The Goal:

Allow users to easily implement secure NetworkPolicy for chart-installed apps

Constraints

(there are always a few...)

• Principle of Least Surprise
• Security the Easy Way
• Composability with other policies in other apps

Proposal:

• Master networkPolicy.enabled value: if false, no NetworkPolicy resources are created
• Policy manifest per app component
• Optional on-by-default flag for allowing external traffic (if false/unset, allow traffic only from specifically-labeled pods)
  • Dan Osborne (@ozdanborne) is already doing these, e.g. Prometheus, Redis charts
• Optional off-by-default deny-all policy controlled by networkPolicy.defaultDenyAll

Proposed next steps:

1. Document @ozdanborne's existing practices as best practices
2. Look through stable chart NetworkPolicy implementations for other practices to add or deprecate
3. Further discussion as needed
   • Egress filtering
   • NetworkPolicy changes in Kubernetes
   • etc.

The Goal:

Treat chart aliasing, dependencies and exporting values to child charts as part of a unified whole

Basic issues

• Aliases don't work consistently with locally-stored subcharts vs. charts in a remote repo
• Creating names that are unique and consistent across a chart dependency tree is hard
• It would often be useful to set values to the same thing in a parent chart and its child charts
• These things are all part of a single system and should work in a unified way

Proposal:

• Aliased charts should always be referrable by their alias, whether local or remote
• There should be an easy way to create values that are consistent for all charts in a chart tree
• There should be a way to export values from the parent chart's value tree to child charts without repeating those values again in the child charts' value trees

Relevant GitHub issues

• Can't refer to aliased subcharts by alias names in master chart (helm#2993)
• proposal: Helm dynamic aliases (helm#3126)
• Helm should allow easier "management" of child charts placed manually in `charts` (helm#3221)
• Add 'export-values' to requirements (helm#3242)
• Ability to read the parent Chart.yaml from Dependency (helm#3307)
• [proposal] refactor aliases for subcharts (helm#3314)
• Add a new stable chart "weave-scope" (charts/#1719)
  • Discussion of things I tried to do while writing my first chart that didn't work