feat: whitelist all ingress traffic if team network policies are disa… (

#1540)
linode · Feb 29, 2024 · 6b4d70d · 6b4d70d
1 parent 0e52f19
commit 6b4d70d
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/charts/team-ns/templates/networkpolicy.yaml b/charts/team-ns/templates/networkpolicy.yaml
@@ -2,7 +2,21 @@
 {{- $v := .Values | merge (dict) }}
 {{- $prometheus := dig "managedMonitoring" "prometheus" false $v }}
 {{- $alertmng := dig "managedMonitoring" "alertmanager" false $v }}
-{{- if and (not (eq $v.teamId "admin")) (dig "networkPolicy" "ingressPrivate" true $v) }}
+{{- if (not (dig "networkPolicy" "ingressPrivate" true $v)) }}
+---
+# If team network policies are disabled then we whitelist all traffic to prevent undesired blocking while deploying team workloads
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-ingress-allow-all
+  labels: {{- include "team-ns.chart-labels" $ | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels: {}
+  ingress:
+  - from:
+    - namespaceSelector: {}
+{{- else if and (not (eq $v.teamId "admin")) (dig "networkPolicy" "ingressPrivate" true $v) }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy

diff --git a/tests/fixtures/env/teams.yaml b/tests/fixtures/env/teams.yaml
@@ -30,7 +30,7 @@ teamConfig:
             prometheus: true
         networkPolicy:
             egressPublic: true
-            ingressPrivate: true
+            ingressPrivate: false
         oidc:
             groupMapping: somesecretvalue
         resourceQuota: