Closed clux closed 1 year ago
Hardest part of this was actually the apiserver access egress...

I started out with:

```yaml
- namespaceSelector:
    matchLabels:
      name: default
```

which works in many places, but not all, so now we have this complicated endpoint query, that's fed into helm:

```sh
apiserver="$(kubectl get endpoints kubernetes -ojson | jq '.subsets[0].addresses[0].ip' -r)"
helm template charts/doc-controller \
  --set version=latest \
  --set networkPolicy.enabled=true \
  --set networkPolicy.apiserver.0=${apiserver}/32
```

which is fine, but we don't want first-comers to have to deal with all of that garbage, so in `values.yaml` there's a wide-open egress default for where the endpoint is:

```yaml
# values.yaml
networkPolicy:
  apiserver:
  - "0.0.0.0/0" # extremely wide-open egress on ports 443 + 6443
```

hopefully, that is a decent enough starting point that doesn't discourage NetworkPolicies, but also doesn't front-load all the mysticism.
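The comment above derives a single `/32` from the first address of the `kubernetes` Endpoints object and otherwise falls back to `0.0.0.0/0`. The following is an added example (not code from the doc-controller chart or from the comment author) that generalizes the same idea: it reads the Endpoints JSON that `kubectl get endpoints kubernetes -ojson` returns, emits one `/32` per API-server address across all subsets (HA control planes list several), builds the corresponding NetworkPolicy egress rule on ports 443 and 6443, and flags any CIDR that covers the whole address space so a wide-open default does not go unnoticed. The sample Endpoints document, IP addresses and policy name are constructed for the example.

```python
"""Build a NetworkPolicy egress rule restricted to the API-server endpoints.

Added example; assumes the Endpoints JSON shape returned by
`kubectl get endpoints kubernetes -ojson`. All names and IPs are constructed.
"""
import ipaddress
import json

# Constructed stand-in for `kubectl get endpoints kubernetes -ojson`.
SAMPLE_ENDPOINTS_JSON = json.dumps({
    "kind": "Endpoints",
    "metadata": {"name": "kubernetes", "namespace": "default"},
    "subsets": [{
        "addresses": [{"ip": "10.0.0.10"}, {"ip": "10.0.0.11"}],
        "ports": [{"name": "https", "port": 6443, "protocol": "TCP"}],
    }],
})


def apiserver_cidrs(endpoints_json):
    """Return one /32 per API-server address, across every subset.

    Using only `.subsets[0].addresses[0]` (as the jq one-liner does) drops the
    remaining control-plane nodes on an HA cluster, which then fail egress.
    """
    doc = json.loads(endpoints_json)
    cidrs = []
    for subset in doc.get("subsets") or []:
        for addr in subset.get("addresses") or []:
            # ip_network validates the address and normalises the notation.
            cidrs.append(str(ipaddress.ip_network(f"{addr['ip']}/32")))
    return cidrs


def is_wide_open(cidrs):
    """True if any entry covers the whole address space (e.g. 0.0.0.0/0 or ::/0)."""
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


def egress_rule(cidrs, ports=(443, 6443)):
    """One NetworkPolicy egress rule: the given CIDRs on the given TCP ports."""
    return {
        "to": [{"ipBlock": {"cidr": c}} for c in cidrs],
        "ports": [{"protocol": "TCP", "port": p} for p in ports],
    }


def network_policy(name, namespace, selector_labels, cidrs):
    """Complete NetworkPolicy manifest (JSON is accepted by `kubectl apply -f`)."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": selector_labels},
            "policyTypes": ["Egress"],
            "egress": [egress_rule(cidrs)],
        },
    }


if __name__ == "__main__":
    cidrs = apiserver_cidrs(SAMPLE_ENDPOINTS_JSON)
    if is_wide_open(cidrs):
        print("warning: apiserver egress is wide open; narrow it to the endpoint IPs")
    policy = network_policy("doc-controller", "default",
                            {"app": "doc-controller"}, cidrs)
    print(json.dumps(policy, indent=2))
```

Feed the output of the real `kubectl get endpoints kubernetes -ojson` into `apiserver_cidrs` to replace the hand-written helm `--set networkPolicy.apiserver.N=...` values; `is_wide_open` is the check to run against the chart's rendered values before accepting the `0.0.0.0/0` default in anything beyond a first trial.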