Add optional NetworkPolicy templates for namespace isolation#10
Conversation
Adds a default-deny NetworkPolicy and per-pod allow rule templates for keycloak, postgresql-db, and rhbk-operator pods. All disabled by default — patterns opt in via values. The RHBK operator-managed ingress policy is left untouched; the keycloak template covers egress only. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
@minmzzhang @sabre1041 @mhjacks can you please review this and merge if no objections? It's a part of ZTVP network policies improvements and overall VP project improvements. |
mlorenzofr
left a comment
mlorenzofr
left a comment
There was a problem hiding this comment.
LGTM
PTAL to the documentation, in case we want to add the egress rule for the operator
|
I'm not including it as a change in the review, because we still need to make this chart more generic and it will be something specific to layered-zero-trust, but in the |
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The realm import job runs at sync-wave 41 (same as Keycloak), and on a fresh deployment, it runs during initial setup before network policies are applied (since policies come via extraValueFiles which are applied at the same sync-wave). But in case of any re-sync, you are right, we need to add it to the ZTVP keycloak network policies. |
Adds networkPolicy.realmImport section with configurable pod selector. Patterns set the label and egress rules via extraValueFiles. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@mlorenzofr I just added a generic |
3 participants
Adds a default-deny NetworkPolicy and per-pod allow rule templates for keycloak, postgresql-db, and rhbk-operator pods. All disabled by default — patterns opt in via values. The RHBK operator-managed ingress policy is left untouched; the keycloak template covers egress only.