This repository was archived by the owner on Dec 11, 2023. It is now read-only.
k8s network policies #136
Open
Description
Since it is a good practice to have a deny-all network policy in every namespace, it would be good to have the required network policies for the Dynatrace OneAgent documented or as a YAML in this repo. We use these Helm template files to allow the communication to the k8s API server and to the Dynatrace server in every namespace. What do you think about it?
```yaml
{{- range $key, $val := .Values.namespaces }}
---
# Allow every pod in the namespace to reach the Kubernetes API server.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-server
  namespace: {{ $key }}
spec:
  podSelector: {}          # empty selector = all pods in the namespace
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: {{ $.Values.apiServerIp }}/32
      ports:
        - protocol: TCP
          port: {{ $.Values.apiServerPort }}
---
# Allow every pod in the namespace to reach the Dynatrace server.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dynatrace
  namespace: {{ $key }}
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # allow dynatrace one-agent lsb148.dynatrace-managed.com
    - ports:
        - port: {{ $.Values.dynatraceServerOneAgentPort }}
          protocol: TCP
        - port: {{ $.Values.dynatraceServerDownloadPort }}
          protocol: TCP
      to:
        - ipBlock:
            cidr: {{ $.Values.dynatraceServerIp }}/32
{{- end }}
---
```
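The description refers to a deny-all policy in every namespace but does not show it, and a deny-all egress policy also cuts off DNS, which the agent needs to resolve the Dynatrace hostname. The following is an added example in the same Helm style, not code from the issue author or from the Dynatrace project: it renders, per namespace in the same `.Values.namespaces` map, the default-deny policy together with an egress allowance to the cluster DNS. The `kubernetes.io/metadata.name` namespace label and the `k8s-app: kube-dns` pod label are assumptions about the cluster (the namespace label is set automatically on Kubernetes 1.22 and later; the pod label is the usual one for kube-dns/CoreDNS but is distribution-specific).

```yaml
{{- range $key, $val := .Values.namespaces }}
---
# Default deny: selects every pod, lists both policy types, allows nothing.
# Any traffic not matched by another policy in the namespace is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: {{ $key }}
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Deny-all egress also blocks DNS, so name resolution fails (including the
# Dynatrace hostname the agent connects to) until the cluster DNS is allowed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: {{ $key }}
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        # namespaceSelector and podSelector in the same element are AND-ed:
        # only the DNS pods in kube-system, not the whole namespace.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system   # assumption: automatic label, k8s >= 1.22
          podSelector:
            matchLabels:
              k8s-app: kube-dns                           # assumption: kube-dns/CoreDNS pod label
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
{{- end }}
```

Render and validate before applying, for example with `helm template . | kubectl apply --dry-run=server -f -`, which catches indentation mistakes in the templates. Two points worth checking in the resulting cluster: egress policies are additive, so the `allow-api-server` and `allow-dynatrace` policies above combine with this default deny rather than replacing it; and the `apiServerIp` value should be the API server's real endpoint address rather than the `kubernetes` ClusterIP, because on most CNI plugins the `ipBlock` is matched after kube-proxy has translated the service IP to the backend.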