amplify-fusion/templates/inbound-worker/calico.netpol.yaml

{{- if .Values.inboundWorker.calicoNetpol.enabled }}
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: {{ template "inbound-worker.appName" .}}
  namespace: {{ .Release.Namespace }}
spec:
  order: 10
  selector: dplane == 'inbound-worker'
  types:
    - Ingress
    - Egress
  ingress:
    ### traffic from inbound-worker & orchestrator,ingress###
    - action: Allow
      protocol: TCP
      source:
        selector: dplane == 'orchestrator' || dplane == 'inbound-worker' || dplane == 'envoy'
        namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
      destination:
        ports:
          {{- range .Values.inboundWorker.service.ports}}
          - {{ .targetPort }}
          {{- end}}
  egress:
    # allow to communicate to DNS pods
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        ports:
          - 53
    - action: Allow
      protocol: TCP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        ports:
          - 53
    ### Traffic to Valkey ###
    {{- if .Values.valkey.enabled }}
    - action: Allow
      protocol: TCP
      destination:
      {{- if and .Values.valkey.internal.enabled .Values.valkey.internal.calicoNetpol.enabled }}
        selector: dplane == 'valkey'
        namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
      {{- else if and .Values.valkey.external.enabled .Values.valkey.external.calicoNetpol.enabled }}
        ports:
          {{- include "dataplane.collectPorts" (dict "hosts" .Values.valkey.hosts "defaultPort" 6379) | trim | nindent 10 }}
        {{- $rule := .Values.valkey.external.calicoNetpol.outboundRule }}
        {{- if $rule.nets }}
        nets:
          {{- range $rule.nets }}
          - {{ . }}
          {{- end }}
        {{- else if $rule.selector }}
        selector: {{ $rule.selector }}
        {{- else }}
        namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
        {{- end }}
      {{- end }}
    {{- end }}
    ### traffic to the orchestrator ###
    - action: Allow
      protocol: TCP
      destination:
        selector: dplane == 'orchestrator'
        namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
    # allow to communicate with k8s api server
    - action: Allow
      destination:
        services:
          name: kubernetes
          namespace: default
      protocol: TCP
    ### Traffic to the internet ###
    - action: Allow
      protocol: TCP
      destination: {{ toYaml .Values.inboundWorker.calicoNetpol.outboundRule | nindent 8 }}
{{- end }}