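{{- /*
Kyverno ClusterPolicy that generates a CiliumNetworkPolicy in every namespace
belonging to this vcluster release. The generated policy allows egress from all
pods in that namespace to the vcluster kube-apiserver pods (label app=vcluster)
on 443/TCP.

Rendered with Helm; `$fullname` comes from the chart's "vCluster.fullname"
helper and is used to match the vcluster's own namespace and any namespace
labelled vcluster.loft.sh/vcluster-name=<fullname>.
*/ -}}
{{- $fullname := include "vCluster.fullname" . -}}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    # Annotation values are quoted so they stay strings under every YAML loader.
    kyverno.io/kyverno-version: "1.7.0"
    policies.kyverno.io/description: Allow egress to vcluster kube-apiserver
    policies.kyverno.io/minversion: "1.7.0"
    policies.kyverno.io/subject: Namespace, NetworkPolicy
    policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
  name: generate-vcluster-apiserver-networkpolicy
  # NOTE(review): ClusterPolicy is cluster-scoped; the API server is expected to
  # ignore metadata.namespace on it — confirm whether this line is needed.
  namespace: {{ .Release.Namespace }}
spec:
  background: true
  # NOTE(review): spec.generateExisting may require a newer Kyverno than the
  # 1.7.0 minversion annotated above — confirm against the targeted release.
  generateExisting: true
  rules:
    - name: generate-vcluster-apiserver-networkpolicy
      generate:
        apiVersion: cilium.io/v2
        kind: CiliumNetworkPolicy
        name: allow-vcluster-apiserver-access
        # printf emits the Kyverno JMESPath variable literally so Helm does not
        # try to evaluate the inner {{request.object.metadata.name}} itself.
        namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
        synchronize: true
        data:
          metadata:
            labels:
              created-by: kyverno
          spec:
            description: Allow egress to vcluster kube-apiserver
            # NOTE(review): in Cilium, an endpoint selected by any egress rule
            # is default-deny for egress not matched by a rule. With the empty
            # endpointSelector below this selects every pod in the namespace —
            # confirm that other required egress (e.g. DNS) is allowed elsewhere.
            egress:
              - toEndpoints:
                  # No namespace label is given, so this is presumably scoped
                  # to the generated policy's own namespace — verify.
                  - matchLabels:
                      app: vcluster
                toPorts:
                  - ports:
                      # Cilium expects the port as a string.
                      - port: "443"
                        protocol: TCP
            endpointSelector: {}
      match:
        any:
          # The vcluster's own namespace (named after the release).
          - resources:
              kinds:
                - Namespace
              names:
                - {{ $fullname | quote }}
          # Any additional namespace explicitly labelled for this vcluster.
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  vcluster.loft.sh/vcluster-name: {{ $fullname | quote }}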