-
Notifications
You must be signed in to change notification settings - Fork 14
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
108 additions
and
283 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,108 @@ | ||
| --- | ||
| apiVersion: template.openshift.io/v1 | ||
| kind: Template | ||
| labels: | ||
| template: ${GROUP_NAME}-network-security-policy | ||
| metadata: | ||
| name: ${GROUP_NAME}-network-security-policy | ||
| objects: | ||
| - kind: NetworkPolicy | ||
| apiVersion: networking.k8s.io/v1 | ||
| metadata: | ||
| name: ${GROUP_NAME}-deny-by-default | ||
| labels: | ||
| app: ${GROUP_NAME} | ||
| spec: | ||
| # The default posture for a security first namespace is to | ||
| # deny all traffic. If not added this rule will be added | ||
| # by Platform Services during environment cut-over. | ||
| podSelector: {} | ||
| ingress: [] | ||
| - apiVersion: networking.k8s.io/v1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| name: ${GROUP_NAME}-allow-from-openshift-ingress | ||
| labels: | ||
| app: ${GROUP_NAME} | ||
| spec: | ||
| # This policy allows any pod with a route & service combination | ||
| # to accept traffic from the OpenShift router pods. This is | ||
| # required for things outside of OpenShift (like the Internet) | ||
| # to reach your pods. | ||
| ingress: | ||
| - from: | ||
| - namespaceSelector: | ||
| matchLabels: | ||
| network.openshift.io/policy-group: ingress | ||
| podSelector: {} | ||
| policyTypes: | ||
| - Ingress | ||
| - apiVersion: networking.k8s.io/v1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| name: ${GROUP_NAME}-allow-services-to-database | ||
| labels: | ||
| app: ${GROUP_NAME} | ||
| spec: | ||
| # Allow services to connect to the database | ||
| podSelector: | ||
| matchLabels: | ||
| role: database | ||
| ingress: | ||
| - from: | ||
| - podSelector: | ||
| matchLabels: | ||
| role: api | ||
| - podSelector: | ||
| matchLabels: | ||
| role: backup | ||
| - podSelector: | ||
| matchLabels: | ||
| role: metabase | ||
| ports: | ||
| - protocol: TCP | ||
| port: 27017 | ||
| - apiVersion: networking.k8s.io/v1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| name: ${GROUP_NAME}-allow-frontend-to-api | ||
| labels: | ||
| app: ${GROUP_NAME} | ||
| spec: | ||
| # Allow frontends to connect to API | ||
| podSelector: | ||
| matchLabels: | ||
| role: api | ||
| ingress: | ||
| - from: | ||
| - podSelector: | ||
| matchLabels: | ||
| role: frontend | ||
| ports: | ||
| - protocol: TCP | ||
| port: 3000 | ||
| - apiVersion: networking.k8s.io/v1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| name: ${GROUP_NAME}-allow-proxy-to-frontend | ||
| labels: | ||
| app: ${GROUP_NAME} | ||
| spec: | ||
| # Allow proxy to connect to the frontend | ||
| podSelector: | ||
| matchLabels: | ||
| role: frontend | ||
| ingress: | ||
| - from: | ||
| - podSelector: | ||
| matchLabels: | ||
| role: proxy | ||
| ports: | ||
| - protocol: TCP | ||
| port: 4000 # e-guides port | ||
| parameters: | ||
| - description: A name used to group objects together to identify related objects for a set of deployments | ||
| displayName: Group name | ||
| name: GROUP_NAME | ||
| required: true | ||
| value: nrpti |
197 changes: 0 additions & 197 deletions
197
tools/network-security-policies/network-security-policy-legacy.yaml
This file was deleted.
Oops, something went wrong.
86 changes: 0 additions & 86 deletions
86
tools/network-security-policies/network-security-policy-quickstart.yaml
This file was deleted.
Oops, something went wrong.