{{- if and .Values.imageRenderer.enabled .Values.imageRenderer.networkPolicy.limitIngress }} --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: {{ include "grafana.fullname" . }}-image-renderer-ingress namespace: {{ include "grafana.namespace" . }} annotations: comment: Limit image-renderer ingress traffic from grafana spec: podSelector: matchLabels: {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} {{- with .Values.imageRenderer.podLabels }} {{- toYaml . | nindent 6 }} {{- end }} policyTypes: - Ingress ingress: - ports: - port: {{ .Values.imageRenderer.service.targetPort }} protocol: TCP from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: {{ include "grafana.namespace" . }} podSelector: matchLabels: {{- include "grafana.selectorLabels" . | nindent 14 }} {{- with .Values.podLabels }} {{- toYaml . | nindent 14 }} {{- end }} {{- with .Values.imageRenderer.networkPolicy.extraIngressSelectors -}} {{ toYaml . | nindent 8 }} {{- end }} {{- end }} {{- if and .Values.imageRenderer.enabled .Values.imageRenderer.networkPolicy.limitEgress }} --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: {{ include "grafana.fullname" . }}-image-renderer-egress namespace: {{ include "grafana.namespace" . }} annotations: comment: Limit image-renderer egress traffic to grafana spec: podSelector: matchLabels: {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} {{- with .Values.imageRenderer.podLabels }} {{- toYaml . | nindent 6 }} {{- end }} policyTypes: - Egress egress: # allow dns resolution - ports: - port: 53 protocol: UDP - port: 53 protocol: TCP # talk only to grafana - ports: - port: {{ .Values.service.targetPort }} protocol: TCP to: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: {{ include "grafana.namespace" . }} podSelector: matchLabels: {{- include "grafana.selectorLabels" . | nindent 14 }} {{- with .Values.podLabels }} {{- toYaml . | nindent 14 }} {{- end }} {{- end }}