feat(metallb): Add policy to allow webhook access

This patch provides a new shared-config that can be used to allow access from kube-system and uses this NetworkPolicy to allow access to the new metallb AdmissionWebhook.

feat(metallb): Add policy to allow webhook access
c22ffdca · Sheogorath · 73c31a4b · c22ffdca · c22ffdca · c22ffdca
Verified Commit c22ffdca authored 2 years ago by Sheogorath
--- a/infrastructure/metallb/kustomization.yaml
+++ b/infrastructure/metallb/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
  - release.yaml
  - ../../shared/networkpolicies/allow-from-same-namespace.yaml
  - ../../shared/networkpolicies/allow-from-monitoring.yaml
+  - ../../shared/networkpolicies/allow-from-kube-system.yaml
 patchesStrategicMerge:
  - networkpolicy.yaml
 configMapGenerator:

--- a/infrastructure/metallb/networkpolicy.yaml
+++ b/infrastructure/metallb/networkpolicy.yaml
@@ -8,3 +8,14 @@ spec:
    matchLabels:
      app.kubernetes.io/instance: metallb
      app.kubernetes.io/name: metallb
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-kube-system
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: metallb
+      app.kubernetes.io/name: metallb
+      app.kubernetes.io/component: controller
--- a/shared/networkpolicies/allow-from-kube-system.yaml
+++ b/shared/networkpolicies/allow-from-kube-system.yaml
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-kube-system
+spec:
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+  - from:
+    - ipBlock:
+        cidr: 192.168.100.0/24 # Kubernetes hosts
+    - ipBlock:
+        cidr: 10.96.0.1/32 # KubeAPI