add CiliumNetworkPolicy (#181)

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Add `CiliumNetworkPolicy`.
+
 ### Changed
 
 - upgrade grafana chart: 7.0.11 => 7.0.19

helm/grafana/templates/_helpers.tpl

@@ -14,6 +14,14 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | default "atlas" | quote }}
 {{- end -}}
 
+{{/*
+Selector labels
+*/}}
+{{- define "labels.selector" -}}
+app.kubernetes.io/name: {{ .Chart.Name | quote }}
+app.kubernetes.io/instance: {{ .Chart.Name | quote }}
+{{- end -}}
+
 {{/*
 Return the appropriate apiVersion for podSecurityPolicy.
 */}}

helm/grafana/templates/cilium-network-policy.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.ciliumNetworkPolicy.enabled -}}
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  labels:
+    {{- include "labels.selector" . | nindent 4 }}
+  name: {{ .Chart.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "labels.selector" . | nindent 6 }}
+  egress:
+    - toEntities:
+        - kube-apiserver
+        - cluster
+{{- end -}}

helm/grafana/values.schema.json

@@ -2,6 +2,14 @@
     "$schema": "http://json-schema.org/schema#",
     "type": "object",
     "properties": {
+        "ciliumNetworkPolicy": {
+            "type": "object",
+            "properties": {
+                "enabled": {
+                    "type": "boolean"
+                }
+            }
+        },
         "global": {
             "type": "object",
             "properties": {

helm/grafana/values.yaml

@@ -2,6 +2,9 @@ global:
   imageRegistry: null
   imagePullSecrets: []
 
+ciliumNetworkPolicy:
+  enabled: true
+
 grafana:
   rbac:
     create: true