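{{- /*
Network policy for the pods labelled with the "crdInstall" component.
Rendered only when .Values.crds.install is set. Emits a CiliumNetworkPolicy
when the cluster advertises cilium.io/v2/CiliumNetworkPolicy, otherwise a
standard networking.k8s.io/v1 NetworkPolicy. Both variants are meant to let
the selected pods reach the Kubernetes API and nothing else.
*/ -}}
{{- if .Values.crds.install }}
{{- if .Capabilities.APIVersions.Has "cilium.io/v2/CiliumNetworkPolicy" }}
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: {{ include "crdInstall" . | quote }}
  namespace: {{ .Release.Namespace | quote }}
  annotations:
    # create hook dependencies in the right order
    "helm.sh/hook-weight": "-7"
    {{- include "crdInstallAnnotations" . | nindent 4 }}
  labels:
    app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
    {{- include "labels.selector" . | nindent 4 }}
    role: {{ include "crdInstallSelector" . | quote }}
spec:
  # allow egress traffic to the Kubernetes API only, matched by Cilium
  # entity instead of by IP range
  egress:
    - toEntities:
        - kube-apiserver
  # NOTE(review): the empty selector matches every endpoint in the release
  # namespace, not only the crdInstall pods that the NetworkPolicy variant
  # selects by label. By default an egress rule puts all selected endpoints
  # into egress default-deny, so other workloads in this namespace are also
  # limited to kube-apiserver while this policy exists. Confirm this is
  # intended, or scope it with the same matchLabels as the other variant.
  # NOTE(review): this variant has no ingress section, so it does not deny
  # ingress the way the NetworkPolicy variant does.
  endpointSelector: {}
{{- else }}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: {{ include "crdInstall" . | quote }}
  namespace: {{ .Release.Namespace | quote }}
  annotations:
    # create hook dependencies in the right order
    "helm.sh/hook-weight": "-7"
    {{- include "crdInstallAnnotations" . | nindent 4 }}
  labels:
    app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
    {{- include "labels.selector" . | nindent 4 }}
    role: {{ include "crdInstallSelector" . | quote }}
spec:
  # apply only to the crdInstall pods of this release
  podSelector:
    matchLabels:
      app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
      {{- include "labels.selector" . | nindent 6 }}
  # allow egress traffic to the Kubernetes API
  # NOTE(review): NetworkPolicy cannot select the API server by identity, so
  # this rule allows TCP 443 and 6443 to every address in the private
  # (RFC 1918) and shared (100.64.0.0/10) ranges below. That also covers any
  # other internal endpoint on those ports, and it does not cover an API
  # server reached on a public address. Narrow the CIDRs where the API
  # server address is known.
  egress:
    - ports:
        - port: 443
          protocol: TCP
        # legacy port kept for compatibility
        - port: 6443
          protocol: TCP
      to:
        {{- range tuple "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10" }}
        - ipBlock:
            cidr: {{ . | quote }}
        {{- end }}
  # deny ingress traffic
  ingress: []
  # list both types so the empty ingress list is enforced as default-deny
  policyTypes:
    - Egress
    - Ingress
{{- end }}
{{- end }}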