feat(guacamole-chart): Add NetworkPolicy manifests to defend pods

charts/guacamole/templates/controller/controller-network.yaml

@@ -0,0 +1,27 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: {{ include "guacamole.fullname" . }}-controller-network
+  labels:
+    app: {{ include "guacamole.labels.app" . }}
+    chart: {{ include "guacamole.labels.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  podSelector:
+    matchLabels:
+      cnpg.io/cluster: {{ include "guacamole.fullname" . }}-controller
+  policyTypes:
+  - Ingress
+  - Egress
+
+  egress:
+    - to:
+      - podSelector:
+          matchLabels:
+            app: {{ include "guacamole.labels.app" . }}
+            component: web
+            release: {{ .Release.Name }}
+      - podSelector:
+          matchLabels:
+            cnpg.io/cluster: {{ include "guacamole.fullname" . }}-database

charts/guacamole/templates/database/database-network.yaml

@@ -0,0 +1,34 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: {{ include "guacamole.fullname" . }}-database
+  labels:
+    app: {{ include "guacamole.labels.app" . }}
+    chart: {{ include "guacamole.labels.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ include "guacamole.labels.app" . }}
+      component: database
+      release: {{ .Release.Name }}
+  policyTypes:
+  - Ingress
+  - Egress
+
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            app: {{ include "guacamole.labels.app" . }}
+            component: web
+            release: {{ .Release.Name }}
+      - podSelector:
+          matchLabels:
+            cnpg.io/cluster: {{ include "guacamole.fullname" . }}-database
+      - podSelector:
+          matchLabels:
+            app: {{ include "guacamole.labels.app" . }}
+            component: controller
+            release: {{ .Release.Name }}

charts/guacamole/templates/guacd/guacd-network.yaml

@@ -0,0 +1,29 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: {{ include "guacamole.fullname" . }}-guacd
+  labels:
+    app: {{ include "guacamole.labels.app" . }}
+    chart: {{ include "guacamole.labels.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  podSelector:
+    matchLabels:
+      matchLabels:
+      app: {{ include "guacamole.labels.app" . }}
+      component: guacd
+      release: {{ .Release.Name }}
+  policyTypes:
+  - Ingress
+  - Egress
+
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: {{ include "guacamole.labels.app" . }}
+              component: web
+              release: {{ .Release.Name }}
+  egress:
+    - {}

charts/guacamole/templates/web/web-network.yaml

@@ -0,0 +1,28 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: {{ include "guacamole.fullname" . }}-web
+  labels:
+    app: {{ include "guacamole.labels.app" . }}
+    chart: {{ include "guacamole.labels.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ include "guacamole.labels.app" . }}
+      component: web
+      release: {{ .Release.Name }}
+  policyTypes:
+  - Ingress
+  - Egress
+
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            app: {{ include "guacamole.labels.app" . }}
+            component: controller
+            release: {{ .Release.Name }}
+  egress:
+    - {}