From 66cda5eb15576e1349d3c1b475e28299b0e8d712 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Wed, 29 May 2019 20:32:36 +0200
Subject: [PATCH] Make it possible to disallow any internal communications

Signed-off-by: Patrick Uiterwijk
---
 roles/openshift/project/defaults/main.yml | 1 +
 roles/openshift/project/templates/egresspolicy.yml | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/roles/openshift/project/defaults/main.yml b/roles/openshift/project/defaults/main.yml
index 694a8aea0b..58027c6bdf 100644
--- a/roles/openshift/project/defaults/main.yml
+++ b/roles/openshift/project/defaults/main.yml
@@ -1,2 +1,3 @@
 ---
 allow_fas_db: false
+allow_phx2: true
diff --git a/roles/openshift/project/templates/egresspolicy.yml b/roles/openshift/project/templates/egresspolicy.yml
index 5cb161b4a5..2526281af4 100644
--- a/roles/openshift/project/templates/egresspolicy.yml
+++ b/roles/openshift/project/templates/egresspolicy.yml
@@ -15,6 +15,14 @@ spec:
 to:
 cidrSelector: "10.5.126.99/32"
 {% endif %}
+{% endif %}
+{% if not allow_phx2 %}
+ - type: Deny
+ to:
+ cidrSelector: "10.0.0.0/8"
+ - type: Deny
+ to:
+ cidrSelector: "209.132.181.0/25"
 {% endif %}
 - type: Allow
 to:
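Review bot: The new `allow_phx2: true` default in defaults/main.yml makes the Deny rules opt-in, so every project that never sets the variable keeps unrestricted egress to the two internal ranges the template now knows how to block. That is presumably deliberate so existing projects are unaffected, but the fail-open direction should be stated next to the default, e.g. `# true keeps egress to the internal ranges in egresspolicy.yml open; set false per project to add the Deny rules`. If the intended end state is deny-by-default, flipping this once existing projects have been reviewed would be the conservative follow-up.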
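Review bot: The two added Deny rules in egresspolicy.yml are order-dependent — EgressNetworkPolicy applies the first matching rule, so they only have the intended effect because they sit after the `allow_fas_db` Allow for 10.5.126.99/32 and before the trailing `- type: Allow` (whose selector is outside the hunk) — and nothing in the template records that constraint. A Jinja comment at the top of the new block would protect it from a later reordering, e.g. `{# Rules are first-match: keep these Deny entries after any narrow Allow (allow_fas_db) and before the broad Allow below. #}`. The CIDRs 10.0.0.0/8 and 209.132.181.0/25 are hard-coded in the template while the toggle lives in defaults; a list variable next to `allow_phx2` would let the denied ranges be adjusted without editing the template and would make explicit that "any internal communications" in the title means exactly these two ranges. The enclosing `spec:` block starts and the trailing Allow rule ends outside the hunk.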