Merge pull request #435 from ishankhare07/fix-workload-namespace-isol…

…ation

introduce isolation.targetNamespace in k0s, k3s, k8s chart values

charts/k0s/templates/limitrange.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: LimitRange
 metadata:
   name: {{ .Release.Name }}-limit-range
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Values.isolation.namespace | default .Release.Namespace }}
 spec:
   limits:
   - default:

charts/k0s/templates/networkpolicy.yaml

@@ -3,7 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: {{ .Release.Name }}-workloads
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Values.isolation.namespace | default .Release.Namespace }}
 spec:
   podSelector:
     matchLabels:
@@ -30,13 +30,11 @@ spec:
             matchLabels:
               vcluster.loft.sh/managed-by: {{ .Release.Name }}
         - ipBlock:
-            cidr: 0.0.0.0/0
+            cidr: {{ .Values.isolation.networkPolicy.outgoingConnections.ipBlock.cidr }}
             except:
-              - 100.64.0.0/10
-              - 127.0.0.0/8
-              - 10.0.0.0/8
-              - 172.16.0.0/12
-              - 192.168.0.0/16
+              {{- range .Values.isolation.networkPolicy.outgoingConnections.ipBlock.except }}
+              - {{ . }}
+              {{- end }}
   policyTypes:
     - Egress
 ---

charts/k0s/templates/resourcequota.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ResourceQuota
 metadata:
   name:  {{ .Release.Name }}-quota
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Values.isolation.namespace | default .Release.Namespace }}
 spec:
   hard:
     {{- range $key, $val := .Values.isolation.resourceQuota.quota }}

charts/k0s/values.yaml

@@ -242,6 +242,7 @@ coredns:
 # standards, limit ranges and resource quotas
 isolation:
   enabled: false
+  namespace: null
 
   podSecurityStandard: baseline
 
@@ -280,3 +281,12 @@ isolation:
 
   networkPolicy:
     enabled: true
+    outgoingConnections:
+      ipBlock:
+        cidr: 0.0.0.0/0
+        except:
+          - 100.64.0.0/10
+          - 127.0.0.0/8
+          - 10.0.0.0/8
+          - 172.16.0.0/12
+          - 192.168.0.0/16

charts/k3s/templates/limitrange.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: LimitRange
 metadata:
   name: {{ .Release.Name }}-limit-range
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Values.isolation.namespace | default .Release.Namespace }}
 spec:
   limits:
   - default:

charts/k3s/templates/networkpolicy.yaml

@@ -3,7 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: {{ .Release.Name }}-workloads
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Values.isolation.namespace | default .Release.Namespace }}
 spec:
   podSelector:
     matchLabels:
@@ -30,13 +30,11 @@ spec:
             matchLabels:
               vcluster.loft.sh/managed-by: {{ .Release.Name }}
         - ipBlock:
-            cidr: 0.0.0.0/0
+            cidr: {{ .Values.isolation.networkPolicy.outgoingConnections.ipBlock.cidr }}
             except:
-              - 100.64.0.0/10
-              - 127.0.0.0/8
-              - 10.0.0.0/8
-              - 172.16.0.0/12
-              - 192.168.0.0/16
+              {{- range .Values.isolation.networkPolicy.outgoingConnections.ipBlock.except }}
+              - {{ . }}
+              {{- end }}
   policyTypes:
     - Egress
 ---

charts/k3s/templates/resourcequota.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ResourceQuota
 metadata:
   name:  {{ .Release.Name }}-quota
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Values.isolation.namespace | default .Release.Namespace }}
 spec:
   hard:
     {{- range $key, $val := .Values.isolation.resourceQuota.quota }}

charts/k3s/values.yaml

@@ -244,6 +244,7 @@ coredns:
 # standards, limit ranges and resource quotas
 isolation:
   enabled: false
+  namespace: null
 
   podSecurityStandard: baseline
 
@@ -282,3 +283,12 @@ isolation:
 
   networkPolicy:
     enabled: true
+    outgoingConnections:
+      ipBlock:
+        cidr: 0.0.0.0/0
+        except:
+          - 100.64.0.0/10
+          - 127.0.0.0/8
+          - 10.0.0.0/8
+          - 172.16.0.0/12
+          - 192.168.0.0/16

charts/k8s/templates/limitrange.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: LimitRange
 metadata:
   name: {{ .Release.Name }}-limit-range
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Values.isolation.namespace | default .Release.Namespace }}
 spec:
   limits:
   - default:

charts/k8s/templates/networkpolicy.yaml

@@ -3,7 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: {{ .Release.Name }}-workloads
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Values.isolation.namespace | default .Release.Namespace }}
 spec:
   podSelector:
     matchLabels:
@@ -30,13 +30,11 @@ spec:
             matchLabels:
               vcluster.loft.sh/managed-by: {{ .Release.Name }}
         - ipBlock:
-            cidr: 0.0.0.0/0
+            cidr: {{ .Values.isolation.networkPolicy.outgoingConnections.ipBlock.cidr }}
             except:
-              - 100.64.0.0/10
-              - 127.0.0.0/8
-              - 10.0.0.0/8
-              - 172.16.0.0/12
-              - 192.168.0.0/16
+              {{- range .Values.isolation.networkPolicy.outgoingConnections.ipBlock.except }}
+              - {{ . }}
+              {{- end }}
   policyTypes:
     - Egress
 ---

charts/k8s/templates/resourcequota.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ResourceQuota
 metadata:
   name:  {{ .Release.Name }}-quota
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Values.isolation.namespace | default .Release.Namespace }}
 spec:
   hard:
     {{- range $key, $val := .Values.isolation.resourceQuota.quota }}

charts/k8s/values.yaml

@@ -273,6 +273,7 @@ coredns:
 # standards, limit ranges and resource quotas
 isolation:
   enabled: false
+  namespace: null
 
   podSecurityStandard: baseline
 
@@ -311,3 +312,12 @@ isolation:
 
   networkPolicy:
     enabled: true
+    outgoingConnections:
+      ipBlock:
+        cidr: 0.0.0.0/0
+        except:
+          - 100.64.0.0/10
+          - 127.0.0.0/8
+          - 10.0.0.0/8
+          - 172.16.0.0/12
+          - 192.168.0.0/16