
Microsegmentation

Welkin uses NetworkPolicies to ensure that components can communicate with each other only where necessary. It does this by first applying, per namespace, a policy that denies all communication, and then adding policies that open up only the required communication paths.

Our NetworkPolicies are created by a generic generator chart: you define a set of named rules once, and then define each policy in terms of those rules.

Take the Velero values as an example. Using the commonly defined rules, Velero is configured to allow egress traffic to the cluster DNS, the API server and the object storage, and ingress from Prometheus for metrics scraping:

velero:
  podSelectorLabels:
    app.kubernetes.io/name: velero
    name: velero
  egress:
  - rule: egress-rule-dns
  - rule: egress-rule-apiserver
  - rule: egress-rule-object-storage
  ingress:
  - rule: ingress-rule-prometheus
    ports:
    - tcp: 8085
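To make the rules-then-policies pattern concrete, here is an added illustration (not Welkin's generator chart, whose template is not shown on this page) that expands the Velero values above into the NetworkPolicy objects they imply, alongside the all-deny baseline. The rule names and their peers and ports are taken from the tables on this page; the values layout beyond the Velero snippet, the CIDRs, the DNS service IP and the helper names are assumptions.

```python
"""Minimal rules-then-policies NetworkPolicy renderer (added example, not the
project's chart).  Rule names and peers/ports follow this page; everything
else (environment values, helper names, the "allowAll" shorthand) is assumed."""
import ipaddress

# Placeholder environment values (constructed; a real deployment sets its own).
ENV = {
    "clusterDnsServiceIp": "10.96.0.10",
    "apiServerCidr": "192.0.2.10/32",
    "objectStorageCidr": "198.51.100.0/24",
}


def ns_pods(namespace, labels):
    """Peer: pods carrying `labels` inside `namespace` (selected through the
    standard kubernetes.io/metadata.name namespace label)."""
    return {
        "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": namespace}},
        "podSelector": {"matchLabels": labels},
    }


def ip_block(cidr):
    ipaddress.ip_network(cidr)  # fail early on a malformed CIDR
    return {"ipBlock": {"cidr": cidr}}


def to_ports(raw):
    """Values form [{tcp: 8085}] -> API form [{protocol: TCP, port: 8085}]."""
    return [{"protocol": proto.upper(), "port": number}
            for p in raw for proto, number in p.items()]


# Shared rules, shaped after the "Reference to:" rows in the tables below.
# A rule without "ports" must be given ports by the policy that references it.
RULES = {
    "egress-rule-dns": {
        "to": [ns_pods("kube-system", {"k8s-app": "kube-dns"}),
               ip_block(ENV["clusterDnsServiceIp"] + "/32")],
        "ports": [{"tcp": 53}, {"udp": 53}],
    },
    "egress-rule-apiserver": {"to": [ip_block(ENV["apiServerCidr"])], "ports": [{"tcp": 6443}]},
    "egress-rule-object-storage": {"to": [ip_block(ENV["objectStorageCidr"])], "ports": [{"tcp": 443}]},
    "ingress-rule-prometheus": {"from": [ns_pods("monitoring", {"app.kubernetes.io/name": "prometheus"})]},
}


def all_deny(namespace):
    """Baseline: selects every pod, lists both policy types, carries no rules."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "all-deny", "namespace": namespace},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}


def render_policy(name, namespace, values):
    """Expand rule references and inline rules in `values` into one NetworkPolicy."""
    spec = {"podSelector": {"matchLabels": values["podSelectorLabels"]},
            "policyTypes": ["Ingress", "Egress"]}
    for direction, peer_key in (("ingress", "from"), ("egress", "to")):
        entries = values.get(direction, [])
        if entries == "allowAll":       # assumed shorthand for ALLOW ALL in that direction
            spec[direction] = [{}]      # one empty rule matches every peer and port
            continue
        rendered = []
        for entry in entries:
            rule = RULES[entry["rule"]] if "rule" in entry else entry  # reference or inline
            raw_ports = entry.get("ports") or rule.get("ports")   # policy-level ports win
            if raw_ports is None:
                # Omitting ports in the API means "all ports"; refuse to do that silently.
                raise ValueError(f"{namespace}/{name} {direction}: no ports given")
            item = {peer_key: rule[peer_key]}
            if raw_ports != "all":      # explicit "all" leaves ports out on purpose
                item["ports"] = to_ports(raw_ports)
            rendered.append(item)
        spec[direction] = rendered      # an empty list keeps the DENY ALL baseline
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


# The Velero values from this page, as the YAML loads them.
VELERO_VALUES = {
    "podSelectorLabels": {"app.kubernetes.io/name": "velero", "name": "velero"},
    "egress": [{"rule": "egress-rule-dns"}, {"rule": "egress-rule-apiserver"},
               {"rule": "egress-rule-object-storage"}],
    "ingress": [{"rule": "ingress-rule-prometheus", "ports": [{"tcp": 8085}]}],
}


def velero_policies():
    """The all-deny baseline plus the velero policy, in apply order."""
    return [all_deny("velero"), render_policy("velero", "velero", VELERO_VALUES)]


if __name__ == "__main__":
    import json
    print(json.dumps(velero_policies(), indent=2))
```

The prometheus rule deliberately carries no ports of its own, so forgetting the per-policy `ports` override fails loudly instead of opening every port to the scraper.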

Some of the rules in these NetworkPolicies are configurable through the Apps configuration. The possible configuration keys are listed in the schema.

The documentation below is generated automatically from the NetworkPolicy generator values.

Management Cluster Network Policies

Namespace: cert-manager

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: cainjector

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: cainjector


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/9402

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Policy: controller

Pod Selector: This policy applies to pods with the following labels:

app: cert-manager


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/9402

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443
3 Reference to: egress-rule-ingress Management Cluster subnet CIDR TCP/443
TCP/80
4 egress-rule-letsencrypt
Inline Rule
Configurable IP Block
TCP/443
5 egress-rule-http01
Inline Rule
Configurable IP Block
TCP/443
TCP/80
6 egress-rule-dns01
Inline Rule
Configurable IP Block
TCP/53
UDP/53

Policy: startupapicheck

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: startupapicheck


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Policy: webhook

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: webhook


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-apiserver Management Cluster API Server CIDR TCP/10250
2 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/9402

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Namespace: dex

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: allow-cert-manager-resolver

Pod Selector: This policy applies to pods with the following labels:

acme.cert-manager.io/http01-solver: true


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-ingress Management Cluster subnet CIDR TCP/8089

Egress Rules (Outgoing Traffic)
  • ALLOW ALL outgoing traffic.

Policy: dex

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: dex


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-ingress Management Cluster subnet CIDR TCP/5556
2 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/5558
3 ingress-rule-grafana
Inline Rule
Pods with labels:
app.kubernetes.io/name=grafana
in namespace:
monitoring
TCP/5556
4 ingress-rule-opensearch
Inline Rule
Pods with labels:
app.kubernetes.io/instance=opensearch-master
in namespace:
opensearch-system

Pods with labels:
app.kubernetes.io/instance=opensearch-dashboards
in namespace:
opensearch-system
TCP/5556

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443
3 egress-rule-connectors
Inline Rule
Configurable IP Block
TCP/443

Namespace: falco

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: falco

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: falco


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/8765

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443
3 egress-rule-falco-sidekick
Inline Rule
Pods with labels:
app.kubernetes.io/name=falcosidekick

TCP/2801
4 egress-rule-falco-plugins
Inline Rule
Configurable IP Block
TCP/443

Policy: falco-sidekick

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: falcosidekick


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 ingress-rule-falco
Inline Rule
Pods with labels:
app.kubernetes.io/name=falco

TCP/2801
2 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/2801

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 egress-rule-alertmanager
Inline Rule
Pods with labels:
app.kubernetes.io/instance=kube-prometheus-stack-alertmanager
in namespace:
monitoring
TCP/9093

Namespace: fluentd-system

Policy: aggregator

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/instance: fluentd-aggregator


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 fluentd-forwarder
Inline Rule
Pods with labels:
app.kubernetes.io/instance=fluentd-forwarder

TCP/24224
2 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/24231
3 Reference to: ingress-rule-blackbox Pods with labels:
app.kubernetes.io/name=prometheus-blackbox-exporter
in namespace:
monitoring
TCP/9880

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-object-storage Object storage CIDR TCP/443

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: forwarder

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/instance: fluentd-forwarder


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/24231

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443
2 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
3 fluentd-aggregator
Inline Rule
Pods with labels:
app.kubernetes.io/instance=fluentd-aggregator

TCP/24224

Policy: log-manager

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: log-manager


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-object-storage Object storage CIDR TCP/443

Namespace: gatekeeper-system

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: audit-controller

Pod Selector: This policy applies to pods with the following labels:

control-plane: audit-controller


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/8888

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Policy: controller-manager

Pod Selector: This policy applies to pods with the following labels:

control-plane: controller-manager


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/8888
2 Reference to: ingress-rule-blackbox Pods with labels:
app.kubernetes.io/name=prometheus-blackbox-exporter
in namespace:
monitoring
TCP/9090
3 Reference to: ingress-rule-apiserver Management Cluster API Server CIDR TCP/8443

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Policy: templates-wait

Pod Selector: This policy applies to pods with the following labels:

job-name: gatekeeper-templates-wait


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Policy: update-crds-hook

Pod Selector: This policy applies to pods with the following labels:

job-name: gatekeeper-update-crds-hook


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Policy: update-namespace-label

Pod Selector: This policy applies to pods with the following labels:

job-name: gatekeeper-update-namespace-label


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Namespace: harbor

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: allow-cert-manager-resolver

Pod Selector: This policy applies to pods with the following labels:

acme.cert-manager.io/http01-solver: true


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-ingress Management Cluster subnet CIDR TCP/8089

Egress Rules (Outgoing Traffic)
  • ALLOW ALL outgoing traffic.

Policy: backup

Pod Selector: This policy applies to pods with the following labels:

component: backup


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-harbor-database Pods with labels:
component=database

TCP/5432
3 Reference to: egress-rule-object-storage Object storage CIDR TCP/443

Policy: cert-manager-http01-solver

Pod Selector: This policy applies to pods with the following labels:

acme.cert-manager.io/http01-solver: true


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-ingress Management Cluster subnet CIDR TCP/8089

Egress Rules (Outgoing Traffic)
  • ALLOW ALL outgoing traffic.

Policy: cleanup

Pod Selector: This policy applies to pods with the following labels:

component: cleanup


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-object-storage Object storage CIDR TCP/443

Policy: core

Pod Selector: This policy applies to pods with the following labels:

component: core


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/8001
2 Reference to: ingress-rule-ingress Management Cluster subnet CIDR TCP/8080
3 ingress-http
Inline Rule
Pods with labels:
component=exporter

Pods with labels:
component=jobservice

Pods with labels:
component=trivy

Pods with labels:
job-name=init-harbor-job

TCP/8080

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-ingress Management Cluster subnet CIDR TCP/443
TCP/8443
3 Reference to: egress-rule-object-storage Object storage CIDR TCP/443
4 Reference to: egress-rule-harbor-portal Pods with labels:
component=portal

TCP/8080
5 Reference to: egress-rule-harbor-registry Pods with labels:
component=registry

TCP/5000
TCP/8080
6 Reference to: egress-rule-harbor-redis Pods with labels:
component=redis

TCP/6379
7 Reference to: egress-rule-harbor-database Pods with labels:
component=database

TCP/5432
8 Reference to: egress-rule-harbor-trivy Pods with labels:
component=trivy

TCP/8080
9 Reference to: egress-rule-harbor-jobservice Pods with labels:
component=jobservice

TCP/8080
10 Reference to: egress-rule-harbor-external-registries Configurable IP Block
TCP/443

Policy: database

Pod Selector: This policy applies to pods with the following labels:

component: database


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Inline Rule Pods with labels:
component=core

Pods with labels:
component=jobservice

Pods with labels:
component=registry

Pods with labels:
component=exporter

Pods with labels:
component=backup

TCP/5432

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53

Policy: exporter

Pod Selector: This policy applies to pods with the following labels:

component: exporter


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/8001

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-harbor-core Pods with labels:
component=core

TCP/8080
3 Reference to: egress-rule-harbor-redis Pods with labels:
component=redis

TCP/6379
4 Reference to: egress-rule-harbor-database Pods with labels:
component=database

TCP/5432

Policy: init

Pod Selector: This policy applies to pods with the following labels:

job-name: init-harbor-job


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-harbor-core Pods with labels:
component=core

TCP/8080

Policy: jobservice

Pod Selector: This policy applies to pods with the following labels:

component: jobservice


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/8001
2 ingress-rule-harbor-core
Inline Rule
Pods with labels:
component=core

All ports

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-harbor-core Pods with labels:
component=core

TCP/8080
3 Reference to: egress-rule-harbor-redis Pods with labels:
component=redis

TCP/6379
4 Reference to: egress-rule-harbor-database Pods with labels:
component=database

TCP/5432
5 Reference to: egress-rule-harbor-trivy Pods with labels:
component=trivy

TCP/8080
6 Reference to: egress-rule-harbor-registry Pods with labels:
component=registry

TCP/5000
TCP/8080
7 Reference to: egress-rule-harbor-external-registries Configurable IP Block
TCP/443
8 Reference to: egress-rule-harbor-jobservice Pods with labels:
component=jobservice

TCP/8080
9 Reference to: egress-rule-harbor-external-jobservice Configurable IP Block
TCP/443

Policy: portal

Pod Selector: This policy applies to pods with the following labels:

component: portal


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Inline Rule Pods with labels:
component=core

All ports
2 Reference to: ingress-rule-ingress Management Cluster subnet CIDR TCP/8080

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53

Policy: redis

Pod Selector: This policy applies to pods with the following labels:

component: redis


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Inline Rule Pods with labels:
component=core

Pods with labels:
component=jobservice

Pods with labels:
component=trivy

Pods with labels:
component=registry

Pods with labels:
component=exporter

TCP/6379

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53

Policy: registry

Pod Selector: This policy applies to pods with the following labels:

component: registry


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/8001
2 Inline Rule Pods with labels:
component=core

Pods with labels:
component=jobservice

TCP/5000
TCP/8080

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-object-storage Object storage CIDR TCP/443
3 Reference to: egress-rule-harbor-redis Pods with labels:
component=redis

TCP/6379

Policy: trivy

Pod Selector: This policy applies to pods with the following labels:

component: trivy


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Inline Rule Pods with labels:
component=core

Pods with labels:
component=jobservice

TCP/8080

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-harbor-core Pods with labels:
component=core

TCP/8080
3 Reference to: egress-rule-harbor-redis Pods with labels:
component=redis

TCP/6379
4 Reference to: egress-rule-harbor-external-trivy Configurable IP Block
TCP/443

Namespace: ingress-nginx

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: controller

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: controller


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-ingress-controller Management Cluster subnet CIDR TCP/80
TCP/443
2 Reference to: ingress-rule-apiserver Management Cluster API Server CIDR TCP/8443
3 Reference to: ingress-rule-blackbox Pods with labels:
app.kubernetes.io/name=prometheus-blackbox-exporter
in namespace:
monitoring
TCP/80
TCP/443
TCP/8443
4 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/10254

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443
3 Reference to: egress-rule-ingress Management Cluster subnet CIDR TCP/80
TCP/443
4 egress-rule-grafana
Inline Rule
Pods with labels:
app.kubernetes.io/name=grafana
in namespace:
monitoring
TCP/3000
5 egress-rule-opensearch-dashboards
Inline Rule
Pods with labels:
app.kubernetes.io/instance=opensearch-dashboards
in namespace:
opensearch-system
TCP/5601
6 egress-rule-opensearch
Inline Rule
Pods with labels:
app.kubernetes.io/component=opensearch-master
in namespace:
opensearch-system
TCP/9200
7 egress-rule-harbor
Inline Rule
Pods with labels:
component=core
in namespace:
harbor

Pods with labels:
component=portal
in namespace:
harbor
TCP/8080
8 egress-rule-dex
Inline Rule
Pods with labels:
app.kubernetes.io/name=dex
in namespace:
dex
TCP/5556
9 egress-rule-thanos
Inline Rule
Pods with labels:
app.kubernetes.io/component=receive-distributor
in namespace:
thanos
TCP/10902
TCP/19291
10 egress-rule-default-backend
Inline Rule
Pods with labels:
app.kubernetes.io/component=default-backend

TCP/8080
11 egress-rule-cert-manager
Inline Rule
Pods with labels:
acme.cert-manager.io/http01-solver=true

TCP/8089

Policy: default-backend

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: default-backend


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-ingress Management Cluster subnet CIDR TCP/8080

Egress Rules (Outgoing Traffic)
  • ALLOW ALL outgoing traffic.

Policy: webhook

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: admission-webhook


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Namespace: kube-system

Policy: coredns

Pod Selector: This policy applies to pods with the following labels:

k8s-app: kube-dns


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 ingress-rule-dns
Inline Rule
Any source TCP/53
UDP/53
2 ingress-rule-kube-dns
Inline Rule
Pods with labels:
k8s-app=kube-dns

All ports
3 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/9153

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443
3 Reference to: egress-rule-nodes Management Cluster subnet CIDR TCP/53
UDP/53
4 egress-rule-service-ip
Inline Rule
Configurable IP Block
TCP/53
UDP/53
5 egress-rule-external-dns
Inline Rule
Configurable IP Block
TCP/53
UDP/53

Policy: dns-autoscaler

Pod Selector: This policy applies to pods with the following labels:

k8s-app: dns-autoscaler


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-apiserver Management Cluster API Server CIDR TCP/8080
2 Reference to: egress-rule-nodes Management Cluster subnet CIDR TCP/8080

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Policy: metrics-server

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: metrics-server


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-apiserver Management Cluster API Server CIDR TCP/8443

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443
3 Reference to: egress-rule-nodes Management Cluster subnet CIDR TCP/10250

Policy: snapshot-controller

Pod Selector: This policy applies to pods with the following labels:

app: snapshot-controller


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Namespace: monitoring

Policy: alertmanager

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: alertmanager


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-apiserver Management Cluster API Server CIDR All ports
2 ingress-rule-alertmanager
Inline Rule
Pods with labels:
app.kubernetes.io/name=alertmanager

All ports
3 ingress-rule-alert-generators
Inline Rule
Pods with labels:
app.kubernetes.io/name=falcosidekick
in namespace:
falco

Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring

Pods with labels:
app.kubernetes.io/component=ruler
in namespace:
thanos
TCP/9093
TCP/8080

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 egress-rule-alertmanager
Inline Rule
Pods with labels:
app.kubernetes.io/name=alertmanager

All ports
3 egress-rule-alert-receivers
Inline Rule
Configurable IP Block
TCP/443

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: allow-cert-manager-resolver

Pod Selector: This policy applies to pods with the following labels:

acme.cert-manager.io/http01-solver: true


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-ingress Management Cluster subnet CIDR TCP/8089

Egress Rules (Outgoing Traffic)
  • ALLOW ALL outgoing traffic.

Policy: cert-manager-http01-solver

Pod Selector: This policy applies to pods with the following labels:

acme.cert-manager.io/http01-solver: true


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-ingress Management Cluster subnet CIDR TCP/8089

Egress Rules (Outgoing Traffic)
  • ALLOW ALL outgoing traffic.

Policy: grafana

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: grafana


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-ingress Management Cluster subnet CIDR TCP/3000
2 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/3000

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443
3 egress-rule-prometheus
Inline Rule
Pods with labels:
app.kubernetes.io/name=prometheus

Pods with labels:
app=grafana-label-enforcer

TCP/9090
4 egress-rule-thanos
Inline Rule
Pods with labels:
app.kubernetes.io/component=query-frontend
in namespace:
thanos
TCP/9090
5 egress-rule-dex
Inline Rule
Pods with labels:
app.kubernetes.io/name=dex
in namespace:
dex
TCP/5556
6 egress-rule-external-dashboards
Inline Rule
Configurable IP Block
TCP/443

Policy: grafana-label-enforcer

Pod Selector: This policy applies to pods with the following labels:

app: grafana-label-enforcer


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 ingress-rule-grafana-datasource
Inline Rule
Pods with labels:
app.kubernetes.io/name=grafana

TCP/9090

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 egress-rule-thanos-query-frontend
Inline Rule
Pods with labels:
app.kubernetes.io/component=query-frontend
in namespace:
thanos
TCP/9090

Policy: kube-state-metrics

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: kube-state-metrics


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/8080
TCP/8081

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Policy: node-collector

Pod Selector: This policy applies to pods with the following labels:

app: node-collector


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Policy: prometheus

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: prometheus


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-apiserver Management Cluster API Server CIDR TCP/9090
2 Reference to: ingress-rule-blackbox Pods with labels:
app.kubernetes.io/name=prometheus-blackbox-exporter
in namespace:
monitoring
TCP/9090
3 ingress-rule-metrics-collection
Inline Rule
Pods with labels:
app.kubernetes.io/name=prometheus

Pods with labels:
app.kubernetes.io/name=grafana

TCP/9090

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443
3 Reference to: egress-rule-nodes Management Cluster subnet CIDR All ports
4 egress-rule-metrics-collection
Inline Rule
All ports

Policy: prometheus-admission-create

Pod Selector: This policy applies to pods with the following labels:

app: kube-prometheus-stack-admission-create


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Policy: prometheus-admission-patch

Pod Selector: This policy applies to pods with the following labels:

app: kube-prometheus-stack-admission-patch


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Policy: prometheus-blackbox-exporter

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/instance: prometheus-blackbox-exporter


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/9115

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-nodes Management Cluster subnet CIDR All ports
3 Reference to: egress-rule-ingress Management Cluster subnet CIDR TCP/443
TCP/8443
4 Reference to: egress-rule-wc-ingress Workload Cluster Ingress CIDR TCP/443
TCP/8443
5 egress-rule-probe
Inline Rule
All ports

Policy: prometheus-crds-upgrade

Pod Selector: This policy applies to pods with the following labels:

job-name: prometheus-crds-upgrade


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Policy: prometheus-node-exporter

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: prometheus-node-exporter


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/9010

Egress Rules (Outgoing Traffic)
  • ALLOW ALL outgoing traffic.

Policy: prometheus-operator

Pod Selector: This policy applies to pods with the following labels:

app: kube-prometheus-stack-operator


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-apiserver Management Cluster API Server CIDR TCP/10250
2 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/10250

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Policy: trivy-operator

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/instance: trivy-operator
app.kubernetes.io/name: trivy-operator


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/8080

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443
2 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
3 Reference to: egress-rule-trivy Configurable IP Block
TCP/443
TCP/80

Policy: trivy-vulnerability-report-scanner

Pod Selector: This policy applies to pods with the following labels:

vulnerabilityReport.scanner: Trivy


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-trivy Configurable IP Block
TCP/443
TCP/80

Namespace: opensearch-system

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: allow-cert-manager-resolver

Pod Selector: This policy applies to pods with the following labels:

acme.cert-manager.io/http01-solver: true


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-ingress Management Cluster subnet CIDR TCP/8089

Egress Rules (Outgoing Traffic)
  • ALLOW ALL outgoing traffic.

Policy: client

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: opensearch-client


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-egress-rule-opensearch Pods with labels:
app.kubernetes.io/component=opensearch-master

Pods with labels:
app.kubernetes.io/component=opensearch-data

Pods with labels:
app.kubernetes.io/component=opensearch-client

TCP/9300
2 Reference to: ingress-rule-ingress Management Cluster subnet CIDR TCP/9200

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: ingress-egress-rule-opensearch Pods with labels:
app.kubernetes.io/component=opensearch-master

Pods with labels:
app.kubernetes.io/component=opensearch-data

Pods with labels:
app.kubernetes.io/component=opensearch-client

TCP/9300
2 Reference to: egress-rule-object-storage Object storage CIDR TCP/443
3 Reference to: egress-rule-plugins Configurable IP Block
TCP/443
4 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53

Policy: configurer

Pod Selector: This policy applies to pods with the following labels:

app: configurer


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dashboards Pods with labels:
app.kubernetes.io/name=opensearch-dashboards

TCP/5601
2 Reference to: egress-rule-master Pods with labels:
app.kubernetes.io/component=opensearch-master

TCP/9200
3 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53

Policy: curator

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/instance: opensearch-curator


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-master Pods with labels:
app.kubernetes.io/component=opensearch-master

TCP/9200
2 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53

Policy: dashboard

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: opensearch-dashboards


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-ingress Management Cluster subnet CIDR TCP/5601
2 ingress-rule-configurer
Inline Rule
Pods with labels:
app=configurer

TCP/5601

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-master Pods with labels:
app.kubernetes.io/component=opensearch-master

TCP/9200
2 Reference to: egress-rule-ingress Management Cluster subnet CIDR TCP/443
TCP/8443
3 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
4 Reference to: egress-rule-dex Pods with labels:
app.kubernetes.io/instance=dex
app.kubernetes.io/name=dex

TCP/5556

Policy: data

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: opensearch-data


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-egress-rule-opensearch Pods with labels:
app.kubernetes.io/component=opensearch-master

Pods with labels:
app.kubernetes.io/component=opensearch-data

Pods with labels:
app.kubernetes.io/component=opensearch-client

TCP/9300

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: ingress-egress-rule-opensearch Pods with labels:
app.kubernetes.io/component=opensearch-master

Pods with labels:
app.kubernetes.io/component=opensearch-data

Pods with labels:
app.kubernetes.io/component=opensearch-client

TCP/9300
2 Reference to: egress-rule-object-storage Object storage CIDR TCP/443
3 Reference to: egress-rule-plugins Configurable IP Block
TCP/443
4 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53

Policy: master

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: opensearch-master


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-egress-rule-opensearch Pods with labels:
app.kubernetes.io/component=opensearch-master

Pods with labels:
app.kubernetes.io/component=opensearch-data

Pods with labels:
app.kubernetes.io/component=opensearch-client

TCP/9300
2 Reference to: ingress-rule-ingress Management Cluster subnet CIDR TCP/9200
3 ingress-rule-common-master
Inline Rule
Pods with labels:
app.kubernetes.io/instance=opensearch-curator

Pods with labels:
app.kubernetes.io/name=opensearch-dashboards

Pods with labels:
app.kubernetes.io/name=prometheus-elasticsearch-exporter

Pods with labels:
app=configurer

Pods with labels:
app.kubernetes.io/instance=opensearch-securityadmin

TCP/9200

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: ingress-egress-rule-opensearch Pods with labels:
app.kubernetes.io/component=opensearch-master

Pods with labels:
app.kubernetes.io/component=opensearch-data

Pods with labels:
app.kubernetes.io/component=opensearch-client

TCP/9300
2 Reference to: egress-rule-object-storage Object storage CIDR TCP/443
3 Reference to: egress-rule-ingress Management Cluster subnet CIDR TCP/443
TCP/8443
4 Reference to: egress-rule-plugins Configurable IP Block
TCP/443
5 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
6 Reference to: egress-rule-dex Pods with labels:
app.kubernetes.io/instance=dex
app.kubernetes.io/name=dex

TCP/5556

Policy: prometheus-exporter

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: prometheus-elasticsearch-exporter


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/9108

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-master Pods with labels:
app.kubernetes.io/component=opensearch-master

TCP/9200
2 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53

Policy: security-admin

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/instance: opensearch-securityadmin


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-master Pods with labels:
app.kubernetes.io/component=opensearch-master

TCP/9200
2 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53

Namespace: thanos

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: allow-cert-manager-resolver

Pod Selector: This policy applies to pods with the following labels:

acme.cert-manager.io/http01-solver: true


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-ingress Management Cluster subnet CIDR TCP/8089

Egress Rules (Outgoing Traffic)
  • ALLOW ALL outgoing traffic.

Policy: cert-manager-http01-solver

Pod Selector: This policy applies to pods with the following labels:

acme.cert-manager.io/http01-solver: true


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-ingress Management Cluster subnet CIDR TCP/8089

Egress Rules (Outgoing Traffic)
  • ALLOW ALL outgoing traffic.

Policy: thanos-bucketweb

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: bucketweb


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/8080

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-object-storage Object storage CIDR TCP/443

Policy: thanos-compactor

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: compactor


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/10902

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-object-storage Object storage CIDR TCP/443

Policy: thanos-query

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: query


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-blackbox Pods with labels:
app.kubernetes.io/name=prometheus-blackbox-exporter
in namespace:
monitoring
TCP/10902
2 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/10902
3 ingress-rule-query-api
Inline Rule
Pods with labels:
app.kubernetes.io/component=query-frontend

Pods with labels:
app.kubernetes.io/component=ruler

TCP/10902

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 egress-rule-store-api
Inline Rule
Pods with labels:
app.kubernetes.io/component=storegateway

Pods with labels:
app.kubernetes.io/component=receive

Pods with labels:
app.kubernetes.io/component=ruler

TCP/10901

Policy: thanos-query-frontend

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: query-frontend


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-apiserver Management Cluster API Server CIDR TCP/9090
2 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/9090
3 ingress-rule-grafana-datasource
Inline Rule
Pods with labels:
app.kubernetes.io/name=grafana
in namespace:
monitoring

Pods with labels:
app=grafana-label-enforcer
in namespace:
monitoring
TCP/9090

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-query Pods with labels:
app.kubernetes.io/component=query

TCP/10902

Policy: thanos-receive

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: receive


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/10902
2 Reference to: ingress-rule-query Pods with labels:
app.kubernetes.io/component=query

TCP/10901
3 ingress-rule-receive-distributor
Inline Rule
Pods with labels:
app.kubernetes.io/component=receive-distributor

TCP/10901
TCP/19391

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-object-storage Object storage CIDR TCP/443

Policy: thanos-receive-distributor

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: receive-distributor


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-blackbox Pods with labels:
app.kubernetes.io/name=prometheus-blackbox-exporter
in namespace:
monitoring
TCP/10902
2 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/10902
TCP/19291
3 Reference to: ingress-rule-ingress Management Cluster subnet CIDR TCP/19291

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 egress-rule-receive
Inline Rule
Pods with labels:
app.kubernetes.io/component=receive

TCP/10901
TCP/19391

Policy: thanos-ruler

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: ruler


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/10902
2 Reference to: ingress-rule-query Pods with labels:
app.kubernetes.io/component=query

TCP/10901

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-object-storage Object storage CIDR TCP/443
3 Reference to: egress-rule-query Pods with labels:
app.kubernetes.io/component=query

TCP/10902
4 egress-rule-alertmanager
Inline Rule
Pods with labels:
app.kubernetes.io/name=alertmanager
in namespace:
monitoring
TCP/9093

Policy: thanos-storegateway

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: storegateway


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/10902
2 Reference to: ingress-rule-query Pods with labels:
app.kubernetes.io/component=query

TCP/10901

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-object-storage Object storage CIDR TCP/443

Namespace: traefik-system

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: traefik

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: traefik


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-ingress-controller Management Cluster subnet CIDR TCP/8000
TCP/8443
2 Reference to: ingress-rule-apiserver Management Cluster API Server CIDR TCP/8443
3 Reference to: ingress-rule-blackbox Pods with labels:
app.kubernetes.io/name=prometheus-blackbox-exporter
in namespace:
monitoring
TCP/8000
TCP/8443
4 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/9100

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443
3 Reference to: egress-rule-ingress Management Cluster subnet CIDR TCP/8000
TCP/8443
4 egress-rule-grafana
Inline Rule
Pods with labels:
app.kubernetes.io/name=grafana
in namespace:
monitoring
TCP/3000
5 egress-rule-opensearch-dashboards
Inline Rule
Pods with labels:
app.kubernetes.io/instance=opensearch-dashboards
in namespace:
opensearch-system
TCP/5601
6 egress-rule-opensearch
Inline Rule
Pods with labels:
app.kubernetes.io/component=opensearch-master
in namespace:
opensearch-system
TCP/9200
7 egress-rule-harbor
Inline Rule
Pods with labels:
component=core
in namespace:
harbor

Pods with labels:
component=portal
in namespace:
harbor
TCP/8080
8 egress-rule-dex
Inline Rule
Pods with labels:
app.kubernetes.io/name=dex
in namespace:
dex
TCP/5556
9 egress-rule-thanos
Inline Rule
Pods with labels:
app.kubernetes.io/component=receive-distributor
in namespace:
thanos
TCP/10902
TCP/19291
10 egress-rule-cert-manager
Inline Rule
Pods with labels:
acme.cert-manager.io/http01-solver=true
in namespace:
``
TCP/8089

Namespace: velero

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: velero

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: velero
name: velero


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/8085

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443
3 Reference to: egress-rule-object-storage Object storage CIDR TCP/443

Policy: velero-data-mover

Pod Selector: This policy applies to pods with the following labels:

velero.io/exposer-pod-group: snapshot-exposer


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443
3 Reference to: egress-rule-object-storage Object storage CIDR TCP/443

Policy: velero-maintenance-job

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443
3 Reference to: egress-rule-object-storage Object storage CIDR TCP/443

Policy: velero-node-agent

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: velero
name: node-agent


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443
3 Reference to: egress-rule-object-storage Object storage CIDR TCP/443

Policy: velero-upgrade-crds

Pod Selector: This policy applies to pods with the following labels:

job-name: velero-upgrade-crds


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Management Cluster API Server CIDR TCP/6443

Workload Cluster Network Policies

Namespace: alertmanager

Policy: alertmanager

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: alertmanager


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-apiserver Workload Cluster API Server CIDR TCP/9093
2 ingress-rule-alertmanager
Inline Rule
Pods with labels:
app.kubernetes.io/name=alertmanager

All ports
3 ingress-rule-alert-generators
Inline Rule
Pods with labels:
app.kubernetes.io/name=falcosidekick
in namespace:
falco

Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/9093
4 ingress-rule-user-namespaces
Inline Rule
TCP/9093

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 egress-rule-alertmanager
Inline Rule
Pods with labels:
app.kubernetes.io/name=alertmanager

All ports
3 egress-rule-alert-receivers
Inline Rule
Configurable IP Block
TCP/443

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Namespace: cert-manager

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: cainjector

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: cainjector


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/9402

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Workload Cluster API Server CIDR TCP/6443

Policy: controller

Pod Selector: This policy applies to pods with the following labels:

app: cert-manager


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/9402

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Workload Cluster API Server CIDR TCP/6443
3 Reference to: egress-rule-ingress Workload Cluster subnet CIDR TCP/443
TCP/80
4 egress-rule-letsencrypt
Inline Rule
Configurable IP Block
TCP/443
5 egress-rule-http01
Inline Rule
Configurable IP Block
TCP/443
TCP/80
6 egress-rule-dns01
Inline Rule
Configurable IP Block
TCP/53
UDP/53

Policy: startupapicheck

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: startupapicheck


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-apiserver Workload Cluster API Server CIDR TCP/6443

Policy: webhook

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: webhook


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-apiserver Workload Cluster API Server CIDR TCP/10250
2 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/9402

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Workload Cluster API Server CIDR TCP/6443

Namespace: falco

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: falco

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: falco


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/8765

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 Reference to: egress-rule-apiserver Workload Cluster API Server CIDR TCP/6443
3 egress-rule-falco-sidekick
Inline Rule
Pods with labels:
app.kubernetes.io/name=falcosidekick

TCP/2801
4 egress-rule-falco-plugins
Inline Rule
Configurable IP Block
TCP/443

Policy: falco-sidekick

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: falcosidekick


Ingress Rules (Incoming Traffic)
Rule Description From (Peers) To (Ports)
1 Reference to: ingress-rule-blackbox Pods with labels:
app.kubernetes.io/name=prometheus-blackbox-exporter
in namespace:
monitoring
TCP/2801
2 ingress-rule-falco
Inline Rule
Pods with labels:
app.kubernetes.io/name=falco

TCP/2801
3 Reference to: ingress-rule-prometheus Pods with labels:
app.kubernetes.io/name=prometheus
in namespace:
monitoring
TCP/2801

Egress Rules (Outgoing Traffic)
Rule Description To (Peers) On (Ports)
1 Reference to: egress-rule-dns Pods with labels:
k8s-app=kube-dns
in namespace:
kube-system

Cluster DNS Service IP
TCP/53
UDP/53
2 egress-rule-alertmanager
Inline Rule
Pods with labels:
app.kubernetes.io/name=alertmanager
in namespace:
alertmanager
TCP/9093

Namespace: fluentd

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: forwarder

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: fluentd-elasticsearch


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-prometheus): from pods with labels app.kubernetes.io/name=prometheus in namespace monitoring; ports TCP/24231

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443
  • Rule 2 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 3 (reference: egress-rule-sc-ingress): to the Management Cluster Ingress CIDR; ports TCP/443, TCP/8443
  • Rule 4 (inline rule: fluentd-aggregator): to pods with labels app.kubernetes.io/instance=fluentd-aggregator in namespace fluentd-system; ports TCP/24224

Namespace: fluentd-system

Policy: aggregator

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/instance: fluentd-aggregator


Ingress Rules (Incoming Traffic)
  • Rule 1 (inline rule: fluentd-forwarder): from pods with labels app.kubernetes.io/instance=fluentd-forwarder; ports TCP/24224
  • Rule 2 (reference: ingress-rule-prometheus): from pods with labels app.kubernetes.io/name=prometheus in namespace monitoring; ports TCP/24231
  • Rule 3 (reference: ingress-rule-blackbox): from pods with labels app.kubernetes.io/name=prometheus-blackbox-exporter in namespace monitoring; ports TCP/9880

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 2 (reference: egress-rule-object-storage): to the Object storage CIDR; ports TCP/443

Policy: aggregator-from-user

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/instance: fluentd-aggregator


Ingress Rules (Incoming Traffic)
  • Rule 1 (inline rule: fluentd-elasticsearch): from pods with labels app.kubernetes.io/name=fluentd-elasticsearch in namespace fluentd; ports TCP/24224

Egress Rules (Outgoing Traffic)
  • ALLOW ALL outgoing traffic.

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: forwarder

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/instance: fluentd-forwarder


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-prometheus): from pods with labels app.kubernetes.io/name=prometheus in namespace monitoring; ports TCP/24231

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443
  • Rule 2 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 3 (inline rule: fluentd-aggregator): to pods with labels app.kubernetes.io/instance=fluentd-aggregator; ports TCP/24224

Policy: forwarder-to-opensearch

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/instance: fluentd-forwarder


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-sc-ingress): to the Management Cluster Ingress CIDR; ports TCP/443, TCP/8443

Namespace: gatekeeper-system

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: audit-controller

Pod Selector: This policy applies to pods with the following labels:

control-plane: audit-controller


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-prometheus): from pods with labels app.kubernetes.io/name=prometheus in namespace monitoring; ports TCP/8888

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443

Policy: controller-manager

Pod Selector: This policy applies to pods with the following labels:

control-plane: controller-manager


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-prometheus): from pods with labels app.kubernetes.io/name=prometheus in namespace monitoring; ports TCP/8888
  • Rule 2 (reference: ingress-rule-blackbox): from pods with labels app.kubernetes.io/name=prometheus-blackbox-exporter in namespace monitoring; ports TCP/9090
  • Rule 3 (reference: ingress-rule-apiserver): from the Workload Cluster API Server CIDR; ports TCP/8443

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443

Policy: templates-wait

Pod Selector: This policy applies to pods with the following labels:

job-name: gatekeeper-templates-wait


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443

Policy: update-crds-hook

Pod Selector: This policy applies to pods with the following labels:

job-name: gatekeeper-update-crds-hook


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443

Policy: update-namespace-label

Pod Selector: This policy applies to pods with the following labels:

job-name: gatekeeper-update-namespace-label


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443

Namespace: hnc-system

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: controller-manager

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: hnc-controller-manager


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-prometheus): from pods with labels app.kubernetes.io/name=prometheus in namespace monitoring; ports TCP/8080

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443

Policy: webhook

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: hnc-webhook


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-apiserver): from the Workload Cluster API Server CIDR; ports TCP/9443

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443

Namespace: ingress-nginx

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: cert-manager-http01-solver

Pod Selector: This policy applies to pods with the following labels:

acme.cert-manager.io/http01-solver: true


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-ingress): from the Workload Cluster subnet CIDR; ports TCP/8089

Egress Rules (Outgoing Traffic)
  • ALLOW ALL outgoing traffic.

Policy: controller

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: controller


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-ingress-controller): from the Workload Cluster subnet CIDR; ports TCP/80, TCP/443
  • Rule 2 (reference: ingress-rule-apiserver): from the Workload Cluster API Server CIDR; ports TCP/8443
  • Rule 3 (reference: ingress-rule-blackbox): from pods with labels app.kubernetes.io/name=prometheus-blackbox-exporter in namespace monitoring; ports TCP/80, TCP/443, TCP/8443
  • Rule 4 (reference: ingress-rule-prometheus): from pods with labels app.kubernetes.io/name=prometheus in namespace monitoring; ports TCP/10254

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 2 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443
  • Rule 3 (reference: egress-rule-ingress): to the Workload Cluster subnet CIDR; ports TCP/80, TCP/443
  • Rule 4 (reference: egress-rule-namespaces): to any destination; all ports
  • Rule 5 (inline rule: egress-rule-kube-system-api): to pods with labels component=kube-apiserver; ports TCP/3000
  • Rule 6 (inline rule: egress-rule-default-backend): to pods with labels app.kubernetes.io/component=default-backend; ports TCP/8080
  • Rule 7 (inline rule: egress-rule-cert-manager): to pods with labels acme.cert-manager.io/http01-solver=true in namespace `` (empty in the generated values); ports TCP/8089

Policy: default-backend

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: default-backend


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-ingress): from the Workload Cluster subnet CIDR; ports TCP/8080

Egress Rules (Outgoing Traffic)
  • ALLOW ALL outgoing traffic.

Policy: webhook

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/component: admission-webhook


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 2 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443

Namespace: kube-system

Policy: coredns

Pod Selector: This policy applies to pods with the following labels:

k8s-app: kube-dns


Ingress Rules (Incoming Traffic)
  • Rule 1 (inline rule: ingress-rule-dns): from any source; ports TCP/53, UDP/53
  • Rule 2 (inline rule: ingress-rule-kube-dns): from pods with labels k8s-app=kube-dns; all ports
  • Rule 3 (reference: ingress-rule-prometheus): from pods with labels app.kubernetes.io/name=prometheus in namespace monitoring; ports TCP/9153

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 2 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443
  • Rule 3 (reference: egress-rule-nodes): to the Workload Cluster subnet CIDR; ports TCP/53, UDP/53
  • Rule 4 (inline rule: egress-rule-service-ip): to a configurable IP block; ports TCP/53, UDP/53
  • Rule 5 (inline rule: egress-rule-external-dns): to a configurable IP block; ports TCP/53, UDP/53

Policy: dns-autoscaler

Pod Selector: This policy applies to pods with the following labels:

k8s-app: dns-autoscaler


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-apiserver): from the Workload Cluster API Server CIDR; ports TCP/8080
  • Rule 2 (reference: egress-rule-nodes): from the Workload Cluster subnet CIDR; ports TCP/8080

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443

Policy: metrics-server

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: metrics-server


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-apiserver): from the Workload Cluster API Server CIDR; ports TCP/8443

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 2 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443
  • Rule 3 (reference: egress-rule-nodes): to the Workload Cluster subnet CIDR; ports TCP/10250

Policy: snapshot-controller

Pod Selector: This policy applies to pods with the following labels:

app: snapshot-controller


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 2 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443

Namespace: monitoring

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: kube-state-metrics

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: kube-state-metrics


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-prometheus): from pods with labels app.kubernetes.io/name=prometheus in namespace monitoring; ports TCP/8080, TCP/8081

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443

Policy: node-collector

Pod Selector: This policy applies to pods with the following labels:

app: node-collector


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443

Policy: prometheus

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: prometheus


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-apiserver): from the Workload Cluster API Server CIDR; ports TCP/9090
  • Rule 2 (reference: ingress-rule-blackbox): from pods with labels app.kubernetes.io/name=prometheus-blackbox-exporter in namespace monitoring; ports TCP/9090
  • Rule 3 (inline rule: ingress-rule-metrics-collection): from pods with labels app.kubernetes.io/name=prometheus; ports TCP/9090

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 2 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443
  • Rule 3 (reference: egress-rule-nodes): to the Workload Cluster subnet CIDR; all ports
  • Rule 4 (reference: egress-rule-sc-ingress): to the Management Cluster Ingress CIDR; ports TCP/443, TCP/8443
  • Rule 5 (inline rule: egress-rule-metrics-collection): no peer listed; all ports

Policy: prometheus-admission-create

Pod Selector: This policy applies to pods with the following labels:

app: kube-prometheus-stack-admission-create


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443

Policy: prometheus-admission-patch

Pod Selector: This policy applies to pods with the following labels:

app: kube-prometheus-stack-admission-patch


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443

Policy: prometheus-blackbox-exporter

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/instance: prometheus-blackbox-exporter


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-prometheus): from pods with labels app.kubernetes.io/name=prometheus in namespace monitoring; ports TCP/9115

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 2 (reference: egress-rule-nodes): to the Workload Cluster subnet CIDR; all ports
  • Rule 3 (reference: egress-rule-ingress): to the Workload Cluster subnet CIDR; ports TCP/443, TCP/8443
  • Rule 4 (reference: egress-rule-sc-ingress): to the Management Cluster Ingress CIDR; ports TCP/443, TCP/8443
  • Rule 5 (inline rule: egress-rule-probe): no peer listed; all ports

Policy: prometheus-crds-upgrade

Pod Selector: This policy applies to pods with the following labels:

job-name: prometheus-crds-upgrade


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443

Policy: prometheus-node-exporter

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: prometheus-node-exporter


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-prometheus): from pods with labels app.kubernetes.io/name=prometheus in namespace monitoring; ports TCP/9010

Egress Rules (Outgoing Traffic)
  • ALLOW ALL outgoing traffic.

Policy: prometheus-operator

Pod Selector: This policy applies to pods with the following labels:

app: kube-prometheus-stack-operator


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-apiserver): from the Workload Cluster API Server CIDR; ports TCP/10250
  • Rule 2 (reference: ingress-rule-prometheus): from pods with labels app.kubernetes.io/name=prometheus in namespace monitoring; ports TCP/10250

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443

Policy: trivy-operator

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/instance: trivy-operator
app.kubernetes.io/name: trivy-operator


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-prometheus): from pods with labels app.kubernetes.io/name=prometheus in namespace monitoring; ports TCP/8080

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443
  • Rule 2 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 3 (reference: egress-rule-trivy): to a configurable IP block; ports TCP/443, TCP/80

Policy: trivy-vulnerability-report-scanner

Pod Selector: This policy applies to pods with the following labels:

vulnerabilityReport.scanner: Trivy


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 2 (reference: egress-rule-trivy): to a configurable IP block; ports TCP/443, TCP/80

Namespace: production

Policy: allow-cert-manager-resolver

Pod Selector: This policy applies to pods with the following labels:

acme.cert-manager.io/http01-solver: true


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-ingress): from the Workload Cluster subnet CIDR; ports TCP/8089

Egress Rules (Outgoing Traffic)
  • ALLOW ALL outgoing traffic.

Namespace: set-me

Policy: allow-cert-manager-resolver

Pod Selector: This policy applies to pods with the following labels:

acme.cert-manager.io/http01-solver: true


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-ingress): from the Workload Cluster subnet CIDR; ports TCP/8089

Egress Rules (Outgoing Traffic)
  • ALLOW ALL outgoing traffic.

Namespace: staging

Policy: allow-cert-manager-resolver

Pod Selector: This policy applies to pods with the following labels:

acme.cert-manager.io/http01-solver: true


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-ingress): from the Workload Cluster subnet CIDR; ports TCP/8089

Egress Rules (Outgoing Traffic)
  • ALLOW ALL outgoing traffic.

Namespace: traefik-system

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: traefik

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: traefik


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-ingress-controller): from the Workload Cluster subnet CIDR; ports TCP/8000, TCP/8443
  • Rule 2 (reference: ingress-rule-apiserver): from the Workload Cluster API Server CIDR; ports TCP/8443
  • Rule 3 (reference: ingress-rule-blackbox): from pods with labels app.kubernetes.io/name=prometheus-blackbox-exporter in namespace monitoring; ports TCP/8000, TCP/8443
  • Rule 4 (reference: ingress-rule-prometheus): from pods with labels app.kubernetes.io/name=prometheus in namespace monitoring; ports TCP/9100

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 2 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443
  • Rule 3 (reference: egress-rule-ingress): to the Workload Cluster subnet CIDR; ports TCP/8000, TCP/8443
  • Rule 4 (reference: egress-rule-namespaces): to any destination; all ports
  • Rule 5 (inline rule: egress-rule-kube-system-api): to pods with labels component=kube-apiserver; ports TCP/3000
  • Rule 6 (inline rule: egress-rule-cert-manager): to pods with labels acme.cert-manager.io/http01-solver=true in namespace `` (empty in the generated values); ports TCP/8089

Namespace: velero

Policy: all-deny

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • DENY ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • DENY ALL outgoing traffic.

Policy: velero

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: velero
name: velero


Ingress Rules (Incoming Traffic)
  • Rule 1 (reference: ingress-rule-prometheus): from pods with labels app.kubernetes.io/name=prometheus in namespace monitoring; ports TCP/8085

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 2 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443
  • Rule 3 (reference: egress-rule-object-storage): to the Object storage CIDR; ports TCP/443

Policy: velero-data-mover

Pod Selector: This policy applies to pods with the following labels:

velero.io/exposer-pod-group: snapshot-exposer


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 2 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443
  • Rule 3 (reference: egress-rule-object-storage): to the Object storage CIDR; ports TCP/443

Policy: velero-maintenance-job

Pod Selector: This policy applies to all pods in the namespace.


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 2 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443
  • Rule 3 (reference: egress-rule-object-storage): to the Object storage CIDR; ports TCP/443

Policy: velero-node-agent

Pod Selector: This policy applies to pods with the following labels:

app.kubernetes.io/name: velero
name: node-agent


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 2 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443
  • Rule 3 (reference: egress-rule-object-storage): to the Object storage CIDR; ports TCP/443

Policy: velero-upgrade-crds

Pod Selector: This policy applies to pods with the following labels:

job-name: velero-upgrade-crds


Ingress Rules (Incoming Traffic)
  • ALLOW ALL incoming traffic.

Egress Rules (Outgoing Traffic)
  • Rule 1 (reference: egress-rule-dns): to pods with labels k8s-app=kube-dns in namespace kube-system, and to the Cluster DNS Service IP; ports TCP/53, UDP/53
  • Rule 2 (reference: egress-rule-apiserver): to the Workload Cluster API Server CIDR; ports TCP/6443