chore(shared): Switch network policies to matchExpressions

This patch moves from labelSelectors to matchExpressions since they are
immune to kustomize commonLabels, which prevents them from being
overwritten by accident.

References:
https://github.com/kubernetes-sigs/kustomize/issues/157
https://github.com/kubernetes-sigs/kustomize/issues/1009

shared/networkpolicies/allow-from-database.yaml

@@ -11,8 +11,11 @@ spec:
         matchLabels:
           database.shivering-isles.com/network-access-required: "true"
       podSelector:
-        matchLabels:
-          app.kubernetes.io/name: postgres-operator
+        matchExpressions:
+          - key: app.kubernetes.io/name
+            operator: In
+            values:
+              - postgres-operator
     ports:
     - port: 8008
       protocol: TCP
@@ -25,13 +28,19 @@ spec:
         matchLabels:
           monitoring.shivering-isles.com/network-access-required: "true"
       podSelector:
-        matchLabels:
-          app.kubernetes.io/name: prometheus
+        matchExpressions:
+          - key: app.kubernetes.io/name
+            operator: In
+            values:
+              - prometheus
     ports:
     - port: 9187
       protocol: TCP
     - port: 8008
       protocol: TCP
   podSelector:
-    matchLabels:
-      application: spilo
+    matchExpressions:
+      - key: application
+        operator: In
+        values:
+          - spilo

shared/networkpolicies/allow-from-ingress.yaml

@@ -9,3 +9,5 @@ spec:
     - namespaceSelector:
         matchLabels:
           ingress.shivering-isles.com/network-access-required: "true"
+  podSelector:
+    matchLabels: {}
\ No newline at end of file

shared/networkpolicies/allow-from-kube-system.yaml

@@ -9,8 +9,6 @@ spec:
     - namespaceSelector:
         matchLabels:
           kubernetes.io/metadata.name: kube-system
-      podSelector:
-          matchLabels: {}
   - from:
     - ipBlock:
         cidr: 192.168.100.0/24 # Kubernetes hosts

shared/networkpolicies/allow-from-monitoring.yaml

@@ -11,5 +11,10 @@ spec:
         matchLabels:
           monitoring.shivering-isles.com/network-access-required: "true"
       podSelector:
-        matchLabels:
-          app.kubernetes.io/name: prometheus
+        matchExpressions:
+          - key: app.kubernetes.io/name
+            operator: In
+            values:
+              - prometheus
+  podSelector:
+    matchLabels: {}
\ No newline at end of file

shared/networkpolicies/allow-from-redis.yaml

@@ -12,13 +12,19 @@ spec:
         matchLabels:
           redis.shivering-isles.com/network-access-required: "true"
       podSelector:
-        matchLabels:
-          app.kubernetes.io/name: redis-operator
+        matchExpressions:
+          - key: app.kubernetes.io/name
+            operator: In
+            values:
+              - redis-operator
     ports:
     - port: 26379
       protocol: TCP
     - port: 6379
       protocol: TCP
   podSelector:
-    matchLabels:
-      app.kubernetes.io/part-of: redis-failover
+    matchExpressions:
+      - key: app.kubernetes.io/part-of
+        operator: In
+        values:
+          - redis-failover

shared/networkpolicies/allow-to-database.yaml

@@ -18,10 +18,16 @@ spec:
         port: 9000
   - to:
       - podSelector:
-          matchLabels:
-            application: spilo
+          matchExpressions:
+          - key: application
+            operator: In
+            values:
+              - spilo
   podSelector:
-    matchLabels:
-      application: spilo
+    matchExpressions:
+      - key: application
+        operator: In
+        values:
+          - spilo
   policyTypes:
   - Egress

shared/networkpolicies/allow-to-kubedns.yaml

@@ -10,8 +10,11 @@ spec:
           matchLabels:
             kubernetes.io/metadata.name: kube-system
         podSelector:
-            matchLabels:
-              k8s-app: kube-dns
+          matchExpressions:
+            - key: k8s-app
+              operator: In
+              values:
+                - kube-dns
       ports:
         - port: 53
           protocol: UDP
@@ -19,3 +22,5 @@ spec:
           protocol: TCP
   policyTypes:
     - Egress
+  podSelector:
+    matchLabels: {}
\ No newline at end of file

shared/networkpolicies/allow-to-mailbox-org.yaml

@@ -18,12 +18,17 @@ spec:
         matchLabels:
           kubernetes.io/metadata.name: kube-system
       podSelector:
-        matchLabels:
-          k8s-app: kube-dns
+        matchExpressions:
+          - key: k8s-app
+            operator: In
+            values:
+              - kube-dns
       ports:
         - port: 53
           protocol: UDP
         - port: 53
           protocol: TCP
+  podSelector:
+    matchLabels: {}
   policyTypes:
   - Egress

shared/networkpolicies/allow-to-public-web.yaml

@@ -10,8 +10,11 @@ spec:
         matchLabels:
           kubernetes.io/metadata.name: nginx-system
       podSelector:
-        matchLabels:
-          app.kubernetes.io/name: haproxy
+        matchExpressions:
+          - key: app.kubernetes.io/name
+            operator: In
+            values:
+              - haproxy
     ports:
       - protocol: TCP
         port: 80
@@ -36,12 +39,17 @@ spec:
         matchLabels:
           kubernetes.io/metadata.name: kube-system
       podSelector:
-        matchLabels:
-          k8s-app: kube-dns
+        matchExpressions:
+          - key: k8s-app
+            operator: In
+            values:
+              - kube-dns
       ports:
         - port: 53
           protocol: UDP
         - port: 53
           protocol: TCP
+  podSelector:
+    matchLabels: {}
   policyTypes:
   - Egress
\ No newline at end of file