Cluster Policies
Cluster policies are manifests that control communication between Pods, between namespaces, and between the cluster and external networks. They don't install components — they define which connections are allowed or blocked at the platform level.
In the context of installing TDP Kubernetes, these policies are only necessary when the environment imposes connectivity restrictions that affect the functioning of components.
A recurring concept in these policies is egress: the outgoing traffic of a Pod towards services external to the workload itself — such as databases, S3 endpoints, corporate APIs and object storage. Environments with active NetworkPolicies block this traffic by default, requiring each destination to be declared explicitly.
When to consider this adjustment
Consider this adjustment when the cluster adopts active NetworkPolicies or other connectivity rules that may block communication required by TDP components.
Depending on the environment, these policies may need to be applied before or in conjunction with component installation.
Without these rules, TDP components may fail when trying to access:
- external databases
- S3 endpoints and object storage
- corporate services outside the namespace
- other IP ranges released by the environment network
Papel deste YAML no fluxo GitOps
The YAML below is a platform policy manifest. It does not install TDP components and does not replace Application manifests. Its role is to release or restrict communications required by the environment.
NetworkPolicy example
The example below allows internal communication between namespace Pods and releases egress to specific external destinations:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-internal-full-and-external-ip
namespace: <NAMESPACE>
spec:
podSelector: {}
policyTypes:
- Egress
- Ingress
ingress:
- from:
- podSelector: {}
egress:
- to:
- podSelector: {}
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
- to:
- ipBlock:
cidr: x.x.x.0/24
Application
kubectl apply -f allow-internal-full-and-external-ip.yaml
What to review before applying
- The target namespace (
<NAMESPACE>) - The IP ranges released in
ipBlock.cidr - The need to allow communication with
kube-system - Policies already existing in the cluster, to avoid overlapping or involuntary blocking
Where to save in the GitOps repository
To maintain traceability, version this file in the GitOps repository inside a policies/ folder:
tdp-gitops/
├── app-of-apps.yaml
├── apps/
├── values/
└── policies/
└── allow-internal-full-and-external-ip.yaml
These files are not managed by Argo CD as Applications — they are applied directly with kubectl apply -f. Storing them in the repository guarantees a history of changes along with the rest of the platform configuration.