grafana · TheRealNoob · Jan 27, 2025 · Jan 27, 2025 · Jan 27, 2025 · Jan 27, 2025
@@ -7,6 +7,13 @@ This document contains a historical list of changes between releases. Only
 changes that impact end-user behavior are listed; changes to documentation or
 internal API changes are not present.
 
+0.11.1 (2025-01-27)
+------------------
+
+### Enhancements
+
+- Add NetworkPolicy support to the Helm chart. (@TheRealNoob)
+
 0.11.0 (2025-01-23)
 ----------
 

@@ -2,7 +2,7 @@ apiVersion: v2
 name: alloy
 description: 'Grafana Alloy'
 type: application
-version: 0.11.0
+version: 0.11.1
 appVersion: 'v1.6.1'
 icon: https://raw.githubusercontent.com/grafana/alloy/main/docs/sources/assets/alloy_icon_orange.svg
 

@@ -1,6 +1,6 @@
 # Grafana Alloy Helm chart
 
-![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.11.0](https://img.shields.io/badge/Version-0.11.0-informational?style=flat-square) ![AppVersion: v1.6.1](https://img.shields.io/badge/AppVersion-v1.6.1-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.11.1](https://img.shields.io/badge/Version-0.11.1-informational?style=flat-square) ![AppVersion: v1.6.1](https://img.shields.io/badge/AppVersion-v1.6.1-informational?style=flat-square)
 
 Helm chart for deploying [Grafana Alloy][] to Kubernetes.
 
@@ -124,6 +124,19 @@ useful if just using the default DaemonSet isn't sufficient.
 | ingress.pathType | string | `"Prefix"` |  |
 | ingress.tls | list | `[]` |  |
 | nameOverride | string | `nil` | Overrides the chart's name. Used to change the infix in the resource names. |
+| networkPolicy.egress[0].to[0].ports[0].port | int | `6443` |  |
+| networkPolicy.egress[0].to[0].ports[0].protocol | string | `"TCP"` |  |
+| networkPolicy.egress[1].to[0].podSelector | object | `{}` |  |
+| networkPolicy.egress[2].to[0].ipBlock.cidr | string | `"0.0.0.0/0"` |  |
+| networkPolicy.egress[2].to[0].ipBlock.except[0] | string | `"10.0.0.0/8"` |  |
+| networkPolicy.egress[2].to[0].ipBlock.except[1] | string | `"172.16.0.0/12"` |  |
+| networkPolicy.egress[2].to[0].ipBlock.except[2] | string | `"192.168.0.0/16"` |  |
+| networkPolicy.egress[2].to[1].ipBlock.cidr | string | `"::/0"` |  |
+| networkPolicy.egress[2].to[1].ipBlock.except[0] | string | `"fc00::/7"` |  |
+| networkPolicy.enabled | bool | `false` |  |
+| networkPolicy.flavor | string | `"kubernetes"` |  |
+| networkPolicy.ingress[0].from[0].podSelector | object | `{}` |  |
+| networkPolicy.ingress[1].from[0].ipBlock.cidr | string | `"0.0.0.0/0"` |  |
 | rbac.create | bool | `true` | Whether to create RBAC resources for Alloy. |
 | service.annotations | object | `{}` |  |
 | service.clusterIP | string | `""` | Cluster IP, can be set to None, empty "" or an IP address |

@@ -0,0 +1,2 @@
+networkPolicy:
+  enabled: true
@@ -0,0 +1,25 @@
+{{- if and .Values.networkPolicy.enabled (eq .Values.networkPolicy.flavor "kubernetes") -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "alloy.fullname" . }}
+  namespace: {{ include "alloy.namespace" . }}
+  labels:
+    {{- include "alloy.labels" . | nindent 4 }}
+    app.kubernetes.io/component: networking
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "alloy.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+    - Egress
+  {{- if .Values.networkPolicy.ingress }}
+  ingress:
+    {{- toYaml .Values.networkPolicy.ingress | nindent 4 }}
+  {{- end }}
+  {{- if .Values.networkPolicy.egress }}
+  egress:
+    {{- toYaml .Values.networkPolicy.egress | nindent 4 }}
+  {{- end }}
+{{- end }}
@@ -288,6 +288,41 @@ controller:
   # -- Additional containers to run alongside the Alloy container and initContainers.
   extraContainers: []
 
+networkPolicy:
+  enabled: false
+  flavor: kubernetes
+
+  ingress:
+    # Allow ingress from all pods in the cluster
+    - from:
+      - podSelector: {}
+    # Allow ingress from the internet (Faro)
+    - from:
+      - ipBlock:
+          cidr: 0.0.0.0/0
+  egress:
+    # Allow egress to the kube-apiserver (default port)
+    # Not all cloud providers use the same labels on kube-apiserver pod
+    - to:
+      - ports:
+        - protocol: TCP
+          port: 6443
+    # Allow egress to all pods in the cluster
+    - to:
+      - podSelector: {}
+    # Allow egress to the internet
+    - to:
+      - ipBlock:
+          cidr: 0.0.0.0/0
+          except:
+            - 10.0.0.0/8
+            - 172.16.0.0/12
+            - 192.168.0.0/16
+      - ipBlock:
+          cidr: ::/0 
+          except:
+            - fc00::/7
+
 service:
   # -- Creates a Service for the controller's pods.
   enabled: true

@@ -0,0 +1,43 @@
+---
+# Source: alloy/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: alloy
+  labels:
+    helm.sh/chart: alloy
+    app.kubernetes.io/name: alloy
+    app.kubernetes.io/instance: alloy
+    app.kubernetes.io/version: "vX.Y.Z"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: config
+data:
+  config.alloy: |-
+    logging {
+    	level  = "info"
+    	format = "logfmt"
+    }
+
+    discovery.kubernetes "pods" {
+    	role = "pod"
+    }
+
+    discovery.kubernetes "nodes" {
+    	role = "node"
+    }
+
+    discovery.kubernetes "services" {
+    	role = "service"
+    }
+
+    discovery.kubernetes "endpoints" {
+    	role = "endpoints"
+    }
+
+    discovery.kubernetes "endpointslices" {
+    	role = "endpointslice"
+    }
+
+    discovery.kubernetes "ingresses" {
+    	role = "ingress"
+    }
@@ -0,0 +1,75 @@
+---
+# Source: alloy/templates/controllers/daemonset.yaml
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: alloy
+  labels:
+    helm.sh/chart: alloy
+    app.kubernetes.io/name: alloy
+    app.kubernetes.io/instance: alloy
+    app.kubernetes.io/version: "vX.Y.Z"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  minReadySeconds: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: alloy
+      app.kubernetes.io/instance: alloy
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: alloy
+      labels:
+        app.kubernetes.io/name: alloy
+        app.kubernetes.io/instance: alloy
+    spec:
+      serviceAccountName: alloy
+      containers:
+        - name: alloy
+          image: docker.io/grafana/alloy:v1.6.1
+          imagePullPolicy: IfNotPresent
+          args:
+            - run
+            - /etc/alloy/config.alloy
+            - --storage.path=/tmp/alloy
+            - --server.http.listen-addr=0.0.0.0:12345
+            - --server.http.ui-path-prefix=/
+            - --stability.level=generally-available
+          env:
+            - name: ALLOY_DEPLOY_MODE
+              value: "helm"
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          ports:
+            - containerPort: 12345
+              name: http-metrics
+          readinessProbe:
+            httpGet:
+              path: /-/ready
+              port: 12345
+              scheme: HTTP
+            initialDelaySeconds: 10
+            timeoutSeconds: 1
+          volumeMounts:
+            - name: config
+              mountPath: /etc/alloy
+        - name: config-reloader
+          image: ghcr.io/jimmidyson/configmap-reload:v0.14.0
+          args:
+            - --volume-dir=/etc/alloy
+            - --webhook-url=http://localhost:12345/-/reload
+          volumeMounts:
+            - name: config
+              mountPath: /etc/alloy
+          resources:
+            requests:
+              cpu: 1m
+              memory: 5Mi
+      dnsPolicy: ClusterFirst
+      volumes:
+        - name: config
+          configMap:
+            name: alloy
@@ -0,0 +1,46 @@
+---
+# Source: alloy/templates/networkpolicy.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: alloy
+  namespace: default
+  labels:
+    helm.sh/chart: alloy
+    app.kubernetes.io/name: alloy
+    app.kubernetes.io/instance: alloy
+    app.kubernetes.io/version: "vX.Y.Z"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: networking
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: alloy
+      app.kubernetes.io/instance: alloy
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+      - podSelector: {}
+    - from:
+      - ipBlock:
+          cidr: 0.0.0.0/0
+  egress:
+    - to:
+      - ports:
+        - port: 6443
+          protocol: TCP
+    - to:
+      - podSelector: {}
+    - to:
+      - ipBlock:
+          cidr: 0.0.0.0/0
+          except:
+          - 10.0.0.0/8
+          - 172.16.0.0/12
+          - 192.168.0.0/16
+      - ipBlock:
+          cidr: ::/0
+          except:
+          - fc00::/7