Dynatrace / dynatrace-oneagent-operator

Kubernetes/Openshift Operator for managing Dynatrace OneAgent deployments
Apache License 2.0
88 stars 48 forks

k8s network policies #136

Open tschonnie opened 5 years ago

tschonnie commented 5 years ago

Since it is a good practice to have a deny-all network policy in every namespace, it would be good to have the required network policies for the Dynatrace OneAgent documented or as YAML in this repo. We use these Helm template files to allow the communication to the k8s API server and to the Dynatrace server in every namespace. What do you think about it?

{{- range $key,$val := .Values.namespaces }}
---
# Rendered once per namespace listed in .Values.namespaces.
# Egress to the Kubernetes API server.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-server
  namespace: {{ $key }}
spec:
  podSelector: {}          # applies to every pod in the namespace
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: {{ $.Values.apiServerIp }}/32
    ports:
    - protocol: TCP
      port: {{ $.Values.apiServerPort }}
---
# Egress to the Dynatrace server, e.g. the OneAgent endpoint lsb148.dynatrace-managed.com
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dynatrace
  namespace: {{ $key }}
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: {{ $.Values.dynatraceServerIp }}/32
    ports:
    - protocol: TCP
      port: {{ $.Values.dynatraceServerOneAgentPort }}   # OneAgent communication
    - protocol: TCP
      port: {{ $.Values.dynatraceServerDownloadPort }}   # OneAgent download
{{- end }}
---
DTMad commented 4 years ago

Hey @tschonnie !

Sorry for the late reply. This looks good to me. Would it be OK for you to have the required NetworkPolicies mentioned in the README?

Regards, Marco
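As an added example (not code from this issue or from the operator repository), here is the complete per-namespace set that the first comment presupposes, written as plain manifests rather than a Helm template: the deny-all baseline, a DNS egress allowance (a deny-all egress policy otherwise blocks name resolution, so hostnames such as the Dynatrace endpoint cannot be looked up), and the two allowances from the template above. The namespace name, the addresses, the ports and the kube-dns selector labels are assumptions, not Dynatrace defaults.

```yaml
# Added example, not part of the issue or the operator repo.
# Namespace, addresses, ports and labels below are assumed values.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: monitoring            # assumed namespace
spec:
  podSelector: {}                  # selects every pod in the namespace
  policyTypes:
  - Ingress
  - Egress                         # no ingress/egress rules listed: nothing is allowed
---
# Deny-all egress also blocks DNS. Allow UDP/TCP 53 to kube-dns only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: monitoring
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system   # auto-set label on k8s >= 1.21
      podSelector:
        matchLabels:
          k8s-app: kube-dns        # assumed label of the CoreDNS/kube-dns pods
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# Egress to the Kubernetes API server.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-server
  namespace: monitoring
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.1/32          # assumed: address from `kubectl get endpoints kubernetes`
    ports:
    - protocol: TCP
      port: 443                    # assumed API server port
---
# Egress to the Dynatrace server (OneAgent communication and download ports).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dynatrace
  namespace: monitoring
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 203.0.113.10/32      # assumed: documentation address standing in for the Dynatrace server
    ports:
    - protocol: TCP
      port: 443                    # assumed OneAgent communication port
    - protocol: TCP
      port: 8443                   # assumed OneAgent download port
```

NetworkPolicy allow rules are additive: the three allow policies are unioned with the deny-all baseline, so each one only needs to list what it adds. The `kubernetes.io/metadata.name` namespace label is set automatically from Kubernetes 1.21 on; on older clusters label the kube-system namespace yourself or select it by another label. Policies only take effect if the cluster's CNI enforces NetworkPolicy, so verify enforcement (for example by trying an egress connection that should now be blocked) rather than assuming it from the presence of the objects.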