From 29b41fbe63b4e489d0a79a6959d7d4089f290be6 Mon Sep 17 00:00:00 2001
From: John Kennedy <65985482+jkennedyvz@users.noreply.github.com>
Date: Tue, 13 Jan 2026 11:13:56 -0800
Subject: [PATCH] feat: adding default metadata deny network policy
---
 .../templates/network-policy.yaml | 39 ++++++++++++++++
 charts/langgraph-cloud/values.yaml | 44 +++++++++++++++++++
 .../templates/network-policy.yaml | 39 ++++++++++++++++
 charts/langgraph-dataplane/values.yaml | 44 +++++++++++++++++++
 .../templates/network-policy.yaml | 37 ++++++++++++++++
 charts/langsmith-observability/values.yaml | 44 +++++++++++++++++++
 .../langsmith/templates/network-policy.yaml | 39 ++++++++++++++++
 charts/langsmith/values.yaml | 44 +++++++++++++++++++
 8 files changed, 330 insertions(+)
 create mode 100644 charts/langgraph-cloud/templates/network-policy.yaml
 create mode 100644 charts/langgraph-dataplane/templates/network-policy.yaml
 create mode 100644 charts/langsmith-observability/templates/network-policy.yaml
 create mode 100644 charts/langsmith/templates/network-policy.yaml
diff --git a/charts/langgraph-cloud/templates/network-policy.yaml b/charts/langgraph-cloud/templates/network-policy.yaml
new file mode 100644
index 00000000..db1f12e4
--- /dev/null
+++ b/charts/langgraph-cloud/templates/network-policy.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "langGraphCloud.fullname" . }}-network-policy
+ namespace: {{ .Values.namespace | default .Release.Namespace | quote }}
+ labels:
+ {{- include "langGraphCloud.labels" . | nindent 4 }}
+ annotations:
+ {{- include "langGraphCloud.annotations" . | nindent 4 }}
+spec:
+ podSelector: {} # Apply to all pods in namespace
+ policyTypes:
+ {{- toYaml .Values.networkPolicy.policyTypes | nindent 4 }}
+ {{- with .Values.networkPolicy.ingress }}
+ ingress:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ egress:
+ # Rule 1: Allow all IPv4 traffic EXCEPT blocked CIDRs
+ - to:
+ - ipBlock:
+ cidr: {{ .Values.networkPolicy.egress.allowAllExcept.cidr }}
+ except:
+ {{- toYaml .Values.networkPolicy.egress.allowAllExcept.except | nindent 12 }}
+ # Rule 2: Allow DNS resolution
+ {{- with .Values.networkPolicy.egress.dns }}
+ - ports:
+ {{- toYaml .ports | nindent 6 }}
+ {{- with .to }}
+ to:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ # Rule 3: Additional custom egress rules
+ {{- with .Values.networkPolicy.egress.custom }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/langgraph-cloud/values.yaml b/charts/langgraph-cloud/values.yaml
index 1deb4b9a..1ffc47a9 100644
--- a/charts/langgraph-cloud/values.yaml
+++ b/charts/langgraph-cloud/values.yaml
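Review bot: Rule 2 carries no `to` unless `networkPolicy.egress.dns.to` is set, so with the shipped defaults it allows UDP/TCP 53 to every destination, including the CIDRs that Rule 1's `except` is meant to deny; any `custom` rule without a `to` widens the exception the same way, because egress rules are OR'd. The deny therefore only holds for ports no other rule names, which is worth stating above Rule 2, e.g. `# Rules without a 'to' (DNS when dns.to is unset, custom rules) reach every destination, including Rule 1's except list`. A second gap is that `cidr: 0.0.0.0/0` matches IPv4 only: on a dual-stack cluster IPv6 egress has no matching rule and is dropped once the policy is enabled, and a user who adds `::/0` to restore it also needs the IPv6 metadata address in `except` (AWS serves IMDS on `fd00:ec2::254`). The same two points apply to the identical templates in the langgraph-dataplane, langsmith-observability and langsmith charts below.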
@@ -15,6 +15,50 @@ commonVolumes: []
 # -- Common volume mounts added to all deployments/statefulsets.
 commonVolumeMounts: []
+# Network Policy configuration
+networkPolicy:
+ # -- Enable network policy to block metadata endpoints and localhost
+ enabled: true
+
+ # -- Policy types to enforce
+ policyTypes:
+ - Egress
+
+ # -- Ingress rules (empty by default - no ingress restrictions)
+ ingress: []
+
+ # -- Egress rules
+ egress:
+ # Allow all IPv4 traffic except specified CIDRs
+ allowAllExcept:
+ cidr: 0.0.0.0/0
+ except:
+ - 169.254.169.254/32 # Cloud metadata endpoint (AWS, Azure, GCP)
+
+ # DNS resolution configuration
+ dns:
+ ports:
+ - protocol: UDP
+ port: 53
+ - protocol: TCP
+ port: 53
+ # Optional: Restrict DNS to specific destinations
+ # to:
+ # - namespaceSelector:
+ # matchLabels:
+ # name: kube-system
+
+ # Additional custom egress rules (optional)
+ # Example: Allow egress to specific external services
+ custom: []
+ # custom:
+ # - to:
+ # - ipBlock:
+ # cidr: 10.0.0.0/8
+ # ports:
+ # - protocol: TCP
+ # port: 443
+
 images:
 # -- If supplied, all children .repository values will be prepended with this registry name + `/`
 registry:
diff --git a/charts/langgraph-dataplane/templates/network-policy.yaml b/charts/langgraph-dataplane/templates/network-policy.yaml
new file mode 100644
index 00000000..e0993b18
--- /dev/null
+++ b/charts/langgraph-dataplane/templates/network-policy.yaml
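Review bot: The `enabled` comment promises to block "metadata endpoints and localhost", but nothing in `allowAllExcept.except` covers loopback and a NetworkPolicy does not govern a pod's own loopback traffic, so the comment should read `# -- Enable the namespace-wide egress NetworkPolicy that denies the cloud metadata endpoint`. Two caveats belong next to `enabled: true`, since the policy selects every pod in the namespace and not just this chart's: it is only enforced by a CNI that implements NetworkPolicy (otherwise the object is accepted and does nothing), and any workload that obtains cloud credentials through IMDS rather than workload identity loses them once it is on. The commented `to:` example keys the kube-system selector on `name: kube-system`, a label that is not set by default; the label Kubernetes applies to every namespace is `kubernetes.io/metadata.name: kube-system`. The same block is repeated in the langgraph-dataplane, langsmith-observability and langsmith values files below.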
@@ -0,0 +1,39 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "langgraphDataplane.fullname" . }}-network-policy
+ namespace: {{ .Values.namespace | default .Release.Namespace | quote }}
+ labels:
+ {{- include "langgraphDataplane.labels" . | nindent 4 }}
+ annotations:
+ {{- include "langgraphDataplane.annotations" . | nindent 4 }}
+spec:
+ podSelector: {} # Apply to all pods in namespace
+ policyTypes:
+ {{- toYaml .Values.networkPolicy.policyTypes | nindent 4 }}
+ {{- with .Values.networkPolicy.ingress }}
+ ingress:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ egress:
+ # Rule 1: Allow all IPv4 traffic EXCEPT blocked CIDRs
+ - to:
+ - ipBlock:
+ cidr: {{ .Values.networkPolicy.egress.allowAllExcept.cidr }}
+ except:
+ {{- toYaml .Values.networkPolicy.egress.allowAllExcept.except | nindent 12 }}
+ # Rule 2: Allow DNS resolution
+ {{- with .Values.networkPolicy.egress.dns }}
+ - ports:
+ {{- toYaml .ports | nindent 6 }}
+ {{- with .to }}
+ to:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ # Rule 3: Additional custom egress rules
+ {{- with .Values.networkPolicy.egress.custom }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/langgraph-dataplane/values.yaml b/charts/langgraph-dataplane/values.yaml
index 0c4b9180..c43c3ecc 100644
--- a/charts/langgraph-dataplane/values.yaml
+++ b/charts/langgraph-dataplane/values.yaml
@@ -17,6 +17,50 @@ commonVolumes: []
 # -- Common volume mounts added to all deployments/statefulsets.
 commonVolumeMounts: []
+# Network Policy configuration
+networkPolicy:
+ # -- Enable network policy to block metadata endpoints and localhost
+ enabled: true
+
+ # -- Policy types to enforce
+ policyTypes:
+ - Egress
+
+ # -- Ingress rules (empty by default - no ingress restrictions)
+ ingress: []
+
+ # -- Egress rules
+ egress:
+ # Allow all IPv4 traffic except specified CIDRs
+ allowAllExcept:
+ cidr: 0.0.0.0/0
+ except:
+ - 169.254.169.254/32 # Cloud metadata endpoint (AWS, Azure, GCP)
+
+ # DNS resolution configuration
+ dns:
+ ports:
+ - protocol: UDP
+ port: 53
+ - protocol: TCP
+ port: 53
+ # Optional: Restrict DNS to specific destinations
+ # to:
+ # - namespaceSelector:
+ # matchLabels:
+ # name: kube-system
+
+ # Additional custom egress rules (optional)
+ # Example: Allow egress to specific external services
+ custom: []
+ # custom:
+ # - to:
+ # - ipBlock:
+ # cidr: 10.0.0.0/8
+ # ports:
+ # - protocol: TCP
+ # port: 443
+
 images:
 # -- If supplied, all children .repository values will be prepended with this registry name + `/`
 registry: ""
diff --git a/charts/langsmith-observability/templates/network-policy.yaml b/charts/langsmith-observability/templates/network-policy.yaml
new file mode 100644
index 00000000..3d8f62fc
--- /dev/null
+++ b/charts/langsmith-observability/templates/network-policy.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ .Release.Name }}-network-policy
+ namespace: {{ .Values.langsmithNamespace | default "langsmith" | quote }}
+ labels:
+ {{- include "langsmith-observability.labels" . | nindent 4 }}
+spec:
+ podSelector: {} # Apply to all pods in namespace
+ policyTypes:
+ {{- toYaml .Values.networkPolicy.policyTypes | nindent 4 }}
+ {{- with .Values.networkPolicy.ingress }}
+ ingress:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ egress:
+ # Rule 1: Allow all IPv4 traffic EXCEPT blocked CIDRs
+ - to:
+ - ipBlock:
+ cidr: {{ .Values.networkPolicy.egress.allowAllExcept.cidr }}
+ except:
+ {{- toYaml .Values.networkPolicy.egress.allowAllExcept.except | nindent 12 }}
+ # Rule 2: Allow DNS resolution
+ {{- with .Values.networkPolicy.egress.dns }}
+ - ports:
+ {{- toYaml .ports | nindent 6 }}
+ {{- with .to }}
+ to:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ # Rule 3: Additional custom egress rules
+ {{- with .Values.networkPolicy.egress.custom }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/langsmith-observability/values.yaml b/charts/langsmith-observability/values.yaml
index 7e57a9f4..c8e03ba8 100644
--- a/charts/langsmith-observability/values.yaml
+++ b/charts/langsmith-observability/values.yaml
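Review bot: Unlike the other three templates, this policy is placed in `.Values.langsmithNamespace | default "langsmith"` rather than the release namespace, so with `podSelector: {}` it selects every pod in the LangSmith namespace, including whatever the langsmith chart installs there; if that chart is deployed in the same namespace with its own default-enabled policy, the namespace carries two namespace-wide egress policies and turning `networkPolicy.enabled` off in one chart does not lift the other. That interaction deserves a comment above `namespace:`, e.g. `# Installed into the LangSmith namespace, not the release namespace; the langsmith chart ships an equivalent policy there`. This template also omits the `annotations:` block the other three render, which is fine if intentional but currently unexplained.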
@@ -7,6 +7,50 @@ nameOverride: ""
 # -- Labels that will be applied to all resources created by the chart
 commonLabels: {}
+# Network Policy configuration
+networkPolicy:
+ # -- Enable network policy to block metadata endpoints and localhost
+ enabled: true
+
+ # -- Policy types to enforce
+ policyTypes:
+ - Egress
+
+ # -- Ingress rules (empty by default - no ingress restrictions)
+ ingress: []
+
+ # -- Egress rules
+ egress:
+ # Allow all IPv4 traffic except specified CIDRs
+ allowAllExcept:
+ cidr: 0.0.0.0/0
+ except:
+ - 169.254.169.254/32 # Cloud metadata endpoint (AWS, Azure, GCP)
+
+ # DNS resolution configuration
+ dns:
+ ports:
+ - protocol: UDP
+ port: 53
+ - protocol: TCP
+ port: 53
+ # Optional: Restrict DNS to specific destinations
+ # to:
+ # - namespaceSelector:
+ # matchLabels:
+ # name: kube-system
+
+ # Additional custom egress rules (optional)
+ # Example: Allow egress to specific external services
+ custom: []
+ # custom:
+ # - to:
+ # - ipBlock:
+ # cidr: 10.0.0.0/8
+ # ports:
+ # - protocol: TCP
+ # port: 443
+
 # ======================== Grafana ========================
 # Values for Grafana: https://github.com/grafana/helm-charts/blob/main/charts/grafana/values.yaml
diff --git a/charts/langsmith/templates/network-policy.yaml b/charts/langsmith/templates/network-policy.yaml
new file mode 100644
index 00000000..9a0b5640
--- /dev/null
+++ b/charts/langsmith/templates/network-policy.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "langsmith.fullname" . }}-network-policy
+ namespace: {{ .Values.namespace | default .Release.Namespace | quote }}
+ labels:
+ {{- include "langsmith.labels" . | nindent 4 }}
+ annotations:
+ {{- include "langsmith.annotations" . | nindent 4 }}
+spec:
+ podSelector: {} # Apply to all pods in namespace
+ policyTypes:
+ {{- toYaml .Values.networkPolicy.policyTypes | nindent 4 }}
+ {{- with .Values.networkPolicy.ingress }}
+ ingress:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ egress:
+ # Rule 1: Allow all IPv4 traffic EXCEPT blocked CIDRs
+ - to:
+ - ipBlock:
+ cidr: {{ .Values.networkPolicy.egress.allowAllExcept.cidr }}
+ except:
+ {{- toYaml .Values.networkPolicy.egress.allowAllExcept.except | nindent 12 }}
+ # Rule 2: Allow DNS resolution
+ {{- with .Values.networkPolicy.egress.dns }}
+ - ports:
+ {{- toYaml .ports | nindent 6 }}
+ {{- with .to }}
+ to:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ # Rule 3: Additional custom egress rules
+ {{- with .Values.networkPolicy.egress.custom }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/langsmith/values.yaml b/charts/langsmith/values.yaml
index cd844ea7..b0fdf325 100644
--- a/charts/langsmith/values.yaml
+++ b/charts/langsmith/values.yaml
@@ -25,6 +25,50 @@ commonPodSecurityContext: {}
 # -- Kubernetes cluster domain. Only change if not using 'cluster.local'
 clusterDomain: "cluster.local"
+# Network Policy configuration
+networkPolicy:
+ # -- Enable network policy to block metadata endpoints and localhost
+ enabled: true
+
+ # -- Policy types to enforce
+ policyTypes:
+ - Egress
+
+ # -- Ingress rules (empty by default - no ingress restrictions)
+ ingress: []
+
+ # -- Egress rules
+ egress:
+ # Allow all IPv4 traffic except specified CIDRs
+ allowAllExcept:
+ cidr: 0.0.0.0/0
+ except:
+ - 169.254.169.254/32 # Cloud metadata endpoint (AWS, Azure, GCP)
+
+ # DNS resolution configuration
+ dns:
+ ports:
+ - protocol: UDP
+ port: 53
+ - protocol: TCP
+ port: 53
+ # Optional: Restrict DNS to specific destinations
+ # to:
+ # - namespaceSelector:
+ # matchLabels:
+ # name: kube-system
+
+ # Additional custom egress rules (optional)
+ # Example: Allow egress to specific external services
+ custom: []
+ # custom:
+ # - to:
+ # - ipBlock:
+ # cidr: 10.0.0.0/8
+ # ports:
+ # - protocol: TCP
+ # port: 443
+
 images:
 # -- If supplied, all children .repository values will be prepended with this registry name + `/`
 registry: ""