Add network policy for vm operator

YuryHrytsuk · YuryHrytsuk · commit 6d20c40047a1 · 2025-10-29T16:04:46.000+01:00
diff --git a/charts/calico-configuration/templates/globalpolicy.yaml b/charts/calico-configuration/templates/globalpolicy.yaml
@@ -8,7 +8,7 @@ spec:
   # "calico-system", "calico-apiserver", "tigera-operator" -- calico namespaces (when installed via scripts [local deployment])
   # TODO: other namespaces are to be removed from this list (once appropriate network policies are created)
   namespaceSelector:
-    kubernetes.io/metadata.name not in {"kube-public", "kube-system", "kube-node-lease", "calico-system", "calico-apiserver", "tigera-operator", "reflector", "traefik", "victoria-logs", "csi-s3", "portainer", "topolvm", "local-path-storage", "longhorn", "victoria-metrics-operator"}
+    kubernetes.io/metadata.name not in {"kube-public", "kube-system", "kube-node-lease", "calico-system", "calico-apiserver", "tigera-operator", "reflector", "traefik", "victoria-logs", "csi-s3", "portainer", "topolvm", "local-path-storage", "longhorn"}
   types:
     - Ingress
     - Egress
diff --git a/charts/victoria-metrics-operator/values.yaml.gotmpl b/charts/victoria-metrics-operator/values.yaml.gotmpl
@@ -6,3 +6,20 @@ admissionWebhooks:
   certManager:
     # avoid new cert generation on every helm run
     enabled: true
+
+extraObjects:
+- apiVersion: projectcalico.org/v3
+  kind: NetworkPolicy
+  metadata:
+    name: victoria-metrics-operator-network-policy
+  spec:
+    egress:
+      - action: Allow
+        protocol: TCP
+        destination:
+          nets:
+            - 10.0.0.0/8
+            - 172.16.0.0/12
+            - 192.168.0.0/16
+          ports:
+            - 6443
