thanos-io / kube-thanos

Kubernetes specific configuration for deploying Thanos.
Apache License 2.0

Add NetworkPolicy to all components #314

Open metalmatze opened 10 months ago

metalmatze commented 10 months ago

It would be great to add NetworkPolicy to all components.

Here's an example for a thanos-store:

    networkPolicy: {
      kind: 'NetworkPolicy',
      apiVersion: 'networking.k8s.io/v1',
      metadata: {
        name: 'thanos-store',
        namespace: cfg.namespace,
      },
      spec: {
        podSelector: {
          matchLabels: {
            'app.kubernetes.io/name': 'thanos-store',
          },
        },
        egress: [{}],  // Allow all outside egress to connect to object storage
        ingress: [{
          from: [{
            namespaceSelector: {
              matchLabels: {
                'kubernetes.io/metadata.name': cfg.namespace,
              },
            },
            podSelector: {
              matchLabels: {
                'app.kubernetes.io/name': 'thanos-query',
              },
            },
          }],
        }],
        // 'Ingress' must be listed too, otherwise the ingress rules above are not enforced
        policyTypes: ['Ingress', 'Egress'],
      },
    },

Example PR to add the network policy to individual components: https://github.com/parca-dev/demo-deployments/pull/189/files

This should really live in kube-thanos and not in each individual downstream project.
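An added example, not part of the original issue or of kube-thanos: a check for rendered NetworkPolicy manifests that reports ingress or egress rules which `policyTypes` leaves unenforced, and rules that are empty and therefore allow all traffic. The function names and the `thanos` namespace in the sample are assumptions made for illustration.

```python
import copy

def effective_policy_types(spec):
    """Return the policy types Kubernetes enforces for a NetworkPolicy spec."""
    declared = spec.get("policyTypes")
    if declared:
        return set(declared)
    # API defaulting: Ingress always applies; Egress only if egress rules exist.
    return {"Ingress", "Egress"} if spec.get("egress") else {"Ingress"}

def lint_network_policy(policy):
    """Return (level, message) findings for one rendered NetworkPolicy."""
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    spec = policy.get("spec", {})
    enforced = effective_policy_types(spec)
    findings = []
    for ptype, key, peers in (("Ingress", "ingress", "from"), ("Egress", "egress", "to")):
        rules = spec.get(key) or []
        if rules and ptype not in enforced:
            findings.append(("WARN", f"{name}: {key} rules present but policyTypes "
                                     f"omits {ptype}; they are not enforced"))
            continue
        for i, rule in enumerate(rules):
            # A rule with neither peers nor ports matches every connection.
            if not rule.get(peers) and not rule.get("ports"):
                findings.append(("INFO", f"{name}: {key}[{i}] is empty and allows all traffic"))
    return findings

# Constructed sample: a store policy with ingress rules but policyTypes of only 'Egress'.
SAMPLE = {
    "kind": "NetworkPolicy",
    "apiVersion": "networking.k8s.io/v1",
    "metadata": {"name": "thanos-store", "namespace": "thanos"},
    "spec": {
        "podSelector": {"matchLabels": {"app.kubernetes.io/name": "thanos-store"}},
        "egress": [{}],
        "ingress": [{"from": [{
            "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "thanos"}},
            "podSelector": {"matchLabels": {"app.kubernetes.io/name": "thanos-query"}},
        }]}],
        "policyTypes": ["Egress"],
    },
}
# Same policy with both directions listed.
FIXED = copy.deepcopy(SAMPLE)
FIXED["spec"]["policyTypes"] = ["Ingress", "Egress"]

if __name__ == "__main__":
    for label, pol in (("sample", SAMPLE), ("fixed", FIXED)):
        for level, msg in lint_network_policy(pol):
            print(f"[{label}] {level}: {msg}")
```

Run it over the JSON that jsonnet renders for each component to catch the mismatch before the manifests are applied.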