Add CNP for PMO (#1528)

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Add CNP for prometheus-meta-operator to be able to talk to the api-server in locked-down clusters.
+
 ## [4.67.3] - 2024-02-13
 
 ### Added

helm/prometheus-meta-operator/templates/cilium-network-policy.yaml

@@ -0,0 +1,36 @@
+{{- if .Values.ciliumNetworkPolicy.enabled -}}
+{{- if .Capabilities.APIVersions.Has "cilium.io/v2" -}}
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "resource.default.name" . }}
+  namespace: {{ include "resource.default.namespace" . }}
+  labels:
+    {{- include "labels.common" . | nindent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "labels.selector" . | nindent 6 }}
+  egress:
+    - toEntities:
+      ## Needed to create anything in the MCs.
+      - kube-apiserver
+      ## Needed to set remote write informations.
+      - cluster
+      ## Needed to access opsgenie and create heartbeats.
+      - world
+  ingress:
+    - fromEntities:
+      - cluster
+      toPorts:
+      - ports:
+        - port: "8000"
+          protocol: "TCP"
+        rules:
+          http:
+          - method: "GET"
+            path: "/metrics"
+          - method: "GET"
+            path: "/healthz"
+{{ end }}
+{{ end }}