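# Copyright (c) 2021, 2023, Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
#
# Ingress NetworkPolicies for the third-party components that Verrazzano installs.
# Every policy in this file lists only "Ingress" in policyTypes, so egress from the
# selected pods is left unrestricted; that is what "Egress: allow all" means in the
# per-policy comments below. Most namespace peers are matched on the
# verrazzano.io/namespace label rather than on the namespace name, so a namespace
# that lacks that label is not admitted even if its name matches.
{{- if .Values.weblogicOperator.enabled }}
---
# Network policy for WebLogic operator
# Ingress: allow any port from any pod in istio-system
#          allow connect from Prometheus to scrape Envoy stats on port 15090
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: weblogic-operator
  namespace: {{ .Release.Namespace }}
spec:
  podSelector:
    matchLabels:
      app: weblogic-operator
  policyTypes:
    - Ingress
  ingress:
    # No ports listed: every port is reachable from istio-system pods
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: istio-system
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 15090
          protocol: TCP
{{- end }}
{{- if .Values.coherenceOperator.enabled }}
---
# Network policy for Coherence Operator
# Ingress: allow connect from Kubernetes API server to validating webhook port 9443
#          allow connect to port 8000 (no peer restriction)
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: coherence-operator
  namespace: {{ .Release.Namespace }}
spec:
  podSelector:
    matchLabels:
      control-plane: coherence
  policyTypes:
    - Ingress
  ingress:
    # No "from": these ports accept connections from any source. The API server
    # cannot be selected by pod or namespace labels, which is presumably why.
    - ports:
        - port: 9443
          protocol: TCP
        - port: 8000
          protocol: TCP
{{- end }}
{{- if .Values.grafana.enabled }}
---
# Network policy for VMI System Grafana
# Ingress: allow connect from the Verrazzano authproxy in verrazzano-system to port 3000
#          allow connect from Prometheus to scrape Envoy stats on port 15090
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vmi-system-grafana
  namespace: {{ .Release.Namespace }}
spec:
  podSelector:
    matchLabels:
      app: system-grafana
  policyTypes:
    - Ingress
  ingress:
    # NOTE(review): this peer hard-codes verrazzano-system while metadata.namespace
    # uses {{ .Release.Namespace }}; presumably they are the same value - confirm.
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-system
          podSelector:
            matchLabels:
              app: verrazzano-authproxy
      ports:
        - port: 3000
          protocol: TCP
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 15090
          protocol: TCP
{{- end }}
{{- if .Values.certManager.enabled }}
---
# Network policy for Cert Manager
# Ingress: allow connect from Prometheus for scraping metrics on port 9402
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  podSelector:
    matchLabels:
      app: cert-manager
  policyTypes:
    - Ingress
  ingress:
    # Port for scraping Prometheus metrics
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 9402
          protocol: TCP
{{- end }}
{{- if .Values.externaldns.enabled }}
---
# Network policy for External DNS
# Ingress: deny all
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: external-dns
  namespace: {{ .Values.externaldns.namespace }}
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: external-dns
  # "Ingress" with no ingress rules: all ingress to the selected pods is denied
  policyTypes:
    - Ingress
{{- end }}
{{- if .Values.keycloak.enabled }}
---
# Allow any pod in the keycloak namespace to have network ingress to any other pod
# in the keycloak namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: keycloak
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    # Empty podSelector with no namespaceSelector: every pod in this namespace
    - from:
        - podSelector: {}
---
# Network policy for Keycloak
# Ingress: allow nginx ingress and ingress from pods in the release namespace to port 8080
#          allow port 7800 from pods in the keycloak namespace
#          allow connect from Prometheus to scrape Envoy stats on port 15090
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: keycloak
  namespace: keycloak
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: keycloak
  policyTypes:
    - Ingress
  ingress:
    # NOTE(review): namespaceSelector and podSelector are separate list entries
    # here, so they are OR'd: any pod in the ingress namespace is admitted, and
    # the podSelector entry only matches pods in this policy's own namespace.
    # If the intent is "the ingress-controller pods in that namespace", the two
    # selectors belong in one entry - confirm with the owners before tightening.
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: {{ .Values.ingressNGINX.namespace }}
        - podSelector:
            matchLabels:
              app.kubernetes.io/instance: ingress-controller
      ports:
        - protocol: TCP
          port: 8080
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: {{ .Release.Namespace }}
      ports:
        - protocol: TCP
          port: 8080
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: keycloak
      ports:
        - protocol: TCP
          port: 7800
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 15090
          protocol: TCP
---
# Network policy for Keycloak MySQL
# Ingress: allow the MySQL ports from Keycloak pods, the load-dump job and the
#          mysqlrouter pods in this namespace, and from the mysql-operator
#          allow connect from Prometheus to scrape Envoy stats on port 15090
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: keycloak-mysql
  namespace: keycloak
spec:
  podSelector:
    matchLabels:
      tier: mysql
  policyTypes:
    - Ingress
  ingress:
    # Keycloak pods in this namespace
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: keycloak
      ports:
        - protocol: TCP
          port: 3306
        - protocol: TCP
          port: 33060
        - protocol: TCP
          port: 6446
        - protocol: TCP
          port: 6447
        - protocol: TCP
          port: 6448
        - protocol: TCP
          port: 6449
        - protocol: TCP
          port: 7800
    # mysql-operator pods in the mysql-operator namespace
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: mysql-operator
          podSelector:
            matchLabels:
              name: mysql-operator
      ports:
        - protocol: TCP
          port: 3306
        - protocol: TCP
          port: 33060
        - protocol: TCP
          port: 33061
    # load-dump job pods in this namespace
    - from:
        - podSelector:
            matchLabels:
              job-name: load-dump
      ports:
        - protocol: TCP
          port: 3306
        - protocol: TCP
          port: 33060
        - protocol: TCP
          port: 6446
        - protocol: TCP
          port: 6447
        - protocol: TCP
          port: 6448
        - protocol: TCP
          port: 6449
    # mysqlrouter pods in this namespace
    - from:
        - podSelector:
            matchLabels:
              component: mysqlrouter
      ports:
        - protocol: TCP
          port: 3306
        - protocol: TCP
          port: 33060
        - protocol: TCP
          port: 33061
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 15090
          protocol: TCP
{{- end }}
{{- if .Values.rancher.enabled }}
---
# Network policy for Rancher UI/API
# Ingress: allow any port from pods in cattle-system
#          allow any port from the cattle-fleet-system namespace and from fleet-controller pods
#          allow nginx ingress to ports 443 and 444
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: rancher
  namespace: cattle-system
spec:
  podSelector:
    matchLabels:
      app: rancher
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: cattle-system
    # This peer matches on the well-known namespace-name label rather than on
    # verrazzano.io/namespace like the rest of the file.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: cattle-fleet-system
        - podSelector:
            matchLabels:
              app: fleet-controller
    # NOTE(review): namespaceSelector and podSelector are separate list entries
    # here, so they are OR'd: any pod in the ingress namespace is admitted, and
    # the podSelector entry only matches pods in this policy's own namespace.
    # If the intent is "the ingress-controller pods in that namespace", the two
    # selectors belong in one entry - confirm with the owners before tightening.
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: {{ .Values.ingressNGINX.namespace }}
        - podSelector:
            matchLabels:
              app.kubernetes.io/instance: ingress-controller
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 444
---
# Network policy for Rancher webhook
# Ingress: allow access from Kubernetes API server for webhook port 9443
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: rancher-webhook
  namespace: cattle-system
spec:
  podSelector:
    matchLabels:
      app: rancher-webhook
  policyTypes:
    - Ingress
  ingress:
    # No "from": the webhook port accepts connections from any source
    - ports:
        - port: 9443
          protocol: TCP
{{- end }}
{{- if .Values.argocd.enabled }}
---
# Network policy for Argo CD UI/API
# Ingress: allow any port from pods in the argocd namespace
#          allow nginx ingress to ports 443 and 8080
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd
  namespace: argocd
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: argocd
    # NOTE(review): namespaceSelector and podSelector are separate list entries
    # here, so they are OR'd: any pod in the ingress namespace is admitted, and
    # the podSelector entry only matches pods in this policy's own namespace.
    # If the intent is "the ingress-controller pods in that namespace", the two
    # selectors belong in one entry - confirm with the owners before tightening.
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: {{ .Values.ingressNGINX.namespace }}
        - podSelector:
            matchLabels:
              app.kubernetes.io/instance: ingress-controller
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 8080
{{- end }}
{{- if .Values.ingressNGINX.enabled }}
---
# Network policy for NGINX Ingress controller
# Ingress: allow port 443 from anywhere
#          allow port 80 from verrazzano-system
#          allow ports 10254 and 15090 from Prometheus
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-nginx-controller
  namespace: {{ .Values.ingressNGINX.namespace }}
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: controller
  policyTypes:
    - Ingress
  ingress:
    # Allow ingress to port 443 from anywhere
    - ports:
        - port: 443
          protocol: TCP
    # Allow ingress to port 80 from verrazzano-system
    - ports:
        - port: 80
          protocol: TCP
      from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-system
    # Allow ingress to port 10254 from Prometheus to scrape metrics
    # Allow ingress to port 15090 from Prometheus to scrape Envoy stats
    - ports:
        - port: 10254
          protocol: TCP
        - port: 15090
          protocol: TCP
      from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
---
# Network policy for NGINX Ingress default-backend
# Ingress: allow port 8080 from the ingress-nginx controller pods in this namespace
#          allow port 15090 from Prometheus to scrape Envoy stats
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-nginx-default-backend
  namespace: {{ .Values.ingressNGINX.namespace }}
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: default-backend
  policyTypes:
    - Ingress
  ingress:
    # Allow ingress from ingress-nginx controller
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: controller
      ports:
        - port: 8080
          protocol: TCP
    - ports:
        - port: 15090
          protocol: TCP
      from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
{{- end }}
{{- if .Values.istio.enabled }}
---
# Network policy for istio-system pod communication
# Ingress: allow all pod-to-pod communication within the namespace
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: istio-system
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}
---
# Network policy for Istio ingress gateway
# Ingress: allow ingress to port 8443 from anywhere
#          allow ingress to port 15090 from Prometheus to scrape Envoy stats
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istio-ingressgateway
  namespace: istio-system
spec:
  podSelector:
    matchLabels:
      app: istio-ingressgateway
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - port: 8443
          protocol: TCP
    - ports:
        - port: 15090
          protocol: TCP
      from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
---
# Network policy for Istio egress gateway
# Ingress: allow ingress to port 8443 from anywhere
#          allow ingress to port 15090 from Prometheus to scrape Envoy stats
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istio-egressgateway
  namespace: istio-system
spec:
  podSelector:
    matchLabels:
      app: istio-egressgateway
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - port: 8443
          protocol: TCP
    - ports:
        - port: 15090
          protocol: TCP
      from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
---
# Network policy for Istio coredns
# Ingress: allow ingress to port 53 (UDP and TCP) from kube-system DNS
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istiocoredns
  namespace: istio-system
spec:
  podSelector:
    matchLabels:
      app: istiocoredns
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
      from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
---
# Network policy for Istiod
# Ingress: allow port 15012 (Istio proxy sidecar) from Verrazzano-managed, istio-injected namespaces,
#          from the monitoring operator and the sidecar-enabled system components in the release
#          namespace, and from the keycloak, mysql-operator, ingress-nginx, verrazzano-monitoring,
#          argocd, verrazzano-backup and verrazzano-auth pods listed below
#          allow port 15017 for webhooks (no peer restriction)
#          allow port 15014 from Prometheus to scrape metrics
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istiod-access
  namespace: istio-system
spec:
  podSelector:
    matchLabels:
      app: istiod
  policyTypes:
    - Ingress
  ingress:
    # Port 15012 for sidecars in managed, injected namespaces and for the
    # monitoring operator in the release namespace.
    - ports:
        - port: 15012
          protocol: TCP
      from:
        - namespaceSelector:
            matchLabels:
              verrazzano-managed: "true"
              istio-injection: enabled
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: {{ .Release.Namespace }}
          podSelector:
            matchLabels:
              k8s-app: verrazzano-monitoring-operator
    # Port 15012 for the system components that run an Istio sidecar. The
    # managed-namespace peer is repeated from the rule above; every other peer
    # names specific pods in a specific namespace.
    - ports:
        - port: 15012
          protocol: TCP
      from:
        - namespaceSelector:
            matchLabels:
              verrazzano-managed: "true"
              istio-injection: enabled
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: {{ .Release.Namespace }}
          podSelector:
            matchExpressions:
              - key: app
                operator: In
                values:
                  - fluentd
                  - verrazzano-authproxy
                  - verrazzano-console
                  - system-es-master
                  - system-es-ingest
                  - system-es-data
                  - system-grafana
                  - system-osd
                  - weblogic-operator
                  - kiali
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: {{ .Release.Namespace }}
          podSelector:
            matchExpressions:
              - key: app.kubernetes.io/name
                operator: In
                values:
                  - fluent-operator
                  - fluent-bit
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: keycloak
          podSelector:
            matchLabels:
              app.kubernetes.io/name: keycloak
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: keycloak
          podSelector:
            matchLabels:
              tier: mysql
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: keycloak
          podSelector:
            matchLabels:
              job-name: load-dump
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: mysql-operator
          podSelector:
            matchLabels:
              name: mysql-operator
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: {{ .Values.ingressNGINX.namespace }}
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app: jaeger
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: In
                values:
                  - compactor
                  - query
                  - query-frontend
                  - ruler
                  - storegateway
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: argocd
          podSelector:
            matchLabels:
              app.kubernetes.io/instance: argocd
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-backup
          podSelector:
            matchLabels:
              app.kubernetes.io/instance: velero
              app.kubernetes.io/name: velero
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-auth
          podSelector:
            matchLabels:
              app.kubernetes.io/instance: dex
    # Webhook port 15017: no "from", so any source may connect
    - ports:
        - port: 15017
          protocol: TCP
    # Metrics port 15014 from Prometheus
    - ports:
        - port: 15014
          protocol: TCP
      from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
---
# Network policy for Kiali
# Ingress: allow connect from the Verrazzano authproxy in verrazzano-system to port 20001
#          allow connect from Prometheus to port 9090 and the Envoy metrics port 15090
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kiali
  namespace: {{ .Release.Namespace }}
spec:
  podSelector:
    matchLabels:
      app: kiali
  policyTypes:
    - Ingress
  ingress:
    # NOTE(review): this peer hard-codes verrazzano-system while metadata.namespace
    # uses {{ .Release.Namespace }}; presumably they are the same value - confirm.
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-system
          podSelector:
            matchLabels:
              app: verrazzano-authproxy
      ports:
        - port: 20001
          protocol: TCP
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 9090
          protocol: TCP
        - port: 15090
          protocol: TCP
{{- end }}
{{- if .Values.velero.enabled }}
---
# Allow any pod in the verrazzano-backup namespace to have network ingress to any other pod
# in the verrazzano-backup namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: verrazzano-backup
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}
---
# Network policy for verrazzano-backup
# Ingress: allow connect from Prometheus to scrape Envoy stats on port 15090
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: velero
  namespace: verrazzano-backup
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: velero
      app.kubernetes.io/name: velero
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 15090
          protocol: TCP
{{- end }}
{{- if .Values.clusterAPI.enabled }}
---
# Network policy for capi-controller-manager
# Ingress: allow connection from Kubernetes API server to port 9443
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: capi-controller-manager
  namespace: verrazzano-capi
spec:
  podSelector:
    matchLabels:
      cluster.x-k8s.io/provider: cluster-api
      control-plane: controller-manager
  policyTypes:
    - Ingress
  ingress:
    # No "from": the webhook port accepts connections from any source
    - ports:
        - port: 9443
          protocol: TCP
---
# Network policy for capi-ocne-bootstrap-controller-manager
# Ingress: allow connection from Kubernetes API server to port 9443
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: capi-ocne-bootstrap-controller-manager
  namespace: verrazzano-capi
spec:
  podSelector:
    matchLabels:
      cluster.x-k8s.io/provider: bootstrap-ocne
      control-plane: controller-manager
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - port: 9443
          protocol: TCP
---
# Network policy for capi-ocne-control-plane-controller-manager
# Ingress: allow connection from Kubernetes API server to port 9443
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: capi-ocne-control-plane-controller-manager
  namespace: verrazzano-capi
spec:
  podSelector:
    matchLabels:
      cluster.x-k8s.io/provider: control-plane-ocne
      control-plane: controller-manager
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - port: 9443
          protocol: TCP
---
# Network policy for capoci-controller-manager
# Ingress: allow connection from Kubernetes API server to port 9443
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: capoci-controller-manager
  namespace: verrazzano-capi
spec:
  podSelector:
    matchLabels:
      cluster.x-k8s.io/provider: infrastructure-oci
      control-plane: controller-manager
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - port: 9443
          protocol: TCP
{{- end }}
{{- if .Values.dex.enabled }}
---
# Network policy for Dex
# Ingress: allow nginx ingress and ingress from pods in the release namespace to ports 8080 and 5556
#          allow connect from Prometheus to scrape Envoy stats on port 15090
# Egress: allow all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dex
  namespace: verrazzano-auth
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: dex
  policyTypes:
    - Ingress
  ingress:
    # NOTE(review): namespaceSelector and podSelector are separate list entries
    # here, so they are OR'd: any pod in the ingress namespace is admitted, and
    # the podSelector entry only matches pods in this policy's own namespace.
    # If the intent is "the ingress-controller pods in that namespace", the two
    # selectors belong in one entry - confirm with the owners before tightening.
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: {{ .Values.ingressNGINX.namespace }}
        - podSelector:
            matchLabels:
              app.kubernetes.io/instance: ingress-controller
      ports:
        - protocol: TCP
          port: 8080
        - protocol: TCP
          port: 5556
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: {{ .Release.Namespace }}
      ports:
        - protocol: TCP
          port: 8080
        - protocol: TCP
          port: 5556
    - from:
        - namespaceSelector:
            matchLabels:
              verrazzano.io/namespace: verrazzano-monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - port: 15090
          protocol: TCP
{{- end }}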