fix: Restrict web ports to ingress-nginx when network policies are en…

…abled Signed-off-by: fastlorenzo <git@bernardi.be>
Mailu · Apr 13, 2023 · e21cc8b · e21cc8b
1 parent a766d13
commit e21cc8b
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 6 deletions.
diff --git a/mailu/templates/network-policies.yaml b/mailu/templates/network-policies.yaml
@@ -19,6 +19,8 @@ spec:
   policyTypes:
     - Ingress
     - Egress
+  ingress: []
+  egress: []
 ---
 apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
 kind: NetworkPolicy
@@ -60,18 +62,26 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: front
   ingress:
-    # Allow ports 25/TCP, 80/TCP, 110/TCP, 143/TCP, 443/TCP, 465/TCP, 587/TCP, 995/TCP, 993/TCP
+    # Allow ports 80/TCP, 443/TCP for ingress controller
     - ports:
-      - port: 25
-        protocol: TCP
       - port: 80
         protocol: TCP
+      - port: 443
+        protocol: TCP
+      from:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ .Values.networkPolicy.ingressController.namespace }}
+        podSelector:
+          {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressController.podSelector "context" $) | nindent 10 }}
+    # Allow ports 25/TCP, 110/TCP, 143/TCP, 465/TCP, 587/TCP, 995/TCP, 993/TCP through loadbalancer
+    - ports:
+      - port: 25
+        protocol: TCP
       - port: 110
         protocol: TCP
       - port: 143
         protocol: TCP
-      - port: 443
-        protocol: TCP
       - port: 465
         protocol: TCP
       - port: 587

diff --git a/mailu/values.yaml b/mailu/values.yaml
@@ -105,10 +105,20 @@ subnet: 10.42.0.0/16
 ## @param subnet6 Change this if you're using different address ranges for pods (IPv6)
 subnet6: ""
 
-## @param networkPolicy.enabled Enable network policy
 networkPolicy:
+  ## @param networkPolicy.enabled Enable network policy
   enabled: false
 
+  ## @param networkPolicy.ingressController.namespace Namespace where the ingress controller is deployed
+  ## @param networkPolicy.ingressController.podSelector Selector for the ingress controller pods
+  ingressController:
+    namespace: ingress-nginx
+    podSelector: |
+      matchLabels:
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/component: controller
+
 ## @param mailuVersion Override Mailu version to be deployed (tag of mailu images). Defaults to `Chart.AppVersion` - must be master or a version >= 2.0
 mailuVersion: ""