10 files changed

+161
-77
lines changed
 

‎docs/operator-manual/upgrading/2.10-2.11.md

+54-1
Original file line numberDiff line numberDiff line change
@@ -2,4 +2,57 @@
22

33
## initiatedBy added in Application CRD
44

5-
In order to address [argoproj/argo-cd#16612](https://github.com/argoproj/argo-cd/issues/16612), initiatedBy has been added in the Application CRD.
5+
In order to address [argoproj/argo-cd#16612](https://github.com/argoproj/argo-cd/issues/16612), initiatedBy has been added in the Application CRD.
6+
7+
## Egress NetworkPolicy for `argocd-redis` and `argocd-redis-ha-haproxy`
8+
9+
Starting with Argo CD 2.11.2, the NetworkPolicy for the `argocd-redis` and `argocd-redis-ha-haproxy` dropped Egress restrictions. This change was made
10+
to allow access to the Kubernetes API to create a secret to secure Redis access.
11+
12+
To retain similar networking restrictions as before 2.11.2, you can add an Egress rule to allow access only to the
13+
Kubernetes API and access needed by Redis itself. The Egress rule for Kubernetes access will depend entirely on your
14+
Kubernetes setup. The access for Redis itself can be allowed by adding the following to the
15+
`argocd-redis-network-policy` NetworkPolicy:
16+
17+
```diff
18+
kind: NetworkPolicy
19+
apiVersion: networking.k8s.io/v1
20+
metadata:
21+
name: argocd-redis-network-policy
22+
spec:
23+
policyTypes:
24+
- Ingress
25+
+ - Egress
26+
+ egress:
27+
+ - ports:
28+
+ - port: 53
29+
+ protocol: UDP
30+
+ - port: 53
31+
+ protocol: TCP
32+
```
33+
34+
```diff
35+
kind: NetworkPolicy
36+
apiVersion: networking.k8s.io/v1
37+
metadata:
38+
name: argocd-redis-ha-haproxy
39+
spec:
40+
policyTypes:
41+
- Ingress
42+
+ - Egress
43+
+ egress:
44+
+ - ports:
45+
+ - port: 6379
46+
+ protocol: TCP
47+
+ - port: 26379
48+
+ protocol: TCP
49+
+ to:
50+
+ - podSelector:
51+
+ matchLabels:
52+
+ app.kubernetes.io/name: argocd-redis-ha
53+
+ - ports:
54+
+ - port: 53
55+
+ protocol: UDP
56+
+ - port: 53
57+
+ protocol: TCP
58+
```
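
Review bot: The second snippet's `name: argocd-redis-ha-haproxy` (new line 38) does not match the policy this commit edits in manifests/ha/install.yaml, which is named `argocd-redis-ha-proxy-network-policy`, so a reader following the snippet as written is not patching the shipped policy. Suggest using the shipped name in the snippet, and extending the lead-in on new lines 14-15, which mentions only `argocd-redis-network-policy`, so that it introduces the HA proxy policy as well.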

‎docs/operator-manual/upgrading/2.8-2.9.md

+53
@@ -3,3 +3,56 @@
33
## Upgraded Kustomize Version
44

55
Note that bundled Kustomize version has been upgraded from 5.1.0 to 5.2.1.
6+
7+
## Egress NetworkPolicy for `argocd-redis` and `argocd-redis-ha-haproxy`
8+
9+
Starting with Argo CD 2.9.16, the NetworkPolicy for the `argocd-redis` and `argocd-redis-ha-haproxy` dropped Egress restrictions. This change was made
10+
to allow access to the Kubernetes API to create a secret to secure Redis access.
11+
12+
To retain similar networking restrictions as before 2.9.16, you can add an Egress rule to allow access only to the
13+
Kubernetes API and access needed by Redis itself. The Egress rule for Kubernetes access will depend entirely on your
14+
Kubernetes setup. The access for Redis itself can be allowed by adding the following to the
15+
`argocd-redis-network-policy` NetworkPolicy:
16+
17+
```diff
18+
kind: NetworkPolicy
19+
apiVersion: networking.k8s.io/v1
20+
metadata:
21+
name: argocd-redis-network-policy
22+
spec:
23+
policyTypes:
24+
- Ingress
25+
+ - Egress
26+
+ egress:
27+
+ - ports:
28+
+ - port: 53
29+
+ protocol: UDP
30+
+ - port: 53
31+
+ protocol: TCP
32+
```
33+
34+
```diff
35+
kind: NetworkPolicy
36+
apiVersion: networking.k8s.io/v1
37+
metadata:
38+
name: argocd-redis-ha-haproxy
39+
spec:
40+
policyTypes:
41+
- Ingress
42+
+ - Egress
43+
+ egress:
44+
+ - ports:
45+
+ - port: 6379
46+
+ protocol: TCP
47+
+ - port: 26379
48+
+ protocol: TCP
49+
+ to:
50+
+ - podSelector:
51+
+ matchLabels:
52+
+ app.kubernetes.io/name: argocd-redis-ha
53+
+ - ports:
54+
+ - port: 53
55+
+ protocol: UDP
56+
+ - port: 53
57+
+ protocol: TCP
58+
```
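
Review bot: Missing caveat at the first snippet (new lines 17-32): with `- Egress` back in `policyTypes` and only port 53 allowed, the `argocd-redis` pods cannot reach the Kubernetes API, which the paragraph on new lines 9-10 gives as the reason the restriction was dropped. The prose does say the Kubernetes rule depends on the cluster, but the snippet reads as complete on its own; suggest stating directly before it that it must be combined with an egress rule for the API server, or adding a commented placeholder rule inside the snippet.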

‎docs/operator-manual/upgrading/2.9-2.10.md

+53
@@ -14,3 +14,56 @@ before enabling `managedNamespaceMetadata` on an existing namespace.
1414
## Upgraded Helm Version
1515

1616
Note that bundled Helm version has been upgraded from 3.13.2 to 3.14.3.
17+
18+
## Egress NetworkPolicy for `argocd-redis` and `argocd-redis-ha-haproxy`
19+
20+
Starting with Argo CD 2.10.11, the NetworkPolicy for the `argocd-redis` and `argocd-redis-ha-haproxy` dropped Egress restrictions. This change was made
21+
to allow access to the Kubernetes API to create a secret to secure Redis access.
22+
23+
To retain similar networking restrictions as before 2.10.11, you can add an Egress rule to allow access only to the
24+
Kubernetes API and access needed by Redis itself. The Egress rule for Kubernetes access will depend entirely on your
25+
Kubernetes setup. The access for Redis itself can be allowed by adding the following to the
26+
`argocd-redis-network-policy` NetworkPolicy:
27+
28+
```diff
29+
kind: NetworkPolicy
30+
apiVersion: networking.k8s.io/v1
31+
metadata:
32+
name: argocd-redis-network-policy
33+
spec:
34+
policyTypes:
35+
- Ingress
36+
+ - Egress
37+
+ egress:
38+
+ - ports:
39+
+ - port: 53
40+
+ protocol: UDP
41+
+ - port: 53
42+
+ protocol: TCP
43+
```
44+
45+
```diff
46+
kind: NetworkPolicy
47+
apiVersion: networking.k8s.io/v1
48+
metadata:
49+
name: argocd-redis-ha-haproxy
50+
spec:
51+
policyTypes:
52+
- Ingress
53+
+ - Egress
54+
+ egress:
55+
+ - ports:
56+
+ - port: 6379
57+
+ protocol: TCP
58+
+ - port: 26379
59+
+ protocol: TCP
60+
+ to:
61+
+ - podSelector:
62+
+ matchLabels:
63+
+ app.kubernetes.io/name: argocd-redis-ha
64+
+ - ports:
65+
+ - port: 53
66+
+ protocol: UDP
67+
+ - port: 53
68+
+ protocol: TCP
69+
```
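
Review bot: Duplicated documentation: new lines 18-69 repeat, word for word, the section added to 2.10-2.11.md and 2.8-2.9.md in this same commit, with only the version number changed (2.10.11 here). Consider keeping the text and snippets on one shared page and linking to it from each upgrade note, so that a later correction to the snippets lands in a single place.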

‎manifests/base/redis/argocd-redis-network-policy.yaml

-7
@@ -8,7 +8,6 @@ spec:
88
app.kubernetes.io/name: argocd-redis
99
policyTypes:
1010
- Ingress
11-
- Egress
1211
ingress:
1312
- from:
1413
- podSelector:
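
Review bot: Removing `- Egress` from `policyTypes` (old line 11) means this policy no longer isolates egress from the `argocd-redis` pods at all, which is broader than the Kubernetes API access the upgrade notes give as the reason for the change. Suggest a YAML comment next to `policyTypes` recording why egress is left open and pointing to the upgrade notes, so the gap is not read as an oversight or re-tightened later without the API rule.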
@@ -23,9 +22,3 @@ spec:
2322
ports:
2423
- protocol: TCP
2524
port: 6379
26-
egress:
27-
- ports:
28-
- port: 53
29-
protocol: UDP
30-
- port: 53
31-
protocol: TCP

‎manifests/core-install.yaml

-7
@@ -21989,12 +21989,6 @@ kind: NetworkPolicy
2198921989
metadata:
2199021990
name: argocd-redis-network-policy
2199121991
spec:
21992-
egress:
21993-
- ports:
21994-
- port: 53
21995-
protocol: UDP
21996-
- port: 53
21997-
protocol: TCP
2199821992
ingress:
2199921993
- from:
2200021994
- podSelector:
@@ -22014,7 +22008,6 @@ spec:
2201422008
app.kubernetes.io/name: argocd-redis
2201522009
policyTypes:
2201622010
- Ingress
22017-
- Egress
2201822011
---
2201922012
apiVersion: networking.k8s.io/v1
2202022013
kind: NetworkPolicy

‎manifests/ha/base/redis-ha/argocd-redis-ha-proxy-network-policy.yaml

+1-16
@@ -8,7 +8,6 @@ spec:
88
app.kubernetes.io/name: argocd-redis-ha-haproxy
99
policyTypes:
1010
- Ingress
11-
- Egress
1211
ingress:
1312
- from:
1413
- podSelector:
@@ -25,18 +24,4 @@ spec:
2524
protocol: TCP
2625
- port: 26379
2726
protocol: TCP
28-
egress:
29-
- to:
30-
- podSelector:
31-
matchLabels:
32-
app.kubernetes.io/name: argocd-redis-ha
33-
ports:
34-
- port: 6379
35-
protocol: TCP
36-
- port: 26379
37-
protocol: TCP
38-
- ports:
39-
- port: 53
40-
protocol: UDP
41-
- port: 53
42-
protocol: TCP
27+
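
Review bot: New line 27 is an empty line added at the end of the file, and it is the only addition in this file (+1 -16). Drop it so the file ends at `protocol: TCP` on new line 26.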

‎manifests/ha/install.yaml

-16
@@ -24192,21 +24192,6 @@ kind: NetworkPolicy
2419224192
metadata:
2419324193
name: argocd-redis-ha-proxy-network-policy
2419424194
spec:
24195-
egress:
24196-
- ports:
24197-
- port: 6379
24198-
protocol: TCP
24199-
- port: 26379
24200-
protocol: TCP
24201-
to:
24202-
- podSelector:
24203-
matchLabels:
24204-
app.kubernetes.io/name: argocd-redis-ha
24205-
- ports:
24206-
- port: 53
24207-
protocol: UDP
24208-
- port: 53
24209-
protocol: TCP
2421024195
ingress:
2421124196
- from:
2421224197
- podSelector:
@@ -24228,7 +24213,6 @@ spec:
2422824213
app.kubernetes.io/name: argocd-redis-ha-haproxy
2422924214
policyTypes:
2423024215
- Ingress
24231-
- Egress
2423224216
---
2423324217
apiVersion: networking.k8s.io/v1
2423424218
kind: NetworkPolicy

‎manifests/ha/namespace-install.yaml

-16
@@ -3313,21 +3313,6 @@ kind: NetworkPolicy
33133313
metadata:
33143314
name: argocd-redis-ha-proxy-network-policy
33153315
spec:
3316-
egress:
3317-
- ports:
3318-
- port: 6379
3319-
protocol: TCP
3320-
- port: 26379
3321-
protocol: TCP
3322-
to:
3323-
- podSelector:
3324-
matchLabels:
3325-
app.kubernetes.io/name: argocd-redis-ha
3326-
- ports:
3327-
- port: 53
3328-
protocol: UDP
3329-
- port: 53
3330-
protocol: TCP
33313316
ingress:
33323317
- from:
33333318
- podSelector:
@@ -3349,7 +3334,6 @@ spec:
33493334
app.kubernetes.io/name: argocd-redis-ha-haproxy
33503335
policyTypes:
33513336
- Ingress
3352-
- Egress
33533337
---
33543338
apiVersion: networking.k8s.io/v1
33553339
kind: NetworkPolicy

‎manifests/install.yaml

-7
@@ -23030,12 +23030,6 @@ kind: NetworkPolicy
2303023030
metadata:
2303123031
name: argocd-redis-network-policy
2303223032
spec:
23033-
egress:
23034-
- ports:
23035-
- port: 53
23036-
protocol: UDP
23037-
- port: 53
23038-
protocol: TCP
2303923033
ingress:
2304023034
- from:
2304123035
- podSelector:
@@ -23055,7 +23049,6 @@ spec:
2305523049
app.kubernetes.io/name: argocd-redis
2305623050
policyTypes:
2305723051
- Ingress
23058-
- Egress
2305923052
---
2306023053
apiVersion: networking.k8s.io/v1
2306123054
kind: NetworkPolicy

‎manifests/namespace-install.yaml

-7
@@ -2151,12 +2151,6 @@ kind: NetworkPolicy
21512151
metadata:
21522152
name: argocd-redis-network-policy
21532153
spec:
2154-
egress:
2155-
- ports:
2156-
- port: 53
2157-
protocol: UDP
2158-
- port: 53
2159-
protocol: TCP
21602154
ingress:
21612155
- from:
21622156
- podSelector:
@@ -2176,7 +2170,6 @@ spec:
21762170
app.kubernetes.io/name: argocd-redis
21772171
policyTypes:
21782172
- Ingress
2179-
- Egress
21802173
---
21812174
apiVersion: networking.k8s.io/v1
21822175
kind: NetworkPolicy
