From 17beda8688c8a4c049a1a34d9206ed04ac891c1a Mon Sep 17 00:00:00 2001
From: Simon Weald <7832341+glitchcrab@users.noreply.github.com>
Date: Tue, 19 Dec 2023 10:37:53 +0000
Subject: [PATCH] add Cilium network policy (#31)

* add Cilium network policy
* flip network policy to enabled by default
---
 CHANGELOG.md                                       |  4 ++++
 .../templates/cilium-network-policy.yaml           | 16 ++++++++++++++++
 helm/pss-operator/values.yaml                      |  3 +++
 3 files changed, 23 insertions(+)
 create mode 100644 helm/pss-operator/templates/cilium-network-policy.yaml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2f52a59..bbdaebd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Add `ciliumnetworkpolicy` (enabled by default).
+
 ### Changed
 
 - Configure `gsoci.azurecr.io` as the default container image registry.
diff --git a/helm/pss-operator/templates/cilium-network-policy.yaml b/helm/pss-operator/templates/cilium-network-policy.yaml
new file mode 100644
index 0000000..7137bf6
--- /dev/null
+++ b/helm/pss-operator/templates/cilium-network-policy.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.ciliumNetworkPolicy.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "resource.default.name" . }}
+  namespace: {{ include "resource.default.namespace" . }}
+  labels:
+    {{- include "labels.common" . | nindent 4 }}
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+  endpointSelector:
+    matchLabels:
+      {{- include "labels.selector" . | nindent 6 }}
+{{- end }}
diff --git a/helm/pss-operator/values.yaml b/helm/pss-operator/values.yaml
index 102f78d..65109f7 100644
--- a/helm/pss-operator/values.yaml
+++ b/helm/pss-operator/values.yaml
@@ -1,3 +1,6 @@
+ciliumNetworkPolicy:
+  enabled: true
+
 registry:
   domain: gsoci.azurecr.io
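Review bot: The egress rule at `- toEntities:` in cilium-network-policy.yaml leaves the policy's blast radius undocumented: once this policy selects the operator pod, Cilium (in its default policy-enforcement mode) drops every other egress flow from it — DNS, metrics push, any external call-out — while ingress stays unrestricted because the spec has no `ingress` section. A comment above `spec:` would save the next maintainer a debugging round, e.g. `# Egress is limited to the kube-apiserver entity (no DNS, no other destinations); ingress is not restricted by this policy.` Unexpected denials from this rule show up as policy-dropped flows in Hubble / cilium monitor, which is the first place to look if the operator stops reconciling. Because `ciliumNetworkPolicy.enabled` defaults to `true` in the values.yaml hunk, a chart install on a cluster without the `cilium.io/v2` CRDs (or with a Cilium release predating the `kube-apiserver` entity) will fail at apply time, so that value deserves a comment too: `# Requires Cilium with cilium.io/v2 CRDs; set to false on clusters without Cilium.`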