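---
# Tenant isolation for the "testtenant" namespace.
#
# The empty podSelector applies this policy to every pod in the namespace, and
# listing both policy types makes it default-deny for ingress AND egress: only
# the traffic matched by a rule below is allowed. Two things a reader must keep
# in mind when relying on it:
#   - It is enforced only by a CNI that implements NetworkPolicy; a cluster
#     whose network plugin ignores the resource is left fully open.
#   - Rules are additive across policies. Any other NetworkPolicy selecting
#     these pods widens, never narrows, what is allowed here.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-isolation-policy
  namespace: testtenant
spec:
  podSelector: {}  # Selects all pods in the namespace
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # Same-namespace traffic only, on every port. A podSelector with no
  # namespaceSelector is scoped to the policy's own namespace, so nothing from
  # other namespaces (for example the cluster's ingress router or monitoring
  # stack) is admitted by this rule; that needs an explicit extra rule.
  - from:
    - podSelector: {}  # Allow from all pods in the same namespace
  egress:
  # Same-namespace traffic, every port.
  - to:
    - podSelector: {}  # Allow to all pods in the same namespace
  # Cluster DNS. A podSelector and a namespaceSelector in the SAME list entry
  # are ANDed: pods that live in the openshift-dns namespace. No port
  # restriction is applied, so every port on those pods is reachable.
  - to:
    - podSelector: {}
      namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-dns  # Target the openshift-dns namespace
    # Note, only opening port 53 is not enough, will have to dig deeper into this one eventually
    # NOTE(review): NetworkPolicy `ports` are matched against the destination
    # pod's port, not the Service port. OpenShift's DNS pods are commonly served
    # on a different container port (5353) behind the dns-default Service's
    # port 53 - confirm with the Service's targetPort before re-enabling the
    # block below, and use the pod port there.
    # ports:
    # - protocol: UDP
    #   port: 53
    # - protocol: TCP
    #   port: 53
  # Allow egress to public internet only.
  # The except list keeps pods away from private, link-local (which includes
  # the 169.254.169.254 cloud metadata endpoint), loopback, multicast and
  # reserved space. Caveats a reviewer should verify for the target cluster:
  #   - Only IPv4 is covered. On a dual-stack cluster this policy allows no
  #     IPv6 egress at all (fail-closed); add an equivalent ::/0 rule with its
  #     own exceptions if IPv6 egress is wanted.
  #   - Nodes, the API server or other infrastructure reachable on PUBLIC
  #     addresses are not excluded and stay reachable from tenant pods. Add
  #     those CIDRs to `except` if that is a concern.
  #   - Pod and Service CIDRs are blocked only because they are assumed to sit
  #     inside the private ranges listed here; check the cluster's actual
  #     network configuration.
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8      # RFC1918
        - 172.16.0.0/12   # RFC1918
        - 192.168.0.0/16  # RFC1918
        - 169.254.0.0/16  # Link-local
        - 127.0.0.0/8     # Loopback
        - 224.0.0.0/4     # Multicast
        - 240.0.0.0/4     # Reserved
        - 100.64.0.0/10   # Carrier-grade NAT
        - 0.0.0.0/8       # Reserved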