feat: add networkpolicy and pdb

charts/openbas/ci/ci-common-values.yaml

@@ -25,11 +25,18 @@ env:
 
 testConnection: true
 
+networkPolicy:
+  enabled: true
+
+podDisruptionBudget:
+  enabled: true
+
 autoscaling:
   enabled: true
 
 caldera:
   enabled: true
+
   env:
     CALDERA_URL: http://openbas-ci-caldera:8888
   config:
@@ -79,6 +86,12 @@ caldera:
       - stockpile
       - training
 
+  networkPolicy:
+    enabled: true
+
+  podDisruptionBudget:
+    enabled: true
+
 collectors:
 - name: atomic-red-team
   enabled: true

charts/openbas/templates/caldera/configmap.yaml

@@ -3,6 +3,7 @@ kind: ConfigMap
 metadata:
   name: {{ include "openbas.fullname" . }}-caldera-config
   labels:
+    openbas.component: caldera
     {{- include "openbas.labels" . | nindent 4 }}
 data:
   local.yml: |

charts/openbas/templates/caldera/hpa.yaml

@@ -4,6 +4,7 @@ kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "openbas.fullname" . }}-caldera
   labels:
+    openbas.component: caldera
     {{- include "openbas.labels" . | nindent 4 }}
 spec:
   scaleTargetRef:

charts/openbas/templates/caldera/networkpolicy.yaml

@@ -0,0 +1,50 @@
+{{- if .Values.caldera.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "openbas.fullname" . }}-caldera
+  labels:
+    openbas.component: caldera
+    {{- include "openbas.labels" . | nindent 4 }}
+spec:
+  {{- if and (not .Values.caldera.networkPolicy.policyTypes) (not .Values.caldera.networkPolicy.ingress) (not .Values.caldera.networkPolicy.egress) }}
+  podSelector: {}
+  {{- else }}
+  podSelector:
+    matchLabels:
+      openbas.component: caldera
+      {{- include "openbas.selectorLabels" . | nindent 6 }}
+  {{- end }}
+
+  {{- if .Values.caldera.networkPolicy.policyTypes }}
+  {{- with .Values.caldera.networkPolicy.policyTypes }}
+  policyTypes:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- else }}
+  policyTypes:
+    - Ingress
+    - Egress
+  {{- end }}
+
+  {{- if .Values.caldera.networkPolicy.ingress }}
+  {{- with .Values.caldera.networkPolicy.ingress }}
+  ingress:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- else }}
+  ingress:
+  - {}
+  {{- end }}
+
+  {{- if .Values.caldera.networkPolicy.egress }}
+  {{- with .Values.caldera.networkPolicy.egress }}
+  egress:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- else }}
+  egress:
+  - {}
+  {{- end }}
+
+{{- end }}

charts/openbas/templates/caldera/poddisruptionbudget.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.caldera.podDisruptionBudget.enabled -}}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "openbas.fullname" . }}-caldera
+  labels:
+    openbas.component: caldera
+    {{- include "openbas.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      openbas.component: caldera
+      {{- include "openbas.selectorLabels" . | nindent 6 }}
+  {{- if .Values.caldera.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ .Values.caldera.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if .Values.caldera.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ .Values.caldera.podDisruptionBudget.maxUnavailable }}
+  {{- end }}
+{{- end -}}

charts/openbas/templates/server/hpa.yaml

@@ -4,6 +4,7 @@ kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "openbas.fullname" . }}-server
   labels:
+    openbas.component: server
     {{- include "openbas.labels" . | nindent 4 }}
 spec:
   scaleTargetRef:

charts/openbas/templates/server/networkpolicy.yaml

@@ -0,0 +1,50 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "openbas.fullname" . }}-server
+  labels:
+    openbas.component: server
+    {{- include "openbas.labels" . | nindent 4 }}
+spec:
+  {{- if and (not .Values.networkPolicy.policyTypes) (not .Values.networkPolicy.ingress) (not .Values.networkPolicy.egress) }}
+  podSelector: {}
+  {{- else }}
+  podSelector:
+    matchLabels:
+      openbas.component: server
+      {{- include "openbas.selectorLabels" . | nindent 6 }}
+  {{- end }}
+
+  {{- if .Values.networkPolicy.policyTypes }}
+  {{- with .Values.networkPolicy.policyTypes }}
+  policyTypes:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- else }}
+  policyTypes:
+    - Ingress
+    - Egress
+  {{- end }}
+
+  {{- if .Values.networkPolicy.ingress }}
+  {{- with .Values.networkPolicy.ingress }}
+  ingress:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- else }}
+  ingress:
+  - {}
+  {{- end }}
+
+  {{- if .Values.networkPolicy.egress }}
+  {{- with .Values.networkPolicy.egress }}
+  egress:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- else }}
+  egress:
+  - {}
+  {{- end }}
+
+{{- end }}

charts/openbas/templates/server/poddisruptionbudget.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.podDisruptionBudget.enabled -}}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "openbas.fullname" . }}-server
+  labels:
+    openbas.component: server
+    {{- include "openbas.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      openbas.component: server
+      {{- include "openbas.selectorLabels" . | nindent 6 }}
+  {{- if .Values.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if .Values.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+  {{- end }}
+{{- end -}}

charts/openbas/templates/server/secret.yaml

@@ -5,6 +5,7 @@ type: Opaque
 metadata:
   name: {{ include "openbas.fullname" . }}-credentials
   labels:
+    openbas.component: server
     {{- include "openbas.labels" . | nindent 4 }}
   annotations:
     helm.sh/hook: "pre-install,pre-upgrade"

charts/openbas/templates/server/serviceaccount.yaml

@@ -4,6 +4,7 @@ kind: ServiceAccount
 metadata:
   name: {{ include "openbas.serviceAccountName" . }}
   labels:
+    openbas.component: server
     {{- include "openbas.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
   annotations: