Skip to content

Commit a167f4f

Browse files
olevskileafty
andauthored
fix(chart): modify network policy for session pods (#4484)
Co-authored-by: Flora Thiebaut <flora.thiebaut@sdsc.ethz.ch>
1 parent c6ee8b8 commit a167f4f

2 files changed

Lines changed: 59 additions & 6 deletions

File tree

helm-chart/renku/values.yaml

Lines changed: 19 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -217,6 +217,21 @@ networkPolicies:
217217
- 10.0.0.0/8
218218
- 172.16.0.0/12
219219
- 192.168.0.0/16
220+
## Depending on the ingress controller in your cluster you will need an
221+
## additional network policy like the one below. The example below is for ingress nginx.
222+
## This resolves issues with hairpinning where a session pod is accessing
223+
## a service that runs in the cluster but through its public URL.
224+
## Without this the session pods cannot reach services (Keycloak, data services) on the public URL.
225+
# - to:
226+
# - namespaceSelector:
227+
# matchLabels:
228+
# kubernetes.io/metadata.name: app-routing-system
229+
# podSelector:
230+
# matchLabels:
231+
# app: nginx
232+
# ports:
233+
# - port: 443
234+
# protocol: TCP
220235
## Alerts configuration
221236
alerts:
222237
## Alertmanager webhook authentication
@@ -823,8 +838,7 @@ dlf-chart:
823838
enabled: false
824839
dataset-operator-chart:
825840
enabled: true
826-
csi-rclone:
827-
{}
841+
csi-rclone: {}
828842
# This section is only relevant if you are installing csi-rclone as part of Renku
829843
## Name of the csi storage class to use for RClone/Cloudstorage. Should be unique per cluster.
830844
# storageClassName: csi-rclone
@@ -885,12 +899,12 @@ notebooks:
885899
## '["https://domain-a.example.org/*", "https://domain-b.example.net/*"]'
886900
## Each URI should follow the format expected by Keycloak in the Redirect
887901
## URIs field of a keycloak client.
888-
extraRedirectUris: '[]'
902+
extraRedirectUris: "[]"
889903
## This value is a yaml string of a json list of URIs strings, i.e.
890904
## '["https://domain-a.example.org/*", "https://domain-b.example.net/*"]'
891905
## Each URI should follow the format expected by Keycloak in the Web Origins
892906
## field of a keycloak client.
893-
extraWebOrigins: '[]'
907+
extraWebOrigins: "[]"
894908
sessionIngress:
895909
host:
896910
## If you want to use the default cluster tls cert, set the flag below to true.
@@ -1256,8 +1270,7 @@ dataService:
12561270
## The name of the BuildStrategy to use for image builds.
12571271
strategyName: renku-buildpacks-v3
12581272
## Configuration overrides for specific target platforms
1259-
platformOverrides:
1260-
{}
1273+
platformOverrides: {}
12611274
# linux/arm64:
12621275
# builderImage: "ghcr.io/swissdatasciencecenter/renku-frontend-buildpacks/cuda-selector:0.8.0"
12631276
# runImage: "ghcr.io/swissdatasciencecenter/renku-frontend-buildpacks/cuda-run-image:0.8.0"

minimal-deployment/minimal-deployment-values.yaml

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -63,6 +63,46 @@ keycloakx:
6363
memory: 600Mi
6464
limits:
6565
memory: 600Mi
66+
networkPolicies:
67+
sessions:
68+
egress:
69+
- to:
70+
# DNS resolution
71+
- namespaceSelector:
72+
matchLabels:
73+
kubernetes.io/metadata.name: kube-system
74+
podSelector:
75+
matchLabels:
76+
k8s-app: kube-dns
77+
ports:
78+
- port: 53
79+
protocol: UDP
80+
- port: 53
81+
protocol: TCP
82+
- to:
83+
# Allow access to any port/protocol as long as it is directed
84+
# outside the cluster. This is done by excluding
85+
# IP ranges which are reserved for private networking from
86+
# the allowed range.
87+
- ipBlock:
88+
cidr: 0.0.0.0/0
89+
except:
90+
- 10.0.0.0/8
91+
- 172.16.0.0/12
92+
- 192.168.0.0/16
93+
- to:
94+
# This resolves issues with hairpinning where a session pod is accessing
95+
# a service that runs in the cluster but through its public URL.
96+
# Without this the session pods cannot reach services (Keycloak, data services) on the public URL.
97+
- namespaceSelector:
98+
matchLabels:
99+
kubernetes.io/metadata.name: app-routing-system
100+
podSelector:
101+
matchLabels:
102+
app: nginx
103+
ports:
104+
- port: 443
105+
protocol: TCP
66106
notebooks:
67107
oidc:
68108
allowUnverifiedEmail: true

0 commit comments

Comments
 (0)