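{{- if .Values.networkPolicy.enabled }}
# NetworkPolicy for the application pods. Listing both policyTypes makes the
# policy default-deny in both directions; every rule below is then OR'ed with
# the others, so each rule widens the policy on its own and should be reviewed
# in isolation.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "lions-app.name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "lions-app.labels" . | nindent 4 }}
spec:
  podSelector:
    matchLabels:
      {{- include "lions-app.selectorLabels" . | nindent 6 }}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Ingress from the allowed namespaces (values: networkPolicy.allowIngressFrom).
    # Each entry must carry a namespaceSelector: a missing one renders as
    # `matchLabels: null`, i.e. an empty selector, which admits every namespace.
    # Without `ports` the entry admits every port.
    {{- range .Values.networkPolicy.allowIngressFrom }}
    - from:
        - namespaceSelector:
            matchLabels:
              {{- toYaml .namespaceSelector | nindent 14 }}
      {{- with .ports }}
      ports:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    {{- end }}
    # Ingress from any pod in the same namespace (intra-namespace traffic).
    # The empty podSelector is deliberately broad and is not port-restricted.
    - from:
        - podSelector: {}
  egress:
    # DNS (CoreDNS in kube-system). Scoped by namespace only: any pod in
    # kube-system is reachable on 53/UDP and 53/TCP, not just the DNS pods.
    {{- if .Values.networkPolicy.allowEgressDNS }}
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    {{- end }}
    # Kubernetes API (needed when the app calls the API with its ServiceAccount).
    # The service CIDR is cluster-specific: networkPolicy.serviceCIDR overrides
    # the historical default kept here. Whether an ipBlock on the service CIDR
    # actually matches API traffic depends on the CNI (some evaluate the policy
    # after kube-proxy has DNATed the ClusterIP to the control-plane address) -
    # verify on the target cluster.
    {{- if .Values.networkPolicy.allowEgressKubeAPI }}
    - to:
        - ipBlock:
            cidr: {{ .Values.networkPolicy.serviceCIDR | default "10.96.0.0/12" | quote }}
      ports:
        - port: 443
          protocol: TCP
        - port: 6443
          protocol: TCP
    {{- end }}
    # App-specific egress (Postgres, Keycloak, Kafka, etc.), same shape and same
    # caveats as allowIngressFrom: an entry without namespaceSelector selects
    # every namespace, an entry without ports allows every port.
    {{- range .Values.networkPolicy.allowEgressTo }}
    - to:
        - namespaceSelector:
            matchLabels:
              {{- toYaml .namespaceSelector | nindent 14 }}
      {{- with .ports }}
      ports:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    {{- end }}
    # HTTP/HTTPS egress to the Internet (Let's Encrypt ACME, external APIs,
    # ingress hairpin). 0.0.0.0/0 intentionally covers the node IP itself, which
    # is how public URLs of this cluster (e.g. security.lions.dev) come back to
    # ingress-nginx through hairpin NAT. It equally covers link-local and
    # private ranges on 80/443 (for instance a cloud instance-metadata service);
    # networkPolicy.egressInternetExcept (a list of CIDRs) carves those out
    # where the app does not need them.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            {{- with .Values.networkPolicy.egressInternetExcept }}
            except:
              {{- toYaml . | nindent 14 }}
            {{- end }}
      ports:
        - port: 443
          protocol: TCP
        - port: 80
          protocol: TCP
    # Additional egress rules supplied by the app (cluster-internal access).
    # `.to` is emitted verbatim, so a values entry can widen the policy
    # arbitrarily; review those entries with the same care as this file.
    {{- range .Values.networkPolicy.allowEgressExtra }}
    - to:
        {{- toYaml .to | nindent 8 }}
      {{- with .ports }}
      ports:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    {{- end }}
{{- end }}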