feat: refactor redis-ha NetworkPolicy to include egress rules (#10226)

Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
2026-04-21 17:07:16 +00:00 · 2022-08-08 12:04:47 -07:00 · 2022-08-08 12:04:47 -07:00 · 2260c79d8f
commit 2260c79d8f
parent fd8ecf49b2
4 changed files with 135 additions and 9 deletions
--- a/manifests/ha/base/redis-ha/argocd-redis-ha-proxy-network-policy.yaml
+++ b/manifests/ha/base/redis-ha/argocd-redis-ha-proxy-network-policy.yaml
@ -8,6 +8,7 @@ spec:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  policyTypes:
  - Ingress
+  - Egress
  ingress:
    - from:
      - podSelector:
@ -19,7 +20,25 @@ spec:
      - podSelector:
          matchLabels:
            app.kubernetes.io/name: argocd-application-controller
-      # Redis HA server need to talk to proxy as well
+      ports:
+        - port: 6379
+          protocol: TCP
+        - port: 26379
+          protocol: TCP
+  egress:
+    - to:
      - podSelector:
          matchLabels:
            app.kubernetes.io/name: argocd-redis-ha
+      ports:
+        - port: 6379
+          protocol: TCP
+        - port: 26379
+          protocol: TCP
+    - to:
+      - namespaceSelector: {}
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
--- a/manifests/ha/base/redis-ha/argocd-redis-ha-server-network-policy.yaml
+++ b/manifests/ha/base/redis-ha/argocd-redis-ha-server-network-policy.yaml
@ -8,13 +8,34 @@ spec:
      app.kubernetes.io/name: argocd-redis-ha
  policyTypes:
  - Ingress
+  - Egress
  ingress:
    - from:
      - podSelector:
          matchLabels:
            app.kubernetes.io/name: argocd-redis-ha-haproxy
-      # Redis HA server pods need to talk to each other
      - podSelector:
          matchLabels:
            app.kubernetes.io/name: argocd-redis-ha
-
+      ports:
+        - port: 6379
+          protocol: TCP
+        - port: 26379
+          protocol: TCP
+  egress:
+    - to:
+      - podSelector:
+          matchLabels:
+            app.kubernetes.io/name: argocd-redis-ha
+      ports:
+        - port: 6379
+          protocol: TCP
+        - port: 26379
+          protocol: TCP
+    - to:
+      - namespaceSelector: {}
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
--- a/manifests/ha/install.yaml
+++ b/manifests/ha/install.yaml
@ -12151,6 +12151,23 @@ kind: NetworkPolicy
 metadata:
  name: argocd-redis-ha-proxy-network-policy
 spec:
+  egress:
+  - ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
+    to:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+    to:
+    - namespaceSelector: {}
  ingress:
  - from:
    - podSelector:
@ -12162,20 +12179,40 @@ spec:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-application-controller
-    - podSelector:
-        matchLabels:
-          app.kubernetes.io/name: argocd-redis-ha
+    ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  policyTypes:
  - Ingress
+  - Egress
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: argocd-redis-ha-server-network-policy
 spec:
+  egress:
+  - ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
+    to:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+    to:
+    - namespaceSelector: {}
  ingress:
  - from:
    - podSelector:
@ -12184,11 +12221,17 @@ spec:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-redis-ha
+    ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha
  policyTypes:
  - Ingress
+  - Egress
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
--- a/manifests/ha/namespace-install.yaml
+++ b/manifests/ha/namespace-install.yaml
@ -2854,6 +2854,23 @@ kind: NetworkPolicy
 metadata:
  name: argocd-redis-ha-proxy-network-policy
 spec:
+  egress:
+  - ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
+    to:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+    to:
+    - namespaceSelector: {}
  ingress:
  - from:
    - podSelector:
@ -2865,20 +2882,40 @@ spec:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-application-controller
-    - podSelector:
-        matchLabels:
-          app.kubernetes.io/name: argocd-redis-ha
+    ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  policyTypes:
  - Ingress
+  - Egress
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: argocd-redis-ha-server-network-policy
 spec:
+  egress:
+  - ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
+    to:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+    to:
+    - namespaceSelector: {}
  ingress:
  - from:
    - podSelector:
@ -2887,11 +2924,17 @@ spec:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: argocd-redis-ha
+    ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha
  policyTypes:
  - Ingress
+  - Egress
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy