Merge pull request #1408 from pikasTech/fix/1400-webui-trigger-egress

fix(web-sentinel): allow dashboard-trigger egress to the apiserver
Lyon
2026-07-01 19:51:37 +08:00
committed by GitHub
2 changed files with 18 additions and 1 deletions
@@ -34,6 +34,11 @@ baselines:
tracesEndpoint: http://otel-collector.platform-infra.svc.cluster.local:4318/v1/traces
sampler: parentbased_traceidratio
samplerArg: "1"
kubernetesApi:
egress:
enabled: true
cidr: 10.43.0.1/32
port: 443
scheduler15m: &scheduler-15m
intervalMs: 900000
heartbeatStaleSeconds: 900
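Review bot: `cidr: 10.43.0.1/32` under the new `kubernetesApi.egress` block is a cluster-specific address (it looks like the ClusterIP of the `kubernetes` service, which is derived from the cluster's service CIDR) committed into a shared baseline with nothing saying where it comes from, so a sentinel rendered against a cluster with a different service range gets an egress rule that allows the wrong host and the dashboard trigger fails in a way that is hard to trace back to this file. Add a comment above the value such as `# ClusterIP of the kubernetes.default service; must match the target cluster's service CIDR` and consider whether this belongs in a per-cluster override rather than the baseline. The `enabled: true` default also means every consumer of the baseline now opens this egress path, which is worth stating in the same comment if that is intended. The enclosing `baselines:` document starts outside the hunk.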
+13 -1
@@ -1075,6 +1075,7 @@ function renderSentinelManifests(
const pvcStorage = stringAt(runtime, "pvcStorage");
const stateRoot = stringAt(runtime, "stateRoot");
const sentinelEnv = sentinelContainerEnv(sentinelId, runtime, cicd, secrets);
const kubernetesApiEgress = sentinelKubernetesApiEgress(runtime);
const cadenceJob = sentinelCadenceCronJobPlan(spec, sentinelId, runtime, cicd, scenarios, image.ref, sentinelEnv);
if (cadenceJob !== null) {
emitWebProbeSentinelSpan({
@@ -1221,7 +1222,10 @@ function renderSentinelManifests(
podSelector: { matchLabels: { "app.kubernetes.io/name": deploymentName } },
policyTypes: ["Ingress", "Egress"],
ingress: [{ from: [{ namespaceSelector: {} }], ports: [{ protocol: "TCP", port: servicePort }] }],
egress: [{ to: [{ namespaceSelector: {} }] }],
egress: [
{ to: [{ namespaceSelector: {} }] },
...kubernetesApiEgress,
],
},
},
{
@@ -1242,6 +1246,14 @@ function renderSentinelManifests(
];
}
function sentinelKubernetesApiEgress(runtime: Record<string, unknown>): readonly Record<string, unknown>[] {
if (booleanAtNullable(runtime, "kubernetesApi.egress.enabled") !== true) return [];
return [{
to: [{ ipBlock: { cidr: stringAt(runtime, "kubernetesApi.egress.cidr") } }],
ports: [{ protocol: "TCP", port: numberAt(runtime, "kubernetesApi.egress.port") }],
}];
}
function sentinelContainerEnv(sentinelId: string, runtime: Record<string, unknown>, cicd: Record<string, unknown>, secrets: Record<string, unknown>): readonly Record<string, unknown>[] {
const env: Record<string, unknown>[] = [{ name: "UNIDESK_WEB_PROBE_SENTINEL_ID", value: sentinelId }];
const otelEnabled = booleanAtNullable(runtime, "observability.otel.enabled") ?? booleanAtNullable(cicd, "observability.otel.enabled") ?? false;
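Review bot: In the `@@ -1242` hunk, `sentinelKubernetesApiEgress` copies `kubernetesApi.egress.cidr` and `kubernetesApi.egress.port` straight into the NetworkPolicy `ipBlock`/`ports` entries with no shape check, so a malformed or over-broad value (a cidr without a prefix length, or something like `0.0.0.0/0`) is rendered silently and widens the egress allow-list instead of failing at render time; `stringAt`/`numberAt` presumably only guard presence and type, not content. A second point to document rather than fix here: the rule targets a ClusterIP, and on some CNIs policy is evaluated after kube-proxy's DNAT, so the destination seen is the apiserver endpoint address rather than the ClusterIP and the rule never matches — confirm this on the target cluster and record the result in a comment above the function. The validation below is a minimal syntactic check; it does not verify octet ranges or that the address really is the apiserver.
```typescript
function sentinelKubernetesApiEgress(runtime: Record<string, unknown>): readonly Record<string, unknown>[] {
  if (booleanAtNullable(runtime, "kubernetesApi.egress.enabled") !== true) return [];
  const cidr = stringAt(runtime, "kubernetesApi.egress.cidr");
  const port = numberAt(runtime, "kubernetesApi.egress.port");
  // Reject anything that is not a well-formed IPv4 CIDR so a config typo cannot
  // silently widen the egress allow-list rendered into the NetworkPolicy.
  if (!/^(\d{1,3}\.){3}\d{1,3}\/(3[0-2]|[12]?\d)$/.test(cidr)) {
    throw new Error(`kubernetesApi.egress.cidr must be an IPv4 CIDR, got ${JSON.stringify(cidr)}`);
  }
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`kubernetesApi.egress.port must be an integer in 1-65535, got ${port}`);
  }
  return [{
    to: [{ ipBlock: { cidr } }],
    ports: [{ protocol: "TCP", port }],
  }];
}
```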