| 1 | +# NOTE: NetworkPolicy behaviour for hostNetwork pods (tuned) is undefined |
| 2 | +# https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-and-hostnetwork-pods |
| 3 | +# Add rules for tuned pods even though most network plugins are unable to |
| 4 | +# distinguish hostNetwork pod traffic from all other traffic. |
| 5 | + |
| 6 | +# The "default" policy for a namespace which denies all ingress and egress traffic. |
| 7 | +# This ensures that even pods that aren't selected by any other NetworkPolicy will |
| 8 | +# not be allowed ingress or egress traffic. |
| 9 | +--- |
| 10 | +apiVersion: networking.k8s.io/v1 |
| 11 | +kind: NetworkPolicy |
| 12 | +metadata: |
| 13 | + name: default-deny-all |
| 14 | +spec: |
| 15 | + podSelector: {} |
| 16 | + policyTypes: |
| 17 | + - Ingress |
| 18 | + - Egress |
| 19 | + |
| 20 | +# Allow access to the API server. |
| 21 | +--- |
| 22 | +apiVersion: networking.k8s.io/v1 |
| 23 | +kind: NetworkPolicy |
| 24 | +metadata: |
| 25 | + name: allow-egress-to-api-server |
| 26 | + namespace: openshift-cluster-node-tuning-operator |
| 27 | +spec: |
| 28 | + egress: |
| 29 | + - ports: |
| 30 | + - port: 6443 |
| 31 | + protocol: TCP |
| 32 | + podSelector: |
| 33 | + matchExpressions: |
| 34 | + - { key: name, operator: In, values: [cluster-node-tuning-operator, tuned] } |
| 35 | + policyTypes: |
| 36 | + - Egress |
| 37 | + |
| 38 | +# Allow access to the metrics server from openshift-monitoring namespace. |
| 39 | +--- |
| 40 | +apiVersion: networking.k8s.io/v1 |
| 41 | +kind: NetworkPolicy |
| 42 | +metadata: |
| 43 | + name: allow-metrics-traffic |
| 44 | + namespace: openshift-cluster-node-tuning-operator |
| 45 | +spec: |
| 46 | + ingress: |
| 47 | + - ports: |
| 48 | + - port: 60000 |
| 49 | + protocol: TCP |
| 50 | + # In theory, only access from the openshift-monitoring namespace is needed. |
| 51 | + # However, our e2e tests access the server from ns/openshift-cluster-node-tuning-operator. |
| 52 | + # from: |
| 53 | + # - namespaceSelector: |
| 54 | + # matchLabels: |
| 55 | + # name: openshift-monitoring |
| 56 | + podSelector: |
| 57 | + matchLabels: |
| 58 | + name: cluster-node-tuning-operator |
| 59 | + policyTypes: |
| 60 | + - Ingress |
| 61 | + |
| 62 | +# Allow access to the webhook server. |
| 63 | +--- |
| 64 | +apiVersion: networking.k8s.io/v1 |
| 65 | +kind: NetworkPolicy |
| 66 | +metadata: |
| 67 | + name: allow-webhook-traffic |
| 68 | + namespace: openshift-cluster-node-tuning-operator |
| 69 | +spec: |
| 70 | + ingress: |
| 71 | + - ports: |
| 72 | + - port: 4343 |
| 73 | + protocol: TCP |
| 74 | + podSelector: |
| 75 | + matchLabels: |
| 76 | + name: cluster-node-tuning-operator |
| 77 | + policyTypes: |
| 78 | + - Ingress |
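Review bot: The `default-deny-all` policy (file lines 10-18) has no `namespace:` in its metadata, whereas the three allow policies all pin `namespace: openshift-cluster-node-tuning-operator`; unless the tool applying these manifests injects a namespace, the deny baseline lands in the current/default namespace while the allow rules still take effect, so add `  namespace: openshift-cluster-node-tuning-operator` under `name: default-deny-all`. The `allow-metrics-traffic` ingress rule (lines 46-55) has no `from:` at all, which admits TCP/60000 from any pod or node in the cluster; the commented-out selector explains that e2e tests connect from the operator's own namespace, but that can be expressed as a second `from` entry (`podSelector: {}` in a `from` list selects pods of the policy's own namespace) while keeping the monitoring namespace selector, as below. The selector `name: openshift-monitoring` relies on that legacy label being present; the automatically set `kubernetes.io/metadata.name` label is the more portable choice if the cluster version sets it. `allow-egress-to-api-server` and `allow-webhook-traffic` likewise carry no `to:`/`from:` — presumably unavoidable for the API server's host-networked endpoints, but a one-line comment such as `# No peer selector: the API server runs host-networked, so its source/destination cannot be selected by pod or namespace.` would record that the omission is deliberate.
```yaml
  ingress:
  - ports:
    # … unchanged: port 60000/TCP …
    from:
    - namespaceSelector:
        matchLabels:
          name: openshift-monitoring
    - podSelector: {}
```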