feat(helm): Medcat service - create network policy (#48)

alhendrickson · web-flow · commit 7d18e44f8ae1 · 2026-03-03T16:41:19.000Z
diff --git a/deployment/kubernetes/charts/medcat-service-helm/templates/networkpolicy.yaml b/deployment/kubernetes/charts/medcat-service-helm/templates/networkpolicy.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "medcat-service.fullname" . }}
+  labels:
+    {{- include "medcat-service.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "medcat-service.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+    {{- if .Values.networkPolicy.egress.enabled }}
+    - Egress
+    {{- end }}
+  ingress:
+    - ports:
+        - port: {{ .Values.service.port }}
+  {{- if .Values.networkPolicy.egress.enabled }}
+  egress:
+    {{- toYaml .Values.networkPolicy.egress.egressRules | nindent 4 }}
+  {{- end }}
+{{ end }}
diff --git a/deployment/kubernetes/charts/medcat-service-helm/values.yaml b/deployment/kubernetes/charts/medcat-service-helm/values.yaml
@@ -217,3 +217,19 @@ nodeSelector: {}
 tolerations: []
 
 affinity: {}
+
+networkPolicy:
+  # Choose to create a default network policy blocking all ingress other than to the service port.
+  enabled: true
+  egress:
+    # Choose to block egress by enabling it in the network policy
+    enabled: false
+    # Append any custom egress rules following the standard format
+    egressRules: []
+      # # Example format
+      # - to:
+      #     - podSelector:
+      #         matchLabels:
+      #           app.kubernetes.io/name: model-downloader
+      #   ports:
+      #     - port: 5000
diff --git a/deployment/kubernetes/local_dev_startup.sh b/deployment/kubernetes/local_dev_startup.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-minikube start
+minikube start --cni=calico --cpus=no-limit --memory=no-limit
 minikube addons enable metrics-server
 
 minikube dashboard --url=true &
