apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: example
  namespace: default
  labels:
    app.kubernetes.io: example
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: example
  template:
    metadata:
      labels:
        app.kubernetes.io/name: example
    spec:
      automountServiceAccountToken: false
      securityContext:
        runAsUser: 405
        runAsGroup: 100
      containers:
      - name: socat
        image: docker.io/alpine/socat:1.7.4.3-r1
        args:
        - "TCP-LISTEN:8080,reuseaddr,fork"
        - "EXEC:echo -e 'HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n$(NODE_IP) $(POD_NAMESPACE)/$(POD_NAME)\r\n'"
        ports:
        - containerPort: 8080
          name: http
        env:
        - name: NODE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        readinessProbe:
          initialDelaySeconds: 2
          periodSeconds: 10
          httpGet:
            path: /
            port: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: example
  namespace: default
spec:
  type: NodePort
  selector:
    app.kubernetes.io/name: example
  ports:
  - name: http
    protocol: TCP
    port: 80
    nodePort: 30096
    targetPort: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example
spec:
  rules:
  - host: "example.com"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: example
            port:
              name: http
---
# Allow access to example backend from traefik ingress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-to-backend-example
  namespace: default
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: example
  ingress:
  - ports:
    - port: 8080
      protocol: TCP
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          app.kubernetes.io/name: traefik
  policyTypes:
  - Ingress
---
# Allow access to example backend from outside the cluster via nodeport service
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nodeport-to-backend-example
  namespace: default
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: example
  ingress:
  - ports:
    - port: 8080
      protocol: TCP
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
          - 10.42.0.0/16
          - 10.43.0.0/16
  policyTypes:
  - Ingress