
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Per-tenant network policy bundle.
#
# The first document denies all ingress and egress for every pod in the
# tenant namespace. Each following document is an additive allow rule:
# NetworkPolicies only ever add permitted traffic, so the tenant's effective
# reachability is exactly the union of the allow policies below. The
# placeholder namespace `ns` is rewritten by kpt through the kpt-set markers.
---
# Baseline isolation in both directions. No ingress/egress rules are listed,
# so every connection is dropped unless another policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: ns # kpt-set: ${tenant-name}
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Pods inside the tenant namespace may talk to each other, both directions.
# Relies on the kubernetes.io/metadata.name label that the API server sets
# on every namespace on recent Kubernetes versions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  # kpt-merge: allow-within-own-namespace
  name: allow-within-own-namespace
  namespace: ns # kpt-set: ${tenant-name}
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ns # kpt-set: ${tenant-name}
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ns # kpt-set: ${tenant-name}
---
# Egress to the GKE metadata server endpoints, pinned to single host
# addresses and single TCP ports so nothing else on the link-local or
# loopback ranges becomes reachable.
# NOTE(review): every pod in the namespace can reach the metadata server,
# so whatever credentials it serves are obtainable from any tenant
# workload — confirm that is the intended trust boundary.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-metadata-server
  namespace: ns # kpt-set: ${tenant-name}
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            # For GKE dataplane v2
            cidr: 169.254.169.254/32
      ports:
        - protocol: TCP
          port: 80
    - to:
        - ipBlock:
            cidr: 169.254.169.252/32
        - ipBlock:
            cidr: 127.0.0.1/32
      ports:
        - protocol: TCP
          port: 988
---
# Egress to the Istio control-plane namespace. No port restriction: any
# port on any pod in istio-system is reachable.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-istio-system
  namespace: ns # kpt-set: ${tenant-name}
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: istio-system
---
# Egress to the Istio egress-gateway namespace, any port. Nothing else in
# this bundle opens general outbound access, so traffic leaving the cluster
# presumably has to go through that gateway.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-istio-egress
  namespace: ns # kpt-set: ${tenant-name}
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: istio-egress
---
# DNS: egress to kube-system restricted to port 53 over UDP and TCP.
# NOTE(review): the rule matches every pod in kube-system on port 53, not
# only the DNS pods; a podSelector on the DNS pods' label would narrow it
# further if the cluster's DNS setup allows that.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-kube-system-dns
  namespace: ns # kpt-set: ${tenant-name}
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Egress to the private Google APIs address range (199.36.153.8/30).
# NOTE(review): no port restriction is applied here — confirm whether
# limiting this rule to the API's TCP port would still serve the tenants.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-private-google-apis
  namespace: ns # kpt-set: ${tenant-name}
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 199.36.153.8/30