allow all pods within namespace to talk to each other

fine crained access control must be done outside of this module for now
goci-io · Sep 16, 2020 · 046029b · 046029b
1 parent a1e7303
commit 046029b
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -66,6 +66,9 @@ Additionally it allows Namespaces with a Label of `someLabel=value` to send Traf
 
 **Note:** Namespace Restrictions apply on **Labels**, not on Namespace Fields!
 
+This Module can only apply Policies to all Pods within your Namespace.
+To enable fine grained Control for Apps within the created Namespace, create your own Network Policies for now.
+
 ### Context
 
 This module is used at [goci.io](https://goci.io) to provision Kubernetes Namespaces for our Customers.
diff --git a/network-policies.tf b/network-policies.tf
@@ -1,4 +1,3 @@
-
 resource "kubernetes_network_policy" "deny_all" {
   count = var.enable_network_policies && var.network_deny_all_policy ? 1 : 0
 
@@ -36,6 +35,10 @@ resource "kubernetes_network_policy" "allow" {
         }
       }
 
+      from {
+        pod_selector {}
+      }
+
       dynamic "from" {
         for_each = var.network_ingress_namespaces
 
@@ -48,6 +51,10 @@ resource "kubernetes_network_policy" "allow" {
     }
 
     egress {
+      to {
+        pod_selector {}
+      }
+
       dynamic "to" {
         for_each = var.network_egress_namespaces