manifests: add optional network policy charts for ztunnel (#57680)

cam-garrison · web-flow · commit 37b7f6000f70 · 2025-10-29T13:41:56.000-04:00
[release1.27][cherry-pick]manifests: add optional network policy charts for ztunnel (#57680)
diff --git a/manifests/charts/ztunnel/templates/networkpolicy.yaml b/manifests/charts/ztunnel/templates/networkpolicy.yaml
@@ -0,0 +1,63 @@
+{{- if (.Values.global.networkPolicy).enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "ztunnel.release-name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: ztunnel
+    app.kubernetes.io/name: ztunnel
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Ztunnel"
+    release: {{ .Release.Name }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app: ztunnel
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # Readiness probe
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15021
+  # Monitoring/prometheus
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15020  # Metrics
+  # Admin interface
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15000  # Admin interface
+  # HBONE traffic
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15008
+  # Outbound traffic endpoint
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15001
+  # Traffic endpoint for inbound plaintext
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15006
+  # DNS Captures
+  - from: [ ]
+    ports:
+      - protocol: TCP
+        port: 15053
+      - protocol: UDP
+        port: 15053
+  egress:
+  # Allow all egress
+  - {}
+{{- end }}
diff --git a/manifests/charts/ztunnel/values.yaml b/manifests/charts/ztunnel/values.yaml
@@ -17,6 +17,11 @@ _internal_defaults_do_not_set:
   # corresponds to the networks in the map of mesh networks.
   network: ""
 
+  global:
+    # When enabled, default NetworkPolicy resources will be created
+    networkPolicy:
+      enabled: false
+
   # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'.
   # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart.
   resourceName: ""
diff --git a/releasenotes/notes/ztunnel-networkpolicy.yaml b/releasenotes/notes/ztunnel-networkpolicy.yaml
@@ -0,0 +1,12 @@
+apiVersion: release-notes/v2
+kind: feature
+area: security
+
+issue:
+  - https://github.com/istio/api/issues/56877
+
+releaseNotes:
+  - |
+    **Added** optional NetworkPolicy deployment for ztunnel.
+
+    You can set `global.networkPolicy.enabled=true` to deploy a default NetworkPolicy for ztunnel.
diff --git a/tests/integration/iop-ambient-test-defaults.yaml b/tests/integration/iop-ambient-test-defaults.yaml
@@ -17,3 +17,6 @@ spec:
       - matchExpressions:
         - key: istio.io/test-exclude-namespace
           operator: DoesNotExist
+    global:
+      networkPolicy:
+        enabled: true
