
This change adds two network policy zuul checks, one for the compute-kit, and one for cinder/ceph, to test network policy for each OpenStack service. These checks will be non-voting initially. The network policy rules for each service will initially allow all traffic. These ingress/egress rules will be defined in future changes so that traffic is allowed only between services that are explicitly permitted to communicate; all other traffic will be denied. Depends-On: https://review.opendev.org/#/c/685130/ Change-Id: Ide2998ebb2af2832f24ca7abc398a82e4a6d70e3
manifests:
|
|
network_policy: true
|
|
#NOTE(gagehugo): Test the below whitelist after netpol gate works
|
|
#network_policy:
|
|
# keystone:
|
|
# ingress:
|
|
# - from:
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: ceph
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: ingress
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: keystone
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: heat
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: glance
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: cinder
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: congress
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: barbican
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: ceilometer
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: horizon
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: ironic
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: magnum
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: mistral
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: nova
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: neutron
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: senlin
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: placement
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: prometheus-openstack-exporter
|
|
# ports:
|
|
# - protocol: TCP
|
|
# port: 80
|
|
# - protocol: TCP
|
|
# port: 443
|
|
# - protocol: TCP
|
|
# port: 5000
|
|
# - protocol: TCP
|
|
# port: 35357
|
|
# egress:
|
|
# - to:
|
|
# - namespaceSelector:
|
|
# matchLabels:
|
|
# name: ceph
|
|
# - to:
|
|
# - podSelector:
|
|
# matchLabels:
|
|
# application: ceph
|
|
# - ports:
|
|
# - port: 53
|
|
# protocol: UDP
|
|
# - port: 53
|
|
# protocol: TCP
|
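Review bot: The commented-out keystone egress block at the end only permits traffic to ceph (by namespace label and by pod label) plus DNS on port 53, so enabling it as written would presumably cut keystone off from its database, cache and message-queue backends, which are not listed anywhere in the draft; a `# TODO: add egress rules for keystone's db/cache/mq backends before enabling` line next to the NOTE would keep the follow-up change from missing this. The `namespaceSelector` with `matchLabels: name: ceph` also only matches if the ceph namespace actually carries a `name` label, which Kubernetes does not add by default, so the NOTE should state which label the deployment scripts are expected to set. Since the rendered rules currently allow all traffic (per the commit message) and the check is non-voting, the gate only proves that the NetworkPolicy objects apply, not that anything is enforced; consider having the check assert that the CNI in use supports NetworkPolicy, otherwise it passes vacuously. Minor: `#NOTE(gagehugo)` should be `# NOTE(gagehugo)` to satisfy yamllint's comments rule, and the file could begin with `---`.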