Merge pull request #1110 from vshn/fix/missing_netpol_cnpg

Add missing networkpolicy to CNPG

Author: Kidswiss

component/cnpg.jsonnet

@@ -239,6 +239,33 @@ local prometheusrule = std.prune(kube._Object('monitoring.coreos.com/v1', 'Prome
   },
 });
 
+local netpol = std.prune(kube._Object('networking.k8s.io/v1', 'NetworkPolicy', 'allow-webhook-all-namespaces') {
+  metadata+: {
+    namespace: params.namespace,
+    labels: labels,
+  },
+  spec+: {
+    policyTypes: [
+      'Ingress',
+    ],
+    ingress: [
+      {
+        ports: [
+          {
+            port: 9443,
+            protocol: 'TCP',
+          },
+        ],
+      },
+    ],
+    podSelector: {
+      matchLabels: {
+        'app.kubernetes.io/name': 'cloudnative-pg',
+      },
+    },
+  },
+});
+
 {
   '00_namespace': namespace {
     metadata+: {
@@ -247,4 +274,5 @@ local prometheusrule = std.prune(kube._Object('monitoring.coreos.com/v1', 'Prome
     },
   },
   '10_cnpg_prometheusrule': prometheusrule,
+  '11_networkpolicy': netpol,
 }

tests/golden/control-plane/appcat/appcat/cnpg/11_networkpolicy.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: cnpg
+  name: allow-webhook-all-namespaces
+  namespace: syn-cnpg-system
+spec:
+  ingress:
+    - ports:
+        - port: 9443
+          protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: cloudnative-pg
+  policyTypes:
+    - Ingress

tests/golden/defaults/appcat/appcat/cnpg/11_networkpolicy.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: cnpg
+  name: allow-webhook-all-namespaces
+  namespace: syn-cnpg-system
+spec:
+  ingress:
+    - ports:
+        - port: 9443
+          protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: cloudnative-pg
+  policyTypes:
+    - Ingress

tests/golden/dev/appcat/appcat/cnpg/11_networkpolicy.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: cnpg
+  name: allow-webhook-all-namespaces
+  namespace: syn-cnpg-system
+spec:
+  ingress:
+    - ports:
+        - port: 9443
+          protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: cloudnative-pg
+  policyTypes:
+    - Ingress

tests/golden/exodev/appcat/appcat/cnpg/11_networkpolicy.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: cnpg
+  name: allow-webhook-all-namespaces
+  namespace: syn-cnpg-system
+spec:
+  ingress:
+    - ports:
+        - port: 9443
+          protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: cloudnative-pg
+  policyTypes:
+    - Ingress

tests/golden/service-cluster/appcat/appcat/cnpg/11_networkpolicy.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: cnpg
+  name: allow-webhook-all-namespaces
+  namespace: syn-cnpg-system
+spec:
+  ingress:
+    - ports:
+        - port: 9443
+          protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: cloudnative-pg
+  policyTypes:
+    - Ingress

tests/golden/vshn-cloud/appcat/appcat/cnpg/11_networkpolicy.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: cnpg
+  name: allow-webhook-all-namespaces
+  namespace: syn-cnpg-system
+spec:
+  ingress:
+    - ports:
+        - port: 9443
+          protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: cloudnative-pg
+  policyTypes:
+    - Ingress

tests/golden/vshn-managed/appcat/appcat/cnpg/11_networkpolicy.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: cnpg
+  name: allow-webhook-all-namespaces
+  namespace: syn-cnpg-system
+spec:
+  ingress:
+    - ports:
+        - port: 9443
+          protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: cloudnative-pg
+  policyTypes:
+    - Ingress