feat: adding localhost/metadata deny network policy

charts/langgraph-cloud/templates/network-policy.yaml

@@ -0,0 +1,39 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "langGraphCloud.fullname" . }}-network-policy
+  namespace: {{ .Values.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "langGraphCloud.labels" . | nindent 4 }}
+  annotations:
+    {{- include "langGraphCloud.annotations" . | nindent 4 }}
+spec:
+  podSelector: {}  # Apply to all pods in namespace
+  policyTypes:
+    {{- toYaml .Values.networkPolicy.policyTypes | nindent 4 }}
+  {{- with .Values.networkPolicy.ingress }}
+  ingress:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  egress:
+    # Rule 1: Allow all IPv4 traffic EXCEPT blocked CIDRs
+    - to:
+      - ipBlock:
+          cidr: {{ .Values.networkPolicy.egress.allowAllExcept.cidr }}
+          except:
+            {{- toYaml .Values.networkPolicy.egress.allowAllExcept.except | nindent 12 }}
+    # Rule 2: Allow DNS resolution
+    {{- with .Values.networkPolicy.egress.dns }}
+    - ports:
+      {{- toYaml .ports | nindent 6 }}
+      {{- with .to }}
+      to:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
+    # Rule 3: Additional custom egress rules
+    {{- with .Values.networkPolicy.egress.custom }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}

charts/langgraph-cloud/values.yaml

@@ -15,6 +15,50 @@ commonVolumes: []
 # -- Common volume mounts added to all deployments/statefulsets.
 commonVolumeMounts: []
 
+# Network Policy configuration
+networkPolicy:
+  # -- Enable network policy to block metadata endpoints and localhost
+  enabled: true
+
+  # -- Policy types to enforce
+  policyTypes:
+    - Egress
+
+  # -- Ingress rules (empty by default - no ingress restrictions)
+  ingress: []
+
+  # -- Egress rules
+  egress:
+    # Allow all IPv4 traffic except specified CIDRs
+    allowAllExcept:
+      cidr: 0.0.0.0/0
+      except:
+        - 169.254.169.254/32  # Cloud metadata endpoint (AWS, Azure, GCP)
+
+    # DNS resolution configuration
+    dns:
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+      # Optional: Restrict DNS to specific destinations
+      # to:
+      #   - namespaceSelector:
+      #       matchLabels:
+      #         name: kube-system
+
+    # Additional custom egress rules (optional)
+    # Example: Allow egress to specific external services
+    custom: []
+    # custom:
+    #   - to:
+    #     - ipBlock:
+    #         cidr: 10.0.0.0/8
+    #     ports:
+    #     - protocol: TCP
+    #       port: 443
+
 images:
   # -- If supplied, all children <image_name>.repository values will be prepended with this registry name + `/`
   registry:

charts/langgraph-dataplane/templates/network-policy.yaml

@@ -0,0 +1,39 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "langgraphDataplane.fullname" . }}-network-policy
+  namespace: {{ .Values.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "langgraphDataplane.labels" . | nindent 4 }}
+  annotations:
+    {{- include "langgraphDataplane.annotations" . | nindent 4 }}
+spec:
+  podSelector: {}  # Apply to all pods in namespace
+  policyTypes:
+    {{- toYaml .Values.networkPolicy.policyTypes | nindent 4 }}
+  {{- with .Values.networkPolicy.ingress }}
+  ingress:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  egress:
+    # Rule 1: Allow all IPv4 traffic EXCEPT blocked CIDRs
+    - to:
+      - ipBlock:
+          cidr: {{ .Values.networkPolicy.egress.allowAllExcept.cidr }}
+          except:
+            {{- toYaml .Values.networkPolicy.egress.allowAllExcept.except | nindent 12 }}
+    # Rule 2: Allow DNS resolution
+    {{- with .Values.networkPolicy.egress.dns }}
+    - ports:
+      {{- toYaml .ports | nindent 6 }}
+      {{- with .to }}
+      to:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
+    # Rule 3: Additional custom egress rules
+    {{- with .Values.networkPolicy.egress.custom }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}

charts/langgraph-dataplane/values.yaml

@@ -17,6 +17,50 @@ commonVolumes: []
 # -- Common volume mounts added to all deployments/statefulsets.
 commonVolumeMounts: []
 
+# Network Policy configuration
+networkPolicy:
+  # -- Enable network policy to block metadata endpoints and localhost
+  enabled: true
+
+  # -- Policy types to enforce
+  policyTypes:
+    - Egress
+
+  # -- Ingress rules (empty by default - no ingress restrictions)
+  ingress: []
+
+  # -- Egress rules
+  egress:
+    # Allow all IPv4 traffic except specified CIDRs
+    allowAllExcept:
+      cidr: 0.0.0.0/0
+      except:
+        - 169.254.169.254/32  # Cloud metadata endpoint (AWS, Azure, GCP)
+
+    # DNS resolution configuration
+    dns:
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+      # Optional: Restrict DNS to specific destinations
+      # to:
+      #   - namespaceSelector:
+      #       matchLabels:
+      #         name: kube-system
+
+    # Additional custom egress rules (optional)
+    # Example: Allow egress to specific external services
+    custom: []
+    # custom:
+    #   - to:
+    #     - ipBlock:
+    #         cidr: 10.0.0.0/8
+    #     ports:
+    #     - protocol: TCP
+    #       port: 443
+
 images:
    # -- If supplied, all children <image_name>.repository values will be prepended with this registry name + `/`
   registry: ""

charts/langsmith-observability/templates/network-policy.yaml

@@ -0,0 +1,37 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .Release.Name }}-network-policy
+  namespace: {{ .Values.langsmithNamespace | default "langsmith" | quote }}
+  labels:
+    {{- include "langsmith-observability.labels" . | nindent 4 }}
+spec:
+  podSelector: {}  # Apply to all pods in namespace
+  policyTypes:
+    {{- toYaml .Values.networkPolicy.policyTypes | nindent 4 }}
+  {{- with .Values.networkPolicy.ingress }}
+  ingress:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  egress:
+    # Rule 1: Allow all IPv4 traffic EXCEPT blocked CIDRs
+    - to:
+      - ipBlock:
+          cidr: {{ .Values.networkPolicy.egress.allowAllExcept.cidr }}
+          except:
+            {{- toYaml .Values.networkPolicy.egress.allowAllExcept.except | nindent 12 }}
+    # Rule 2: Allow DNS resolution
+    {{- with .Values.networkPolicy.egress.dns }}
+    - ports:
+      {{- toYaml .ports | nindent 6 }}
+      {{- with .to }}
+      to:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
+    # Rule 3: Additional custom egress rules
+    {{- with .Values.networkPolicy.egress.custom }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}

charts/langsmith-observability/values.yaml

@@ -7,6 +7,50 @@ nameOverride: ""
 # -- Labels that will be applied to all resources created by the chart
 commonLabels: {}
 
+# Network Policy configuration
+networkPolicy:
+  # -- Enable network policy to block metadata endpoints and localhost
+  enabled: true
+
+  # -- Policy types to enforce
+  policyTypes:
+    - Egress
+
+  # -- Ingress rules (empty by default - no ingress restrictions)
+  ingress: []
+
+  # -- Egress rules
+  egress:
+    # Allow all IPv4 traffic except specified CIDRs
+    allowAllExcept:
+      cidr: 0.0.0.0/0
+      except:
+        - 169.254.169.254/32  # Cloud metadata endpoint (AWS, Azure, GCP)
+
+    # DNS resolution configuration
+    dns:
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+      # Optional: Restrict DNS to specific destinations
+      # to:
+      #   - namespaceSelector:
+      #       matchLabels:
+      #         name: kube-system
+
+    # Additional custom egress rules (optional)
+    # Example: Allow egress to specific external services
+    custom: []
+    # custom:
+    #   - to:
+    #     - ipBlock:
+    #         cidr: 10.0.0.0/8
+    #     ports:
+    #     - protocol: TCP
+    #       port: 443
+
 # ======================== Grafana ========================
 
 # Values for Grafana: https://github.com/grafana/helm-charts/blob/main/charts/grafana/values.yaml

charts/langsmith/templates/network-policy.yaml

@@ -0,0 +1,39 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "langsmith.fullname" . }}-network-policy
+  namespace: {{ .Values.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "langsmith.labels" . | nindent 4 }}
+  annotations:
+    {{- include "langsmith.annotations" . | nindent 4 }}
+spec:
+  podSelector: {}  # Apply to all pods in namespace
+  policyTypes:
+    {{- toYaml .Values.networkPolicy.policyTypes | nindent 4 }}
+  {{- with .Values.networkPolicy.ingress }}
+  ingress:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  egress:
+    # Rule 1: Allow all IPv4 traffic EXCEPT blocked CIDRs
+    - to:
+      - ipBlock:
+          cidr: {{ .Values.networkPolicy.egress.allowAllExcept.cidr }}
+          except:
+            {{- toYaml .Values.networkPolicy.egress.allowAllExcept.except | nindent 12 }}
+    # Rule 2: Allow DNS resolution
+    {{- with .Values.networkPolicy.egress.dns }}
+    - ports:
+      {{- toYaml .ports | nindent 6 }}
+      {{- with .to }}
+      to:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
+    # Rule 3: Additional custom egress rules
+    {{- with .Values.networkPolicy.egress.custom }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}

charts/langsmith/values.yaml

@@ -25,6 +25,50 @@ commonPodSecurityContext: {}
 # -- Kubernetes cluster domain. Only change if not using 'cluster.local'
 clusterDomain: "cluster.local"
 
+# Network Policy configuration
+networkPolicy:
+  # -- Enable network policy to block metadata endpoints and localhost
+  enabled: true
+
+  # -- Policy types to enforce
+  policyTypes:
+    - Egress
+
+  # -- Ingress rules (empty by default - no ingress restrictions)
+  ingress: []
+
+  # -- Egress rules
+  egress:
+    # Allow all IPv4 traffic except specified CIDRs
+    allowAllExcept:
+      cidr: 0.0.0.0/0
+      except:
+        - 169.254.169.254/32  # Cloud metadata endpoint (AWS, Azure, GCP)
+
+    # DNS resolution configuration
+    dns:
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+      # Optional: Restrict DNS to specific destinations
+      # to:
+      #   - namespaceSelector:
+      #       matchLabels:
+      #         name: kube-system
+
+    # Additional custom egress rules (optional)
+    # Example: Allow egress to specific external services
+    custom: []
+    # custom:
+    #   - to:
+    #     - ipBlock:
+    #         cidr: 10.0.0.0/8
+    #     ports:
+    #     - protocol: TCP
+    #       port: 443
+
 images:
    # -- If supplied, all children <image_name>.repository values will be prepended with this registry name + `/`
   registry: ""