From 246bfdb85c75c77e041547584524aa71b2b61b61 Mon Sep 17 00:00:00 2001 From: JenTing Hsiao Date: Wed, 12 Jan 2022 10:15:07 +0800 Subject: [PATCH] example: add longhorn webhook server network policy yaml manifest The traffic from/to the longhorn webhook server is the kube-apiserver. The only way we could add restriction is to add the network policy of the ingress port because we can't know each Kubernetes distro default kube-apiserver Pod's label. Therefore, we can't add the label selector in the network policy rule to restrict the traffic that comes from the kube-apiserver is able to access to the longhorn webhook server. Longhorn 3513 Signed-off-by: JenTing Hsiao (cherry picked from commit 769e85bc80b6351a081a79ddf83ab181cf956e23) --- .../network-policy/webhook-network-policy.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 examples/network-policy/webhook-network-policy.yaml diff --git a/examples/network-policy/webhook-network-policy.yaml b/examples/network-policy/webhook-network-policy.yaml new file mode 100644 index 0000000..f6a0cdf --- /dev/null +++ b/examples/network-policy/webhook-network-policy.yaml @@ -0,0 +1,15 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: longhorn-webhook + namespace: longhorn-system +spec: + podSelector: + matchLabels: + app: longhorn-webhook + policyTypes: + - Ingress + ingress: + - ports: + - protocol: TCP + port: 9443
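Review bot: The single ingress rule under `ingress:` has only a `ports` entry and no `from` clause, so TCP 9443 on pods labelled `app: longhorn-webhook` remains reachable from every source; the policy only closes the other ports on those pods. The commit message explains why a kube-apiserver label selector is not possible, but the manifest carries no comment saying so, and someone copying the example may assume it limits callers to the kube-apiserver. Suggest adding a YAML comment above `- ports:` stating that the source is intentionally unrestricted, and that operators who know their control-plane addresses can add a `from:` entry with an `ipBlock` for them. Also, `policyTypes` lists only `Ingress`, so egress from the webhook pods is left unrestricted although the commit message speaks of traffic from and to the webhook server; the same comment should say whether that is intended.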