0xgui commented on a change in pull request #199:
URL: https://github.com/apache/apisix-helm-chart/pull/199#discussion_r775833932
##########
File path: charts/apisix/templates/networkpolicy.yaml
##########
@@ -0,0 +1,72 @@
+{{- if .Values.apisix.networkPolicy.enabled }}
+{{- $fullName := include "apisix.fullname" . -}}
+kind: NetworkPolicy
+apiVersion: {{ template "networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ include "apisix.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "apisix.labels" . | nindent 4 }}
+ {{- if .Values.apisix.networkPolicy.annotations }}
+ {{- with .Values.apisix.networkPolicy.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ podSelector:
+ matchLabels: {{- include "apisix.selectorLabels" . | nindent 6 }}
+ policyTypes:
+ - Ingress
+ {{- if .Values.apisix.networkPolicy.additionalEgress }}
+ - Egress
+ egress:
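Review bot: Gating both the `- Egress` policy type and the `egress:` block on `.Values.apisix.networkPolicy.additionalEgress` means that when that value is empty the rendered policy lists only `Ingress` in `policyTypes`, so no egress restriction applies at all and the DNS/etcd allow-list described in the discussion never takes effect; if the intent is for that allow-list to always apply when the policy is enabled, gate the egress section on a dedicated flag (e.g. a hypothetical `networkPolicy.egress.enabled`) and keep `additionalEgress` purely additive. Two smaller points: `$fullName` is defined on the second line but `metadata.name` re-calls `include "apisix.fullname" .` instead of using it, and the `if .Values.apisix.networkPolicy.annotations` wrapper around `with .Values.apisix.networkPolicy.annotations` is redundant, since `with` already skips an empty value.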
Review comment:
@tokers
I think that maybe there is some confusion about what the egress rules do in a NetworkPolicy.

Just like you said, the egress rules are used to limit the destinations that APISIX can reach.

If the user chooses to enable the egress policy in the NetworkPolicy, the current rules say to allow DNS traffic (port 53 TCP/UDP) so we can translate the addresses, and also allow connection to the etcd cluster service on the desired port.

We don't specify source ports in the egress rules, but destination ports. In this case, without `additionalEgress` rules we are allowing by default the apisix pod to connect to external DNS ports and etcd ports.

If I'm failing to understand something, let me know.
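The semantics being debated in the comment above (egress rules match on the destination port and peer, not the client's source port, and they only restrict anything when `Egress` is listed in `spec.policyTypes`) can be checked with a small evaluator. This is an added example, not code from the apisix-helm-chart PR or the APISIX project; the policy it evaluates is constructed by hand to mirror the rules described in the discussion, and the etcd pod label `app=etcd`, the etcd client port 2379 and the APISIX selector label are assumptions.

```python
"""Toy evaluator for the egress half of a Kubernetes NetworkPolicy.

Added example, not code from the apisix-helm-chart PR. It models two
rules from the discussion: egress entries match the destination of a
connection (never its source port), and they only apply when "Egress"
appears in spec.policyTypes. Only ipBlock and podSelector peers are
modelled; namespaceSelector is left out of this toy.
"""
from __future__ import annotations

import copy
import ipaddress
from dataclasses import dataclass

# Constructed, already-rendered policy (no Helm templating) -- assumption.
POLICY = {
    "spec": {
        "podSelector": {"matchLabels": {"app.kubernetes.io/name": "apisix"}},
        "policyTypes": ["Ingress", "Egress"],
        "egress": [
            # DNS resolution: any destination, port 53 on UDP and TCP
            {"ports": [{"protocol": "UDP", "port": 53},
                       {"protocol": "TCP", "port": 53}]},
            # etcd: only pods carrying the (assumed) etcd label, on its client port
            {"to": [{"podSelector": {"matchLabels": {"app": "etcd"}}}],
             "ports": [{"protocol": "TCP", "port": 2379}]},
        ],
    }
}

# Same rules, but "Egress" dropped from policyTypes: the egress list is then inert.
POLICY_INGRESS_ONLY = copy.deepcopy(POLICY)
POLICY_INGRESS_ONLY["spec"]["policyTypes"] = ["Ingress"]


@dataclass(frozen=True)
class Connection:
    """One outbound connection attempt from the selected pod."""
    src_port: int                 # ephemeral client port; egress rules never look at it
    dst_ip: str
    dst_port: int
    protocol: str = "TCP"
    dst_pod_labels: dict | None = None  # None: destination is not a pod in the cluster


def _peer_matches(peer: dict, conn: Connection) -> bool:
    """Match one entry of a rule's `to:` list against the destination."""
    if "ipBlock" in peer:
        block = peer["ipBlock"]
        ip = ipaddress.ip_address(conn.dst_ip)
        if ip not in ipaddress.ip_network(block["cidr"], strict=False):
            return False
        return not any(ip in ipaddress.ip_network(ex, strict=False)
                       for ex in block.get("except", []))
    if "podSelector" in peer:
        if conn.dst_pod_labels is None:
            return False
        wanted = peer["podSelector"].get("matchLabels", {})
        return all(conn.dst_pod_labels.get(k) == v for k, v in wanted.items())
    return False  # namespaceSelector and friends are not modelled here


def _ports_match(ports: list, conn: Connection) -> bool:
    """A `ports:` entry is a destination port plus protocol (TCP by default)."""
    return any(p.get("protocol", "TCP") == conn.protocol and p["port"] == conn.dst_port
               for p in ports)


def egress_allowed(policy: dict, conn: Connection) -> bool:
    """Decide whether the policy lets the selected pod open `conn`."""
    spec = policy["spec"]
    if "Egress" not in spec.get("policyTypes", []):
        return True  # no egress policy selects the pod: all outbound traffic is allowed
    for rule in spec.get("egress", []):
        # An absent or empty `to:` means any destination; an absent `ports:` means any port.
        peer_ok = not rule.get("to") or any(_peer_matches(p, conn) for p in rule["to"])
        ports_ok = "ports" not in rule or _ports_match(rule["ports"], conn)
        if peer_ok and ports_ok:
            return True
    return False  # nothing matched: denied (default-deny once an egress policy applies)


if __name__ == "__main__":
    dns = Connection(40000, "8.8.8.8", 53, "UDP")
    web = Connection(40000, "93.184.216.34", 443)
    print("DNS lookup allowed:", egress_allowed(POLICY, dns))
    print("HTTPS to the internet allowed:", egress_allowed(POLICY, web))
    print("HTTPS allowed without Egress policyType:", egress_allowed(POLICY_INGRESS_ONLY, web))
```

The last check is the one worth keeping in mind when reading the template: with the allow-list in place, an outbound HTTPS connection is denied, but if `Egress` is missing from `policyTypes` the same connection is allowed, because the egress entries are simply not consulted.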