chore(mysql-cluster): modify networkpolicy (#8)

* chore(mysql-cluster): modify networkpolicy

* fix(prometheus): fix typo

Author: EamonZhang

addons/mysql-cluster/8.0/chart/mysql-cluster/templates/networkpolicy.yaml

@@ -23,23 +23,24 @@ spec:
   ingress:
     # Allow inbound connections
     - ports:
-        - port: {{ .Values.primary.service.ports.mysql }}
-      {{- if not .Values.networkPolicy.allowExternal }}
+      - port: {{ .Values.router.service.portrw }}
+      - port: {{ .Values.router.service.portro }}
+      {{- if and .Values.metrics.enabled }}
+      - port: {{ .Values.metrics.service.port }}
+      {{ end }} 
+      {{- if or .Values.networkPolicy.allowCurrentNamespace .Values.networkPolicy.allowNamespaces }}
       from:
-        - podSelector:
+      {{- if .Values.networkPolicy.allowCurrentNamespace }}
+        - namespaceSelector:
             matchLabels:
-              {{ template "common.names.fullname" . }}-client: "true"
-          {{- if .Values.networkPolicy.explicitNamespacesSelector }}
-          namespaceSelector:
-{{ toYaml .Values.networkPolicy.explicitNamespacesSelector | indent 12 }}
-          {{- end }}
-        - podSelector:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+      {{- end }}
+      {{- range $namespace := .Values.networkPolicy.allowNamespaces }}
+      {{- if $namespace }}
+        - namespaceSelector:
             matchLabels:
-            {{- include "common.labels.matchLabels" . | nindent 14 }}
+              kubernetes.io/metadata.name: {{ $namespace }}
       {{- end }}
-    {{- if .Values.metrics.enabled }}
-    # Allow prometheus scrapes
-    - ports:
-        - port: 9104
-    {{- end }}
+      {{- end }}
+  {{- end }}
 {{- end }}

addons/mysql-cluster/8.0/chart/mysql-cluster/values.yaml

@@ -971,28 +971,16 @@ rbac:
 networkPolicy:
   ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources
   ##
-  enabled: false
+  enabled: true
   ## @param networkPolicy.allowExternal The Policy model to apply.
   ## When set to false, only pods with the correct
   ## client label will have network access to the port MySQL is listening
   ## on. When true, MySQL will accept connections from any source
   ## (with the correct destination port).
   ##
-  allowExternal: true
-  ## @param networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed to MySQL
-  ## If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
-  ## and that match other criteria, the ones that have the good label, can reach the DB.
-  ## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this
-  ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
-  ##
-  ## Example:
-  ## explicitNamespacesSelector:
-  ##   matchLabels:
-  ##     role: frontend
-  ##   matchExpressions:
-  ##    - {key: role, operator: In, values: [frontend]}
-  ##
-  explicitNamespacesSelector: {}
+  allowCurrentNamespace: true
+  allowNamespaces: []
+  
 
 ## @section Volume Permissions parameters
 
@@ -1035,7 +1023,7 @@ volumePermissions:
 metrics:
   ## @param metrics.enabled Start a side-car prometheus exporter
   ##
-  enabled: false
+  enabled: true
   ## @param metrics.image.registry Exporter image registry
   ## @param metrics.image.repository Exporter image repository
   ## @param metrics.image.tag Exporter image tag (immutable tags are recommended)
@@ -1132,6 +1120,17 @@ metrics:
     ##    cpu: 100m
     ##    memory: 256Mi
     requests: {}
+  containerSecurityContext:
+    enabled: true
+    runAsUser: 1001
+    runAsGroup: 0
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+        - ALL
   ## Mysqld Prometheus exporter liveness probe
   ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
   ## @param metrics.livenessProbe.enabled Enable livenessProbe