Remove GS network policies (#233)

* remove defaultPolicies and extraPolicies templates

Signed-off-by: Matias Charriere <[email protected]>

* add changelog

Signed-off-by: Matias Charriere <[email protected]>

* update changelog

Signed-off-by: Matias Charriere <[email protected]>

---------

Signed-off-by: Matias Charriere <[email protected]>
Co-authored-by: Gerald Pape <[email protected]>

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Removed
+
+- Delete defaultPolicies and extraPolicies templates.
+
 ## [0.29.0] - 2024-11-12
 
 ### Changed

diffs/helm__cilium__values.yaml.tmpl.patch

@@ -1,33 +1,24 @@
 diff --git a/vendor/cilium/install/kubernetes/cilium/values.yaml.tmpl b/helm/cilium/values.yaml.tmpl
-index 7c18e03..f207696 100644
+index 7c18e03..e3c9940 100644
 --- a/vendor/cilium/install/kubernetes/cilium/values.yaml.tmpl
 +++ b/helm/cilium/values.yaml.tmpl
-@@ -136,6 +136,16 @@ serviceAccounts:
+@@ -136,6 +136,7 @@ serviceAccounts:
      name: hubble-generate-certs
      automount: true
      annotations: {}
-+  defaultPolicies:
-+    create: true
-+    name: cilium-default-policies
-+    automount: true
-+    annotations: {}
-+  extraPolicies:
-+    create: true
-+    name: cilium-extra-policies
-+    annotations: {}
 +
  # -- Configure termination grace period for cilium-agent DaemonSet.
  terminationGracePeriodSeconds: 1
  # -- Install the cilium agent resources.
-@@ -146,6 +156,7 @@ name: cilium
+@@ -146,6 +147,7 @@ name: cilium
  rollOutCiliumPods: false
  # -- Agent container image.
  image:
 +  registry: gsoci.azurecr.io
    # @schema
    # type: [null, string]
    # @schema
-@@ -487,7 +498,7 @@ bpf:
+@@ -487,7 +489,7 @@ bpf:
    # @schema
    # type: [null, integer]
    # @schema
@@ -36,7 +27,7 @@ index 7c18e03..f207696 100644
    # @schema
    # type: [null, number]
    # @schema
-@@ -1003,11 +1014,9 @@ socketLB:
+@@ -1003,11 +1005,9 @@ socketLB:
    # -- Enable socket LB
    enabled: false
    # -- Disable socket lb for non-root ns. This is used to enable Istio routing rules.
@@ -49,7 +40,7 @@ index 7c18e03..f207696 100644
  # -- Configure certificate generation for Hubble integration.
  # If hubble.tls.auto.method=cronJob, these values are used
  # for the Kubernetes CronJob which will be scheduled regularly to
-@@ -1021,7 +1030,7 @@ certgen:
+@@ -1021,7 +1021,7 @@ certgen:
      repository: "${CERTGEN_REPO}"
      tag: "${CERTGEN_VERSION}"
      digest: "${CERTGEN_DIGEST}"
@@ -58,7 +49,7 @@ index 7c18e03..f207696 100644
      pullPolicy: "${PULL_POLICY}"
    # -- Seconds after which the completed job pod will be deleted
    ttlSecondsAfterFinished: 1800
-@@ -1277,10 +1286,7 @@ hubble:
+@@ -1277,10 +1277,7 @@ hubble:
        # - certmanager:  This method use cert-manager to generate & rotate certificates.
        method: helm
        # -- Generated certificates validity duration in days.
@@ -70,7 +61,7 @@ index 7c18e03..f207696 100644
        # -- Schedule for certificates regeneration (regardless of their expiration date).
        # Only used if method is "cronJob". If nil, then no recurring job will be created.
        # Instead, only the one-shot job is deployed to generate the certificates at
-@@ -1313,7 +1319,7 @@ hubble:
+@@ -1313,7 +1310,7 @@ hubble:
        extraIpAddresses: []
    relay:
      # -- Enable Hubble Relay (requires hubble.enabled=true)
@@ -79,7 +70,7 @@ index 7c18e03..f207696 100644
      # -- Roll out Hubble Relay pods automatically when configmap is updated.
      rollOutPods: false
      # -- Hubble-relay container image.
-@@ -1354,11 +1360,14 @@ hubble:
+@@ -1354,11 +1351,14 @@ hubble:
      # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
      tolerations: []
      # -- Additional hubble-relay environment variables.
@@ -96,7 +87,7 @@ index 7c18e03..f207696 100644
      # -- Labels to be added to hubble-relay pods
      podLabels: {}
      # PodDisruptionBudget settings
-@@ -1390,21 +1399,28 @@ hubble:
+@@ -1390,21 +1390,28 @@ hubble:
          # @schema
          maxUnavailable: 1
      # -- Additional hubble-relay volumes.
@@ -131,7 +122,7 @@ index 7c18e03..f207696 100644
      # -- hubble-relay service configuration.
      service:
        # --- The type of service used for Hubble Relay access, either ClusterIP or NodePort.
-@@ -1489,7 +1505,7 @@ hubble:
+@@ -1489,7 +1496,7 @@ hubble:
      # -- Enable prometheus metrics for hubble-relay on the configured port at
      # /metrics
      prometheus:
@@ -140,7 +131,7 @@ index 7c18e03..f207696 100644
        port: 9966
        serviceMonitor:
          # -- Enable service monitors.
-@@ -1528,7 +1544,7 @@ hubble:
+@@ -1528,7 +1535,7 @@ hubble:
        port: 6062
    ui:
      # -- Whether to enable the Hubble UI.
@@ -149,7 +140,7 @@ index 7c18e03..f207696 100644
      standalone:
        # -- When true, it will allow installing the Hubble UI only, without checking dependencies.
        # It is useful if a cluster already has cilium and Hubble relay installed and you just
-@@ -1574,10 +1590,20 @@ hubble:
+@@ -1574,10 +1581,20 @@ hubble:
          repository: "${HUBBLE_UI_BACKEND_REPO}"
          tag: "${HUBBLE_UI_BACKEND_VERSION}"
          digest: "${HUBBLE_UI_BACKEND_DIGEST}"
@@ -172,7 +163,7 @@ index 7c18e03..f207696 100644
        # -- Additional hubble-ui backend environment variables.
        extraEnv: []
        # -- Additional hubble-ui backend volumes.
-@@ -1608,10 +1634,20 @@ hubble:
+@@ -1608,10 +1625,20 @@ hubble:
          repository: "${HUBBLE_UI_FRONTEND_REPO}"
          tag: "${HUBBLE_UI_FRONTEND_VERSION}"
          digest: "${HUBBLE_UI_FRONTEND_DIGEST}"
@@ -195,7 +186,7 @@ index 7c18e03..f207696 100644
        # -- Additional hubble-ui frontend environment variables.
        extraEnv: []
        # -- Additional hubble-ui frontend volumes.
-@@ -1635,7 +1671,8 @@ hubble:
+@@ -1635,7 +1662,8 @@ hubble:
      # -- Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui)
      annotations: {}
      # -- Annotations to be added to hubble-ui pods
@@ -205,7 +196,7 @@ index 7c18e03..f207696 100644
      # -- Labels to be added to hubble-ui pods
      podLabels: {}
      # PodDisruptionBudget settings
-@@ -1681,9 +1718,13 @@ hubble:
+@@ -1681,9 +1709,13 @@ hubble:
          maxUnavailable: 1
      # -- Security context to be added to Hubble UI pods
      securityContext:
@@ -220,7 +211,7 @@ index 7c18e03..f207696 100644
      # -- hubble-ui service configuration.
      service:
        # -- Annotations to be added for the Hubble UI service
-@@ -1901,9 +1942,9 @@ l2NeighDiscovery:
+@@ -1901,9 +1933,9 @@ l2NeighDiscovery:
  # -- Enable Layer 7 network policy.
  l7Proxy: true
  # -- Enable Local Redirect Policy.
@@ -232,7 +223,7 @@ index 7c18e03..f207696 100644
 
  # logOptions allows you to define logging options. eg:
  # logOptions:
-@@ -2081,7 +2122,7 @@ pprof:
+@@ -2081,7 +2113,7 @@ pprof:
    port: 6060
  # -- Configure prometheus metrics on the configured port at /metrics
  prometheus:
@@ -241,7 +232,7 @@ index 7c18e03..f207696 100644
    port: 9962
    serviceMonitor:
      # -- Enable service monitors.
-@@ -2118,7 +2159,8 @@ prometheus:
+@@ -2118,7 +2150,8 @@ prometheus:
    # The list is expected to be separated by a space. (+metric_foo to enable
    # metric_foo , -metric_bar to disable metric_bar).
    # ref: https://docs.cilium.io/en/stable/observability/metrics/
@@ -251,7 +242,7 @@ index 7c18e03..f207696 100644
    # --- Enable controller group metrics for monitoring specific Cilium
    # subsystems. The list is a list of controller group names. The special
    # values of "all" and "none" are supported. The set of controller
-@@ -2145,9 +2187,7 @@ envoy:
+@@ -2145,9 +2178,7 @@ envoy:
    # type: [null, boolean]
    # @schema
    # -- Enable Envoy Proxy in standalone DaemonSet.
@@ -262,7 +253,7 @@ index 7c18e03..f207696 100644
    # -- (int)
    # Set Envoy'--base-id' to use when allocating shared memory regions.
    # Only needs to be changed if multiple Envoy instances will run on the same node and may have conflicts. Supported values: 0 - 4294967295. Defaults to '0'
-@@ -2182,7 +2222,7 @@ envoy:
+@@ -2182,7 +2213,7 @@ envoy:
      tag: "${CILIUM_ENVOY_VERSION}"
      pullPolicy: "${PULL_POLICY}"
      digest: "${CILIUM_ENVOY_DIGEST}"
@@ -271,15 +262,15 @@ index 7c18e03..f207696 100644
    # -- Additional containers added to the cilium Envoy DaemonSet.
    extraContainers: []
    # -- Additional envoy container arguments.
-@@ -2462,6 +2502,7 @@ routingMode: ""
+@@ -2462,6 +2493,7 @@ routingMode: ""
  # @default -- Port 8472 for VXLAN, Port 6081 for Geneve
  tunnelPort: 0
  # -- Configure what the response should be to traffic for a service without backends.
 +# "reject" only works on kernels >= 5.10, on lower kernels we fallback to "drop".
  # Possible values:
  #  - reject (default)
  #  - drop
-@@ -2556,7 +2597,9 @@ operator:
+@@ -2556,7 +2588,9 @@ operator:
    # -- Additional cilium-operator container arguments.
    extraArgs: []
    # -- Additional cilium-operator environment variables.
@@ -290,7 +281,7 @@ index 7c18e03..f207696 100644
    # -- Additional cilium-operator hostPath mounts.
    extraHostPathMounts: []
    # - name: host-mnt-data
-@@ -2567,15 +2610,22 @@ operator:
+@@ -2567,15 +2601,22 @@ operator:
    #   mountPropagation: HostToContainer
 
    # -- Additional cilium-operator volumes.
@@ -316,7 +307,7 @@ index 7c18e03..f207696 100644
    # -- Annotations to be added to cilium-operator pods
    podAnnotations: {}
    # -- Labels to be added to cilium-operator pods
-@@ -2584,7 +2634,7 @@ operator:
+@@ -2584,7 +2625,7 @@ operator:
    podDisruptionBudget:
      # -- enable PodDisruptionBudget
      # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
@@ -325,7 +316,7 @@ index 7c18e03..f207696 100644
      # @schema
      # type: [null, integer, string]
      # @schema
-@@ -2607,8 +2657,17 @@ operator:
+@@ -2607,8 +2648,17 @@ operator:
    #     memory: 128Mi
 
    # -- Security context to be added to cilium-operator pods
@@ -345,7 +336,7 @@ index 7c18e03..f207696 100644
 
    # -- Interval for endpoint garbage collection.
    endpointGCInterval: "5m0s"
-@@ -2697,7 +2756,7 @@ nodeinit:
+@@ -2697,7 +2747,7 @@ nodeinit:
      repository: "${CILIUM_NODEINIT_REPO}"
      tag: "${CILIUM_NODEINIT_VERSION}"
      digest: "${CILIUM_NODEINIT_DIGEST}"
@@ -354,7 +345,7 @@ index 7c18e03..f207696 100644
      pullPolicy: "${PULL_POLICY}"
    # -- The priority class to use for the nodeinit pod.
    priorityClassName: ""
-@@ -3438,7 +3497,7 @@ authentication:
+@@ -3438,7 +3488,7 @@ authentication:
            repository: "${SPIRE_INIT_REPO}"
            tag: "${SPIRE_INIT_VERSION}"
            digest: "${SPIRE_INIT_DIGEST}"
@@ -363,7 +354,7 @@ index 7c18e03..f207696 100644
            pullPolicy: "${PULL_POLICY}"
          # SPIRE agent configuration
          agent:
-@@ -3451,7 +3510,7 @@ authentication:
+@@ -3451,7 +3501,7 @@ authentication:
              repository: "${SPIRE_AGENT_REPO}"
              tag: "${SPIRE_AGENT_VERSION}"
              digest: "${SPIRE_AGENT_DIGEST}"
@@ -372,7 +363,7 @@ index 7c18e03..f207696 100644
              pullPolicy: "${PULL_POLICY}"
            # -- SPIRE agent service account
            serviceAccount:
-@@ -3502,7 +3561,7 @@ authentication:
+@@ -3502,7 +3552,7 @@ authentication:
              repository: "${SPIRE_SERVER_REPO}"
              tag: "${SPIRE_SERVER_VERSION}"
              digest: "${SPIRE_SERVER_DIGEST}"
@@ -381,39 +372,11 @@ index 7c18e03..f207696 100644
              pullPolicy: "${PULL_POLICY}"
            # -- SPIRE server service account
            serviceAccount:
-@@ -3580,3 +3639,39 @@ authentication:
+@@ -3580,3 +3630,11 @@ authentication:
        agentSocketPath: /run/spire/sockets/agent/agent.sock
        # -- SPIRE connection timeout
        connectionTimeout: 30s
 +
-+defaultPolicies:
-+  enabled: false
-+  remove: false
-+  # -- Node tolerations for default-policies job scheduling to nodes with taints
-+  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
-+  tolerations:
-+  - operator: Exists
-+
-+extraPolicies:
-+  remove: false
-+
-+  allowEgressToCoreDNS:
-+    enabled: false
-+    namespaces:
-+      - giantswarm
-+      - kube-system
-+
-+  allowEgressToProxy:
-+    enabled: false
-+    httpProxy: ""
-+    httpsProxy: ""
-+    namespaces:
-+      - giantswarm
-+      - kube-system
-+
-+  tolerations:
-+    - operator: Exists
-+
 +# If true, it adds an initContainer to cilium-agent pods that cleans up any legacy kube-proxy iptables rules from the node before running cilium.
 +# Only makes sense when `kubeProxyReplacement` is enabled (i.e. not set to 'disabled').
 +cleanupKubeProxy: false

helm/cilium/README.md

@@ -284,9 +284,6 @@ contributors across the globe, there is almost always someone available to help.
 | dashboards | object | `{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}` | Grafana dashboards for cilium-agent grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards |
 | debug.enabled | bool | `false` | Enable debug logging |
 | debug.verbose | string | `nil` | Configure verbosity levels for debug logging This option is used to enable debug messages for operations related to such sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is for enabling debug messages emitted per request, message and connection. Multiple values can be set via a space-separated string (e.g. "datapath envoy").  Applicable values: - flow - kvstore - envoy - datapath - policy |
-| defaultPolicies.enabled | bool | `false` |  |
-| defaultPolicies.remove | bool | `false` |  |
-| defaultPolicies.tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for default-policies job scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
 | directRoutingSkipUnreachable | bool | `false` | Enable skipping of PodCIDR routes between worker nodes if the worker nodes are in a different L2 network segment. |
 | disableEndpointCRD | bool | `false` | Disable the usage of CiliumEndpoint CRD. |
 | dnsPolicy | string | `""` | DNS policy for Cilium agent pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy |
@@ -413,16 +410,6 @@ contributors across the globe, there is almost always someone available to help.
 | extraEnv | list | `[]` | Additional agent container environment variables. |
 | extraHostPathMounts | list | `[]` | Additional agent hostPath mounts. |
 | extraInitContainers | list | `[]` | Additional initContainers added to the cilium Daemonset. |
-| extraPolicies.allowEgressToCoreDNS.enabled | bool | `false` |  |
-| extraPolicies.allowEgressToCoreDNS.namespaces[0] | string | `"giantswarm"` |  |
-| extraPolicies.allowEgressToCoreDNS.namespaces[1] | string | `"kube-system"` |  |
-| extraPolicies.allowEgressToProxy.enabled | bool | `false` |  |
-| extraPolicies.allowEgressToProxy.httpProxy | string | `""` |  |
-| extraPolicies.allowEgressToProxy.httpsProxy | string | `""` |  |
-| extraPolicies.allowEgressToProxy.namespaces[0] | string | `"giantswarm"` |  |
-| extraPolicies.allowEgressToProxy.namespaces[1] | string | `"kube-system"` |  |
-| extraPolicies.remove | bool | `false` |  |
-| extraPolicies.tolerations[0].operator | string | `"Exists"` |  |
 | extraVolumeMounts | list | `[]` | Additional agent volumeMounts. |
 | extraVolumes | list | `[]` | Additional agent volumes. |
 | forceDeviceDetection | bool | `false` | Forces the auto-detection of devices, even if specific devices are explicitly listed |