From 046029bb3d7c91a6841775231d7e3be411189b69 Mon Sep 17 00:00:00 2001
From: etwillbefine
Date: Wed, 16 Sep 2020 17:06:31 +0200
Subject: [PATCH] allow all pods within namespace to talk to each other fine crained access control must be done outside of this module for now
---
 README.md | 3 +++
 network-policies.tf | 9 ++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 37b6de3..866b8e5 100644
--- a/README.md
+++ b/README.md
@@ -66,6 +66,9 @@ Additionally it allows Namespaces with a Label of `someLabel=value` to send Traf
 **Note:** Namespace Restrictions apply on **Labels**, not on Namespace Fields!
+This Module can only apply Policies to all Pods within your Namespace.
+To enable fine grained Control for Apps within the created Namespace, create your own Network Policies for now.
+
 ### Context
 This module is used at [goci.io](https://goci.io) to provision Kubernetes Namespaces for our Customers.
diff --git a/network-policies.tf b/network-policies.tf
index 85b0670..6798e50 100644
--- a/network-policies.tf
+++ b/network-policies.tf
@@ -1,4 +1,3 @@
-
 resource "kubernetes_network_policy" "deny_all" {
 count = var.enable_network_policies && var.network_deny_all_policy ? 1 : 0
@@ -36,6 +35,10 @@ resource "kubernetes_network_policy" "allow" {
 }
 }
+ from {
+ pod_selector {}
+ }
+
 dynamic "from" {
 for_each = var.network_ingress_namespaces
@@ -48,6 +51,10 @@ resource "kubernetes_network_policy" "allow" {
 }
 egress {
+ to {
+ pod_selector {}
+ }
+
 dynamic "to" {
 for_each = var.network_egress_namespaces
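Review bot: The new `from { pod_selector {} }` in the `allow` policy's ingress is added unconditionally, so every consumer of the module now gets all-pods-in-namespace ingress with no way to opt out, whereas the neighbouring `deny_all` resource is gated by `var.network_deny_all_policy`. In the Kubernetes API an empty `podSelector` with no `namespaceSelector` matches every pod in the policy's own namespace, which is what the commit intends but also quietly re-opens lateral movement inside the namespace that a tenant may have relied on `deny_all` to keep closed. I would wrap the block in a `dynamic "from"` gated by a boolean such as `network_allow_intra_namespace` (declared alongside the module's other `network_*` inputs with default `true` so this commit's behaviour is unchanged) and put a comment on it stating the empty-selector semantics, since the README text in this patch is currently the only place that explains it. The `allow` resource's opening line and its spec-level `pod_selector` are outside this hunk, so I am assuming the policy itself selects all pods in the namespace; the same concern applies to the egress `to { pod_selector {} }` added in the following hunk.
```hcl
  # Empty pod_selector with no namespace_selector = every pod in this policy's
  # own namespace. Gate it so a tenant can keep intra-namespace ingress closed.
  dynamic "from" {
    for_each = var.network_allow_intra_namespace ? [1] : []

    content {
      pod_selector {}
    }
  }

  # … unchanged: dynamic "from" over var.network_ingress_namespaces …
```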