From c22ffdcaaff2dfecd5cd2e0bdb8044c9bc92c2f3 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sat, 17 Sep 2022 15:56:44 +0200
Subject: [PATCH] feat(metallb): Add policy to allow webhook access

This patch provides a new shared config that can be used to allow access
from kube-system, and uses this NetworkPolicy to allow access to the new
metallb AdmissionWebhook.
---
 infrastructure/metallb/kustomization.yaml        |  1 +
 infrastructure/metallb/networkpolicy.yaml        | 11 +++++++++++
 .../networkpolicies/allow-from-kube-system.yaml  | 16 ++++++++++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 shared/networkpolicies/allow-from-kube-system.yaml

diff --git a/infrastructure/metallb/kustomization.yaml b/infrastructure/metallb/kustomization.yaml
index 224a24515..58fd710f5 100644
--- a/infrastructure/metallb/kustomization.yaml
+++ b/infrastructure/metallb/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
   - release.yaml
   - ../../shared/networkpolicies/allow-from-same-namespace.yaml
   - ../../shared/networkpolicies/allow-from-monitoring.yaml
+  - ../../shared/networkpolicies/allow-from-kube-system.yaml
 patchesStrategicMerge:
   - networkpolicy.yaml
 configMapGenerator:
diff --git a/infrastructure/metallb/networkpolicy.yaml b/infrastructure/metallb/networkpolicy.yaml
index 11f859b7f..3344f55a2 100644
--- a/infrastructure/metallb/networkpolicy.yaml
+++ b/infrastructure/metallb/networkpolicy.yaml
@@ -8,3 +8,14 @@ spec:
     matchLabels:
       app.kubernetes.io/instance: metallb
       app.kubernetes.io/name: metallb
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-kube-system
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: metallb
+      app.kubernetes.io/name: metallb
+      app.kubernetes.io/component: controller
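Review bot: The added document narrows the shared policy to pods labelled `app.kubernetes.io/component: controller`, but nothing in the patch records why, and if the release does not apply that exact label the policy silently selects no pods and the webhook stays unreachable with no error from the API. A comment above the selector such as `# Only the controller serves the admission webhook; speaker pods stay closed to kube-system` would capture the intent, and the label should be checked against what the metallb release actually puts on the controller pods. The strategic merge only lands because `metadata.name` matches the shared resource added in the kustomization; if either side is renamed the patch becomes a no-op rather than a failure.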
diff --git a/shared/networkpolicies/allow-from-kube-system.yaml b/shared/networkpolicies/allow-from-kube-system.yaml
new file mode 100644
index 000000000..476ceaee0
--- /dev/null
+++ b/shared/networkpolicies/allow-from-kube-system.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-kube-system
+spec:
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+  - from:
+    - ipBlock:
+        cidr: 192.168.100.0/24 # Kubernetes hosts
+    - ipBlock:
+        cidr: 10.96.0.1/32 # KubeAPI
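Review bot: Both ingress rules carry no `ports:`, so every pod this policy is patched onto accepts any port and protocol from all of kube-system and from every host on 192.168.100.0/24, not only the webhook endpoint the commit message describes; a `ports:` entry with the webhook's listening port (`- protocol: TCP` / `port: <webhook-port>`, placeholder until confirmed from the metallb deployment) keeps the opening to what the API server needs. The `10.96.0.1/32` entry is probably ineffective: that looks like the API server's ClusterIP, which is a destination address, and connections from the API server to a pod normally arrive with the node's address as source, which the `192.168.100.0/24` block already covers, so the entry should be verified or removed rather than left documenting an allowance that may never match. The file also has no `spec.podSelector`, which the NetworkPolicy API requires, so it is only valid once a consuming kustomization patches one in; a header comment such as `# Shared fragment: spec.podSelector must be supplied by the consumer's strategic-merge patch` would stop it being applied standalone. The sequence items under `ingress:` are flush with the key while the kustomization file in this commit indents its lists; pick one style across the repository.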
-- 
GitLab