From 11d20afd2719f5082c8b9d4ea77767181fede545 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Tue, 20 Oct 2020 11:26:45 +0200 Subject: [PATCH] docs: add schema.yaml entries for networkPolicy configuration --- jupyterhub/schema.yaml | 47 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/jupyterhub/schema.yaml b/jupyterhub/schema.yaml index 5100f22976..f0814ce4df 100644 --- a/jupyterhub/schema.yaml +++ b/jupyterhub/schema.yaml 
@@ -191,6 +191,50 @@ properties: pullSecrets: - my-k8s-secret-with-image-registry-credentials ``` + networkPolicy: &networkPolicy-spec + type: object + description: | + This configuration regards the creation and configuration of a k8s + _NetworkPolicy resource_. + properties: + enabled: + type: bool + description: | + Toggle the creation of the NetworkPolicy resource for this pod. + ingress: + type: list + description: | + Additional ingress rules to add. + egress: + type: list + description: | + Additional egress rules to add. + interNamespaceAccessLabels: + type: string + enum: + - accept + - ignore + description: | + This configuration option determines if both namespaces and pods + in other namespaces that have specific access labels, should be + accepted to allow ingress (set to `accept`), or, if the labels are + to be ignored when applied outside the local namespace (set to + `ignore`). + + The available access labels for respective NetworkPolicy resources + are: + + - `hub.jupyter.org/network-access-hub: "true"` (hub) + - `hub.jupyter.org/network-access-proxy-http: "true"` (proxy.chp, proxy.traefik) + - `hub.jupyter.org/network-access-proxy-api: "true"` (proxy.chp) + - `hub.jupyter.org/network-access-singleuser: "true"` (singleuser) + allowedIngressPorts: + type: list + description: | + A rule to allow ingress on these ports will be added no matter + what the origin of the request is. The default setting for + `proxy.chp` and `proxy.traefik`'s networkPolicy configuration is + `[http, https]`, while it is `[]` for other networkPolicies. db: type: object properties: @@ -535,6 +579,7 @@ properties: Configure the configurable-http-proxy (chp) pod managed by jupyterhub to route traffic both to itself and to user pods. properties: + networkPolicy: *networkPolicy-spec extraCommandLineFlags: type: list description: | 
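Review bot: The `allowedIngressPorts` description says ingress is allowed "no matter what the origin of the request is" but never connects that to the access labels documented just above it, so a reader can miss that any port listed there is exempt from the label-based restriction that `interNamespaceAccessLabels` controls. I would append a sentence to that description such as `Ports listed here are not subject to the access-label checks, so list only ports meant to be reachable from any source.` The `interNamespaceAccessLabels` description should also name which enum value is the default and note that `accept` extends trust to whoever can set those labels on pods or namespaces elsewhere in the cluster. Lastly, `type: bool` on `enabled` is not a spelling visible in the surrounding context (which shows `type: list` and `type: object`), so it is worth confirming it matches what the rest of the file and its consumer expect.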
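Review bot: The alias `networkPolicy: *networkPolicy-spec` added under the chp `properties:` shares one description with the anchor defined in the first hunk, so the text cannot say what this component's policy allows by default. The same applies to the aliases added in the two later hunks, in what appear to be the traefik and singleuser sections. The anchored text says "for this pod" and lists the access labels of all four components, which leaves a reader of one section to work out which label and which default ports apply there. A comment at the anchor, e.g. `# shared via *networkPolicy-spec by proxy.chp, proxy.traefik and singleuser`, would make the reuse visible to whoever edits it next. The reuse also assumes every consumer of schema.yaml resolves YAML aliases, which the hunk does not show, and the enclosing `properties:` block continues outside the hunk.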
@@ -799,6 +844,7 @@ properties: description: | Configure the traefik proxy used to terminate TLS when 'autohttps' is enabled properties: + networkPolicy: *networkPolicy-spec extraEnv: type: object description: | @@ -873,6 +919,7 @@ properties: description: | Options for customizing the environment that is provided to the users after they log in. properties: + networkPolicy: *networkPolicy-spec podNameTemplate: type: string description: |