c3e085b800
This change adds two network policy zuul checks, one for the compute-kit, and one for cinder/ceph, to test network policy for each OpenStack service. These checks will be non-voting initially. The network policy rules for each service will initially allow all traffic. These ingress/egress rules will be defined in future changes to only explicitly allow traffic between services that are explicitly allowed to communicate; other traffic will be denied.

Depends-On: https://review.opendev.org/#/c/685130/
Change-Id: Ide2998ebb2af2832f24ca7abc398a82e4a6d70e3
36 lines
903 B
YAML
manifests:
  network_policy: true
#NOTE(gagehugo): Test this whitelist when the netpol gate works
#network_policy:
#  glance:
#    ingress:
#      - from:
#        - podSelector:
#            matchLabels:
#              application: glance
#        - podSelector:
#            matchLabels:
#              application: nova
#        - podSelector:
#            matchLabels:
#              application: horizon
#        - podSelector:
#            matchLabels:
#              application: ingress
#        - podSelector:
#            matchLabels:
#              application: heat
#        - podSelector:
#            matchLabels:
#              application: ironic
#        - podSelector:
#            matchLabels:
#              application: cinder
#        ports:
#        - protocol: TCP
#          port: 80
#        - protocol: TCP
#          port: 9191
#        - protocol: TCP
#          port: 9292
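An offline check of which flows the commented-out glance whitelist would admit once enabled, using Kubernetes NetworkPolicy ingress matching. This is an added example, not code from the openstack-helm project; the function names and the `keystone` source label are assumptions. It models only `podSelector.matchLabels` peers in the policy's own namespace with numeric ports.

```python
# Constructed from the commented-out glance whitelist in the file above.
GLANCE_INGRESS = [{
    "from": [{"podSelector": {"matchLabels": {"application": app}}}
             for app in ("glance", "nova", "horizon", "ingress",
                         "heat", "ironic", "cinder")],
    "ports": [{"protocol": "TCP", "port": p} for p in (80, 9191, 9292)],
}]

# Kubernetes form of "allow all ingress": one rule with no from/ports limits.
ALLOW_ALL = [{}]


def peer_matches(peer, src_labels):
    """A podSelector peer matches when every matchLabels pair is on the source pod."""
    if "podSelector" not in peer:
        return False  # ipBlock / namespaceSelector peers are not modelled here
    wanted = peer["podSelector"].get("matchLabels", {})
    return all(src_labels.get(k) == v for k, v in wanted.items())


def port_matches(entry, protocol, port):
    """protocol defaults to TCP; an entry without a port covers every port."""
    return entry.get("protocol", "TCP") == protocol and entry.get("port", port) == port


def ingress_allowed(rules, src_labels, protocol, port):
    """True if any rule admits the flow to a pod selected by the policy.

    Within one rule, `from` and `ports` are ANDed; a missing or empty list
    places no restriction. An empty rule list denies all ingress.
    """
    for rule in rules:
        peers = rule.get("from") or []
        ports = rule.get("ports") or []
        src_ok = not peers or any(peer_matches(p, src_labels) for p in peers)
        port_ok = not ports or any(port_matches(e, protocol, port) for e in ports)
        if src_ok and port_ok:
            return True
    return False


if __name__ == "__main__":
    for app, port in (("nova", 9292), ("keystone", 9292), ("nova", 22)):
        verdict = ingress_allowed(GLANCE_INGRESS, {"application": app}, "TCP", port)
        print(f"{app} -> glance TCP/{port}: {'allow' if verdict else 'deny'}")
```
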