64 lines
1.3 KiB
YAML
64 lines
1.3 KiB
YAML
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: test_project-network-policy
|
|
namespace: test_project
|
|
labels:
|
|
app: test_project
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
app: test_project
|
|
policyTypes:
|
|
- Ingress
|
|
- Egress
|
|
ingress:
|
|
# Allow ingress from same namespace
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
name: test_project
|
|
- podSelector:
|
|
matchLabels:
|
|
app: test_project
|
|
ports:
|
|
- protocol: TCP
|
|
port: 8000
|
|
# Allow ingress from ingress controller
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
name: ingress-nginx
|
|
- podSelector:
|
|
matchLabels:
|
|
app: ingress-nginx
|
|
ports:
|
|
- protocol: TCP
|
|
port: 8000
|
|
# Allow ingress from monitoring namespace (Prometheus)
|
|
egress:
|
|
# Allow DNS resolution
|
|
- to:
|
|
- namespaceSelector: {}
|
|
ports:
|
|
- protocol: UDP
|
|
port: 53
|
|
# Allow egress to database
|
|
- to:
|
|
- podSelector:
|
|
matchLabels:
|
|
app: postgres
|
|
ports:
|
|
- protocol: TCP
|
|
port: 5432
|
|
# Allow egress to Redis
|
|
# Allow egress to Kafka
|
|
# Allow egress to external APIs (HTTPS)
|
|
- to:
|
|
- namespaceSelector: {}
|
|
ports:
|
|
- protocol: TCP
|
|
port: 443
|
|
# Allow egress to monitoring (Prometheus)
|
|
|