Network Policies are actually don't block anything

[behoof4mind]

Hi Team,

As a customer I wan't to have an option to restrict access to Gdata-VaaS service inside Kubernetes cluster.
Unfortunately I have noticed, that with current helm chart implementation network policies does not block anything. Ingress rules does not have From: field, and Egress rules on the other hand does not have To: fields.

I have tried to add custom networkPolicy outside of the Helm Chart, but there is no way how I can differentiate gateway and gdscan pods, because they have completely the same labels (usually app.kubernetes.io/instance is using for this purpose).

Could you maybe fix it? Good example how it could be done is actually in the Redis helm chart here.

Thank you in advance and best regards.

[pstadermann]

Hi behoof4mind,

thank you for your feedback. We will look into

• Explicit from and to Ingress/Egress rules
• Allow selecting pods in custom networkPolicies
• Example for custom networkPolicy

A solution will be ready at the end of the week.

Cheers!

[GermanCoding]

Updated in chart version 2.1.0:

• app.kubernetes.io/name is now different for gateway and gdscan pods
• default network policy is more restrictive where possible