Add NetworkPolicies

2020-05-01 01:32:18 +02:00 · 2020-05-01 01:32:18 +02:00 · 63318b11b9
commit 63318b11b9
parent 07283a2243
4 changed files with 39 additions and 5 deletions
--- a/files/NetworkPolicies/allow-from-namespaces.yaml
+++ b/files/NetworkPolicies/allow-from-namespaces.yaml
@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-namespaces
+  namespace: kubernetes-dashboard
+spec:
+  podSelector: {}
+  ingress:
+    - from:
+      - podSelector: {}
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            namespace: tools
+        podSelector:
+          matchLabels:
+            app: traefik
+  policyTypes:
+  - Ingress
--- a/files/NetworkPolicies/default-deny-all.yaml
+++ b/files/NetworkPolicies/default-deny-all.yaml
@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: kubernetes-dashboard
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -4,9 +4,12 @@
    k8s:
      state: present
      context: "{{ my_context }}"
+      merge_type: merge
      resource_definition: "{{ lookup('file', item) | from_yaml }}"
    with_items:
      - "kubernetes-dashboard-Namespace.yaml"
+      - NetworkPolicies/default-deny-all.yaml
+      - NetworkPolicies/allow-from-namespaces.yaml
      - "kubernetes-dashboard-ServiceAccount.yaml"
      - "kubernetes-dashboard-Service.yaml"
      - "kubernetes-dashboard-certs-Secret.yaml"
@ -35,6 +38,7 @@
    k8s:
      state: present
      context: "{{ my_context }}"
+      merge_type: merge
      definition:
        apiVersion: traefik.containo.us/v1alpha1
        kind: Middleware
@ -53,6 +57,7 @@
    k8s:
      state: present
      context: "{{ my_context }}"
+      merge_type: merge
      resource_definition: "{{ lookup('template', item) | from_yaml }}"
    with_items:
      - dashboard-ingress.yaml
--- a/templates/dashboard-ingress.yaml
+++ b/templates/dashboard-ingress.yaml
@ -1,4 +1,4 @@
-{% if traefik_version | regex_search('(1.)') %}
+{% if traefik_version | regex_search('(^1.)') %}
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
@ -25,7 +25,7 @@ spec:
          serviceName: kubernetes-dashboard
          servicePort: 443
 {% else %}
-{% if traefik_version | regex_search('(2.)') %}
+{% if traefik_version | regex_search('(^2.)') %}
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
@ -43,11 +43,11 @@ spec:
    middlewares:
 {% if ingress_whitelist is defined %}
      - name: traefik-ipwhitelist
-        namespace: tools
+        namespace: traefik
 {% endif %}
 {% if basic_auth is defined %}
      - name: basic-auth
-        namespace: tools
+        namespace: traefik
 {% endif %}
      - name: kubernetes-dashboard-auth
    services:
@ -60,7 +60,7 @@ spec:
  tls:
    options:
      name: default
-      namespace: tools
+      namespace: traefik
    secretName: wildcard-cluster
 {% endif %}
 {% endif %}