helm-charts/gerrit-replica/templates/netpol.yaml - k8s-gerrit - Git at Google

 {{ if .Values.networkPolicies.enabled -}}
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
   name: {{ .Release.Name }}-default-deny-all
   labels:
     chart: {{ template "gerrit-replica.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
 spec:
   podSelector:
     matchLabels:
       chart: {{ template "gerrit-replica.chart" . }}
       release: {{ .Release.Name }}
   policyTypes:
   - Ingress
   - Egress
   ingress: []
   egress: []
 ---
 {{ if .Values.networkPolicies.dnsPorts -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: {{ .Release.Name }}-allow-dns-access
   labels:
     chart: {{ template "gerrit-replica.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
 spec:
   podSelector:
     matchLabels:
       chart: {{ template "gerrit-replica.chart" . }}
       release: {{ .Release.Name }}
   policyTypes:
   - Egress
   egress:
   - ports:
     {{ range .Values.networkPolicies.dnsPorts -}}
     - port: {{ . }}
       protocol: UDP
     - port: {{ . }}
       protocol: TCP
     {{ end }}
 {{- end }}
 ---
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
   name: gerrit-replica-allow-external
   labels:
     app: gerrit-replica
     chart: {{ template "gerrit-replica.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
 spec:
   podSelector:
     matchLabels:
       chart: {{ template "gerrit-replica.chart" . }}
       release: {{ .Release.Name }}
       app: gerrit-replica
   ingress:
   - ports:
     - port: 8080
     from: []
 ---
 {{ if or .Values.gitBackend.networkPolicy.ingress -}}
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
   name: git-backend-custom-ingress-policies
   labels:
     app: git-backend
     chart: {{ template "gerrit-replica.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
 spec:
   policyTypes:
   - Ingress
   podSelector:
     matchLabels:
       chart: {{ template "gerrit-replica.chart" . }}
       release: {{ .Release.Name }}
       app: git-backend
   ingress:
 {{ toYaml .Values.gitBackend.networkPolicy.ingress | indent 2 }}
 {{- end }}
 ---
 {{ if or .Values.gitBackend.networkPolicy.egress -}}
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
   name: git-backend-custom-egress-policies
   labels:
     app: git-backend
     chart: {{ template "gerrit-replica.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
 spec:
   policyTypes:
   - Egress
   podSelector:
     matchLabels:
       chart: {{ template "gerrit-replica.chart" . }}
       release: {{ .Release.Name }}
       app: git-backend
   egress:
 {{ toYaml .Values.gitBackend.networkPolicy.egress | indent 2 }}
 {{- end }}
 ---
 {{ if or .Values.gerritReplica.networkPolicy.ingress -}}
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
   name: gerrit-replica-custom-ingress-policies
   labels:
     app: gerrit-replica
     chart: {{ template "gerrit-replica.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
 spec:
   policyTypes:
   - Ingress
   podSelector:
     matchLabels:
       chart: {{ template "gerrit-replica.chart" . }}
       release: {{ .Release.Name }}
       app: gerrit-replica
   ingress:
 {{ toYaml .Values.gerritReplica.networkPolicy.ingress | indent 2 }}
 {{- end }}
 ---
 {{ if or .Values.gerritReplica.networkPolicy.egress -}}
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
   name: gerrit-replica-custom-egress-policies
   labels:
     app: gerrit-replica
     chart: {{ template "gerrit-replica.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
 spec:
   policyTypes:
   - Egress
   podSelector:
     matchLabels:
       chart: {{ template "gerrit-replica.chart" . }}
       release: {{ .Release.Name }}
       app: gerrit-replica
   egress:
 {{ toYaml .Values.gerritReplica.networkPolicy.egress | indent 2 }}
 {{- end }}
 ---
 {{ if or .Values.istio.enabled -}}
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
   name: istio-proxy
   labels:
     chart: {{ template "gerrit-replica.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
 spec:
   policyTypes:
   - Egress
   - Ingress
   podSelector:
     matchLabels:
       chart: {{ template "gerrit-replica.chart" . }}
       release: {{ .Release.Name }}
   egress:
   - ports:
     - protocol: TCP
       port: 15012
   ingress:
   - ports:
     - protocol: TCP
       port: 15012
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: {{ .Release.Name }}-istio-ingress
   labels:
     chart: {{ template "gerrit-replica.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
 spec:
   podSelector:
     matchLabels:
       chart: {{ template "gerrit-replica.chart" . }}
       release: {{ .Release.Name }}
   ingress:
   - ports:
     - protocol: TCP
       port: 80
     {{ if .Values.istio.ssh.enabled }}
     - protocol: TCP
       port: {{ .Values.gerritReplica.service.ssh.port }}
     {{- end }}
     from:
     - namespaceSelector:
         matchLabels:
           name: istio-system
     - podSelector:
         matchLabels:
           istio: ingressgateway

 {{- end }}
 {{- end }}
	{{ if .Values.networkPolicies.enabled -}}
	kind: NetworkPolicy
	apiVersion: networking.k8s.io/v1
	metadata:
	name: {{ .Release.Name }}-default-deny-all
	labels:
	chart: {{ template "gerrit-replica.chart" . }}
	heritage: {{ .Release.Service }}
	release: {{ .Release.Name }}
	spec:
	podSelector:
	matchLabels:
	chart: {{ template "gerrit-replica.chart" . }}
	release: {{ .Release.Name }}
	policyTypes:
	- Ingress
	- Egress
	ingress: []
	egress: []
	---
	{{ if .Values.networkPolicies.dnsPorts -}}
	apiVersion: networking.k8s.io/v1
	kind: NetworkPolicy
	metadata:
	name: {{ .Release.Name }}-allow-dns-access
	labels:
	chart: {{ template "gerrit-replica.chart" . }}
	heritage: {{ .Release.Service }}
	release: {{ .Release.Name }}
	spec:
	podSelector:
	matchLabels:
	chart: {{ template "gerrit-replica.chart" . }}
	release: {{ .Release.Name }}
	policyTypes:
	- Egress
	egress:
	- ports:
	{{ range .Values.networkPolicies.dnsPorts -}}
	- port: {{ . }}
	protocol: UDP
	- port: {{ . }}
	protocol: TCP
	{{ end }}
	{{- end }}
	---
	kind: NetworkPolicy
	apiVersion: networking.k8s.io/v1
	metadata:
	name: gerrit-replica-allow-external
	labels:
	app: gerrit-replica
	chart: {{ template "gerrit-replica.chart" . }}
	heritage: {{ .Release.Service }}
	release: {{ .Release.Name }}
	spec:
	podSelector:
	matchLabels:
	chart: {{ template "gerrit-replica.chart" . }}
	release: {{ .Release.Name }}
	app: gerrit-replica
	ingress:
	- ports:
	- port: 8080
	from: []
	---
	{{ if or .Values.gitBackend.networkPolicy.ingress -}}
	kind: NetworkPolicy
	apiVersion: networking.k8s.io/v1
	metadata:
	name: git-backend-custom-ingress-policies
	labels:
	app: git-backend
	chart: {{ template "gerrit-replica.chart" . }}
	heritage: {{ .Release.Service }}
	release: {{ .Release.Name }}
	spec:
	policyTypes:
	- Ingress
	podSelector:
	matchLabels:
	chart: {{ template "gerrit-replica.chart" . }}
	release: {{ .Release.Name }}
	app: git-backend
	ingress:
	{{ toYaml .Values.gitBackend.networkPolicy.ingress \| indent 2 }}
	{{- end }}
	---
	{{ if or .Values.gitBackend.networkPolicy.egress -}}
	kind: NetworkPolicy
	apiVersion: networking.k8s.io/v1
	metadata:
	name: git-backend-custom-egress-policies
	labels:
	app: git-backend
	chart: {{ template "gerrit-replica.chart" . }}
	heritage: {{ .Release.Service }}
	release: {{ .Release.Name }}
	spec:
	policyTypes:
	- Egress
	podSelector:
	matchLabels:
	chart: {{ template "gerrit-replica.chart" . }}
	release: {{ .Release.Name }}
	app: git-backend
	egress:
	{{ toYaml .Values.gitBackend.networkPolicy.egress \| indent 2 }}
	{{- end }}
	---
	{{ if or .Values.gerritReplica.networkPolicy.ingress -}}
	kind: NetworkPolicy
	apiVersion: networking.k8s.io/v1
	metadata:
	name: gerrit-replica-custom-ingress-policies
	labels:
	app: gerrit-replica
	chart: {{ template "gerrit-replica.chart" . }}
	heritage: {{ .Release.Service }}
	release: {{ .Release.Name }}
	spec:
	policyTypes:
	- Ingress
	podSelector:
	matchLabels:
	chart: {{ template "gerrit-replica.chart" . }}
	release: {{ .Release.Name }}
	app: gerrit-replica
	ingress:
	{{ toYaml .Values.gerritReplica.networkPolicy.ingress \| indent 2 }}
	{{- end }}
	---
	{{ if or .Values.gerritReplica.networkPolicy.egress -}}
	kind: NetworkPolicy
	apiVersion: networking.k8s.io/v1
	metadata:
	name: gerrit-replica-custom-egress-policies
	labels:
	app: gerrit-replica
	chart: {{ template "gerrit-replica.chart" . }}
	heritage: {{ .Release.Service }}
	release: {{ .Release.Name }}
	spec:
	policyTypes:
	- Egress
	podSelector:
	matchLabels:
	chart: {{ template "gerrit-replica.chart" . }}
	release: {{ .Release.Name }}
	app: gerrit-replica
	egress:
	{{ toYaml .Values.gerritReplica.networkPolicy.egress \| indent 2 }}
	{{- end }}
	---
	{{ if or .Values.istio.enabled -}}
	kind: NetworkPolicy
	apiVersion: networking.k8s.io/v1
	metadata:
	name: istio-proxy
	labels:
	chart: {{ template "gerrit-replica.chart" . }}
	heritage: {{ .Release.Service }}
	release: {{ .Release.Name }}
	spec:
	policyTypes:
	- Egress
	- Ingress
	podSelector:
	matchLabels:
	chart: {{ template "gerrit-replica.chart" . }}
	release: {{ .Release.Name }}
	egress:
	- ports:
	- protocol: TCP
	port: 15012
	ingress:
	- ports:
	- protocol: TCP
	port: 15012
	---
	apiVersion: networking.k8s.io/v1
	kind: NetworkPolicy
	metadata:
	name: {{ .Release.Name }}-istio-ingress
	labels:
	chart: {{ template "gerrit-replica.chart" . }}
	heritage: {{ .Release.Service }}
	release: {{ .Release.Name }}
	spec:
	podSelector:
	matchLabels:
	chart: {{ template "gerrit-replica.chart" . }}
	release: {{ .Release.Name }}
	ingress:
	- ports:
	- protocol: TCP
	port: 80
	{{ if .Values.istio.ssh.enabled }}
	- protocol: TCP
	port: {{ .Values.gerritReplica.service.ssh.port }}
	{{- end }}
	from:
	- namespaceSelector:
	matchLabels:
	name: istio-system
	- podSelector:
	matchLabels:
	istio: ingressgateway

	{{- end }}
	{{- end }}