From e21cc8bcdecfcba509bfaea01609858393a2730e Mon Sep 17 00:00:00 2001
From: fastlorenzo
Date: Thu, 13 Apr 2023 20:39:07 +0200
Subject: [PATCH] fix: Restrict web ports to ingress-nginx when network policies are enabled
Signed-off-by: fastlorenzo
---
mailu/templates/network-policies.yaml | 20 +++++++++++++++-----
mailu/values.yaml | 12 +++++++++++-
2 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/mailu/templates/network-policies.yaml b/mailu/templates/network-policies.yaml
index 663c4806..e366da48 100644
--- a/mailu/templates/network-policies.yaml
+++ b/mailu/templates/network-policies.yaml
@@ -19,6 +19,8 @@ spec: policyTypes: - Ingress - Egress + ingress: [] + egress: [] --- apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} kind: NetworkPolicy
@@ -60,18 +62,26 @@ spec: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: front ingress: - # Allow ports 25/TCP, 80/TCP, 110/TCP, 143/TCP, 443/TCP, 465/TCP, 587/TCP, 995/TCP, 993/TCP + # Allow ports 80/TCP, 443/TCP for ingress controller - ports: - - port: 25 - protocol: TCP - port: 80 protocol: TCP + - port: 443 + protocol: TCP + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ .Values.networkPolicy.ingressController.namespace }} + podSelector: + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressController.podSelector "context" $) | nindent 10 }} + # Allow ports 25/TCP, 110/TCP, 143/TCP, 465/TCP, 587/TCP, 995/TCP, 993/TCP through loadbalancer + - ports: + - port: 25 + protocol: TCP - port: 110 protocol: TCP - port: 143 protocol: TCP - - port: 443 - protocol: TCP - port: 465 protocol: TCP - port: 587
diff --git a/mailu/values.yaml b/mailu/values.yaml
index 6e891013..4922216c 100644
--- a/mailu/values.yaml
+++ b/mailu/values.yaml
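Review bot: The new `ingress: []` and `egress: []` in the first hunk are semantically identical to omitting both fields once `policyTypes` lists Ingress and Egress, so they only document intent, and a future maintainer may "tidy" them away or drop a rule into one of them without realizing this is the default-deny policy. A comment would pin that down: `# Explicit empty rule lists: default-deny all ingress and egress for the selected pods` above `ingress: []`. The policy's `podSelector` is above the hunk, so which pods the default-deny covers cannot be checked here.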
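Review bot: In the second hunk the `podSelector:` content is rendered with `nindent 10`, but it has to land deeper than the `podSelector:` key, which is a sibling of `namespaceSelector` inside the `- ` list item; if that key sits at column 10 the rendered `matchLabels` is at the same depth, `podSelector` becomes null, and the peer admits every pod in the ingress-controller namespace instead of only the controller pods. Indentation is lost in the collapsed hunk, so this is a request to check `helm template` output and move to `nindent 12` if the key is at column 10. The peer also selects the namespace through `kubernetes.io/metadata.name`, which is only set automatically on Kubernetes 1.21 and later; on older clusters the selector matches nothing and 80/443 are silently blocked, which deserves a comment such as `# Requires the kubernetes.io/metadata.name namespace label (Kubernetes >= 1.21)` above `from:`. The front policy's selector and the rest of the rule (ports 993/995 and egress) lie outside the hunk.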
@@ -105,10 +105,20 @@ subnet: 10.42.0.0/16 ## @param subnet6 Change this if you're using different address ranges for pods (IPv6) subnet6: "" -## @param networkPolicy.enabled Enable network policy networkPolicy: + ## @param networkPolicy.enabled Enable network policy enabled: false + ## @param networkPolicy.ingressController.namespace Namespace where the ingress controller is deployed + ## @param networkPolicy.ingressController.podSelector Selector for the ingress controller pods + ingressController: + namespace: ingress-nginx + podSelector: | + matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/component: controller + ## @param mailuVersion Override Mailu version to be deployed (tag of mailu images). Defaults to `Chart.AppVersion` - must be master or a version >= 2.0 mailuVersion: ""
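Review bot: The new `@param` descriptions for `networkPolicy.ingressController.*` do not say that the values only take effect when `networkPolicy.enabled` is true, that the defaults assume ingress-nginx deployed in namespace `ingress-nginx`, or that `podSelector` is a string rendered as a template that must produce a label-selector mapping; with another controller, or a relabelled ingress-nginx, HTTP/HTTPS to the front pods is blocked with no error at install time. Suggested wording: `## @param networkPolicy.ingressController.namespace Namespace of the ingress controller allowed to reach ports 80/443 (only used when networkPolicy.enabled is true)` and `## @param networkPolicy.ingressController.podSelector Label selector for the ingress controller pods, given as a YAML string rendered as a template`. It is also worth stating in the second comment that an empty selector leaves the peer with no `podSelector`, which would admit every pod in that namespace, since that is the failure mode a user is most likely to hit when adapting the defaults.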