Vinzenz Sinapius 0e0e663363
helm: add crawler_network_policy_additional_egress (#2641)
- Adds `crawler_network_policy_additional_egress` setting, to add egress
rules to the existing crawler network policy. Useful for when you want
to allow-list a single IP without replacing the whole network policy.

- Adds docs about `crawler_network_policy_additional_egress` to the customization page.

- Resolves #2121

---------

Co-authored-by: Ilya Kreymer <ikreymer@gmail.com>
2025-06-10 16:19:42 -07:00


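{{- if .Values.crawler_enable_network_policy -}}
# Egress allow-list for crawler pods. It applies only to pods in the crawler
# namespace that carry the label network-policy=limit-crawler-egress; pods
# without that label are not restricted by this policy. policyTypes is
# Egress only, so ingress to crawler pods is untouched here.
#
# Rule assembly:
#   * crawler_network_policy_additional_egress (a list of egress rules) is
#     always appended as-is; use it to allow-list a few extra destinations
#     without replacing the defaults.
#   * crawler_network_policy_egress, when set, REPLACES the built-in default
#     rules below entirely (the additional list above still applies).
#   * Otherwise the built-in defaults are used: WWW minus internal ranges,
#     the frontend (QA runs), cluster DNS, the crawler redis, and optionally
#     local minio and the auth signer.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: crawler-limit-egress
  namespace: {{ .Values.crawler_namespace }}
spec:
  podSelector:
    matchLabels:
      network-policy: limit-crawler-egress
  policyTypes:
    - Egress
  egress:
    {{- if .Values.crawler_network_policy_additional_egress | default false -}}
    {{- .Values.crawler_network_policy_additional_egress | toYaml | nindent 4 -}}
    {{- end -}}
    {{- if .Values.crawler_network_policy_egress | default false -}}
    {{- .Values.crawler_network_policy_egress | toYaml | nindent 4 -}}
    {{- else }}
    # allow WWW: everything except the internal ranges listed under `except`.
    # The crawler fetches user-supplied URLs, so any internal range that is
    # NOT excluded here is reachable via SSRF from a crawl. Keep this list in
    # sync with the cluster's real pod/service/node addressing.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              # RFC 1918: pod, service and node ranges on most clusters
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              # link-local, including the cloud instance metadata endpoint
              # (169.254.169.254); must not be reachable from a crawl
              - 169.254.0.0/16
              # NOTE(review): clusters that use 100.64.0.0/10 (CGNAT) for pod
              # or node addressing should add it here too -- confirm per
              # deployment.
    # allow frontend access for QA runs (plain HTTP only)
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: {{ .Release.Namespace }}
          podSelector:
            matchLabels:
              role: frontend
      ports:
        - port: 80
          protocol: TCP
    # allow DNS: only the kube-dns pods in kube-system.
    # NOTE(review): a cluster with a different DNS deployment (e.g. a
    # node-local cache on a link-local address) needs its own rule here.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # allow the crawler redis in the crawler namespace
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: {{ .Values.crawler_namespace }}
          podSelector:
            matchLabels:
              role: redis
      ports:
        - port: 6379
          protocol: TCP
    {{- if .Values.minio_local }}
    # allow local minio (only when it is deployed in-cluster)
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: {{ .Release.Namespace }}
          podSelector:
            matchLabels:
              app: local-minio
      ports:
        - port: 9000
          protocol: TCP
    {{- end -}}
    {{- if .Values.signer.enabled }}
    # allow the auth signer (port defaults to 5053)
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: {{ .Release.Namespace }}
          podSelector:
            matchLabels:
              app: auth-signer
      ports:
        - port: {{ .Values.signer.port | default "5053" }}
          protocol: TCP
    {{- end -}}
    {{- end -}}
{{- end -}}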