80 lines
2.1 KiB
YAML
80 lines
2.1 KiB
YAML
{{- if .Values.networkPolicy.enabled }}
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: {{ include "lions-app.name" . }}
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{- include "lions-app.labels" . | nindent 4 }}
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
{{- include "lions-app.selectorLabels" . | nindent 6 }}
|
|
policyTypes:
|
|
- Ingress
|
|
- Egress
|
|
ingress:
|
|
# Ingress depuis les namespaces autorisés
|
|
{{- range .Values.networkPolicy.allowIngressFrom }}
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
{{- toYaml .namespaceSelector | nindent 14 }}
|
|
{{- with .ports }}
|
|
ports:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
# Ingress depuis pods du même namespace (pour communication intra-ns)
|
|
- from:
|
|
- podSelector: {}
|
|
egress:
|
|
# DNS (CoreDNS dans kube-system)
|
|
{{- if .Values.networkPolicy.allowEgressDNS }}
|
|
- to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: kube-system
|
|
ports:
|
|
- port: 53
|
|
protocol: UDP
|
|
- port: 53
|
|
protocol: TCP
|
|
{{- end }}
|
|
# K8s API (nécessaire si l'app utilise l'API via ServiceAccount)
|
|
{{- if .Values.networkPolicy.allowEgressKubeAPI }}
|
|
- to:
|
|
- ipBlock:
|
|
cidr: 10.96.0.0/12 # service CIDR
|
|
ports:
|
|
- port: 443
|
|
protocol: TCP
|
|
- port: 6443
|
|
protocol: TCP
|
|
{{- end }}
|
|
# Egress spécifique de l'app (Postgres, Keycloak, Kafka, etc.)
|
|
{{- range .Values.networkPolicy.allowEgressTo }}
|
|
- to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
{{- toYaml .namespaceSelector | nindent 14 }}
|
|
{{- with .ports }}
|
|
ports:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
# Sortie HTTPS vers Internet (Let's Encrypt ACME, external APIs)
|
|
- to:
|
|
- ipBlock:
|
|
cidr: 0.0.0.0/0
|
|
except:
|
|
- 10.0.0.0/8
|
|
- 172.16.0.0/12
|
|
- 192.168.0.0/16
|
|
ports:
|
|
- port: 443
|
|
protocol: TCP
|
|
- port: 80
|
|
protocol: TCP
|
|
{{- end }}
|