{{- define "ports" }}
{{- range $port := . }}
- port: {{ $port.Port }}
{{- if $port.Protocol }}
protocol: {{ $port.Protocol }}
{{- end }}
{{- end }}
{{- end }}
{{- define "peers" }}
{{- range .Applications }}
- {{.Rule}}:
# {{ .Application.Namespace.Name }}/{{ .Application.Name }}
- podSelector:
matchLabels: {{ .Application.MatchLabels | toJson }}
matchExpressions: {{ .Application.MatchExpressions | toJson }}
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: {{ .Application.Namespace.Name }}
{{- if .Ports }}
ports:
{{- template "ports" .Ports }}
{{- end }}
{{- end }}
{{- end }}
{{- define "networks" }}
{{- range .Networks }}
{{- if .Network.CIDR }}
- {{.Rule}}:
# {{ .Network.Name }}
- ipBlock:
cidr: {{ .Network.CIDR}}
except:
{{- range $except := .Network.Except }}
- {{ $except }}
{{- end }}
{{- end }}
{{- if .Ports }}
{{- if .Network.CIDR }}
ports:
{{- else }}
- ports:
{{- end }}
{{- template "ports" .Ports }}
{{- end }}
{{- end }}
{{- end }}
{{- if not .app.Namespace.Open }}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: "{{.app.Name}}"
namespace: "{{.app.Namespace.Name }}"
labels: {{ .labels | toJson }}
spec:
# {{ .app.Namespace.Name }}/{{ .app.Name }}
podSelector:
matchLabels: {{ .app.MatchLabels | toJson }}
matchExpressions: {{ .app.MatchExpressions | toJson }}
policyTypes:
{{- if or .ingress.Applications .ingress.Networks }}
- Ingress
{{- end }}
{{- if or .egress.Applications .egress.Networks }}
- Egress
{{- end }}
{{- if or .ingress.Applications .ingress.Networks }}
ingress:
{{- template "peers" .ingress }}
{{- template "networks" .ingress }}
{{- end }}
{{- if or .egress.Applications .egress.Networks }}
egress:
{{- template "peers" .egress }}
{{- template "networks" .egress }}
{{- end }}
{{- end }}