Add option to disable the network policy at install time

2026-02-06 19:05:55 +00:00 · 2020-10-03 17:35:55 +03:00
parent 73e5640109
commit 07677ed4a7
6 changed files with 17 additions and 3 deletions
--- a/cmd/gotk/bootstrap.go
+++ b/cmd/gotk/bootstrap.go
@@ -52,6 +52,7 @@ var (
 	bootstrapArch               string
 	bootstrapBranch             string
 	bootstrapWatchAllNamespaces bool
+	bootstrapNetworkPolicy      bool
 	bootstrapLogLevel           string
 	bootstrapManifestsPath      string
 	bootstrapRequiredComponents = []string{"source-controller", "kustomize-controller"}
@@ -80,6 +81,8 @@ func init() {
 	rootCmd.AddCommand(bootstrapCmd)
 	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapWatchAllNamespaces, "watch-all-namespaces", true,
 		"watch for custom resources in all namespaces, if set to false it will only watch the namespace where the toolkit is installed")
+	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapNetworkPolicy, "network-policy", true,
+		"deny ingress access to the toolkit controllers from other namespaces using network policies")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapLogLevel, "log-level", "info", "set the controllers log level")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapManifestsPath, "manifests", "", "path to the manifest directory")
 	bootstrapCmd.PersistentFlags().MarkHidden("manifests")
@@ -126,7 +129,7 @@ func generateInstallManifests(targetPath, namespace, tmpDir string, localManifes
 	}

 	if err := genInstallManifests(bootstrapVersion, namespace, bootstrapComponents,
-		bootstrapWatchAllNamespaces, bootstrapRegistry, bootstrapImagePullSecret,
+		bootstrapWatchAllNamespaces, bootstrapNetworkPolicy, bootstrapRegistry, bootstrapImagePullSecret,
 		bootstrapArch, bootstrapLogLevel, gotkDir); err != nil {
 		return "", fmt.Errorf("generating manifests failed: %w", err)
 	}
--- a/cmd/gotk/install.go
+++ b/cmd/gotk/install.go
@@ -64,6 +64,7 @@ var (
 	installImagePullSecret    string
 	installArch               string
 	installWatchAllNamespaces bool
+	installNetworkPolicy      bool
 	installLogLevel           string
 )

@@ -87,6 +88,8 @@ func init() {
 	installCmd.Flags().BoolVar(&installWatchAllNamespaces, "watch-all-namespaces", true,
 		"watch for custom resources in all namespaces, if set to false it will only watch the namespace where the toolkit is installed")
 	installCmd.Flags().StringVar(&installLogLevel, "log-level", "info", "set the controllers log level")
+	installCmd.Flags().BoolVar(&installNetworkPolicy, "network-policy", true,
+		"deny ingress access to the toolkit controllers from other namespaces using network policies")
 	rootCmd.AddCommand(installCmd)
 }

@@ -113,7 +116,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	if installManifestsPath == "" {
 		err = genInstallManifests(installVersion, namespace, installComponents,
-			installWatchAllNamespaces, installRegistry, installImagePullSecret,
+			installWatchAllNamespaces, installNetworkPolicy, installRegistry, installImagePullSecret,
 			installArch, installLogLevel, tmpDir)
 		if err != nil {
 			return fmt.Errorf("install failed: %w", err)
@@ -215,7 +218,9 @@ transformers:

 resources:
  - namespace.yaml
+{{- if .NetworkPolicy }}
  - policies.yaml
+{{- end }}
  - roles
 {{- range .Components }}
  - {{.}}.yaml
@@ -333,7 +338,7 @@ func downloadManifests(version string, tmpDir string) error {
 }

 func genInstallManifests(version string, namespace string, components []string,
-	watchAllNamespaces bool, registry, imagePullSecret, arch, logLevel, tmpDir string) error {
+	watchAllNamespaces, networkPolicy bool, registry, imagePullSecret, arch, logLevel, tmpDir string) error {
 	eventsAddr := ""
 	if utils.containsItemString(components, defaultNotification) {
 		eventsAddr = fmt.Sprintf("http://%s/", defaultNotification)
@@ -348,6 +353,7 @@ func genInstallManifests(version string, namespace string, components []string,
 		ImagePullSecret    string
 		Arch               string
 		WatchAllNamespaces bool
+		NetworkPolicy      bool
 		LogLevel           string
 	}{
 		Version:            version,
@@ -358,6 +364,7 @@ func genInstallManifests(version string, namespace string, components []string,
 		ImagePullSecret:    imagePullSecret,
 		Arch:               arch,
 		WatchAllNamespaces: watchAllNamespaces,
+		NetworkPolicy:      networkPolicy,
 		LogLevel:           logLevel,
 	}

--- a/docs/cmd/gotk_bootstrap.md
+++ b/docs/cmd/gotk_bootstrap.md
@@ -15,6 +15,7 @@ The bootstrap sub-commands bootstrap the toolkit components on the targeted Git
  -h, --help                       help for bootstrap
      --image-pull-secret string   Kubernetes secret name used for pulling the toolkit images from a private registry
      --log-level string           set the controllers log level (default "info")
+      --network-policy             deny ingress access to the toolkit controllers from other namespaces using network policies (default true)
      --registry string            container registry where the toolkit images are published (default "ghcr.io/fluxcd")
  -v, --version string             toolkit version (default "latest")
      --watch-all-namespaces       watch for custom resources in all namespaces, if set to false it will only watch the namespace where the toolkit is installed (default true)
--- a/docs/cmd/gotk_bootstrap_github.md
+++ b/docs/cmd/gotk_bootstrap_github.md
@@ -64,6 +64,7 @@ gotk bootstrap github [flags]
      --kubeconfig string          path to the kubeconfig file (default "~/.kube/config")
      --log-level string           set the controllers log level (default "info")
  -n, --namespace string           the namespace scope for this operation (default "gotk-system")
+      --network-policy             deny ingress access to the toolkit controllers from other namespaces using network policies (default true)
      --registry string            container registry where the toolkit images are published (default "ghcr.io/fluxcd")
      --timeout duration           timeout for this operation (default 5m0s)
      --verbose                    print generated objects
--- a/docs/cmd/gotk_bootstrap_gitlab.md
+++ b/docs/cmd/gotk_bootstrap_gitlab.md
@@ -61,6 +61,7 @@ gotk bootstrap gitlab [flags]
      --kubeconfig string          path to the kubeconfig file (default "~/.kube/config")
      --log-level string           set the controllers log level (default "info")
  -n, --namespace string           the namespace scope for this operation (default "gotk-system")
+      --network-policy             deny ingress access to the toolkit controllers from other namespaces using network policies (default true)
      --registry string            container registry where the toolkit images are published (default "ghcr.io/fluxcd")
      --timeout duration           timeout for this operation (default 5m0s)
      --verbose                    print generated objects
--- a/docs/cmd/gotk_install.md
+++ b/docs/cmd/gotk_install.md
@@ -38,6 +38,7 @@ gotk install [flags]
  -h, --help                       help for install
      --image-pull-secret string   Kubernetes secret name used for pulling the toolkit images from a private registry
      --log-level string           set the controllers log level (default "info")
+      --network-policy             deny ingress access to the toolkit controllers from other namespaces using network policies (default true)
      --registry string            container registry where the toolkit images are published (default "ghcr.io/fluxcd")
  -v, --version string             toolkit version (default "latest")
      --watch-all-namespaces       watch for custom resources in all namespaces, if set to false it will only watch the namespace where the toolkit is installed (default true)