gitea_admin/application
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
282c3e52d0d6a4614b1754f0a79dac17509e4361
application/vcluster-0.21.1/templates/networkpolicy.yaml
behrooz dc18529168 rename old
2025-08-18 10:58:51 +03:30

107 lines
3.2 KiB
YAML
Raw Blame History

{{- if .Values.policies.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: vc-work-{{ .Release.Name }}
{{- if .Values.experimental.syncSettings.targetNamespace }}
namespace: {{ .Values.experimental.syncSettings.targetNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if .Values.policies.networkPolicy.labels }}
{{ toYaml .Values.policies.networkPolicy.labels | indent 4 }}
{{- end }}
{{- $annotations := merge dict .Values.controlPlane.advanced.globalMetadata.annotations .Values.policies.networkPolicy.annotations }}
{{- if $annotations }}
annotations:
{{ toYaml $annotations | indent 4 }}
{{- end }}
spec:
podSelector:
matchLabels:
vcluster.loft.sh/managed-by: {{ .Release.Name }}
egress:
# Allows outgoing connections to the vcluster control plane
- ports:
- port: 443
- port: 8443
to:
- podSelector:
matchLabels:
release: {{ .Release.Name }}
# Allows outgoing connections to DNS server
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
# Allows outgoing connections to the internet or
# other vcluster workloads
- to:
- podSelector:
matchLabels:
vcluster.loft.sh/managed-by: {{ .Release.Name }}
- ipBlock:
cidr: {{ .Values.policies.networkPolicy.outgoingConnections.ipBlock.cidr }}
except:
{{- range .Values.policies.networkPolicy.outgoingConnections.ipBlock.except }}
- {{ . }}
{{- end }}
policyTypes:
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: vc-cp-{{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if .Values.policies.networkPolicy.labels }}
{{ toYaml .Values.policies.networkPolicy.labels | indent 4 }}
{{- end }}
{{- $annotations := merge dict .Values.controlPlane.advanced.globalMetadata.annotations .Values.policies.networkPolicy.annotations }}
{{- if $annotations }}
annotations:
{{ toYaml $annotations | indent 4 }}
{{- end }}
spec:
podSelector:
matchLabels:
release: {{ .Release.Name }}
egress:
# Allows outgoing connections to all pods with
# port 443, 8443 or 6443. This is needed for host Kubernetes
# access
- ports:
- port: 443
- port: 8443
- port: 6443
# Allows outgoing connections to all vcluster workloads
# or kube system dns server
- to:
- podSelector: {}
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: 'kube-system'
podSelector:
matchLabels:
k8s-app: kube-dns
{{- if .Values.policies.networkPolicy.outgoingConnections.platform }}
- podSelector:
matchLabels:
app: loft
namespaceSelector: {}
{{- end }}
policyTypes:
- Egress
{{- end }}
Reference in New Issue View Git Blame Copy Permalink