From 5e9fedb195261cec2bea39349a85c1f7214cb6d0 Mon Sep 17 00:00:00 2001
From: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>
Date: Sun, 1 May 2022 09:32:25 +0200
Subject: [PATCH] Add kserve networkpolicy (#2189)

* Create kserve

* Rename kserve to kserve.yaml

* Update kustomization.yaml
---
 contrib/networkpolicies/kserve.yaml        | 21 +++++++++++++++++++++
 contrib/networkpolicies/kustomization.yaml |  1 +
 2 files changed, 22 insertions(+)
 create mode 100644 contrib/networkpolicies/kserve.yaml

diff --git a/contrib/networkpolicies/kserve.yaml b/contrib/networkpolicies/kserve.yaml
new file mode 100644
index 0000000000..9ce467f472
--- /dev/null
+++ b/contrib/networkpolicies/kserve.yaml
@@ -0,0 +1,21 @@
+
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: kserve
+  namespace: kubeflow
+spec:
+  podSelector:
+    matchExpressions:
+      - key: control-plane
+        operator: In
+        values:
+          - kserve-controller-manager # mutating webhook
+  # https://www.elastic.co/guide/en/cloud-on-k8s/1.1/k8s-webhook-network-policies.html
+  # The kubernetes api server must reach the webhook
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 9443
+  policyTypes:
+    - Ingress
diff --git a/contrib/networkpolicies/kustomization.yaml b/contrib/networkpolicies/kustomization.yaml
index 48ba33a7d2..4a566f06a1 100644
--- a/contrib/networkpolicies/kustomization.yaml
+++ b/contrib/networkpolicies/kustomization.yaml
@@ -12,6 +12,7 @@ resources:
   - kfserving-models-web-app.yaml
   - kfserving.yaml
   - kserve-models-web-app.yaml
+  - kserve.yaml
   - metadata-grpc-server.yaml
   - minio.yaml
   - ml-pipeline-ui.yaml