From a6700cc3ba294dfcdd01a7552861877149e54ae4 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Fri, 17 Nov 2023 10:07:25 +0800
Subject: [PATCH] fix(csi-addons): netpol egress rook-ceph rbdplugin
---
 kube/deploy/core/storage/_csi-addons/netpol.yaml | 9 +++++++++
 kube/deploy/core/storage/rook-ceph/app/netpol.yaml | 4 ++++
 2 files changed, 13 insertions(+)
diff --git a/kube/deploy/core/storage/_csi-addons/netpol.yaml b/kube/deploy/core/storage/_csi-addons/netpol.yaml
index 0f80ddc2..8d9a29b2 100644
--- a/kube/deploy/core/storage/_csi-addons/netpol.yaml
+++ b/kube/deploy/core/storage/_csi-addons/netpol.yaml
@@ -8,5 +8,14 @@ metadata:
 spec:
 endpointSelector: {}
 egress:
+ # allow access to apiserver
 - toEntities:
 - kube-apiserver
+ # allow access to Rook-Ceph's rbdplugin which has csi-addons listener
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: "rook-ceph"
+ app: "csi-rbdplugin"
+ toPorts:
+ - ports:
+ - port: "9070"
\ No newline at end of file
diff --git a/kube/deploy/core/storage/rook-ceph/app/netpol.yaml b/kube/deploy/core/storage/rook-ceph/app/netpol.yaml
index f87b6da7..6e13a04d 100644
--- a/kube/deploy/core/storage/rook-ceph/app/netpol.yaml
+++ b/kube/deploy/core/storage/rook-ceph/app/netpol.yaml
@@ -15,6 +15,10 @@ spec:
 # external Ceph cluster
 - fromCIDRSet:
 - cidr: "${IP_PVE_CEPH_CIDR}"
+ # csi-addons
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: "csi-addons-system"
 egress:
 # same namespace
 - toEndpoints:
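Review bot: The new `toPorts` entry in the csi-addons egress rule gives `port: "9070"` with no `protocol`, and Cilium treats an omitted protocol as ANY, so the rule admits UDP and SCTP to that port as well as TCP; add `protocol: TCP` under the port if the listener is TCP-only. The `toEndpoints` selector also only matches pods that carry a Cilium endpoint identity, so if the csi-rbdplugin pods run with host networking (not visible in this diff) the rule would not match them and the traffic would need an entity-based rule instead; checking a flow log after rollout would confirm which case applies. The policy's metadata starts outside the hunk, and the file now ends without a trailing newline.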
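Review bot: The added `fromEndpoints` rule admits every pod in `csi-addons-system` on every port of whatever this policy selects, while the matching egress rule in `_csi-addons/netpol.yaml` is scoped to `app: "csi-rbdplugin"` on port 9070. The ingress side should carry the same port restriction, so that a workload in that namespace cannot reach the other Ceph daemon ports; this assumes 9070 is the only port csi-addons needs. The policy's `endpointSelector` lies outside the hunk, so whether it covers the whole rook-ceph namespace is an inference; if it does, a separate policy selecting only `app: csi-rbdplugin` would be tighter still.

```yaml
    # csi-addons
    - fromEndpoints:
        # … unchanged: matchLabels for the csi-addons-system namespace …
      toPorts:
        - ports:
            - port: "9070"
              protocol: TCP
```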