Version 3.0.0

Cluster policies

Cluster policies are manifests that control communication between Pods, between namespaces, and between the cluster and external networks. They do not install components — they define which connections are allowed or blocked at the platform level.

In the context of TDP Kubernetes installation, these policies are only needed when the environment imposes connectivity restrictions that affect component operation.

A recurring concept in these policies is egress: outbound traffic from a Pod toward services outside the workload itself — such as databases, S3 endpoints, corporate APIs, and object storage. Environments with active NetworkPolicies block this traffic by default, requiring each destination to be explicitly declared.

When to consider this adjustment

Consider this adjustment when the cluster uses active NetworkPolicies or other connectivity rules that may block the communication required by TDP components.

Depending on the environment, these policies may need to be applied before component installation or together with it.

Without these rules, TDP components may fail when trying to access:

external databases
S3 and object storage endpoints
corporate services outside the namespace
other IP ranges released by the environment network

Role of this YAML in the GitOps flow

The YAML below is a platform policy manifest. It does not install TDP components and does not replace Application manifests. Its role is to allow or restrict communications required by the environment.

NetworkPolicy example

The example below allows internal communication between Pods in the namespace and releases egress to specific external destinations:

allow-internal-full-and-external-ip.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-internal-full-and-external-ip
  namespace: tdp-project
spec:
  podSelector: {}
  policyTypes:
    - Egress
    - Ingress

  ingress:
    - from:
        - podSelector: {}

  egress:
    - to:
        - podSelector: {}
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system

    - to:
        - ipBlock:
            cidr: x.x.x.0/24

Applying the policy

Terminal input

kubectl apply -f allow-internal-full-and-external-ip.yaml

What to review before applying

The target namespace (tdp-project in the example)
The IP ranges released in ipBlock.cidr
Whether communication with kube-system is required
Existing cluster policies, to avoid overlap or unintended blocks

Where to store in the GitOps repository

To maintain traceability, version this file in the GitOps repository under a policies/ folder:

tdp-gitops/
├── app-of-apps.yaml
├── apps/
├── values/
└── policies/
    └── allow-internal-full-and-external-ip.yaml

These files are not managed by Argo CD as Applications — they are applied directly with kubectl apply -f. Storing them in the repository ensures a change history alongside the rest of the platform configuration.

When to consider this adjustment​

Role of this YAML in the GitOps flow​

NetworkPolicy example​

Applying the policy​

What to review before applying​

Where to store in the GitOps repository​