diff --git a/charts/team-ns/templates/netpols/custom-network-policies.yaml b/charts/team-ns/templates/netpols/custom-network-policies.yaml index ebac8ba034..9e060aa480 100644 --- a/charts/team-ns/templates/netpols/custom-network-policies.yaml +++ b/charts/team-ns/templates/netpols/custom-network-policies.yaml @@ -28,7 +28,7 @@ spec: - namespaceSelector: matchLabels: type: team - + {{- else if eq .ruleType.ingress.mode "AllowOnly" }} --- apiVersion: networking.k8s.io/v1 diff --git a/charts/team-ns/templates/netpols/default-network-policies.yaml b/charts/team-ns/templates/netpols/default-network-policies.yaml index b0e78a37f2..9e7083217f 100644 --- a/charts/team-ns/templates/netpols/default-network-policies.yaml +++ b/charts/team-ns/templates/netpols/default-network-policies.yaml @@ -26,6 +26,25 @@ spec: policyTypes: - Ingress --- + +# https://istio.io/latest/docs/ambient/usage/networkpolicy/ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-istio +spec: + podSelector: {} + ingress: + - ports: + # Allow traffic from the Istio secure overlay + - port: 15008 + protocol: TCP + ingress: + - from: + - ipBlock: + # Allow traffic form the fixed link-local IP address (the origin of health probes) Istio ambient uses for this traffic + cidr: 169.254.7.127/32 +--- # Allow traffic from platform services apiVersion: networking.k8s.io/v1 kind: NetworkPolicy @@ -45,7 +64,7 @@ spec: - from: - namespaceSelector: matchLabels: - # FIXME: it seems that knative operator wipes out 'name' label, + # FIXME: it seems that knative operator wipes out 'name' label, # we can still rely on automatic k8s labeling but it has some prerequsites: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#automatic-labelling # name: knative-serving kubernetes.io/metadata.name: knative-serving @@ -81,4 +100,4 @@ spec: app.kubernetes.io/managed-by: EventListener policyTypes: - Ingress -{{- end }} \ No newline at end of file +{{- end }}
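Review bot: The new `default-istio` NetworkPolicy declares `ingress:` twice under `spec:` — once carrying the port 15008 rule and once carrying the `ipBlock` rule — and a YAML mapping cannot hold the same key twice, so the rendered manifest is either rejected on apply or, with a last-wins parser, silently drops the port 15008 entry and keeps only the health-probe source. Both rules belong in a single `ingress` list, as sketched below; they remain independent entries, so the `ports` item with no `from` admits TCP 15008 from any source and the `ipBlock` item admits any port from `169.254.7.127/32`, which is what the linked Istio page describes. The sibling policies in this file set `policyTypes: - Ingress` explicitly, which this policy omits and should add for consistency. The comment `# Allow traffic form the fixed link-local IP address` should read `from`.

```yaml
spec:
  podSelector: {}
  ingress:
    - ports:
        # Allow traffic from the Istio secure overlay
        - port: 15008
          protocol: TCP
    - from:
        - ipBlock:
            # Allow traffic from the fixed link-local IP address (the origin of health probes) Istio ambient uses for this traffic
            cidr: 169.254.7.127/32
  policyTypes:
    - Ingress
```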