From 58673feeb0fcb17d90aea08195f6a23dbf7708bb Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic
Date: Fri, 13 Mar 2026 12:59:26 +0100
Subject: [PATCH] sidecar

---
 .../policies/auth-sidecar-injector.yaml | 61 ++++++++++++++++++-
 1 file changed, 59 insertions(+), 2 deletions(-)

diff --git a/cluster-resources/policies/auth-sidecar-injector.yaml b/cluster-resources/policies/auth-sidecar-injector.yaml
index 6073325..4d42656 100644
--- a/cluster-resources/policies/auth-sidecar-injector.yaml
+++ b/cluster-resources/policies/auth-sidecar-injector.yaml
@@ -10,7 +10,15 @@ metadata:
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod
 policies.kyverno.io/description: >-
- Injects an auth sidecar container into Pods annotated with policies.forteapps.io/auth: "true". The sidecar proxies requests through a token-based auth layer. If the auth-tokens Secret does not exist in the namespace, an empty one is created to prevent volume mount failures. Upstream URL and image can be overridden via policies.forteapps.io/auth-upstream-url and policies.forteapps.io/auth-image annotations.
+ Injects an auth sidecar container into Pods annotated with
+ policies.forteapps.io/auth: "true". The sidecar proxies requests through
+ a token-based auth layer and a NetworkPolicy is generated to restrict
+ ingress to the sidecar port only. If the auth-tokens Secret does not
+ exist in the namespace, an empty one is created to prevent volume mount
+ failures. Upstream URL and image can be overridden via
+ policies.forteapps.io/auth-upstream-url and
+ policies.forteapps.io/auth-image annotations. When auth-upstream-url is
+ not set, the first containerPort of the first existing container is used.
 spec:
 background: false
 rules:
@@ -32,6 +40,10 @@ spec:
 - argocd
 - cert-manager
 - monitoring
+ context: - name: appPort variable: jmesPath: request.object.spec.containers[0].ports[0].containerPort || `3000`
 mutate:
 patchStrategicMerge:
 spec:
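Review bot: The `appPort` context variable takes `containers[0].ports[0].containerPort` with no check that it differs from the sidecar's own listen port, so a pod whose first container listens on 8080 (the sidecar binds `:8080`, visible in the next hunk) ends up with `AUTH_UPSTREAM_URL` pointing back at the sidecar itself, and the two containers also contend for the same port in the shared network namespace. A precondition on the mutate rule such as `- key: "{{ appPort }}"` / `operator: NotEquals` / `value: 8080` would skip the injection instead of wiring a self-referential proxy; if a silent skip is not acceptable, a separate validate rule that denies such pods is the alternative. `containers[0]` is also simply whichever container is first when this webhook runs, presumably the application container but possibly a sidecar injected by an earlier mutating admission step, so a comment above `context:` stating that assumption would help the next maintainer. The rule this context belongs to starts and ends outside the hunk, and in the copy reviewed here the `- name: appPort`, `variable:` and `jmesPath:` lines carry no `+` marker, so their being additions is inferred from the hunk counts.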
@@ -46,7 +58,7 @@ spec:
 - name: AUTH_LISTEN_ADDR
 value: ":8080"
 - name: AUTH_UPSTREAM_URL
- value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-upstream-url\" || 'http://localhost:3000' }}"
+ value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-upstream-url\" || join('', ['http://localhost:', to_string(appPort)]) }}"
 - name: AUTH_TOKEN_FILE
 value: "/etc/auth/tokens"
 - name: AUTH_MODE
@@ -122,3 +134,48 @@ spec:
 app.kubernetes.io/created-by: inject-auth-sidecar
 type: Opaque
 data: {}
+ - name: generate-auth-network-policy
+ skipBackgroundRequests: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ annotations:
+ policies.forteapps.io/auth: "true"
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - kyverno
+ - argocd
+ - cert-manager
+ - monitoring
+ preconditions:
+ all:
+ - key: "{{ request.operation }}"
+ operator: In
+ value:
+ - CREATE
+ generate:
+ synchronize: false
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: "{{ request.object.metadata.name }}-auth-ingress"
+ namespace: "{{ request.namespace }}"
+ data:
+ metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ app.kubernetes.io/created-by: inject-auth-sidecar
+ spec:
+ podSelector:
+ matchLabels:
+ "{{ request.object.metadata.labels }}"
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - port: 8080
+ protocol: TCP
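Review bot: `matchLabels: "{{ request.object.metadata.labels }}"` in the generated NetworkPolicy copies the pod's entire label map into the selector, so a pod that carries no labels produces an empty podSelector, and an empty podSelector selects every pod in the namespace — the policy would then restrict ingress for all of them to TCP 8080. Guard the generate rule with a precondition that the label map is non-empty, e.g. `key: "{{ length(request.object.metadata.labels) }}"`, `operator: GreaterThan`, `value: 0` (confirm how Kyverno resolves this when `labels` is absent), or select on one specific label rather than the whole map. `name: "{{ request.object.metadata.name }}-auth-ingress"` presumably yields just `-auth-ingress` for pods created by controllers with `generateName`, since the name is assigned after admission; if that holds here, `request.object.metadata.generateName` would need to be the fallback. With `synchronize: false` the per-pod NetworkPolicies are also not removed when their pod goes away, so they will accumulate across rollouts.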