validatedpatterns · p-rog · Jun 12, 2026 · Jun 12, 2026
diff --git a/README.md.gotmpl b/README.md.gotmpl
@@ -26,3 +26,98 @@ This chart is used to serve as the template for Validated Patterns Charts
 <!-- markdownlint-enable MD013 MD034 MD060 -->
 
 {{ template "helm-docs.versionFooter" . }}
+
+## Network Policies
+
+This chart supports deploying Kubernetes NetworkPolicies for network isolation
+in the ZTWIM namespace. Two layers are available:
+
+### Default-deny policy
+
+A namespace-wide default-deny NetworkPolicy that blocks all ingress and egress
+traffic for every pod in the namespace unless an explicit allow policy exists.
+Enable it by setting:
+
+```yaml
+defaultDenyNetworkPolicy:
+  enabled: true
+```
+
+**Note:** The spire-agent DaemonSet uses `hostNetwork: true` and is NOT affected
+by NetworkPolicies. Agent-to-server communication uses node IPs and requires a
+port-only ingress rule on the spire-server.
+
+### Per-pod allow rules
+
+When the default-deny policy is enabled, additional NetworkPolicy templates
+allow defining fine-grained rules for each component:
+
+- `networkPolicy.spireServer` — ingress and egress rules for the spire-server
+  pod (includes the spire-controller-manager webhook container)
+- `networkPolicy.oidcDiscoveryProvider` — ingress and egress rules for the OIDC
+  discovery provider pod
+- `networkPolicy.csiDriver` — egress rules for the SPIFFE CSI driver pods
+- `networkPolicy.operator` — ingress and egress rules for the ZTWIM operator pod
+
+Example — allow spire-server ingress from agents and egress to DNS:
+
+```yaml
+defaultDenyNetworkPolicy:
+  enabled: true
+
+networkPolicy:
+  spireServer:
+    enabled: true
+    ingress:
+      - ports:
+        - protocol: TCP
+          port: 8081
+      - ports:
+        - protocol: TCP
+          port: 9443
+    egress:
+      - ports:
+        - protocol: UDP
+          port: 5353
+        - protocol: TCP
+          port: 5353
+        to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+      - ports:
+        - protocol: TCP
+          port: 6443
+  oidcDiscoveryProvider:
+    enabled: true
+    ingress:
+      - ports:
+        - protocol: TCP
+          port: 8443
+        from:
+        - namespaceSelector:
+            matchLabels:
+              policy-group.network.openshift.io/ingress: ""
+    egress:
+      - ports:
+        - protocol: UDP
+          port: 5353
+        - protocol: TCP
+          port: 5353
+        to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-dns
+  operator:
+    enabled: true
+    egress:
+      - ports:
+        - protocol: TCP
+          port: 443
+        - protocol: TCP
+          port: 6443
+```
+
+Patterns can supply these values via `extraValueFiles` in their
+`values-hub.yaml` to keep network policy configuration separate from the main
+chart values.
diff --git a/templates/csi-driver-network-policy.yaml b/templates/csi-driver-network-policy.yaml
@@ -0,0 +1,18 @@
+{{- if and (eq (.Values.defaultDenyNetworkPolicy.enabled | toString) "true") (eq (.Values.networkPolicy.csiDriver.enabled | toString) "true") }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: csi-driver-network-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: spiffe-csi-driver
+  policyTypes:
+  - Ingress
+  - Egress
+  {{- with .Values.networkPolicy.csiDriver.egress }}
+  egress:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
diff --git a/templates/default-deny-network-policy.yaml b/templates/default-deny-network-policy.yaml
@@ -0,0 +1,12 @@
+{{- if eq (.Values.defaultDenyNetworkPolicy.enabled | toString) "true" }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-in-namespace-{{ .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+{{- end }}
diff --git a/templates/oidc-discovery-provider-network-policy.yaml b/templates/oidc-discovery-provider-network-policy.yaml
@@ -0,0 +1,22 @@
+{{- if and (eq (.Values.defaultDenyNetworkPolicy.enabled | toString) "true") (eq (.Values.networkPolicy.oidcDiscoveryProvider.enabled | toString) "true") }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: oidc-discovery-provider-network-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: spiffe-oidc-discovery-provider
+  policyTypes:
+  - Ingress
+  - Egress
+  {{- with .Values.networkPolicy.oidcDiscoveryProvider.ingress }}
+  ingress:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+  {{- with .Values.networkPolicy.oidcDiscoveryProvider.egress }}
+  egress:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
diff --git a/templates/operator-network-policy.yaml b/templates/operator-network-policy.yaml
@@ -0,0 +1,22 @@
+{{- if and (eq (.Values.defaultDenyNetworkPolicy.enabled | toString) "true") (eq (.Values.networkPolicy.operator.enabled | toString) "true") }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: operator-network-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      name: zero-trust-workload-identity-manager
+  policyTypes:
+  - Ingress
+  - Egress
+  {{- with .Values.networkPolicy.operator.ingress }}
+  ingress:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+  {{- with .Values.networkPolicy.operator.egress }}
+  egress:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
diff --git a/templates/spire-server-network-policy.yaml b/templates/spire-server-network-policy.yaml
@@ -0,0 +1,22 @@
+{{- if and (eq (.Values.defaultDenyNetworkPolicy.enabled | toString) "true") (eq (.Values.networkPolicy.spireServer.enabled | toString) "true") }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: spire-server-network-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: spire-server
+  policyTypes:
+  - Ingress
+  - Egress
+  {{- with .Values.networkPolicy.spireServer.ingress }}
+  ingress:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+  {{- with .Values.networkPolicy.spireServer.egress }}
+  egress:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
diff --git a/values.yaml b/values.yaml
@@ -2,6 +2,32 @@ global:
   localClusterDomain: local.example.com
   hubClusterDomain: hub.example.com
 
+# -- Default-deny NetworkPolicy for the ZTWIM namespace.
+# When enabled, deploys a namespace-wide NetworkPolicy that blocks all ingress and egress
+# for pods without an explicit allow policy. Note: spire-agent uses hostNetwork and is
+# NOT affected by NetworkPolicies.
+defaultDenyNetworkPolicy:
+  enabled: false
+
+# -- Per-pod NetworkPolicy rules for SPIRE components and the ZTWIM operator.
+# Only effective when defaultDenyNetworkPolicy is enabled.
+networkPolicy:
+  spireServer:
+    enabled: false
+    ingress: []
+    egress: []
+  oidcDiscoveryProvider:
+    enabled: false
+    ingress: []
+    egress: []
+  csiDriver:
+    enabled: false
+    egress: []
+  operator:
+    enabled: false
+    ingress: []
+    egress: []
+
 spiffe:
   csi:
     agentSocketPath: "/run/spire/agent-sockets"