString for the 2nd half
| @@ -0,0 +1,22 @@ | |||
| {{- if and (eq (.Values.defaultDenyNetworkPolicy.enabled | toString) "true") .Values.networkPolicy.spireServer.enabled }} | |||
There was a problem hiding this comment.
same here toString for the 2nd half
Great catch, I'm fixing it right away. |
Use toString + eq for both halves of the condition to handle values passed as strings via Helm overrides (common in Validated Patterns). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
minmzzhang
left a comment
minmzzhang
left a comment
There was a problem hiding this comment.
let's also bump up the version, and run "make helm-docs" before submission. Otherwise, all LGTM! very well documented!
|
If the superlinter fails, probably should add the prettier reformatting as updated in the rhbk chart: Makefile
|
sabre1041
left a comment
sabre1041
left a comment
There was a problem hiding this comment.
Tested successfully as part of validatedpatterns/layered-zero-trust#145
Agree with @minmzzhang that we should bump the chart version and regen the docs
|
@minmzzhang / @sabre1041 I bumped the chart version and regen the helm docs. Please merge it and create new release. Then we can go ahead and merge validatedpatterns/layered-zero-trust#145. |
|
Hi @p-rog , as expected the
|
3 participants
Adds a default-deny NetworkPolicy and per-pod allow rule templates for spire-server, OIDC discovery provider, SPIFFE CSI driver, and ZTWIM operator. All disabled by default — patterns opt in via values.
Note: spire-agent uses hostNetwork and is not affected by NetworkPolicies.