# NetworkPolicies for the shared apps-pg cnpg cluster (RAILIANCE-WP-0003).
#
# The databases namespace has a default-deny-all policy; each cluster
# needs explicit egress-to-kube-api, ingress-from-cnpg-operator, and
# ingress-from-app-namespace policies. NetworkPolicies are additive, so
# each document below only *adds* reachability for pods labelled
# cnpg.io/cluster=apps-pg; none of them takes anything away.
#
# Unlike gitea-db (which hard-codes `default` as the consumer ns), this
# triplet uses a label-based opt-in: any namespace carrying the label
# `railiance.io/postgres-client=apps-pg` may connect on TCP/5432. The
# shared cluster cannot know its consumer namespaces in advance, so it
# expects each consumer to add this label as part of its onboarding.
#
# NOTE(review): that label is a trust decision, not just a convenience.
# Anyone who can create or relabel namespaces can grant their workloads
# network reach to the shared database. Guard the label with RBAC or an
# admission policy (who may set railiance.io/postgres-client) -- confirm
# one exists.
#
# NOTE(review): nothing in this file permits traffic *between* the
# apps-pg instances themselves, nor egress to DNS or backup targets. If
# the default-deny also covers Egress, those need to come from another
# policy in the namespace -- confirm before relying on this triplet alone.
---
# Egress from the apps-pg instances to the Kubernetes API server.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: databases
  name: allow-egress-kube-api-apps-pg
spec:
  # Applies to every pod carrying the cnpg.io/cluster=apps-pg label.
  podSelector:
    matchLabels:
      cnpg.io/cluster: apps-pg
  policyTypes: [Egress]
  egress:
    # NOTE(review): this rule has no `to:` block, so it permits TCP/6443
    # to *any* destination, not only the API server; a port alone does
    # not scope the peer. Add a `to:` entry (e.g. an ipBlock covering the
    # control-plane endpoint(s)) once those addresses are known.
    - ports:
        - protocol: TCP
          port: 6443
---
# Ingress to the apps-pg instances from the cnpg operator namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: databases
  name: allow-ingress-from-cnpg-operator-apps-pg
spec:
  # Applies to every pod carrying the cnpg.io/cluster=apps-pg label.
  podSelector:
    matchLabels:
      cnpg.io/cluster: apps-pg
  policyTypes: [Ingress]
  ingress:
    # Source: any pod in the namespace named cnpg-system. The
    # kubernetes.io/metadata.name label is set by the API server itself,
    # so it cannot be forged by relabelling. No podSelector is given, so
    # *every* workload in cnpg-system qualifies, not only the operator;
    # add the operator's pod labels here if tighter scoping is wanted --
    # confirm the labels used by this deployment first.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: cnpg-system
      ports:
        - protocol: TCP
          port: 5432   # postgres
        - protocol: TCP
          port: 8000   # presumably the cnpg instance-manager status endpoint -- verify
        - protocol: TCP
          port: 9187   # presumably the postgres metrics exporter -- verify; a scraper
                       # living outside cnpg-system would need its own ingress rule
---
# Ingress to the apps-pg instances from opted-in consumer namespaces.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: databases
  name: allow-ingress-from-app-namespaces-apps-pg
spec:
  # Applies to every pod carrying the cnpg.io/cluster=apps-pg label.
  podSelector:
    matchLabels:
      cnpg.io/cluster: apps-pg
  policyTypes: [Ingress]
  ingress:
    # Source: every pod (podSelector: {}) in any namespace labelled
    # railiance.io/postgres-client=apps-pg. Unlike
    # kubernetes.io/metadata.name this label is user-settable, so the set
    # of allowed sources is controlled by whoever may label namespaces --
    # that permission should be restricted (RBAC / admission policy).
    #
    # The namespaceSelector and podSelector sit in ONE `from` item and are
    # therefore ANDed. Do not split them into two items: a bare
    # `- podSelector: {}` would then be ORed in and admit every pod in the
    # databases namespace regardless of the label.
    - from:
        - namespaceSelector:
            matchLabels:
              railiance.io/postgres-client: apps-pg
          podSelector: {}
      ports:
        - protocol: TCP
          port: 5432