From 167cf89091cc828226ad4219c26c44d811fdc263 Mon Sep 17 00:00:00 2001
From: Jonathan Yu <jonathan@coder.com>
Date: Tue, 31 Aug 2021 23:54:08 +0000
Subject: [PATCH] feat: add network policy for workspaces

---
 templates/networkpolicies.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 templates/networkpolicies.yaml

diff --git a/templates/networkpolicies.yaml b/templates/networkpolicies.yaml
new file mode 100644
index 00000000..a70c4e86
--- /dev/null
+++ b/templates/networkpolicies.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: ingress-deny-all
+  namespace: {{ .Release.Namespace }}
+spec:
+  # Deny all ingress traffic for workspace pods. The coder agent initiates
+  # all network traffic (TURN-over-HTTPS or STUN)
+  podSelector:
+    matchLabels:
+      com.coder.resource: "true"
+  policyTypes:
+    - Ingress
+  ingress: []