From 8a9c5ae973bf05741f2cc37df027b1a9a12684c4 Mon Sep 17 00:00:00 2001
From: "Simon L."
Date: Mon, 22 Jul 2024 15:43:04 +0200
Subject: [PATCH 1/2] helm: add network policy
Signed-off-by: Simon L.
---
 .../templates/nextcloud-aio-networkpolicy.yaml | 14 ++++++++++++++
 nextcloud-aio-helm-chart/update-helm.sh | 18 ++++++++++++++++++
 nextcloud-aio-helm-chart/values.yaml | 1 +
 3 files changed, 33 insertions(+)
 create mode 100755 nextcloud-aio-helm-chart/templates/nextcloud-aio-networkpolicy.yaml
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-networkpolicy.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-networkpolicy.yaml
new file mode 100755
index 00000000000..7f0bdbae380
--- /dev/null
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-networkpolicy.yaml
@@ -0,0 +1,14 @@
+{{- if eq .Values.NETWORK_POLICY_ENABLED "yes" }}
+# https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/04-deny-traffic-from-other-namespaces.md
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ namespace: "{{ .Values.NAMESPACE }}"
+ name: nextcloud-aio-deny-from-other-namespaces
+spec:
+ podSelector:
+ matchLabels:
+ ingress:
+ - from:
+ - podSelector: {}
+{{- end }}
diff --git a/nextcloud-aio-helm-chart/update-helm.sh b/nextcloud-aio-helm-chart/update-helm.sh
index c92139446ad..7fb80ec769b 100755
--- a/nextcloud-aio-helm-chart/update-helm.sh
+++ b/nextcloud-aio-helm-chart/update-helm.sh
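Review bot: The bare `matchLabels:` under `podSelector:` on the new side parses as `matchLabels: null`, which the API server treats as an empty selector, i.e. every pod in the namespace — the intended scope, but it reads like an unfinished stanza and yamllint's empty-values rule flags it. Writing `podSelector: {}` states that intent directly and matches the form the same file already uses for the `from` entry. The heredoc copy of this template in update-helm.sh (next file in this patch) carries the same line and should be changed together with it.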
@@ -315,6 +315,23 @@ find ./ -name '*talk-deployment.yaml' -exec sed -i "/^.*\- env:/r /tmp/additiona
 # shellcheck disable=SC1083
 find ./ -name '*deployment.yaml' -exec sed -i '/image: nextcloud/s/$/"/;s|image: nextcloud/|image: "{{ .Values.IMAGE_MIRROR_PREFIX }}{{ .Values.NEXTCLOUD_IMAGE_ORG }}/|;' \{} \;
+cat << EOL > templates/nextcloud-aio-networkpolicy.yaml
+{{- if eq .Values.NETWORK_POLICY_ENABLED "yes" }}
+# https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/04-deny-traffic-from-other-namespaces.md
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ namespace: "{{ .Values.NAMESPACE }}"
+ name: nextcloud-aio-deny-from-other-namespaces
+spec:
+ podSelector:
+ matchLabels:
+ ingress:
+ - from:
+ - podSelector: {}
+{{- end }}
+EOL
+
 cd ../
 mkdir -p ../helm-chart/
 rm latest/Chart.yaml
@@ -355,6 +372,7 @@ cat << ADDITIONAL_CONFIG >> /tmp/sample.conf
 NAMESPACE: default # By changing this, you can adjust the namespace of the installation which allows to install multiple instances on one kubernetes cluster
 NAMESPACE_DISABLED: "no" # By setting this to "yes", you can disabled the creation of the namespace so that you can use a pre-created one
+NETWORK_POLICY_ENABLED: "no" # By setting this to "yes", you can enable a network policy that limits network access to the same namespace. ⚠️ Attention: this breaks if you use an ingress!!! So it should be disabled if you do so!
 SUBSCRIPTION_KEY: # This allows to set the Nextcloud Enterprise key via ENV
 SERVERINFO_TOKEN: # This allows to set the serverinfo app token for monitoring your Nextcloud via the serverinfo app
 APPS_ALLOWLIST: # This allows to configure allowed apps that will be shown in Nextcloud's Appstore. You need to enter the app-IDs of the apps here and separate them with spaces. E.g. 'files richdocuments'
diff --git a/nextcloud-aio-helm-chart/values.yaml b/nextcloud-aio-helm-chart/values.yaml
index 115ca86d368..dddc569cc3e 100755
--- a/nextcloud-aio-helm-chart/values.yaml
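Review bot: The `cat << EOL > templates/nextcloud-aio-networkpolicy.yaml` heredoc added in the first hunk uses an unquoted delimiter, so the shell applies parameter expansion and command substitution to the template body before writing it. The body as written contains no `$` or backticks, so the generated file is currently byte-identical to the committed template, but a later edit that introduces one (a shell-looking token inside a Helm expression, say) would be rewritten silently and only show up as a rendering difference in the chart. Quoting the delimiter, `cat << 'EOL' > templates/nextcloud-aio-networkpolicy.yaml`, makes the verbatim intent explicit — unless other heredocs in this script deliberately rely on expansion, which cannot be told from this hunk.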
+++ b/nextcloud-aio-helm-chart/values.yaml
@@ -49,6 +49,7 @@ REDIS_STORAGE_SIZE: 1Gi # You can change the size of the redis volume that
 NAMESPACE: default # By changing this, you can adjust the namespace of the installation which allows to install multiple instances on one kubernetes cluster
 NAMESPACE_DISABLED: "no" # By setting this to "yes", you can disabled the creation of the namespace so that you can use a pre-created one
+NETWORK_POLICY_ENABLED: "no" # By setting this to "yes", you can enable a network policy that limits network access to the same namespace. ⚠️ Attention: this breaks if you use an ingress!!! So it should be disabled if you do so!
 SUBSCRIPTION_KEY: # This allows to set the Nextcloud Enterprise key via ENV
 SERVERINFO_TOKEN: # This allows to set the serverinfo app token for monitoring your Nextcloud via the serverinfo app
 APPS_ALLOWLIST: # This allows to configure allowed apps that will be shown in Nextcloud's Appstore. You need to enter the app-IDs of the apps here and separate them with spaces. E.g. 'files richdocuments'
From 533c270d061e45f867654600bdd5e47f76e76b10 Mon Sep 17 00:00:00 2001
From: "Simon L."
Date: Thu, 25 Jul 2024 15:27:50 +0200
Subject: [PATCH 2/2] address review
Signed-off-by: Simon L.
---
 .../templates/nextcloud-aio-networkpolicy.yaml | 6 ++++++
 nextcloud-aio-helm-chart/update-helm.sh | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-networkpolicy.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-networkpolicy.yaml
index 7f0bdbae380..8e6986b8786 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-networkpolicy.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-networkpolicy.yaml
@@ -8,7 +8,13 @@ metadata:
 spec:
 podSelector:
 matchLabels:
+ policyTypes:
+ - Ingress
+ - Egress
 ingress:
 - from:
 - podSelector: {}
+ egress:
+ - to:
+ - podSelector: {}
 {{- end }}
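Review bot: The new `egress` rule in the second patch's template hunk only permits traffic to pods in the same namespace, and because `Egress` is now listed in `policyTypes` everything else is denied — including DNS queries to CoreDNS/kube-dns in kube-system, so name resolution inside the selected pods will presumably stop working as soon as the policy is enabled; the heredoc in update-helm.sh (the following hunk) emits the same rule and needs the same change. An additional egress rule that allows UDP and TCP port 53 to the kube-system namespace, selected through the `kubernetes.io/metadata.name` label that recent Kubernetes releases set automatically, keeps the same-namespace isolation while restoring DNS. If the pods must also reach endpoints outside the cluster, an explicit `ipBlock` egress rule is required as well; whether the chart expects that cannot be told from this hunk. The inline comment on `NETWORK_POLICY_ENABLED` in values.yaml and sample.conf only warns about ingress and should state that outbound traffic is restricted too.
```yaml
# … unchanged: podSelector, policyTypes and ingress stanzas …
  egress:
  - to:
    - podSelector: {}
  # DNS runs in kube-system, which the same-namespace rule above does not cover
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```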
diff --git a/nextcloud-aio-helm-chart/update-helm.sh b/nextcloud-aio-helm-chart/update-helm.sh
index 7fb80ec769b..3a251b009e5 100755
--- a/nextcloud-aio-helm-chart/update-helm.sh
+++ b/nextcloud-aio-helm-chart/update-helm.sh
@@ -326,9 +326,15 @@ metadata:
 spec:
 podSelector:
 matchLabels:
+ policyTypes:
+ - Ingress
+ - Egress
 ingress:
 - from:
 - podSelector: {}
+ egress:
+ - to:
+ - podSelector: {}
 {{- end }}
 EOL