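---
# OpenShift Template that seeds a namespace with a "deny by default"
# network posture plus the minimum allow rules a typical app needs.
# Three objects are Kubernetes NetworkPolicy resources; the last two are
# NetworkSecurityPolicy custom resources (security.devops.gov.bc.ca) that
# this workshop uses alongside them. `${NAMESPACE}` is filled in from the
# template parameter at the bottom of the file.
apiVersion: template.openshift.io/v1
kind: Template
labels:
  template: quickstart-network-security-policy
metadata:
  name: quickstart-network-security-policy
objects:
  - apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: deny-by-default
    spec:
      # The default posture for a security first namespace is to
      # deny all inbound traffic. If not added this rule will be added
      # by Platform Services during environment cut-over.
      # An empty podSelector selects every pod in the namespace and an
      # empty ingress list admits no peer. policyTypes is written out so
      # the scope is unambiguous: this policy restricts ingress only and
      # leaves egress untouched (which is also what Kubernetes defaults to
      # when no egress section is present).
      podSelector: {}
      ingress: []
      policyTypes:
        - Ingress
  - apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-from-openshift-ingress
    spec:
      # This policy allows any pod with a route & service combination
      # to accept traffic from the OpenShift router pods. This is
      # required for things outside of OpenShift (like the Internet)
      # to reach your pods.
      # Only namespaces carrying the policy-group=ingress label are
      # admitted; no pod-level filter is applied within them.
      ingress:
        - from:
            - namespaceSelector:
                matchLabels:
                  network.openshift.io/policy-group: ingress
      podSelector: {}
      policyTypes:
        - Ingress
  - apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-same-namespace
    spec:
      # Allow all pods within the current namespace to communicate
      # to one another.
      # podSelector is an explicit empty mapping: a bare `podSelector:`
      # parses as null, which linters flag and which only means "all pods"
      # because the API server zero-fills the missing selector.
      podSelector: {}
      ingress:
        - from:
            - podSelector: {}
      policyTypes:
        - Ingress
  - apiVersion: security.devops.gov.bc.ca/v1alpha1
    kind: NetworkSecurityPolicy
    metadata:
      name: any-to-any
    spec:
      # NOTE(review): the `$namespace=*` destination reads as "any
      # namespace"; confirm this breadth is intended before reusing the
      # template outside the workshop.
      description: |
        allow all pods to communicate
      source:
        - - "$namespace=${NAMESPACE}"
      destination:
        - - "$namespace=*"
  - apiVersion: security.devops.gov.bc.ca/v1alpha1
    kind: NetworkSecurityPolicy
    metadata:
      name: any-to-external
    spec:
      # NOTE(review): `ext:network=any` permits outbound traffic to every
      # external network from every pod in the namespace; narrow it once
      # the app's real dependencies are known.
      description: |
        Allow all pods to talk to external systems
      source:
        - - "$namespace=${NAMESPACE}"
      destination:
        - - "ext:network=any"
parameters:
  # Substituted into the `${NAMESPACE}` references above when the
  # template is processed.
  - name: NAMESPACE
    displayName: Namespace
    description: |
      The namespace this policy is being deployed to;
    required: true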