NetworkPolicy Profile

A NetworkPolicy profile is a named preset that expands into a complete set of ingress/egress rules and policy types at reconcile time.

You write a profile name. Orkestra writes the rules.


Profiles

Profile               Ingress              Egress                Use case
deny-all              Blocked              Blocked               Baseline isolation — no traffic in or out
deny-all-ingress      Blocked              Unmanaged             Block all inbound, leave egress open
deny-all-egress       Unmanaged            Blocked               Block all outbound, leave ingress open
allow-same-namespace  Same namespace only  Unmanaged             Allow pods within the namespace to talk to each other
allow-dns-egress      Unmanaged            UDP/TCP port 53 only  Allow DNS resolution (combine with other policies)

Usage

Set profile on any networkPolicies entry:

onCreate:
  networkPolicies:
    - name: "{{ .metadata.name }}-baseline"
      podSelector: {}
      profile: deny-all
      reconcile: true

Profiles compose by declaring multiple policies:

onCreate:
  networkPolicies:
    - name: "{{ .metadata.name }}-deny-all"
      podSelector: {}
      profile: deny-all
      reconcile: true
    - name: "{{ .metadata.name }}-allow-dns"
      podSelector: {}
      profile: allow-dns-egress
      reconcile: true

This is the standard layered approach: start with deny-all, then add back only what the workload needs.


How deny-all works

Kubernetes interprets an empty ingress or egress slice as “block all”. The deny-all profile sets:

policyTypes:
  - Ingress
  - Egress
ingress: []
egress: []

The explicit policyTypes declaration is required — without it, an empty egress slice does not block egress traffic.


Rules

Profile or explicit — not both.

profile and the explicit ingress/egress/policyTypes fields are mutually exclusive on a NetworkPolicy entry. If both are set anyway, the profile takes precedence and the explicit fields are ignored.

podSelector is independent of profile.

The profile only sets the traffic rules. You still control which pods the policy applies to via podSelector. An empty map ({}) selects all pods in the namespace.

networkPolicies:
  - name: deny-all
    podSelector: {}          # applies to all pods
    profile: deny-all

  - name: deny-worker-egress
    podSelector:
      role: worker           # applies only to pods with role=worker
    profile: deny-all-egress

Unknown profiles log a warning and skip the resource; a typo does not cause a reconcile failure. Because a skipped policy is never created, check the reconcile log after adding a profile: a misspelled deny-all leaves the selected pods unrestricted.
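The profile expansion and the precedence rules from this section and from "How deny-all works", as an added Go example that is not Orkestra's own code. The Rule and Spec types, the "PROTO/port" encoding of ports and the log messages are assumptions made for the example.

```go
package main

import ("fmt"; "log")

// Hand-written stand-ins for the NetworkPolicySpec fields this page uses (a real
// controller would use k8s.io/api/networking/v1). FromSameNamespace stands in for a
// `from: [{podSelector: {}}]` peer; Ports holds "PROTO/port" entries (empty = any).
// A nil Ingress/Egress slice means "unmanaged"; a non-nil empty slice means "block all".
type Rule struct{ FromSameNamespace bool; Ports []string }
type Spec struct{ PolicyTypes []string; Ingress, Egress []Rule }

// expandProfile maps a profile name to the rule set in the Profiles table.
func expandProfile(profile string) (Spec, error) {
	block := []Rule{} // non-nil and empty: Kubernetes reads this as "block all"
	switch profile {
	case "deny-all":
		return Spec{PolicyTypes: []string{"Ingress", "Egress"}, Ingress: block, Egress: block}, nil
	case "deny-all-ingress":
		return Spec{PolicyTypes: []string{"Ingress"}, Ingress: block}, nil
	case "deny-all-egress":
		return Spec{PolicyTypes: []string{"Egress"}, Egress: block}, nil
	case "allow-same-namespace":
		return Spec{PolicyTypes: []string{"Ingress"}, Ingress: []Rule{{FromSameNamespace: true}}}, nil
	case "allow-dns-egress":
		return Spec{PolicyTypes: []string{"Egress"}, Egress: []Rule{{Ports: []string{"UDP/53", "TCP/53"}}}}, nil
	}
	return Spec{}, fmt.Errorf("unknown profile %q", profile)
}

// resolve applies the page's rules to one entry: a profile overrides explicit fields
// (with a warning), and an unknown profile is skipped (skip=true), not a reconcile error.
func resolve(name, profile string, explicit Spec) (Spec, bool) {
	if profile == "" {
		return explicit, false // no profile: the explicit fields are used as written
	}
	if explicit.PolicyTypes != nil || explicit.Ingress != nil || explicit.Egress != nil {
		log.Printf("warn: %s: profile %q set, ignoring explicit ingress/egress/policyTypes", name, profile)
	}
	spec, err := expandProfile(profile)
	if err != nil {
		log.Printf("warn: %s: %v, skipping resource", name, err)
		return Spec{}, true
	}
	return spec, false
}

func main() {
	fmt.Println(resolve("demo-baseline", "deny-all", Spec{})) // constructed usage
}
```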


Choosing a profile

Situation                                      Profile
New namespace — start locked down              deny-all
Block inbound only, egress already managed     deny-all-ingress
Block outbound only                            deny-all-egress
Services in the same namespace need to talk    allow-same-namespace
Workload needs DNS (after deny-all)            allow-dns-egress
Custom traffic rules                           Omit profile, use ingress/egress directly