amplify-fusion/templates/orchestrator/calico.netpol.yaml
2026-01-21 17:37:42 +11:00


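{{- if .Values.orchestrator.calicoNetpol.enabled }}
# Calico NetworkPolicy for the orchestrator pods (dplane == 'orchestrator').
# Both directions are enforced (types: Ingress + Egress), so any traffic not
# explicitly allowed below is denied for these pods.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: {{ template "orchestrator.appName" . }}
  namespace: {{ .Release.Namespace }}
spec:
  order: 10
  selector: dplane == 'orchestrator'
  types:
    - Ingress
    - Egress
  ingress:
    ### Traffic from orchestrator, inbound-worker and envoy pods in this namespace ###
    # Limited to the service target ports; the namespaceSelector keeps
    # identically-labelled pods in other namespaces out.
    - action: Allow
      protocol: TCP
      source:
        selector: dplane == 'orchestrator' || dplane == 'inbound-worker' || dplane == 'envoy'
        namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
      destination:
        ports:
          {{- range .Values.orchestrator.service.ports }}
          - {{ .targetPort }}
          {{- end }}
  egress:
    ### DNS: port 53 UDP/TCP to pods in kube-system ###
    # NOTE(review): there is no pod selector here, so every kube-system pod is
    # reachable on port 53, not only the DNS pods. Add the cluster's DNS pod
    # label as a selector if it is known for the target clusters.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        ports:
          - 53
    - action: Allow
      protocol: TCP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        ports:
          - 53
    ### Traffic to Valkey ###
    # Each branch renders a complete rule. Previously the rule header was
    # emitted whenever valkey.enabled was true and only the branches filled in
    # the destination, so with Valkey enabled but neither internal nor external
    # calicoNetpol enabled the output was a bare `destination:` (null) — an
    # Allow rule matching all TCP egress. That combination now renders no rule.
    {{- if .Values.valkey.enabled }}
    {{- if and .Values.valkey.internal.enabled .Values.valkey.internal.calicoNetpol.enabled }}
    # In-cluster Valkey pods in this namespace. No port list is available for
    # the internal deployment here, so all TCP ports on those pods are allowed.
    - action: Allow
      protocol: TCP
      destination:
        selector: dplane == 'valkey'
        namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
    {{- else if and .Values.valkey.external.enabled .Values.valkey.external.calicoNetpol.enabled }}
    # External Valkey: ports are collected from valkey.hosts (default 6379);
    # the destination comes from outboundRule.nets, else outboundRule.selector,
    # else pods in this namespace.
    # NOTE(review): the same-namespace fallback cannot reach a Valkey outside
    # the cluster — confirm that an empty outboundRule is an intended default.
    {{- $rule := .Values.valkey.external.calicoNetpol.outboundRule }}
    - action: Allow
      protocol: TCP
      destination:
        ports:
          {{- include "dataplane.collectPorts" (dict "hosts" .Values.valkey.hosts "defaultPort" 6379) | trim | nindent 10 }}
        {{- if $rule.nets }}
        nets:
          {{- range $rule.nets }}
          - {{ . }}
          {{- end }}
        {{- else if $rule.selector }}
        selector: {{ $rule.selector }}
        {{- else }}
        namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
        {{- end }}
    {{- end }}
    {{- end }}
    ### Traffic to inbound-worker pods in this namespace (all TCP ports) ###
    - action: Allow
      protocol: TCP
      destination:
        selector: dplane == 'inbound-worker'
        namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
    ### Kubernetes API server, matched via the kubernetes Service in default ###
    - action: Allow
      protocol: TCP
      destination:
        services:
          name: kubernetes
          namespace: default
    ### Traffic to the internet ###
    # The destination is taken verbatim from values. An empty or absent
    # outboundRule renders `destination: null`, which allows TCP egress to any
    # address — including other pods and namespaces. Scope it with nets/notNets
    # (for example notNets covering the pod and service CIDRs).
    - action: Allow
      protocol: TCP
      destination: {{ toYaml .Values.orchestrator.calicoNetpol.outboundRule | nindent 8 }}
{{- end }}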