From eac122c543cb7c54e6ba5d6ec64fabe4a596c496 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Thu, 9 May 2019 13:32:55 +0200
Subject: [PATCH] openshift/project: define default egress policy to prevent fas db access
Signed-off-by: Patrick Uiterwijk
---
 roles/openshift/project/tasks/main.yml | 7 +++++++
 .../project/templates/egresspolicy.yml | 20 +++++++++++++++++++
 roles/openshift/project/vars/default.yml | 2 ++
 3 files changed, 29 insertions(+)
 create mode 100644 roles/openshift/project/templates/egresspolicy.yml
 create mode 100644 roles/openshift/project/vars/default.yml
diff --git a/roles/openshift/project/tasks/main.yml b/roles/openshift/project/tasks/main.yml
index 7c2c5184e9..87718c0a28 100644
--- a/roles/openshift/project/tasks/main.yml
+++ b/roles/openshift/project/tasks/main.yml
@@ -57,3 +57,10 @@
 vars:
 objectname: appowners.yml
 template_fullpath: "{{roles_path}}/openshift/project/templates/appowners.yml"
+
+- name: ergresspolicy.yml
+ include_role:
+ name: openshift/object
+ vars:
+ objectname: egresspolicy.yml
+ template_fullpath: "{{roles_path}}/openshift/project/templates/egresspolicy.yml"
diff --git a/roles/openshift/project/templates/egresspolicy.yml b/roles/openshift/project/templates/egresspolicy.yml
new file mode 100644
index 0000000000..99628876d6
--- /dev/null
+++ b/roles/openshift/project/templates/egresspolicy.yml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: EgressNetworkPolicy
+metadata:
+ name: default
+spec:
+ egress:
+{% if not allow_fas_db or env != "production" %}
+ - type: Deny
+ to:
+ cidrSelector: "10.5.126.99/32"
+{% endif %}
+{% if not allow_fas_db or env != "staging" %}
+ - type: Deny
+ to:
+ cidrSelector: "10.5.128.96/32"
+{% endif %}
+ - type: Allow
+ to:
+ cidrSelector: "0.0.0.0/0"
diff --git a/roles/openshift/project/vars/default.yml b/roles/openshift/project/vars/default.yml
new file mode 100644
index 0000000000..694a8aea0b
--- /dev/null
+++ b/roles/openshift/project/vars/default.yml
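Review bot: The task name on the second added line of the tasks/main.yml hunk is misspelled — `ergresspolicy.yml` — while every sibling task in this role is named after the object file it creates; use `- name: egresspolicy.yml` so play output and `--start-at-task` match the template name. The hunk only shows the tail of the preceding appowners task; the task list it extends begins outside the hunk. Since this object is named `default` and is applied to every project that uses this role, a one-line comment above the task saying it is the project-wide baseline egress policy would help the next reader understand why it is unconditional.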
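Review bot: In the egresspolicy.yml template the two denied /32 addresses are bare literals with nothing saying which environment's FAS database each one is; the mapping is only implied by the surrounding `env != "production"` / `env != "staging"` tests, and the fail-closed behaviour for any other `env` value (both addresses stay denied) is easy to miss. Add a Jinja comment above the first `{% if %}`, e.g. `{# Always deny the other environment's FAS DB; deny this environment's unless allow_fas_db is true. Any env other than production/staging denies both. Deny entries must precede the trailing Allow 0.0.0.0/0, rules are evaluated in order. #}`, and consider lifting the two addresses into named role variables so the template does not need editing when a database host moves. To my knowledge OpenShift honours only one EgressNetworkPolicy per namespace, so a project that already ships its own policy would have one of the two silently ignored; that caveat belongs in the template header as well.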
@@ -0,0 +1,2 @@
+---
+allow_fas_db: false
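Review bot: `vars/default.yml` is not a file Ansible loads on its own — a role picks up `defaults/main.yml` and `vars/main.yml` automatically — so unless something includes it with `include_vars` (nothing in this patch does), `allow_fas_db` is undefined when egresspolicy.yml is rendered and I would expect the `not allow_fas_db` test to error on the undefined name rather than fall through to deny. Move the line to `defaults/main.yml`, i.e. `allow_fas_db: false` there, which also gives it the lowest precedence so a project can enable FAS DB access via `include_role` vars or inventory; a role `vars/` file would sit above play and inventory vars and could not be overridden that way.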