From 0c52466f2decdfed5f829447b6de40123ef19645 Mon Sep 17 00:00:00 2001
From: Przemyslaw Roguski
Date: Thu, 30 Apr 2026 19:13:17 +0200
Subject: [PATCH] Add optional default-deny NetworkPolicy template.

---
templates/default-deny-network-policy.yaml | 12 ++++++++++++
values.yaml | 9 +++++++++
2 files changed, 21 insertions(+)
create mode 100644 templates/default-deny-network-policy.yaml

diff --git a/templates/default-deny-network-policy.yaml b/templates/default-deny-network-policy.yaml
new file mode 100644
index 0000000..6793640
--- /dev/null
+++ b/templates/default-deny-network-policy.yaml
@@ -0,0 +1,12 @@
+{{- if eq (.Values.defaultDenyNetworkPolicy.enabled | toString) "true" }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-in-namespace-{{ .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+{{- end }}
diff --git a/values.yaml b/values.yaml
index f90621f..123ed23 100644
--- a/values.yaml
+++ b/values.yaml
@@ -7,6 +7,15 @@ global:
 # -- The DNS entry for the cluster the chart is being rendered on with the apps. prefix
 localClusterDomain: apps.foo.cluster.com
 
+# -- Default-deny NetworkPolicy for the vault namespace
+# When enabled, deploys a namespace-wide NetworkPolicy that blocks all ingress and
+# egress for pods without an explicit allow policy. Patterns that need zero-trust
+# network isolation should enable this and provide per-pod allow rules via
+# vault.server.networkPolicy.
+# @default -- false
+defaultDenyNetworkPolicy:
+ enabled: false
+
 # -- A number of settings passed down to the vault subchart
 # @default -- depends on the individual settings
 vault:
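Review bot: `namespace: {{ .Release.Namespace }}` in the new template is an unquoted templated scalar, so a release namespace whose name is a YAML 1.1 boolean or null token (`no`, `on`, `off`, `y`, `n`, `null` are all valid DNS-1123 labels) renders as a non-string and the manifest fails validation; write `namespace: {{ .Release.Namespace | quote }}`. The `name:` line is safe because its prefix makes the value start with letters. A header comment would also help readers of the rendered object understand its blast radius, since `podSelector: {}` selects every pod in the release namespace, not only those this chart manages: `# Applies to ALL pods in the release namespace; pods from other charts in this namespace are isolated too unless they carry their own allow policy.` The guard `eq (.Values.defaultDenyNetworkPolicy.enabled | toString) "true"` handles both bool and string overrides, which is fine, but it errors at render time if a values override sets `defaultDenyNetworkPolicy` itself to null — worth a short note in the template or in values.yaml if that is an accepted trade-off.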
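Review bot: The values.yaml description omits the two facts operators most often trip over with a namespace-wide `Egress` deny: DNS resolution stops for every pod in the namespace until an allow rule permits traffic to the cluster DNS service (UDP/TCP 53), and the object is only enforced when the cluster CNI implements NetworkPolicy — otherwise it is accepted by the API server and silently does nothing, which gives a false sense of isolation. I would add after the existing paragraph: `# Note: egress deny also blocks DNS; per-pod allow rules must permit cluster DNS (UDP/TCP 53). Enforcement requires a CNI that implements NetworkPolicy.` Separately, if helm-docs is the consumer of the `# --`/`# @default` annotations, `# @default -- false` sits on the `defaultDenyNetworkPolicy` mapping key rather than on `enabled`, so the generated table may describe the object's default as `false`; moving that annotation to the `enabled` line, or adding `# -- Enable the default-deny policy` above `enabled: false`, would document the actual toggle.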