---
manifests:
  network_policy: true
network_policy:
  keystone:
    ingress:
      - from:
        - podSelector:
            matchLabels:
              application: ceph
        - podSelector:
            matchLabels:
              application: ingress
        - podSelector:
            matchLabels:
              application: keystone
        - podSelector:
            matchLabels:
              application: heat
        - podSelector:
            matchLabels:
              application: glance
        - podSelector:
            matchLabels:
              application: cinder
        - podSelector:
            matchLabels:
              application: congress
        - podSelector:
            matchLabels:
              application: barbican
        - podSelector:
            matchLabels:
              application: ceilometer
        - podSelector:
            matchLabels:
              application: horizon
        - podSelector:
            matchLabels:
              application: ironic
        - podSelector:
            matchLabels:
              application: magnum
        - podSelector:
            matchLabels:
              application: mistral
        - podSelector:
            matchLabels:
              application: nova
        - podSelector:
            matchLabels:
              application: neutron
        - podSelector:
            matchLabels:
              application: senlin
        - podSelector:
            matchLabels:
              application: placement
        - podSelector:
            matchLabels:
              application: prometheus-openstack-exporter
        ports:
        - protocol: TCP
          port: 5000
        - protocol: TCP
          port: 35357
    egress:
      - to:
        - ipBlock:
            cidr: %%%REPLACE_API_ADDR%%%/32
        ports:
          - protocol: TCP
            port: %%%REPLACE_API_PORT%%%
...