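{{- /*
NetworkPolicy for the pods of this component, rendered only when
security.cni.createNetworkPolicy is set.

Ingress: the rules from "nplus.networkpolicy.allowFromIngress" (when
"nplus.ingressEnabled" returns a non-empty string) plus one rule for
security.cni.adminIpRange. Egress: TCP 16443/443 and TCP/UDP 53 only.

"nplus.init" is included first; presumably it populates .this and .component
used below (TODO confirm in the library chart).

name and namespace are quoted so that an all-digit or boolean-looking value is
still rendered as a YAML string.
*/ -}}
{{- include "nplus.init" $ -}}
{{- if ((.this.security).cni).createNetworkPolicy }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .component.fullName | quote }}
  {{- if .this.utils.includeNamespace }}
  namespace: {{ .Release.Namespace | quote }}
  {{- end }}
spec:
  podSelector:
    matchLabels:
      {{- include "nplus.selectorLabels" . | nindent 6 }}
  ingress:
  {{- if ( include "nplus.ingressEnabled" . ) }}
  {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }}
  {{- end }}
  {{- /*
  Admin range rule. Without excludeUnusedPorts no ports list is rendered, so
  the range reaches every port of the selected pods.
  NOTE(review): an unset adminIpRange renders an empty cidr, which is not a
  valid ipBlock; confirm the chart values always provide one.
  */}}
  - from:
    - ipBlock:
        cidr: {{ ((.this.security).cni).adminIpRange | quote }}
    {{- if ((.this.security).cni).excludeUnusedPorts }}
    ports:
    {{- include "nplus.defaultPolicyPorts" . | nindent 4 }}
    {{- end }}
  policyTypes:
  - Egress
  - Ingress
  {{- /*
  NOTE(review): the egress rule has ports but no "to" peers, so these ports are
  allowed towards any destination, not only the API server and DNS. Narrowing
  it needs the cluster's API and DNS addresses, which this template does not
  have.
  */}}
  egress:
  - ports:
    # -- Possible K8s API
    - protocol: TCP
      port: 16443
    # -- Possible K8s API
    - protocol: TCP
      port: 443
    # -- Access DNS
    - protocol: TCP
      port: 53
    # -- Access DNS
    - protocol: UDP
      port: 53
{{- end }}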