helm-chart-lions-app/templates/networkpolicy.yaml

{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "lions-app.name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "lions-app.labels" . | nindent 4 }}
spec:
  podSelector:
    matchLabels:
      {{- include "lions-app.selectorLabels" . | nindent 6 }}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Ingress depuis les namespaces autorisés
    {{- range .Values.networkPolicy.allowIngressFrom }}
    - from:
        - namespaceSelector:
            matchLabels:
              {{- toYaml .namespaceSelector | nindent 14 }}
      {{- with .ports }}
      ports:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    {{- end }}
    # Ingress depuis pods du même namespace (pour communication intra-ns)
    - from:
        - podSelector: {}
  egress:
    # DNS (CoreDNS dans kube-system)
    {{- if .Values.networkPolicy.allowEgressDNS }}
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    {{- end }}
    # K8s API (nécessaire si l'app utilise l'API via ServiceAccount)
    {{- if .Values.networkPolicy.allowEgressKubeAPI }}
    - to:
        - ipBlock:
            cidr: 10.96.0.0/12   # service CIDR
      ports:
        - port: 443
          protocol: TCP
        - port: 6443
          protocol: TCP
    {{- end }}
    # Egress spécifique de l'app (Postgres, Keycloak, Kafka, etc.)
    {{- range .Values.networkPolicy.allowEgressTo }}
    - to:
        - namespaceSelector:
            matchLabels:
              {{- toYaml .namespaceSelector | nindent 14 }}
      {{- with .ports }}
      ports:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    {{- end }}
    # Sortie HTTPS vers Internet (Let's Encrypt ACME, external APIs, ingress hairpin)
    # Inclut le node IP lui-même pour résoudre les URLs publiques (ex: security.lions.dev)
    # qui reviennent vers ingress-nginx via hairpin NAT
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - port: 443
          protocol: TCP
        - port: 80
          protocol: TCP
    # Egress additionnels définis par l'app (pour accès cluster-internal)
    {{- range .Values.networkPolicy.allowEgressExtra }}
    - to:
        {{- toYaml .to | nindent 8 }}
      {{- with .ports }}
      ports:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    {{- end }}
{{- end }}