Add network policy support
Hello,
I would like to know if you could add support for k8s network policies. It would allow for extra security for those who wish to go the extra mile and configure them. They are working fine in Truecharts apps running in Truenas Scale, with the following config options:
https://github.com/truecharts/charts/blob/master/templates/questions/general/advanced.yaml#L53
Thanks
I did a test and added network policies to a fork of truenas charts and it worked without issue within my truenas: https://github.com/x-cimo/charts/blob/master/charts/emby/app_versions.json
Can you please describe how you tested that it's working?
Because neither the old nor the new library has support for network policies.
You are right, the chart I linked isn't the complete solution. I'm missing something. What I did only added the questions for network policies in the UI.
I am not sure what TrueCharts did to apply network policies but it does work on their charts when running on a vanilla Truenas.
Here is what it looks like for a TrueCharts app:
```
k3s kubectl get networkpolicy --namespace=ix-emby
NAME     POD-SELECTOR                                                  AGE
emby     app.kubernetes.io/instance=emby,app.kubernetes.io/name=emby   30d
emby-1   app.kubernetes.io/instance=emby,app.kubernetes.io/name=emby   30d
emby-2   app.kubernetes.io/instance=emby,app.kubernetes.io/name=emby   30d
emby-3   app.kubernetes.io/instance=emby,app.kubernetes.io/name=emby   30d
```

```
k3s kubectl describe networkpolicy emby-3 --namespace=ix-emby
Name:         emby-3
Namespace:    ix-emby
Created on:   2023-12-08 22:00:03 -0500 EST
Labels:       app=emby-17.1.7
              app.kubernetes.io/instance=emby
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=emby
              app.kubernetes.io/version=4.7.14.0
              helm-revision=22
              helm.sh/chart=emby-17.1.7
              release=emby
Annotations:  meta.helm.sh/release-name: emby
              meta.helm.sh/release-namespace: ix-emby
Spec:
  PodSelector:     app.kubernetes.io/instance=emby,app.kubernetes.io/name=emby
  Not affecting ingress traffic
  Allowing egress traffic:
    To Port: 5004/TCP
    To: <any> (traffic not restricted by destination)
  Policy Types: Egress
```
Unfortunately, I don't know the process that apps go through to be deployed by truenas and where the network policies are applied during deployment :(
Still would be a great feature to have in truenas apps.
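
For reference, the `emby-3` policy from the `kubectl describe` output above, written as a manifest. This is an added example reconstructed from that output, not taken from the TrueCharts or TrueNAS chart library, and it leaves out the labels and annotations that Helm adds.

```yaml
# Reconstructed from the `describe networkpolicy emby-3` output in this thread.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: emby-3
  namespace: ix-emby
spec:
  # Applies to every pod carrying both labels.
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: emby
      app.kubernetes.io/name: emby
  # Only egress is governed; ingress is unaffected by this policy.
  policyTypes:
    - Egress
  egress:
    - ports:
        - protocol: TCP
          port: 5004
      # No "to:" block, so any destination is allowed on this port.
```

NetworkPolicies are additive, so the effective egress for these pods is the union of what `emby`, `emby-1`, `emby-2` and `emby-3` allow. Enforcement depends on the cluster's network plugin implementing NetworkPolicy.
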
> You are right, the chart I linked isn't the complete solution. I'm missing something. What I did only added the questions for network policies in the UI.

Unfortunately adding only the questions is not enough as you realized. Needs additional development on the library side.

> I am not sure what TrueCharts did to apply network policies but it does work on their charts when running on a vanilla Truenas.

TrueCharts have implemented the NetPolicies in their library.

> Unfortunately, I don't know the process that apps go through to be deployed by truenas and where the network policies are applied during deployment :(

It's not so much about the process, but adding support for it. (Implementing the feature, adding tests, etc. in the chart library)

> Still would be a great feature to have in truenas apps.

Of course! Will add the appropriate label, and I'll leave this issue open, so you can track progress when something is being worked on!