projectsyn · DebakelOrakel · May 7, 2026 · May 2, 2026
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -88,6 +88,13 @@ parameters:
         #increase if auth credentials change
         secretVersion: 0
 
+    networkPolicy:
+      enabled: true
+      exposedComponents:
+        - query-frontend
+        - gateway
+      allowedNamespaces: []
+
     ingress:
       enabled: false
       tls:

diff --git a/component/main.jsonnet b/component/main.jsonnet
@@ -45,6 +45,37 @@ local secrets = com.generateResources(
   }
 );
 
+local netpols = kube.NetworkPolicy('allow-from-other-namespaces') {
+  metadata+: {
+    labels+: {
+      'app.kubernetes.io/managed-by': 'commodore',
+      'app.kubernetes.io/name': 'allow-from-other-namespaces',
+    },
+    namespace: params.namespace.name,
+  },
+  spec: {
+    policyTypes: [ 'Ingress' ],
+    [if std.length(params.networkPolicy.exposedComponents) > 0 then 'podSelector']: {
+      matchExpressions: [ {
+        key: 'app.kubernetes.io/component',
+        operator: 'In',
+        values: com.renderArray(params.networkPolicy.exposedComponents),
+      } ],
+    },
+    ingress: [ {
+      from: [ {
+        namespaceSelector: {
+          matchExpressions: [ {
+            key: 'kubernetes.io/metadata.name',
+            operator: 'In',
+            values: com.renderArray(params.networkPolicy.allowedNamespaces),
+          } ],
+        },
+      } ],
+    } ],
+  },
+};
+
 
 // Define outputs below
 {
@@ -70,4 +101,6 @@ local secrets = com.generateResources(
       namespace: params.namespace.name,
     },
   },
+
+  [if params.networkPolicy.enabled && std.length(params.networkPolicy.allowedNamespaces) > 0 then '30_network_policies']: netpols,
 }
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -461,6 +461,80 @@ Zone-aware replication is the replication of data across failure domains.
 Zone-aware replication helps to avoid data loss during a domain outage. Grafana Mimir defines failure domains as zones.
 
 
+== `networkPolicy`
+
+Configure the NetworkPolicy if necessary.
+
+=== `networkPolicy.enabled`
+
+[horizontal]
+type:: boolean
+default::
++
+[source,yaml]
+----
+networkPolicy:
+  enabled: true
+----
+
+Enables or disables NetworkPolicy.
+
+[TIP]
+====
+The networkPolicy will only be deployed if it is `enabled` and has at least 1 entry in `allowedNamespaces`.
+====
+
+=== `networkPolicy.enabled`
+
+[horizontal]
+type:: dict
+default::
++
+[source,yaml]
+----
+networkPolicy:
+  exposedComponents:
+    - query-frontend
+    - gateway
+----
+example::
++
+[source,yaml]
+----
+networkPolicy:
+  exposedComponents:
+    - ~query-frontend
+----
+
+Define what components this NetworkPolicy should allow access to.
+
+The components prefixed with a tilde `~` are removed from the resulting list.
+
+=== `networkPolicy.allowedNamespaces`
+
+[horizontal]
+type:: dict
+default::
++
+[source,yaml]
+----
+networkPolicy:
+  allowedNamespaces: []
+----
+example::
++
+[source,yaml]
+----
+networkPolicy:
+  allowedNamespaces:
+    - vshn-grafana
+----
+
+Define the namespaces that should be able to access this instance.
+
+The namespaces prefixed with a tilde `~` are removed from the resulting list.
+
+
 == `ingress`
 
 Ingress configuration
@@ -474,7 +548,7 @@ If both are enabled, nginx takes precedence.
 === `ingress.enabled`
 
 [horizontal]
-type:: dict
+type:: boolean
 default::
 +
 [source,yaml]

diff --git a/tests/extra-config.yml b/tests/extra-config.yml
@@ -78,6 +78,11 @@ parameters:
       zoneAwareReplication:
         enabled: true
 
+    networkPolicy:
+      enabled: false
+      allowedNamespaces:
+        - vshn-grafana
+
     config:
       tenantFederation: true
       haTracker: true

diff --git a/tests/golden/openshift/openshift/openshift/30_network_policies.yaml b/tests/golden/openshift/openshift/openshift/30_network_policies.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations: {}
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: allow-from-other-namespaces
+    name: allow-from-other-namespaces
+  name: allow-from-other-namespaces
+  namespace: openshift
+spec:
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchExpressions:
+              - key: kubernetes.io/metadata.name
+                operator: In
+                values:
+                  - vshn-grafana
+  policyTypes:
+    - Ingress
diff --git a/tests/openshift.yml b/tests/openshift.yml
@@ -70,6 +70,11 @@ parameters:
       zoneAwareReplication:
         enabled: true
 
+    networkPolicy:
+      ~exposedComponents: []
+      allowedNamespaces:
+        - vshn-grafana
+
     ingress:
       enabled: true
       url: metrics-receive.example.com