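{{- /*
Calico NetworkPolicy for the pep-server pods, rendered only when
pepServer.calicoNetpol.enabled is true.

Because `types` lists both Ingress and Egress, any traffic that is not
explicitly allowed by a rule below (or by another policy selecting these
pods) is denied. Every rule here is therefore an allow-list entry and should
stay as narrow as the workload needs.
*/ -}}
{{- if .Values.pepServer.calicoNetpol.enabled }}
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: {{ template "pep-server.appName" . }}
  namespace: {{ .Release.Namespace }}
spec:
  order: 10
  selector: dplane == 'pep-server'
  types:
    - Ingress
    - Egress
  ingress:
    ### traffic from ingress ###
    # Only envoy and other pep-server pods in this release's namespace may
    # reach the service ports. The namespaceSelector is what stops a pod in
    # another namespace from gaining access merely by carrying the same
    # dplane label.
    - action: Allow
      protocol: TCP
      source:
        selector: dplane == 'envoy' || dplane == 'pep-server'
        namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
      destination:
        ports:
        {{- range .Values.pepServer.service.ports }}
          - {{ .targetPort }}
        {{- end }}
  egress:
    # allow to communicate to DNS pods
    # NOTE(review): this matches any pod in kube-system on port 53, not only
    # the cluster DNS pods. Adding `selector: k8s-app == 'kube-dns'` would
    # narrow it further; confirm the DNS pod labels on the target clusters
    # before doing so.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        ports:
          - 53
    - action: Allow
      protocol: TCP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        ports:
          - 53
    # allow to communicate with k8s api server
    - action: Allow
      destination:
        services:
          name: kubernetes
          namespace: default
      protocol: TCP
    ### Traffic to Valkey ###
    # The Allow rule is emitted only inside one of the two concrete branches.
    # Previously the rule header (action/protocol/destination) was emitted
    # before the branch test, so a configuration with valkey.enabled=true but
    # neither internal nor external calicoNetpol enabled rendered
    # `destination:` with no body. An empty destination matches everything,
    # which turned the rule into "allow all TCP egress". Such a configuration
    # now emits no Valkey rule at all.
    {{- if .Values.valkey.enabled }}
    {{- if and .Values.valkey.internal.enabled .Values.valkey.internal.calicoNetpol.enabled }}
    - action: Allow
      protocol: TCP
      destination:
        selector: dplane == 'valkey'
        namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
    {{- else if and .Values.valkey.external.enabled .Values.valkey.external.calicoNetpol.enabled }}
    {{- $rule := .Values.valkey.external.calicoNetpol.outboundRule }}
    - action: Allow
      protocol: TCP
      destination:
        ports:
        {{- include "dataplane.collectPorts" (dict "hosts" .Values.valkey.hosts "defaultPort" 6379) | trim | nindent 10 }}
        {{- if $rule.nets }}
        # CIDRs are operator-supplied; a broad range (e.g. 0.0.0.0/0) makes
        # this rule allow the Valkey ports towards any host.
        nets:
        {{- range $rule.nets }}
          - {{ . }}
        {{- end }}
        {{- else if $rule.selector }}
        # Quoted so an operator-supplied selector containing YAML-significant
        # characters (`: `, ` #`) still renders as a single string.
        selector: {{ $rule.selector | quote }}
        {{- else }}
        # Neither nets nor selector given: fall back to the release namespace,
        # which only permits in-cluster destinations on the Valkey ports.
        namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
        {{- end }}
    {{- end }}
    {{- end }}
{{- end }}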