now also supporting linkerd

and some cleanup

cmd/policygen/templates/netpol/namespace/linkerd.yaml

@@ -1,6 +1,37 @@
+{{- if not .Open }}
 ---
-####################################################################################
-# LINKERD NETPOL TBD
-####################################################################################
-
-
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-linkerd # required for OCSP
+  namespace: {{ .Name }}
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchExpressions:
+              - key: kubernetes.io/metadata.name
+                operator: In
+                values:
+                  - linkerd-viz
+    - ports:
+        - port: linkerd-admin
+      from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+          # podSelector prometheus
+  egress:
+    - to:
+        - namespaceSelector:
+            matchExpressions:
+              - key: kubernetes.io/metadata.name
+                operator: In
+                values:
+                  - linkerd
+                  - linkerd-jaeger
+  {{- end }}

cmd/policygen/templates/netpol/pod/apiserver.yaml

@@ -1,3 +1,4 @@
+{{- if not .app.Namespace.Open }}
 ---
 kind: CiliumNetworkPolicy
 apiVersion: cilium.io/v2
@@ -24,3 +25,4 @@ spec:
             protocol: TCP
   {{- end }}
 
+  {{- end }}

cmd/policygen/templates/netpol/pod/pod.yaml

@@ -1,4 +1,3 @@
----
 {{- define "ports" }}
           {{- range $port := . }}
           - port: {{ $port.Port }}
@@ -36,6 +35,7 @@
 {{- end }}
 
 {{- if not .app.Namespace.Open }}
+---
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:

example/config.yaml

@@ -14,7 +14,7 @@ networks:
 
 namespaces:
   - name: wamblee-org
-    open: false
+    #open: true
     capabilities:
       - linkerd
     applications:
@@ -29,6 +29,7 @@ namespaces:
           app: nexus-server
 
   - name: exposure
+    open: false
     applications:
       - name: httpd-wamblee-org
         matchLabels: