openshift/project: define default egress policy to prevent fas db access

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>

roles/openshift/project/tasks/main.yml

@@ -57,3 +57,10 @@
   vars:
     objectname: appowners.yml
     template_fullpath: "{{roles_path}}/openshift/project/templates/appowners.yml"
+
+- name: ergresspolicy.yml
+  include_role:
+    name: openshift/object
+  vars:
+    objectname: egresspolicy.yml
+    template_fullpath: "{{roles_path}}/openshift/project/templates/egresspolicy.yml"

roles/openshift/project/templates/egresspolicy.yml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: EgressNetworkPolicy
+metadata:
+  name: default
+spec:
+  egress:
+{% if not allow_fas_db or env != "production" %}
+  - type: Deny
+    to:
+      cidrSelector: "10.5.126.99/32"
+{% endif %}
+{% if not allow_fas_db or env != "staging" %}
+  - type: Deny
+    to:
+      cidrSelector: "10.5.128.96/32"
+{% endif %}
+  - type: Allow
+    to:
+      cidrSelector: "0.0.0.0/0"

roles/openshift/project/vars/default.yml

@@ -0,0 +1,2 @@
+---
+allow_fas_db: false