appuio · DebakelOrakel · Oct 29, 2025 · Oct 29, 2025
diff --git a/component/standalone.jsonnet b/component/standalone.jsonnet
@@ -98,10 +98,10 @@ local route(instance) = if std.get(params.instances[instance], 'url', '') != ''
     namespace: namespacedName(instance).namespace,
   },
   spec: {
-    rules: [{
+    rules: [ {
       host: params.instances[instance].url,
       http: {
-        paths: [{
+        paths: [ {
           backend: {
             service: {
               name: 'splunk-%s-standalone-service' % namespacedName(instance).name,
@@ -112,14 +112,42 @@ local route(instance) = if std.get(params.instances[instance], 'url', '') != ''
           },
           path: '/',
           pathType: 'Prefix',
-        }],
+        } ],
       },
-    }],
+    } ],
     // tls: [{
     //   hosts: [ 'splunk-traffic-vshn-tdr-infra-prod.apps.ocp4.acrevison.ch' ],
     //   secretName: '%s-tls' % namespacedName(instance).name,
     // }]
-  }
+  },
+};
+
+local netpol(instance) = if std.get(params.instances[instance], 'allowFrom', []) != [] then {
+  apiVersion: 'networking.k8s.io/v1',
+  kind: 'NetworkPolicy',
+  metadata: {
+    annotations: utils.commonAnnotations,
+    labels: utils.commonLabelsWithInstance(namespacedName(instance).name),
+    name: 'splunk-standalone-%s' % namespacedName(instance).name,
+    namespace: namespacedName(instance).namespace,
+  },
+  spec: {
+    podSelector: {},
+    policyTypes: [ 'Ingress' ],
+    ingress: [
+      {
+        from: [ {
+          namespaceSelector: {
+            matchExpressions: [ {
+              operator: 'In',
+              key: 'kubernetes.io/metadata.name',
+              values: params.instances[instance].allowFrom,
+            } ],
+          },
+        } ],
+      },
+    ],
+  },
 };
 
 // RABC
@@ -179,6 +207,7 @@ local namespace(instance) = if std.get(params.instances[instance], 'createNamesp
       namespace(instance),
       standalone(instance),
       route(instance),
+      netpol(instance),
       serviceAccount(instance),
       roleBinding(instance),
     ] + appConfigs(instance))

diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -112,6 +112,24 @@ splunk_operator:
 
 Creates the `Namespace` for the Splunk instance.
 
+=== `instances.{}.allowFrom`
+
+[horizontal]
+type:: list
+default:: []
+example::
++
+[source]
+----
+splunk_operator:
+  instances:
+    my-namespace/my-instance:
+      allowFrom:
+        - openshift-logging
+----
+
+Creates a `NetworkPolicy` allowing ingress from listed namespaces.
+
 === `instances.{}.url`
 
 [horizontal]

diff --git a/tests/forwarder.yml b/tests/forwarder.yml
@@ -14,6 +14,8 @@ parameters:
     instances:
       test1/heavyforwarder:
         createNamespace: true
+        allowFrom:
+          - openshift-logging
         url: my-splunk.example.com
         standalone:
           serviceAccount: splunk-forwarder

diff --git a/tests/golden/forwarder/splunk-operator/splunk-operator/50_instance_test1_heavyforwarder.yaml b/tests/golden/forwarder/splunk-operator/splunk-operator/50_instance_test1_heavyforwarder.yaml
@@ -51,6 +51,31 @@ spec:
             path: /
             pathType: Prefix
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    syn.tools/source: https://github.com/projectsyn/component-splunk-operator.git
+  labels:
+    app.kubernetes.io/component: splunk
+    app.kubernetes.io/instance: heavyforwarder
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/part-of: syn
+  name: splunk-standalone-heavyforwarder
+  namespace: test1
+spec:
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchExpressions:
+              - key: kubernetes.io/metadata.name
+                operator: In
+                values:
+                  - openshift-logging
+  podSelector: {}
+  policyTypes:
+    - Ingress
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata: