From 6c49eba336985cd57fba40b8a16f346cbf1b28f0 Mon Sep 17 00:00:00 2001
From: Brad Davidson
Date: Fri, 2 Aug 2024 00:42:47 +0000
Subject: [PATCH] Add netpol template for traefik

Signed-off-by: Brad Davidson
---
 pkg/rke2/np.go | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/pkg/rke2/np.go b/pkg/rke2/np.go
index 414cba9692..82925d94fc 100644
--- a/pkg/rke2/np.go
+++ b/pkg/rke2/np.go
@@ -85,7 +85,7 @@ var defaultKubeSystemPolicies = []policyTemplate{
 },
 },
 {
- // allows for all http and https traffic into the kube-system namespace to the ingress controller pods
+ // allows for all http and https traffic into the kube-system namespace to the ingress-nginx controller pods
 name: "default-network-ingress-policy",
 annotationKey: "np.rke2.io/ingress",
 podSelector: metav1.LabelSelector{MatchLabels: labels.Set{"app.kubernetes.io/name": "rke2-ingress-nginx"}},
@@ -111,7 +111,7 @@ var defaultKubeSystemPolicies = []policyTemplate{
 },
 },
 {
- // allows for https traffic into the to the ingress controller webhook
+ // allows for https traffic into the to the ingress-nginx controller webhook
 name: "default-network-ingress-webhook-policy",
 annotationKey: "np.rke2.io/ingress-webhook",
 podSelector: metav1.LabelSelector{MatchLabels: labels.Set{"app.kubernetes.io/name": "rke2-ingress-nginx"}},
@@ -129,6 +129,32 @@ var defaultKubeSystemPolicies = []policyTemplate{
 },
 },
 },
+ {
+ // allows for all http and https traffic into the kube-system namespace to the traefik ingress controller pods
+ name: "default-network-traefik-policy",
+ annotationKey: "np.rke2.io/ingress",
+ podSelector: metav1.LabelSelector{MatchLabels: labels.Set{"app.kubernetes.io/name": "rke2-traefik"}},
+ ingress: []v1.NetworkPolicyIngressRule{
+ {
+ Ports: []v1.NetworkPolicyPort{
+ {
+ Protocol: &tcp,
+ Port: &intstr.IntOrString{
+ Type: intstr.String,
+ StrVal: "http",
+ },
+ },
+ {
+ Protocol: &tcp,
+ Port: &intstr.IntOrString{
+ Type: intstr.String,
+ StrVal: "https",
+ },
+ },
+ },
+ },
+ },
+ },
 {
 // allows for https traffic into the CSI snapshot validation webhook
 name: "default-network-snapshot-validation-webhook-policy",
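Review bot: The new traefik template reuses `annotationKey: "np.rke2.io/ingress"`, the same key the nginx entry `default-network-ingress-policy` carries in the hunk at line 85, while every other template visible here has a key of its own (for example `np.rke2.io/ingress-webhook`); if annotationKey is what records that a policy has already been applied to the namespace, the two policies would share that marker and one of them could be skipped on clusters where the other was applied first — confirm how annotationKey is consumed (that code is outside this hunk) and, if it is per-policy state, give this entry a distinct key such as `annotationKey: "np.rke2.io/traefik",` (constructed name). Separately, the rule selects ports by name (`http`, `https`), and a NetworkPolicy named port only matches a container port declared with exactly that name in the selected pod; if the rke2-traefik pod declares its ports as `web`/`websecure` the way the upstream traefik chart does, this rule would admit no traffic at all, so the names should be checked against the chart's container spec. The enclosing `defaultKubeSystemPolicies` literal starts before and continues after this hunk.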