diff --git a/docs/hugo/content/contributing/aso-codegen-structure.svg b/docs/hugo/content/contributing/aso-codegen-structure.svg index df45b7e4975..6b8050cee28 100644 --- a/docs/hugo/content/contributing/aso-codegen-structure.svg +++ b/docs/hugo/content/contributing/aso-codegen-structure.svg @@ -1 +1 @@ -pkgpkginternalinternaltestcasestestcasestesttestreportingreportingjsonastjsonastfunctionsfunctionsconversionsconversionsconfigconfigcodegencodegenastmodelastmodelastbuilderastbuildertestdatatestdatatestdatatestdatatestdatatestdatatestdatatestdatapipelinepipelinetestdatatestdatastoragestoragetestdatatestdataArmResourceArmResourceAllOfAllOf.go.json.md.mod.yamleach dot sized by file size \ No newline at end of file +pkgpkginternalinternaltestcasestestcasestesttestreportingreportingjsonastjsonastfunctionsfunctionsconversionsconversionsconfigconfigcodegencodegenastmodelastmodelastbuilderastbuildertestdatatestdatatestdatatestdatatestdatatestdatatestdatatestdatapipelinepipelinetestdatatestdatastoragestoragetestdatatestdataArmResourceArmResourceAllOfAllOf.go.json.md.mod.yamleach dot sized by file size \ No newline at end of file diff --git a/docs/hugo/content/contributing/aso-v1-structure.svg b/docs/hugo/content/contributing/aso-v1-structure.svg index bb062d39a79..b5db9390f51 100644 --- a/docs/hugo/content/contributing/aso-v1-structure.svg +++ b/docs/hugo/content/contributing/aso-v1-structure.svg 
@@ -1 +1 @@ -scriptsscriptspkgpkgdevopsdevopscontrollerscontrollersconfigconfigchartschartsapiapisecretssecretsresourcemanagerresourcemanagerhelpershelperserrhelperrhelpsamplessamplesrbacrbacdefaultdefaultcrdcrdazure-service-operatorazure-service-operatorv1beta1v1beta1v1alpha2v1alpha2v1alpha1v1alpha1kubekubekeyvaultkeyvaultvnetvnetvmssvmssvmextvmextvmvmstoragesstoragesrediscachesrediscachespsqlpsqlpippipnicnicmysqlmysqlkeyvaultskeyvaultseventhubseventhubscosmosdbcosmosdbconfigconfigazuresqlazuresqlappinsightsappinsightsapimapimpatchespatchescrdscrdstemplatestemplatesredisredisvnetrulevnetruleserverserverpsqluserpsqluserdatabasedatabasevnetrulevnetruleserverservermysqlusermysqluserdatabasedatabasesqldatabasesqldatabaseaccountaccountazuresqldbazuresqldbapimgmtapimgmtgeneratedgenerated.gitignore.go.json.md.mod.mysql.sh.yaml.ymleach dot sized by file size \ No newline at end of file +scriptsscriptspkgpkgdevopsdevopscontrollerscontrollersconfigconfigchartschartsapiapisecretssecretsresourcemanagerresourcemanagerhelpershelperserrhelperrhelpsamplessamplesrbacrbacdefaultdefaultcrdcrdazure-service-operatorazure-service-operatorv1beta1v1beta1v1alpha2v1alpha2v1alpha1v1alpha1kubekubekeyvaultkeyvaultvnetvnetvmssvmssvmextvmextvmvmstoragesstoragesrediscachesrediscachespsqlpsqlpippipnicnicmysqlmysqlkeyvaultskeyvaultseventhubseventhubscosmosdbcosmosdbconfigconfigazuresqlazuresqlappinsightsappinsightsapimapimpatchespatchescrdscrdstemplatestemplatesredisredisvnetrulevnetruleserverserverpsqluserpsqluserdatabasedatabasevnetrulevnetruleserverservermysqlusermysqluserdatabasedatabasesqldatabasesqldatabaseaccountaccountazuresqldbazuresqldbapimgmtapimgmtgeneratedgenerated.gitignore.go.json.md.mod.mysql.sh.yaml.ymleach dot sized by file size \ No newline at end of file diff --git a/docs/hugo/content/contributing/aso-v2-structure.svg b/docs/hugo/content/contributing/aso-v2-structure.svg index cba659cef46..a743018c592 100644 --- a/docs/hugo/content/contributing/aso-v2-structure.svg 
+++ b/docs/hugo/content/contributing/aso-v2-structure.svg @@ -1 +1 @@ -samplessamplespkgpkginternalinternalconfigconfigchartschartsapiapistoragestoragenetworknetworkeventgrideventgriddocumentdbdocumentdbcomputecomputecachecachegenruntimegenruntimeutilutilcontrollerscontrollerswebwebsynapsesynapsesubscriptionsubscriptionstoragestoragesqlsqlsignalrservicesignalrserviceservicebusservicebussearchsearchresourcesresourcesnetworknetworkmanagedidentitymanagedidentitykeyvaultkeyvaultinsightsinsightseventhubeventhubeventgrideventgriddocumentdbdocumentdbdevicesdevicesdbforpostgresqldbforpostgresqldbformysqldbformysqldbformariadbdbformariadbdataprotectiondataprotectiondatafactorydatafactorycontainerservicecontainerservicecomputecomputecdncdncachecachebatchbatchauthorizationauthorizationmongodbmongodbrecordingsrecordingsv1api20211101v1api20211101.gitignore.go.md.mod.mysql.sql.txt.yamleach dot sized by file size \ No newline at end of file +samplessamplespkgpkginternalinternalconfigconfigchartschartsapiapistoragestoragenetworknetworkeventgrideventgriddocumentdbdocumentdbcomputecomputecachecachegenruntimegenruntimeutilutilcontrollerscontrollerswebwebsynapsesynapsesubscriptionsubscriptionstoragestoragesqlsqlsignalrservicesignalrserviceservicebusservicebussearchsearchresourcesresourcesnetworknetworkmanagedidentitymanagedidentitykeyvaultkeyvaultinsightsinsightseventhubeventhubeventgrideventgriddocumentdbdocumentdbdevicesdevicesdbforpostgresqldbforpostgresqldbformysqldbformysqldbformariadbdbformariadbdatafactorydatafactorycontainerservicecontainerservicecomputecomputecdncdncachecachebatchbatchauthorizationauthorizationrecordingsrecordingsv1api20211101v1api20211101.gitignore.go.md.mod.mysql.sql.txt.yamleach dot sized by file size \ No newline at end of file diff --git a/docs/hugo/content/contributing/asoctl-structure.svg b/docs/hugo/content/contributing/asoctl-structure.svg index e4f3b8a365f..fa9b158d985 100644 --- a/docs/hugo/content/contributing/asoctl-structure.svg 
+++ b/docs/hugo/content/contributing/asoctl-structure.svg @@ -1 +1 @@ -internalinternalcmdcmdimportingimportingcrdcrdimport_azure_r...import_azure_r...import_azure_r...root.goroot.goroot.golog.golog.golog.goclean-crds.goclean-crds.goclean-crds.gogo.sumgo.sumgo.sumgo.modgo.modgo.modimportable_arm_resource.goimportable_arm_resource.goimportable_arm_resource.goresource_importer.goresource_importer.goresource_importer.goimportable_arm_...importable_arm_...importable_arm_...resource_impor...resource_impor...resource_impor...resource_impor...resource_impor...resource_impor...importable_re...importable_re...importable_re...find_resour...find_resour...find_resour...find_child...find_child...find_child...find_grou...find_grou...find_grou...import_s...import_s...import_s...cleaner_test.gocleaner_test.gocleaner_test.gocleaner.gocleaner.gocleaner.go.cmd.go.modeach dot sized by file size \ No newline at end of file +internalinternalcmdcmdimportingimportingcrdcrdimport_azure_r...import_azure_r...import_azure_r...root.goroot.goroot.golog.golog.golog.goclean-crds.goclean-crds.goclean-crds.gogo.sumgo.sumgo.sumgo.modgo.modgo.modimportable_arm_resource.goimportable_arm_resource.goimportable_arm_resource.goresource_importer.goresource_importer.goresource_importer.goimportable_arm_...importable_arm_...importable_arm_...resource_impor...resource_impor...resource_impor...resource_impor...resource_impor...resource_impor...importable_re...importable_re...importable_re...find_resour...find_resour...find_resour...find_child...find_child...find_child...find_grou...find_grou...find_grou...import_s...import_s...import_s...cleaner_test.gocleaner_test.gocleaner_test.gocleaner.gocleaner.gocleaner.go.cmd.go.modeach dot sized by file size \ No newline at end of file diff --git a/v2/charts/azure-service-operator/templates/networkpolicies.yaml b/v2/charts/azure-service-operator/templates/networkpolicies.yaml new file mode 100644 index 00000000000..2beb00a84f6 --- /dev/null 
+++ b/v2/charts/azure-service-operator/templates/networkpolicies.yaml
@@ -0,0 +1,55 @@
+{{- if .Values.networkPolicies.enable }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: azure-service-operator-allow-ingress
+ namespace: {{ .Release.namespace }}
+spec:
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ podSelector:
+ matchLabels:
+ control-plane: controller-manager
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: azure-service-operator-allow-egress
+ namespace: {{ .Release.namespace }}
+spec:
+ egress:
+ - ports:
+ # Required for communication with the Azure API
+ - port: 443
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ # Required for communication with the Kubernetes API
+ - port: {{ .Values.networkPolicies.kubernetesApiPort }}
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: {{ .Values.networkPolicies.kubernetesApiCIDR }}
+ # Required for communication with MySQL servers when using MySQL user object
+ - port: 3306
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: {{ .Values.networkPolicies.mysqlCIDR }}
+ # Required for communication with PostgreSQL servers when using PostgreSQL user object
+ - port: 5432
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: {{ .Values.networkPolicies.postgresqlCIDR }}
+ podSelector:
+ matchLabels:
+ control-plane: controller-manager
+ policyTypes:
+ - Egress
+{{- end }}
diff --git a/v2/charts/azure-service-operator/values.yaml b/v2/charts/azure-service-operator/values.yaml
index 85d0f61c994..2b4f8ff6d83 100644
--- a/v2/charts/azure-service-operator/values.yaml
+++ b/v2/charts/azure-service-operator/values.yaml
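Review bot: The `to:` blocks in the egress policy read as nested under each `ports` item (each one follows a `protocol: TCP` line and is then followed by the next `- port:`) rather than as a sibling of `ports` on the egress rule; this rendering has lost the indentation, so please confirm against the file. `NetworkPolicyPort` has no `to` field and the API server drops unknown fields with at most a warning, so if the nesting is as it reads the installed object is one rule allowing 443, the Kubernetes API port, 3306 and 5432 to any destination, and the `*CIDR` values have no effect; one egress rule per port with `ports` and `to` as siblings, as below, restores the intended restriction. The rule set also has no DNS egress (53/UDP and TCP), so the Azure API hostnames cannot be resolved unless the CNI exempts DNS, and the ingress policy admits `0.0.0.0/0` on every port, which restricts nothing and would be better limited to the ports the pod actually serves. Finally `{{ .Release.namespace }}` in both `metadata.namespace` lines is not the Helm built-in, which is `.Release.Namespace`; as written it appears to render empty.
```yaml
spec:
  egress:
    # Required for communication with the Azure API
    - ports:
        - port: 443
          protocol: TCP
      to:
        - ipBlock:
            cidr: 0.0.0.0/0
    # Required for communication with the Kubernetes API
    - ports:
        - port: {{ .Values.networkPolicies.kubernetesApiPort }}
          protocol: TCP
      to:
        - ipBlock:
            cidr: {{ .Values.networkPolicies.kubernetesApiCIDR }}
    # Required for communication with MySQL servers when using MySQL user object
    - ports:
        - port: 3306
          protocol: TCP
      to:
        - ipBlock:
            cidr: {{ .Values.networkPolicies.mysqlCIDR }}
    # Required for communication with PostgreSQL servers when using PostgreSQL user object
    - ports:
        - port: 5432
          protocol: TCP
      to:
        - ipBlock:
            cidr: {{ .Values.networkPolicies.postgresqlCIDR }}
  # … unchanged: podSelector and policyTypes …
```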
@@ -120,3 +120,15 @@ podAnnotations: {}
 # NOTE: 'installCRDs' should be set to false while installing a tenant.
 multitenant:
 enable: false
+
+# networkPolicies allows you to configure the NetworkPolicies deployed as part of the Chart
+networkPolicies:
+ enable: true
+ # TCP port to be configured for talking to the Kubernetes API
+ kubernetesApiPort: 6443
+ # Destination CIDR for talking to the Kubernetes API
+ kubernetesApiCIDR: 0.0.0.0/0
+ # Destination CIDR for talking to MySQL servers
+ mysqlCIDR: 0.0.0.0/0
+ # Destination CIDR for talking to PostgreSQL servers
+ postgresqlCIDR: 0.0.0.0/0
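Review bot: `enable: true` means every install and upgrade of the chart now applies the egress restriction, yet the value comments say neither what the defaults permit nor that the objects are only enforced where the CNI implements NetworkPolicy. Suggest expanding the `networkPolicies` comment along the lines of `# networkPolicies controls the NetworkPolicy objects installed with the chart; they are enforced only by CNIs that implement NetworkPolicy, and with the default CIDRs (0.0.0.0/0) egress is limited by port only.` Narrowing `kubernetesApiCIDR`, `mysqlCIDR` and `postgresqlCIDR` to the real endpoint ranges is what gives the egress policy its value, and that is worth stating next to each of those keys.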