From 778a2db0f974b6483b8aef6c24f272f3f5ca2990 Mon Sep 17 00:00:00 2001
From: Pat Riehecky
Date: Fri, 26 Dec 2025 11:21:23 -0600
Subject: [PATCH] feat(cloudnative-pg): add optional networkPolicy
Signed-off-by: Pat Riehecky
---
 .../templates/networkpolicy.yaml | 22 +++++++++++++++
 charts/cloudnative-pg/values.schema.json | 3 ++
 charts/cloudnative-pg/values.yaml | 28 +++++++++++++++++++
 3 files changed, 53 insertions(+)
 create mode 100644 charts/cloudnative-pg/templates/networkpolicy.yaml
diff --git a/charts/cloudnative-pg/templates/networkpolicy.yaml b/charts/cloudnative-pg/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..6459fa83bd
--- /dev/null
+++ b/charts/cloudnative-pg/templates/networkpolicy.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "cloudnative-pg.fullname" . }}-network-policy
+ namespace: {{ include "cloudnative-pg.namespace" . }}
+spec:
+ egress:
+ {{- with .Values.networkPolicy.egress }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ ingress:
+ {{- with .Values.networkPolicy.ingress }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ podSelector:
+ matchLabels:
+ {{- include "cloudnative-pg.selectorLabels" . | nindent 6 }}
+ policyTypes:
+ - Egress
+ - Ingress
+{{- end }}
diff --git a/charts/cloudnative-pg/values.schema.json b/charts/cloudnative-pg/values.schema.json
index 4c69aae69a..6e33648681 100644
--- a/charts/cloudnative-pg/values.schema.json
+++ b/charts/cloudnative-pg/values.schema.json
@@ -167,6 +167,9 @@
 "namespaceOverride": {
 "type": "string"
 },
+ "networkPolicy": {
+ "type": "object"
+ },
 "nodeSelector": {
 "type": "object"
 },
diff --git a/charts/cloudnative-pg/values.yaml b/charts/cloudnative-pg/values.yaml
index cbba75053b..33f07f86f6 100644
--- a/charts/cloudnative-pg/values.yaml
+++ b/charts/cloudnative-pg/values.yaml
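Review bot: `policyTypes` always lists both Egress and Ingress, but `egress:` and `ingress:` render as null whenever `.Values.networkPolicy.egress` or `.ingress` is empty (the `with` block emits nothing), so enabling the policy with either list cleared yields a deny-all policy for that direction and the operator loses its DNS and API-server egress. If that default-deny behaviour is intended, state it in the template, e.g. `{{- /* An empty egress/ingress list denies all traffic in that direction, since both policyTypes are always declared. */ -}}` above `spec:`; otherwise wrap each `policyTypes` entry in the same `if` as its rule list. As a point of style, `metadata.name` uses `template "cloudnative-pg.fullname"` while the next line uses `include`; the chart presumably standardises on one form, so `name: {{ include "cloudnative-pg.fullname" . }}-network-policy` would keep the two lines consistent.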
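Review bot: The new schema entry only declares `networkPolicy` as an object, so `enabled: "false"` (a string) passes validation and, being a non-empty value in a Go template `if`, still renders the policy; likewise `ingress`/`egress` given as a mapping instead of a list would be passed through `toYaml` into `spec` unchecked. Declaring the three sub-keys lets `helm lint`/install reject those inputs before anything reaches the cluster. The enclosing `properties` object starts and ends outside the hunk.
```json
  "networkPolicy": {
    "type": "object",
    "properties": {
      "enabled": { "type": "boolean" },
      "ingress": { "type": "array", "items": { "type": "object" } },
      "egress": { "type": "array", "items": { "type": "object" } }
    }
  },
```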
@@ -66,6 +66,34 @@ webhook: failureThreshold: 6 periodSeconds: 5 +# Configure a networkPolicy for the operator +networkPolicy: + # -- Specifies whether the networkPolicy should be created. + enabled: false + # -- The ingress traffic + # Should match the webhook and (optionally) metrics port + ingress: + - ports: + - port: 8080 # metrics port + protcol: TCP + - port: 9443 # webhook port + protcol: TCP + # -- The egress traffic + # This uses DNS (53/udp, 53/tcp) and the API server (80/tcp, 443/tcp, 6443/tcp) + # OKD and Openshift use 6443/tcp + egress: + - ports: + - port: 80 + protocol: TCP + - port: 443 + protocol: TCP + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + - port: 6443 + protocol: TCP + # Operator configuration. config: # -- Specifies whether the secret should be created.
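Review bot: The two `protcol: TCP` lines under `ingress[0].ports` are misspelled; the NetworkPolicyPort field is `protocol`, and Helm's client-side OpenAPI validation (on by default) should reject the rendered manifest with an unknown-field error, while with validation disabled the key is silently dropped and `protocol` merely defaults to TCP, masking the typo. Change both lines to `protocol: TCP`. It is also worth saying in the `# --` comments that these rules carry `ports` but no `from:`/`to:` selectors, so the ingress ports are open to any source and the egress ports to any destination; the egress comment currently reads as if it were scoped to DNS and the API server, e.g. `# Port-only rules: with no to selector these ports are allowed to any destination`.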