@rushtehrani
Created January 17, 2020 18:27
apiVersion: v1
kind: Namespace
metadata:
  name: <user-selected-namespace> # replace with relevant namespace
  labels:
    istio-injection: enabled
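---
# extensions/v1beta1 NetworkPolicy is no longer served as of Kubernetes 1.16
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app: onepanel
  name: default
  namespace: <user-selected-namespace> # replace with relevant namespace
spec:
  # allow egress to any address except the cloud instance metadata endpoint
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
  # allow ingress only from namespaces labeled as part of onepanel
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          app.kubernetes.io/part-of: onepanel
  # empty selector: the policy applies to every pod in the namespace
  podSelector: {}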
---
apiVersion: rbac.authorization.k8s.io/v1 # v1beta1 was removed in Kubernetes 1.22
kind: Role
metadata:
  labels:
    app: onepanel
  name: onepanel
  namespace: <user-selected-namespace> # replace with relevant namespace
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs: ["get", "watch", "patch"]
# note: this rule gives any bound subject read/write access to every Secret in the namespace
- apiGroups: [""]
  resources: ["persistentvolumeclaims", "services", "secrets"]
  verbs: ["get", "list", "create", "update", "delete"]
- apiGroups: ["apps"]
  resources: ["statefulsets", "deployments"]
  verbs: ["get", "list", "create", "update", "delete"]
- apiGroups:
  - "networking.istio.io"
  resources:
  - virtualservices
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
---
# needs to be bound for each default service account
apiVersion: rbac.authorization.k8s.io/v1 # v1beta1 was removed in Kubernetes 1.22
kind: RoleBinding
metadata:
  labels:
    app: onepanel
  name: onepanel
  # roleRef is resolved in the RoleBinding's own namespace, so a Role named
  # onepanel must exist in this namespace for the binding to grant anything
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: onepanel
subjects:
- kind: ServiceAccount
  name: default
  namespace: <user-selected-namespace> # replace with relevant namespace