Add network policies to helm chart

Consider adding network policies as an opt-in feature of this helm chart. With some templating this could be handled gracefully and made configurable.
Considerations:

Default deny (baseline deny all):

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress: []
  egress: []
```
DNS egress (allows the tunnel ingress options to target k8s DNS names, e.g. nginx.nginx.svc.cluster.local:443):

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
spec:
  podSelector: {}
  policyTypes:
    - Egress
  # Allow access to DNS
  egress:
    - to:
        - namespaceSelector: {}
      ports:
        - port: 53
          protocol: UDP
```
Egress to target pods:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-tunnel-egress
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: nginx
          podSelector:
            matchLabels:
              app: nginx
      ports:
        - port: 8443
```
Public egress (to Cloudflare; still needs more definitive targeting than 0.0.0.0/0):

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-public-egress
spec:
  # https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/install-and-setup/ports-and-ips/
  podSelector: {}
  policyTypes:
    - Egress
    # Ingress is listed with no ingress rules, so the selected pods also get deny-all ingress
    - Ingress
  egress:
    - ports:
        - protocol: TCP
          port: 443
        - protocol: UDP
          port: 7844
        - protocol: TCP
          port: 7844
      to:
        - ipBlock:
            cidr: 0.0.0.0/0
```
This is currently working for my test - hopefully I haven't overlooked anything critical.
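One way the opt-in templating could look, as an added sketch that is not part of this issue or the chart: a single `templates/networkpolicy.yaml` that folds the DNS, origin-pod and Cloudflare egress rules above into one policy scoped to the chart's own pods. It assumes hypothetical values keys `networkPolicy.enabled`, `networkPolicy.egress.origins` (a list of `{namespace, podLabels, port, protocol}`) and `networkPolicy.egress.cloudflareCidrs` (a list of CIDRs, `0.0.0.0/0` until the published ranges are filled in), a hypothetical `chart.selectorLabels` helper standing in for this chart's real one, and cluster DNS pods carrying the usual `k8s-app: kube-dns` label in `kube-system`.

```yaml
{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-egress
spec:
  podSelector:
    matchLabels:
      {{- include "chart.selectorLabels" . | nindent 6 }}
  policyTypes:
    - Egress
  egress:
    # Cluster DNS only, instead of port 53 to every namespace
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
    # One rule per origin service the tunnel's ingress rules point at
    {{- range .Values.networkPolicy.egress.origins }}
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: {{ .namespace }}
          podSelector:
            matchLabels:
              {{- toYaml .podLabels | nindent 14 }}
      ports:
        - port: {{ .port }}
          protocol: {{ .protocol | default "TCP" }}
    {{- end }}
    # Outbound to the Cloudflare edge on the documented ports
    - to:
        {{- range .Values.networkPolicy.egress.cloudflareCidrs }}
        - ipBlock:
            cidr: {{ . }}
        {{- end }}
      ports:
        - port: 443
          protocol: TCP
        - port: 7844
          protocol: UDP
        - port: 7844
          protocol: TCP
{{- end }}
```

With `networkPolicy.enabled: false` as the values default, existing installs render nothing and keep today's behaviour; `helm template` against a values file with the keys above is enough to check the output before enabling it.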