2.8 to 2.9

Upgraded Kustomize Version

Note that bundled Kustomize version has been upgraded from 5.1.0 to 5.2.1.

Egress NetworkPolicy for argocd-redis and argocd-redis-ha-haproxy

Starting with Argo CD 2.9.16, the NetworkPolicy for the argocd-redis and argocd-redis-ha-haproxy dropped Egress restrictions. This change was made to allow access to the Kubernetes API to create a secret to secure Redis access.

To retain similar networking restrictions as before 2.9.16, you can add an Egress rule to allow access only to the Kubernetes API and access needed by Redis itself. The Egress rule for Kubernetes access will depend entirely on your Kubernetes setup. The access for Redis itself can be allowed by adding the following to the argocd-redis-network-policy NetworkPolicy:

  1. kind: NetworkPolicy
  2. apiVersion: networking.k8s.io/v1
  3. metadata:
  4.   name: argocd-redis-network-policy
  5. spec:
  6.   policyTypes:
  7.   - Ingress
  8. +  - Egress
  9. +  egress:
  10. +  - ports:
  11. +    - port: 53
  12. +      protocol: UDP
  13. +    - port: 53
  14. +      protocol: TCP
  1. kind: NetworkPolicy
  2. apiVersion: networking.k8s.io/v1
  3. metadata:
  4.   name: argocd-redis-ha-haproxy
  5. spec:
  6.   policyTypes:
  7.   - Ingress
  8. +  - Egress
  9. +  egress:
  10. +  - ports:
  11. +    - port: 6379
  12. +      protocol: TCP
  13. +    - port: 26379
  14. +      protocol: TCP
  15. +    to:
  16. +    - podSelector:
  17. +        matchLabels:
  18. +          app.kubernetes.io/name: argocd-redis-ha
  19. +  - ports:
  20. +    - port: 53
  21. +      protocol: UDP
  22. +    - port: 53
  23. +      protocol: TCP