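{{- /*
NetworkPolicy manifests for one nplus component.

Nothing is rendered unless .this.security.cni.createNetworkPolicy is set.
Every policy selects this instance's pods through the nplus/group label.

  defaultIngressPolicy: "deny"  -> default-deny-ingress  (Ingress in policyTypes, no rules)
  defaultIngressPolicy: "allow" -> default-allow-ingress (ingress: [{}] permits everything)
  defaultEgressPolicy:  "deny"  -> default-deny-egress   (Egress in policyTypes, no rules)
  defaultEgressPolicy:  "allow" -> default-allow-egress  (egress: [{}] permits everything)
  any other value               -> no policy for that direction

allow-dns is always rendered so that pods under default-deny-egress can still
resolve names through kube-system on port 53 UDP/TCP. NetworkPolicies are
additive, so it composes with the deny policy instead of being overridden.

A document separator between conditional blocks may leave an empty YAML
document when a policy is not rendered; Helm tolerates empty documents.
*/ -}}
{{- include "nplus.init" $ -}}
{{- if ((.this.security).cni).createNetworkPolicy }}
{{- if ((.this.security).cni).defaultIngressPolicy }}
{{- if eq ((.this.security).cni).defaultIngressPolicy "deny" }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .component.prefix }}default-deny-ingress
  {{- if .this.utils.includeNamespace }}
  namespace: {{ .Release.Namespace }}
  {{- end }}
  labels:
    {{- include "nplus.instanceLabels" . | nindent 4 }}
spec:
  podSelector:
    matchLabels:
      nplus/group: {{ .instance.group }}
  # Ingress listed with no ingress rules: all inbound traffic to the selected
  # pods is dropped.
  policyTypes:
    - Ingress
{{- end }}
---
{{- if eq ((.this.security).cni).defaultIngressPolicy "allow" }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .component.prefix }}default-allow-ingress
  {{- if .this.utils.includeNamespace }}
  namespace: {{ .Release.Namespace }}
  {{- end }}
  labels:
    {{- include "nplus.instanceLabels" . | nindent 4 }}
spec:
  podSelector:
    matchLabels:
      nplus/group: {{ .instance.group }}
  policyTypes:
    - Ingress
  # A single empty rule matches every source: explicit allow-all inbound.
  ingress:
    - {}
{{- end }}
{{- end }}
---
{{- if ((.this.security).cni).defaultEgressPolicy }}
{{- if eq ((.this.security).cni).defaultEgressPolicy "deny" }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .component.prefix }}default-deny-egress
  {{- if .this.utils.includeNamespace }}
  namespace: {{ .Release.Namespace }}
  {{- end }}
  labels:
    {{- include "nplus.instanceLabels" . | nindent 4 }}
spec:
  podSelector:
    matchLabels:
      nplus/group: {{ .instance.group }}
  # Egress listed with no egress rules: all outbound traffic from the selected
  # pods is dropped (the allow-dns policy below re-opens DNS only).
  policyTypes:
    - Egress
{{- end }}
---
{{- if eq ((.this.security).cni).defaultEgressPolicy "allow" }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .component.prefix }}default-allow-egress
  {{- if .this.utils.includeNamespace }}
  namespace: {{ .Release.Namespace }}
  {{- end }}
  labels:
    {{- include "nplus.instanceLabels" . | nindent 4 }}
spec:
  podSelector:
    matchLabels:
      nplus/group: {{ .instance.group }}
  policyTypes:
    - Egress
  # The allow-all rule must live under `egress`, not `ingress`: with only
  # Egress in policyTypes an `ingress` entry is ignored and the absent egress
  # rule list would deny all outbound traffic, the opposite of "allow".
  egress:
    - {}
{{- end }}
{{- end }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .component.prefix }}allow-dns
  {{- if .this.utils.includeNamespace }}
  namespace: {{ .Release.Namespace }}
  {{- end }}
  labels:
    {{- include "nplus.instanceLabels" . | nindent 4 }}
spec:
  podSelector:
    matchLabels:
      nplus/group: {{ .instance.group }}
  policyTypes:
    - Egress
  egress:
    # Permits port 53 to any pod in kube-system. Relies on the namespace
    # carrying the kubernetes.io/metadata.name label, which the API server
    # sets automatically on current Kubernetes releases.
    # NOTE(review): this is wider than "the cluster DNS pods"; if the DNS
    # deployment carries a stable label in this cluster, a podSelector here
    # would narrow it — verify against the cluster before adding one.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
{{- end }}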