(chore): adds network-policy

abhijith-darshan · abhijith-darshan · commit dc0e245edab4 · 2025-09-29T13:15:05.000+02:00
Signed-off-by: abhijith-darshan &lt;abhijith.darshan@hotmail.com&gt;

(chore): adds network-policy default values

Signed-off-by: abhijith-darshan &lt;abhijith.darshan@hotmail.com&gt;

(chore): bump chart version

Signed-off-by: abhijith-darshan &lt;abhijith.darshan@hotmail.com&gt;

(chore): set ingress rules to empty

Signed-off-by: abhijith-darshan &lt;abhijith.darshan@hotmail.com&gt;
diff --git a/system/secrets-injector/Chart.yaml b/system/secrets-injector/Chart.yaml
@@ -3,7 +3,7 @@ name: secrets-injector
 description: Secrets Injector
 
 type: application
-version: 1.1.17
+version: 1.1.18
 appVersion: "0.1.0"
 
 dependencies:
diff --git a/system/secrets-injector/templates/networkpolicy.yaml b/system/secrets-injector/templates/networkpolicy.yaml
@@ -0,0 +1,48 @@
+{{- if .Values.networkPolicy.create }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: secrets-injector-allow
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: secrets-injector
+  policyTypes:
+    - Ingress
+  {{- if .Values.networkPolicy.ingress }}
+  ingress:
+  {{- range $rule := .Values.networkPolicy.ingress }}
+    - from:
+      {{- range $src := $rule.from }}
+        - {{- if $src.namespaceSelector }}
+          namespaceSelector:
+            matchLabels:
+            {{- range $k, $v := $src.namespaceSelector.matchLabels }}
+              {{ $k }}: {{ $v | quote }}
+            {{- end }}
+          {{- end }}
+          {{- if $src.podSelector }}
+          podSelector:
+            matchLabels:
+            {{- range $k, $v := $src.podSelector.matchLabels }}
+              {{ $k }}: {{ $v | quote }}
+            {{- end }}
+          {{- end }}
+      {{- end }}
+  {{- end }}
+  {{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: secrets-injector-deny
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: secrets-injector
+  policyTypes:
+    - Ingress
+  # no ingress rules => deny all
+{{- end }}
diff --git a/system/secrets-injector/values.yaml b/system/secrets-injector/values.yaml
@@ -30,4 +30,14 @@ alerts:
   enabled: true
   ruleSelector:
     prometheus: kubernetes
-
+networkPolicy:
+  create: false
+  ingress: []
+# Example allowing only from kube-system/vpn-shoot pod:
+#    - from:
+#        - namespaceSelector:
+#            matchLabels:
+#              kubernetes.io/metadata.name: kube-system
+#          podSelector:
+#            matchLabels:
+#              app: vpn-shoot
