clean up?

chart/templates/network-policy/egress-default-deny.yml → chart/templates/network-policy/egress-default-deny.yaml

@@ -2,7 +2,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: default-deny-egress
+  name: egress-default-deny
   namespace: "{{ .Release.Namespace }}"
 spec:
   podSelector: {}

chart/templates/network-policy/egress-gateway-external.yml → chart/templates/network-policy/egress-gateway-external.yaml

@@ -3,7 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   # Note: This is not used currently since we don't have an egress gateway
-  name: egress-gateway-allow-external-traffic
+  name: egress-gateway-traffic-to-external
   namespace: "{{ .Release.Namespace }}"
 spec:
   egress:

chart/templates/network-policy/egress-virtual-services.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: egress-virtual-services
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  # Since we don't know what apps may have VS and what ports they are on, allow to all namespaces, any ports
+  egress:
+    - to:
+      - namespaceSelector: {}
+  podSelector:
+    matchLabels:
+      istio: ingressgateway
+  policyTypes:
+    - Egress
+{{- end }}

chart/templates/network-policy/ingress-default-deny.yml → chart/templates/network-policy/ingress-default-deny.yaml

@@ -2,7 +2,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: default-deny-ingress
+  name: ingress-default-deny
   namespace: "{{ .Release.Namespace }}"
 spec:
   podSelector: {}

chart/templates/network-policy/ingress-gateway-external.yml → chart/templates/network-policy/ingress-gateway-external.yaml

@@ -2,7 +2,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: ingress-gateway-allow-external-traffic
+  name: ingress-external-traffic-to-gateway
   namespace: "{{ .Release.Namespace }}"
 spec:
   ingress:

chart/templates/network-policy/ingress-istio-enabled-ns.yml → chart/templates/network-policy/ingress-istio-enabled-ns.yaml

@@ -2,7 +2,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: ingress-injection-enabled-ns
+  name: ingress-istio-injected-ns
   namespace: "{{ .Release.Namespace }}"
 spec:
   ingress:
@@ -15,7 +15,7 @@ spec:
           protocol: TCP
   podSelector:
     matchLabels:
-      app: istiod
+      istio: pilot
   policyTypes:
     - Ingress
     - Egress

chart/templates/network-policy/ingress-istio-enabled-pod.yml → chart/templates/network-policy/ingress-istio-enabled-pod.yaml

@@ -2,7 +2,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: gateway-istio-enabled-pods
+  name: ingress-istio-injected-pods
   namespace: "{{ .Release.Namespace }}"
 spec:
   ingress:
@@ -16,7 +16,7 @@ spec:
           protocol: TCP
   podSelector:
     matchLabels:
-      app: istiod
+      istio: pilot
   policyTypes:
     - Ingress
     - Egress

chart/templates/network-policy/ingress-monitoring-istiod.yml → chart/templates/network-policy/ingress-monitoring-istiod.yaml

@@ -2,7 +2,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: ingress-istiod-allow-metric-scraping
+  name: ingress-metric-scraping
   namespace: "{{ .Release.Namespace }}"
 spec:
   ingress:
@@ -18,7 +18,7 @@ spec:
           protocol: TCP
   podSelector:
     matchLabels:
-      app: istiod
+      istio: pilot
   policyTypes:
     - Ingress
 {{- end }}

chart/templates/network-policy/ingress-webhook.yml → chart/templates/network-policy/ingress-webhook.yaml

@@ -2,12 +2,12 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: ingress-allow-webhook-api
+  name: ingress-webhook
   namespace: {{ .Release.Namespace }}
 spec:
   podSelector:
     matchLabels:
-      app: istiod
+      istio: pilot
   ingress:
     - from:
       - ipBlock: