# Example of SecurityGroupPolicy that uses Pod labels to determine if a new Pod get a ENI with the specified Security Groups.
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: securitygrouppolicy-sample-podselector
spec:
  podSelector:  # Select eligible Pod using the Pod's label. The result from each item will be ANDed to retrieve final result.
    matchLabels:  # Select Pod with label that exactly match the key and value given below.
      role: db
    matchExpressions: # Select Pod with label that matches the pattern In/NotIn/Exists/DoesNotExist for given key-value pair.
      - key: environment
        operator: In
        values:
          - production
          - qa
  securityGroups:
    groupIds: # List of security groups to be applied to the ENI and assigned to a Pod.
      - sg-07b9fafd9006da7d5
      - sg-f7990sfng33684fad
---
# Example of SecurityGroupPolicy that uses Service Account labels to determine if a new Pod get a ENI with the specified Security Groups.
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: securitygrouppolicy-sample-serviceaccountselector
spec:
  serviceAccountSelector: # Select eligible Pod using the Service Account labels. The result from each item will be ANDed to retrieve final result.
    matchLabels: # Select Service Account with label that exactly match the key and value given below.
      role: db
    matchExpressions: # Select Service Account with label that matches the pattern In/NotIn/Exists/DoesNotExist for given key-value pair.
      - key: environment
        operator: In
        values:
          - production
          - qa
  securityGroups:
    groupIds: # List of security groups to be applied to the ENI and assigned to a Pod.
      - sg-07b9fafd9006da7d5
      - sg-f7990sfng33684fad