refactor, remove 'default' namespace egress

andrewazores · andrewazores · commit a2465f867756 · 2025-08-28T10:18:47.000-04:00
diff --git a/charts/cryostat/templates/networkpolicy_egress.yaml b/charts/cryostat/templates/networkpolicy_egress.yaml
@@ -15,26 +15,27 @@ spec:
     - to:
       - namespaceSelector:
           matchLabels:
-            kubernetes.io/metadata.name: {{ .Release.Namespace }}
-{{- if .Values.authentication.openshift.enabled }}
-{{- $kubernetesEndpoint := lookup "v1" "Endpoints" "default" "kubernetes" }}
-{{- $kubernetesAddress := (first $kubernetesEndpoint.subsets).addresses }}
-{{- $kubernetesIP := (first $kubernetesAddress).ip }}
-    - to:
-      - ipBlock:
-          cidr: {{ $kubernetesIP }}/32
-{{- end }}
+            kubernetes.io/metadata.name: kube-system
     - to:
       - namespaceSelector:
           matchExpressions:
             - key: kubernetes.io/metadata.name
               operator: In
               values:
-                - default
-                - kube-system
-                - openshift
                 - {{ .Release.Namespace }}
                 {{- range .Values.core.discovery.kubernetes.namespaces }}
                 - {{ . }}
                 {{- end }}
+{{- if .Values.authentication.openshift.enabled }}
+{{- $kubernetesEndpoint := lookup "v1" "Endpoints" "default" "kubernetes" }}
+{{- $kubernetesAddress := (first $kubernetesEndpoint.subsets).addresses }}
+{{- $kubernetesIP := (first $kubernetesAddress).ip }}
+    - to:
+      - ipBlock:
+          cidr: {{ $kubernetesIP }}/32
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift
+{{- end }}
 {{- end }}
diff --git a/charts/cryostat/tests/networkpolicy_egress_test.yaml b/charts/cryostat/tests/networkpolicy_egress_test.yaml
@@ -35,16 +35,13 @@ tests:
             - to:
               - namespaceSelector:
                   matchLabels:
-                    kubernetes.io/metadata.name: NAMESPACE
+                    kubernetes.io/metadata.name: kube-system
             - to:
               - namespaceSelector:
                   matchExpressions:
                     - key: kubernetes.io/metadata.name
                       operator: In
                       values:
-                        - default
-                        - kube-system
-                        - openshift
                         - NAMESPACE
 
   - it: should allow additional egress to target namespaces
@@ -60,16 +57,13 @@ tests:
             - to:
               - namespaceSelector:
                   matchLabels:
-                    kubernetes.io/metadata.name: NAMESPACE
+                    kubernetes.io/metadata.name: kube-system
             - to:
               - namespaceSelector:
                   matchExpressions:
                     - key: kubernetes.io/metadata.name
                       operator: In
                       values:
-                        - default
-                        - kube-system
-                        - openshift
                         - NAMESPACE
                         - apps1
                         - apps2
