From 01700876cff72fbcb121dbf7c1e03cfe861501c7 Mon Sep 17 00:00:00 2001
From: Erik Brakkee
Date: Thu, 2 Jan 2025 19:30:31 +0100
Subject: [PATCH] now also supporting linkerd and some cleanup
---
 .../templates/netpol/namespace/linkerd.yaml | 41 ++++++++++++++++---
 .../templates/netpol/pod/apiserver.yaml | 2 +
 cmd/policygen/templates/netpol/pod/pod.yaml | 2 +-
 example/config.yaml | 3 +-
 4 files changed, 41 insertions(+), 7 deletions(-)
diff --git a/cmd/policygen/templates/netpol/namespace/linkerd.yaml b/cmd/policygen/templates/netpol/namespace/linkerd.yaml
index 684665c..fdb0e70 100644
--- a/cmd/policygen/templates/netpol/namespace/linkerd.yaml
+++ b/cmd/policygen/templates/netpol/namespace/linkerd.yaml
@@ -1,6 +1,37 @@
+{{- if not .Open }}
 ---
-####################################################################################
-# LINKERD NETPOL TBD
-####################################################################################
-
-
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-linkerd # required for OCSP
+ namespace: {{ .Name }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ - linkerd-viz
+ - ports:
+ - port: linkerd-admin
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ # podSelector prometheus
+ egress:
+ - to:
+ - namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ - linkerd
+ - linkerd-jaeger
+ {{- end }}
\ No newline at end of file
diff --git a/cmd/policygen/templates/netpol/pod/apiserver.yaml b/cmd/policygen/templates/netpol/pod/apiserver.yaml
index 70c37e8..991f3fe 100644
--- a/cmd/policygen/templates/netpol/pod/apiserver.yaml
+++ b/cmd/policygen/templates/netpol/pod/apiserver.yaml
@@ -1,3 +1,4 @@
+{{- if not .app.Namespace.Open }}
 ---
 kind: CiliumNetworkPolicy
 apiVersion: cilium.io/v2
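Review bot: The first ingress rule on the new side of the linkerd.yaml hunk has no `ports:` list, so together with `podSelector: {}` it lets any pod in `linkerd-viz` reach every port of every pod in the namespace, and the `monitoring` rule is equally wide on the pod side because `# podSelector prometheus` stands in for a selector that was never written. The second rule shows the intended shape — it pins the named port `linkerd-admin` — and the first should likewise list only the proxy ports that linkerd-viz actually needs, while the comment should become a real `podSelector` or be dropped. The egress rule opens all ports to the `linkerd` and `linkerd-jaeger` namespaces; if that is deliberate for control-plane traffic, say so in a comment instead of the unrelated `# required for OCSP` on the `name:` line, which nothing in this policy explains. Finally, `namespace: {{ .Name }}` is an unquoted template expansion; a namespace named `on`, `no` or `null` is a valid DNS label that YAML 1.1 loaders turn into a boolean or null, so write `namespace: "{{ .Name }}"`.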
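Review bot: The new guard `{{- if not .app.Namespace.Open }}` in apiserver.yaml and its `{{- end }}` are separated by the whole CiliumNetworkPolicy and sit in different hunks, and nothing in the template states what an open namespace means for this policy. A one-line template comment after the guard, such as `{{- /* open namespaces get no generated policies, so the apiserver policy is skipped as well */ -}}`, would make the intent readable without rendering anything. The guard matches the one pod.yaml already uses; the namespace-level linkerd template keys off `.Open` instead, which is presumably the same flag seen from a different template context.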
@@ -24,3 +25,4 @@ spec:
 protocol: TCP
 {{- end }}
+ {{- end }}
\ No newline at end of file
diff --git a/cmd/policygen/templates/netpol/pod/pod.yaml b/cmd/policygen/templates/netpol/pod/pod.yaml
index 878eafe..3c51a3d 100644
--- a/cmd/policygen/templates/netpol/pod/pod.yaml
+++ b/cmd/policygen/templates/netpol/pod/pod.yaml
@@ -1,4 +1,3 @@
----
 {{- define "ports" }}
 {{- range $port := . }}
 - port: {{ $port.Port }}
@@ -36,6 +35,7 @@
 {{- end }}
 {{- if not .app.Namespace.Open }}
+---
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
diff --git a/example/config.yaml b/example/config.yaml
index ef5dac5..6a6f763 100644
--- a/example/config.yaml
+++ b/example/config.yaml
@@ -14,7 +14,7 @@ networks:
 namespaces:
 - name: wamblee-org
- open: false
+ #open: true
 capabilities:
 - linkerd
 applications:
@@ -29,6 +29,7 @@ namespaces:
 app: nexus-server
 - name: exposure
+ open: false
 applications:
 - name: httpd-wamblee-org
 matchLabels:
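Review bot: The `wamblee-org` entry in the first config.yaml hunk now has `open` commented out as `#open: true`, so what the generator does for that namespace depends on the default for `open`, which this diff does not show, while the second config.yaml hunk makes `exposure` explicit with `open: false`. Since an open namespace makes the templates touched in this commit emit no network policies at all, the example should state the value rather than leave a commented-out line that reads like the opposite setting: `open: false  # default; set to true to emit no network policies for this namespace`, with the default wording adjusted to whatever the loader actually applies. The comment as written also lacks the space after `#` that yamllint expects (`# open: true`).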