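---
# Playbook: create a per-namespace NetworkPolicy.
#
# The policy selects every pod in the namespace (podSelector: {}) and
# restricts *ingress* only: traffic is accepted from pods in the same
# namespace and from the peers given by
# network_policy_rule_ingress_controller (expected to be the ingress
# controller). policyTypes lists Ingress alone, so egress from the
# namespace is NOT restricted by this policy.
- name: Create network policies
  hosts: local
  gather_facts: false
  pre_tasks:
    - name: Check configuration
      ansible.builtin.import_tasks: tasks/check_configuration.yml
  tasks:
    - name: Display playbook name
      # Module args as a YAML mapping rather than a key=value string
      # (Ansible convention; behaviour is unchanged).
      ansible.builtin.debug:
        msg: "==== Starting create_network_policy playbook ===="
      tags: deploy
    - name: Set vars
      ansible.builtin.import_tasks: tasks/set_vars.yml
    - name: Make sure the network policy exists and is up-to-date
      # Only state: present is handled here: disabling
      # network_policy_per_namespace_enabled later skips this task but
      # does not remove an already-created policy.
      when: network_policy_per_namespace_enabled and network_policy_rule_ingress_controller is defined
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: networking.k8s.io/v1
          kind: NetworkPolicy
          metadata:
            name: default-deny-external-ns-ingress
            namespace: "{{ namespace_name }}"
          spec:
            # Empty selector: the policy applies to all pods in the namespace.
            podSelector: {}
            policyTypes:
              - Ingress
            # Rules are OR-ed: a packet matching either rule is allowed.
            ingress:
              # Rule 1: same-namespace traffic. Relies on the namespace
              # carrying a `name` label equal to its name; if that label
              # is missing, intra-namespace traffic is denied as well.
              - from:
                  - namespaceSelector:
                      matchLabels:
                        name: "{{ namespace_name }}"
              # Rule 2: peers templated from a variable. Presumably renders
              # to a list of NetworkPolicyPeer entries — confirm against
              # tasks/set_vars.yml / the inventory.
              - from: "{{ network_policy_rule_ingress_controller }}"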