NetworkPolicy: A Commodore component to manage NetworkPolicy

NetworkPolicy: A Commodore component to manage NetworkPolicy provides the tooling to manage a set of NetworkPolicies in all the namespaces on a cluster. The intention is to create a safe default. This is done by isolating the network of a namespace. The created policies will allow only traffic from pods within the same network. They will also allow traffic from selected namespaces. The latter is needed for ingress and monitoring to work.

This component assumes that a cluster was set up with a network plugin that supports NetworkPolicies.

An Espejo SyncConfig is used to create the policies. The SyncConfig is configured to ignore namespaces having the label network-policies.syn.tools/no-defaults (the value doesn’t matter).

The content of the created NetworkPolicies is enforced. Changes from other sources will be overwritten. If changes to the default policies are required, add the ignore label and create them on your own.

This component also allows to exclude a set of namespaces. Those namespaces will receive the network-policies.syn.tools/no-defaults=true and network-policies.syn.tools/purge-defaults=true labels.

The label network-policies.syn.tools/purge-defaults=true results in the active removal of those default policies.

Removing the NetworkPolicies from namespaces labeled network-policies.syn.tools/purge-defaults=true is done by name. The names removed are allow-from-same-namespace and allow-from-other-namespaces. If similar rules are created in those namespaces, they must have different names. Otherwise, they will be removed.