From 383e66c2318b24b44f3e9536dcdbe3973a0fb0f8 Mon Sep 17 00:00:00 2001
From: Kevin Lefevre <lefevre.kevin@gmail.com>
Date: Mon, 7 Sep 2020 20:35:56 +0200
Subject: [PATCH] fix: default network policy for admission webhook

Signed-off-by: Kevin Lefevre <lefevre.kevin@gmail.com>
---
 nginx-ingress.tf | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/nginx-ingress.tf b/nginx-ingress.tf
index ac79c14..e8b9ce6 100644
--- a/nginx-ingress.tf
+++ b/nginx-ingress.tf
@@ -13,6 +13,7 @@ locals {
       ingress_cidr           = "0.0.0.0/0"
       chart_version          = "2.15.0"
       version                = "0.35.0"
+      allowed_cidrs          = ["0.0.0.0/0"]
     },
     var.nginx_ingress
   )
@@ -174,6 +175,42 @@ resource "kubernetes_network_policy" "nginx_ingress_allow_ingress" {
   }
 }
 
+resource "kubernetes_network_policy" "nginx_ingress_allow_control_plane" {
+  count = local.nginx_ingress["enabled"] && local.nginx_ingress["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.nginx_ingress.*.metadata.0.name[count.index]}-allow-control-plane"
+    namespace = kubernetes_namespace.nginx_ingress.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+      match_expressions {
+        key      = "app.kubernetes.io/name"
+        operator = "In"
+        values   = ["ingress-nginx"]
+      }
+    }
+
+    ingress {
+      ports {
+        port     = "8443"
+        protocol = "TCP"
+      }
+
+      dynamic "from" {
+        for_each = local.nginx_ingress["allowed_cidrs"]
+        content {
+          ip_block {
+            cidr = from.value
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
 output "nginx_ingress" {
   value = map(
     "name", local.nginx_ingress["name"],