Parameters

The parent key for all of the following parameters is networkpolicy.
labels

type: dictionary
default: empty

Labels to be used in other components.
allowNamespaceLabels

type: list of dictionaries
default: empty list

A list of label sets matching the namespaces to allow traffic from. Each list item can contain several key-value pairs, which result in an AND condition: a namespace must carry all of them. Separate list items result in an OR condition: a namespace matching any one item is allowed.

    allowNamespaceLabels:
      - my-label-a: true
        my-label-b: true
      - my-label-c: true

In the above example, traffic is allowed from a namespace that has the labels my-label-a=true AND my-label-b=true. Traffic is also allowed from a namespace labeled my-label-c=true.
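As an added illustration (not a manifest taken from the component itself), this is the Kubernetes NetworkPolicy ingress rule that the allowNamespaceLabels example above expresses. The policy name and the target namespace my-app are assumptions; the component's rendered manifest may use different metadata. Kubernetes label values are strings, so the true values appear quoted in the manifest.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-labeled-namespaces   # assumed name, not the component's
  namespace: my-app                      # assumed target namespace
spec:
  podSelector: {}          # applies to every pod in the namespace
  policyTypes:
    - Ingress
  ingress:
    - from:
        # First list item: both labels must be present on the namespace (AND).
        - namespaceSelector:
            matchLabels:
              my-label-a: "true"
              my-label-b: "true"
        # Second list item: a separate peer entry, so it is an alternative (OR).
        - namespaceSelector:
            matchLabels:
              my-label-c: "true"
```

Each entry under from is a separate peer, which is what gives the OR between list items; the two keys inside a single namespaceSelector must both match, which gives the AND. To see which namespaces a list item actually matches before relying on it, list them with the same selector, for example kubectl get namespaces -l my-label-a=true,my-label-b=true (the comma is an AND in kubectl selectors, too).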
ignoredNamespaces

type: list of strings
default: empty list

A list of namespace names where no default NetworkPolicies will be created. Default NetworkPolicies will be purged for all namespaces in this list.
networkPlugin

type: string
default: empty

The network plugin installed on the cluster. This parameter must be set when using the Cilium network plugin; otherwise some policies might not be applied correctly.
ciliumClusterID

type: string
default: empty

This parameter controls whether the component isolates namespaces with the same name in different clusters of a Cilium cluster mesh from each other. By default (parameter empty), connectivity between namespaces with the same name is allowed across clusters.

If this behavior isn't desired, set this parameter to the cluster's Cilium cluster ID (which is configured in parameter cilium.cilium_helm_values.cluster.name when using cluster mesh).

When the parameter isn't empty, the component adjusts the allow-from-same-namespace policy with the following snippet:

    spec:
      ingress:
        - from:
            - podSelector:
                matchLabels:
                  io.cilium.k8s.policy.cluster: <ciliumClusterID> (1)

(1) <ciliumClusterID> is replaced with the string provided in this parameter.
allowFromNodeLabels

type: dictionary
default: empty

This parameter allows users to customize the allow-from-cluster-nodes CiliumNetworkPolicy.

When this parameter is empty, this policy allows access to workloads from the host network of all cluster nodes (that is, from workloads running in host-network mode on those nodes, including nodes of other clusters in the same cluster mesh). This ensures that, for example, an ingress controller running in host-network mode can access workloads that are exposed through an Ingress.

When the parameter isn't empty, the component uses its contents as the value of matchLabels in a fromNodes entry of the CiliumNetworkPolicy. This restricts access to workloads to the host network of nodes matching the provided label selector(s). See the Cilium documentation for details on the fromNodes policy mechanism.

When setting a value for this parameter, you must ensure that you're using Cilium 1.16 or newer and that the Helm value nodeSelectorLabels=true is set for your Cilium installation.

For isolating access to workloads between clusters in a Cilium cluster mesh, you can label all nodes of each cluster with the cluster's Project Syn ID, for example with

Then you can set this parameter as
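The following is an added example of the per-cluster node isolation described above; it is not configuration or output taken from the component. The node label key example.com/cluster-id, its value c-my-cluster and the target namespace my-app are assumptions standing in for the cluster's Project Syn ID label, and the CiliumNetworkPolicy shown is an illustration of the fromNodes mechanism rather than the component's exact rendered manifest.

```yaml
# Step 1 (run once per cluster, assumed label key and value):
#   kubectl label nodes --all example.com/cluster-id=c-my-cluster
#
# Step 2: Cilium Helm values this relies on (Cilium 1.16 or newer):
#   nodeSelectorLabels: true
#
# Step 3: component parameters, restricting the allow-from-cluster-nodes
# policy to the host network of this cluster's own nodes.
parameters:
  networkpolicy:
    allowFromNodeLabels:
      example.com/cluster-id: c-my-cluster
---
# Shape of the resulting CiliumNetworkPolicy: the parameter's contents become
# the matchLabels of a fromNodes entry. Host-network traffic from nodes of other
# clusters in the mesh (labeled with a different cluster ID) no longer matches.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-from-cluster-nodes
  namespace: my-app          # assumed target namespace
spec:
  endpointSelector: {}       # all endpoints in the namespace
  ingress:
    - fromNodes:
        - matchLabels:
            example.com/cluster-id: c-my-cluster
```

Before enabling the parameter, confirm that kubectl get nodes -l example.com/cluster-id=c-my-cluster lists every node of the cluster: a selector that matches no nodes allows no host-network traffic through this policy, which would also cut off a host-network ingress controller. After rollout, verify that an Ingress-exposed workload is still reachable from the local cluster and no longer reachable from a host-network pod on a node of another cluster in the mesh.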
Example

    # Allow traffic from ingress and monitoring
    allowNamespaceLabels:
      - network.openshift.io/policy-group: monitoring
      - network.openshift.io/policy-group: ingress
    # Do not create the default policies in the OpenShift namespaces.
    ignoredNamespaces:
      - openshift
      - openshift-apiserver
      - openshift-apiserver-operator
      - …