chore(kafka): modify networkpolicy

Author: jianxiaoguo

addons/flink/1.17/chart/flink/templates/jobmanager/networkpolicy.yaml

@@ -73,6 +73,18 @@ spec:
         - podSelector:
             matchLabels:
               {{ template "flink.jobmanager.fullname" . }}-client: "true"
+        {{- if .Values.jobmanager.networkPolicy.allowCurrentNamespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+        {{- end }}
+        {{- range $namespace := .Values.jobmanager.networkPolicy.allowNamespaces }}
+        {{- if $namespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ $namespace }}
+        {{- end }}
+        {{- end }}
         {{- if .Values.jobmanager.networkPolicy.ingressNSMatchLabels }}
         - namespaceSelector:
             matchLabels:

addons/flink/1.17/chart/flink/templates/taskmanager/headless-service.yml

@@ -1,5 +1,5 @@
 {{- /*
-Copyright VMware, Inc.
+Copyright Drycc Community.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 

addons/flink/1.17/chart/flink/templates/taskmanager/networkpolicy.yaml

@@ -1,5 +1,5 @@
 {{- /*
-Copyright VMware, Inc.
+Copyright Drycc Community.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
@@ -49,6 +49,7 @@ spec:
     - ports:
         - port: {{ .Values.taskmanager.containerPorts.data }}
         - port: {{ .Values.taskmanager.containerPorts.rpc }}
+        - port: {{ .Values.taskmanager.containerPorts.internalMetrics }}
       to:
         - podSelector:
             matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
@@ -62,16 +63,25 @@ spec:
     {{- if eq .Values.taskmanager.service.type "LoadBalancer" }}
     - {}
     {{- else }}
-    - ports:
-        - port: {{ .Values.taskmanager.containerPorts.data }}
-        - port: {{ .Values.taskmanager.containerPorts.rpc }}
-      {{- if not .Values.taskmanager.networkPolicy.allowExternal }}
-      from:
+    - from:
+        {{- if not .Values.taskmanager.networkPolicy.allowExternal }}
         - podSelector:
             matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
         - podSelector:
             matchLabels:
               {{ template "flink.taskmanager.fullname" . }}-client: "true"
+        {{- if .Values.taskmanager.networkPolicy.allowCurrentNamespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+        {{- end }}
+        {{- range $namespace := .Values.taskmanager.networkPolicy.allowNamespaces }}
+        {{- if $namespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ $namespace }}
+        {{- end }}
+        {{- end }}
         {{- if .Values.taskmanager.networkPolicy.ingressNSMatchLabels }}
         - namespaceSelector:
             matchLabels:

addons/flink/1.17/chart/flink/templates/taskmanager/statefulset.yaml

@@ -1,5 +1,5 @@
 {{- /*
-Copyright VMware, Inc.
+Copyright Drycc Community.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 

addons/flink/1.17/chart/flink/values.yaml

@@ -303,10 +303,12 @@ jobmanager:
     ## on. When true, server will accept connections from any source
     ## (with the correct destination port).
     ##
-    allowExternal: true
+    allowExternal: false
     ## @param jobmanager.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
     ##
     allowExternalEgress: true
+    allowCurrentNamespace: true
+    allowNamespaces: []
     ## @param jobmanager.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
     ## e.g:
     ## extraIngress:
@@ -672,10 +674,12 @@ taskmanager:
     ## on. When true, server will accept connections from any source
     ## (with the correct destination port).
     ##
-    allowExternal: true
+    allowExternal: false
     ## @param taskmanager.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
     ##
     allowExternalEgress: true
+    allowCurrentNamespace: true
+    allowNamespaces: []
     ## @param taskmanager.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
     ## e.g:
     ## extraIngress:

addons/flink/1.17/meta.yaml

@@ -18,12 +18,18 @@ allow_parameters:
 - name: "jobmanager.service.type"
   required: false
   description: "jobmanager service type config for values.yaml"
+- name: "jobmanager.networkPolicy.allowNamespaces"
+  required: false
+  description: "jobmanager networkPolicy allowNamespaces config for values.yaml"
 - name: "jobmanager.extraEnvVars"
   required: false
   description: "jobmanager extraEnvVars config for values.yaml"
 - name: "taskmanager.service.type"
   required: false
   description: "taskmanager service type config for values.yaml"
+- name: "taskmanager.networkPolicy.allowNamespaces"
+  required: false
+  description: "taskmanager networkPolicy allowNamespaces config for values.yaml"
 - name: "taskmanager.extraEnvVars"
   required: false
   description: "taskmanager extraEnvVars config for values.yaml"