From db607aff1628e22ed34f7e76b465428489fd520b Mon Sep 17 00:00:00 2001
From: Volodymyr Stoiko
Date: Thu, 7 Mar 2024 16:37:13 +0200
Subject: [PATCH] Add network policies for kubeshark components (#1513)
* Add explicit network policies for kubeshark components
* allow exact ports
---------
Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
---
helm-chart/templates/16-network-policies.yaml | 58 +++++++++++++++++++
1 file changed, 58 insertions(+)
create mode 100644 helm-chart/templates/16-network-policies.yaml
diff --git a/helm-chart/templates/16-network-policies.yaml b/helm-chart/templates/16-network-policies.yaml
new file mode 100644
index 000000000..772c7ae7d
--- /dev/null
+++ b/helm-chart/templates/16-network-policies.yaml
@@ -0,0 +1,58 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: kubeshark-hub-network-policy
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubeshark.co/app: hub
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - {}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: kubeshark-front-network-policy
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubeshark.co/app: front
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - {}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: kubeshark-worker-network-policy
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubeshark.co/app: worker
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: {{ .Values.tap.proxy.worker.srvPort }}
+ - protocol: TCP
+ port: {{ .Values.tap.metrics.port }}
+ egress:
+ - {}
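Review bot: The `egress: - {}` rule in all three policies allows every destination, so listing `Egress` under `policyTypes` restricts nothing, and because NetworkPolicies are additive it also overrides any default-deny egress policy an operator has applied to the release namespace for the hub, front and worker pods. Since these components process tapped traffic, outbound reach is the direction most worth constraining; consider replacing the empty rule with explicit destinations (cluster DNS, the Kubernetes API, the sibling kubeshark pods), or at minimum put a comment above it such as `# egress intentionally unrestricted: <reason>` so the choice is visible to whoever audits the chart. The ingress rules likewise carry no `from` clause, so port 80 on hub and front and the two templated worker ports accept any source that can route to the pod; adding `from: [{podSelector: {}}]` would limit them to the release namespace, provided nothing outside it needs direct access. If the worker pods run with `hostNetwork` (not visible in this patch), most CNI plugins will not enforce the third policy at all, which is worth confirming and documenting.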