diff --git a/apps/charts/cilium/.helmignore b/apps/charts/cilium/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/apps/charts/cilium/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/apps/charts/cilium/Chart.yaml b/apps/charts/cilium/Chart.yaml
new file mode 100644
index 00000000..68b10e69
--- /dev/null
+++ b/apps/charts/cilium/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: cilium
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
diff --git a/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-applicationset-ingress.yaml b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-applicationset-ingress.yaml
new file mode 100644
index 00000000..1678e7a3
--- /dev/null
+++ b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-applicationset-ingress.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-applicationset-ingress
+ namespace: argocd
+spec:
+ description: Allow access from the ingress controller
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/component: applicationset-controller
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress-nginx
diff --git a/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-argo-notifications.yaml b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-argo-notifications.yaml
new file mode 100644
index 00000000..045dbc56
--- /dev/null
+++ b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-argo-notifications.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-argo-notifications
+ namespace: argocd
+spec:
+ description: Allow access to the ArgoCD Notifications
+ egress:
+ - toFQDNs:
+ - matchName: slack.com
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/component: notifications-controller
diff --git a/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml
new file mode 100644
index 00000000..0af071b5
--- /dev/null
+++ b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml
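Review bot: The `ingress` rule of allow-applicationset-ingress has no `toPorts`, so any pod in the `ingress-nginx` namespace can reach the applicationset-controller on every port, not only the webhook it exposes. Add a `toPorts` entry to the same rule, `toPorts: - ports: - port: "<APPLICATIONSET_WEBHOOK_PORT>" protocol: TCP` (placeholder; take the value from the deployed Argo CD chart) — the argocd allow-kube-api and allow-prometheus-metrics-rollout hunks show the intended shape. The same L3-only pattern, which turns each policy into an any-port allow for the selected peer, recurs in allow-argo-notifications, allow-argo-repo-access(-applicationset), allow-chartmuseum-ingress, allow-image-updater-repo-access, allow-ingress, allow-microsoft-sso, the cert-manager allow-api-server(-to-cert-manager) and allow-world-traffic policies, allow-remote-node-to-jaeger, allow-csi-webhook, allow-hubble-ingress, allow-hubble-oauth2-ingress, and the ingress-nginx and kube-system allow-host-traffic, allow-hubble-traffic and allow-s3-traffic policies.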
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-argo-repo-access-applicationset
+ namespace: argocd
+spec:
+ description: Allow access to the ArgoCD repo Applicationset
+ egress:
+ - toEntities:
+ - world
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/component: applicationset-controller
diff --git a/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-argo-repo-access.yaml b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-argo-repo-access.yaml
new file mode 100644
index 00000000..6e2b7e04
--- /dev/null
+++ b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-argo-repo-access.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-argo-repo-access
+ namespace: argocd
+spec:
+ description: Allow access to the ArgoCD repo server
+ egress:
+ - toEntities:
+ - world
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/component: repo-server
diff --git a/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml
new file mode 100644
index 00000000..5f030377
--- /dev/null
+++ b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-chartmuseum-ingress
+ namespace: argocd
+spec:
+ description: Allow access to the chartmuseum ingress
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: chartmuseum
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress-nginx
diff --git a/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml
new file mode 100644
index 00000000..1534b3c8
--- /dev/null
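Review bot: allow-argo-repo-access-applicationset and allow-argo-repo-access grant `toEntities: world` with no port restriction, which lets the applicationset-controller and the repo-server open any outbound connection to any non-cluster address — far more than Git and Helm fetches need. The chart already resolves FQDNs through the Cilium DNS proxy (clusterwide allow-dns) and templates S3 hosts from `.Values.s3.*`, so the same approach fits here: `toFQDNs` entries for the repository hosts driven from values, plus `toPorts` limited to TCP 443 (and 22 only if SSH remotes are in use). If world egress is genuinely required, at least pin the ports. The description `Allow access to the ArgoCD repo Applicationset` would read better as `Allow the applicationset-controller to fetch repositories`.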
+++ b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-image-updater-repo-access
+ namespace: argocd
+spec:
+ description: Allow argoCD image updater to access github container registry
+ egress:
+ - toFQDNs:
+ - matchName: ghcr.io
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: argocd-image-updater
diff --git a/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-ingress.yaml b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-ingress.yaml
new file mode 100644
index 00000000..2096eaae
--- /dev/null
+++ b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-ingress.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-ingress
+ namespace: argocd
+spec:
+ description: Allow access from the ingress controller
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/component: server
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress-nginx
diff --git a/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-kube-api.yaml b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-kube-api.yaml
new file mode 100644
index 00000000..40045bb8
--- /dev/null
+++ b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-kube-api.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-kube-api
+ namespace: argocd
+spec:
+ description: Allow access to the Kube API server
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels: {}
diff --git a/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-microsoft-sso.yaml b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-microsoft-sso.yaml
new file mode 100644
index 00000000..e68b04d2
--- /dev/null
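Review bot: allow-kube-api's `endpointSelector: matchLabels: {}` selects every pod in the `argocd` namespace, so workloads that never talk to the control plane — the chartmuseum pod this chart selects in allow-chartmuseum-ingress, for instance — also receive egress to the API server. Narrowing the selector to the Argo controllers, e.g. `matchLabels: app.kubernetes.io/instance: argocd`, would keep this policy aligned with the cnpg, kafka and kube-downscaler allow-api-server hunks, which select the operator's own labels. The same empty selector is used for API-server egress in cert-manager allow-api-server, cilium-spire allow-api-server and jaeger allow-kube-api.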
+++ b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-microsoft-sso.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-microsoft-sso
+ namespace: argocd
+spec:
+ description: Allow argoCD dex server to authenticate to microsoft online azure oatuh
+ egress:
+ - toFQDNs:
+ - matchName: login.microsoftonline.com
+ - matchPattern: '*.microsoftonline.com'
+ - matchName: github.com
+ - matchName: api.github.com
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: argocd-dex-server
diff --git a/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml
new file mode 100644
index 00000000..ebfed5bd
--- /dev/null
+++ b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-prometheus-metrics-rollout
+ namespace: argocd
+spec:
+ description: Allow access to the Prometheus metrics
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: argo-rollouts
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: prometheus
+ toPorts:
+ - ports:
+ - port: "8090"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml
new file mode 100644
index 00000000..f8f81286
--- /dev/null
+++ b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml
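Review bot: The description of allow-microsoft-sso has a typo (`oatuh` → `OAuth`), and a policy with that name also opens egress to `github.com` and `api.github.com`, which nobody looking for the GitHub connector's rules will find here. Either rename it (e.g. `allow-dex-idp-egress`) or move the GitHub destinations into their own policy with a description of their own. `matchName: login.microsoftonline.com` is already covered by `matchPattern: '*.microsoftonline.com'`, so one of the two can go, and as with the other FQDN policies a `toPorts` entry for TCP 443 would keep this to HTTPS.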
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-prometheus-metrics-workflows
+ namespace: argocd
+spec:
+ description: Allow access to the Prometheus metrics
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: argo-workflows
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: prometheus
+ toPorts:
+ - ports:
+ - port: "9090"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
new file mode 100644
index 00000000..a1b0f86f
--- /dev/null
+++ b/apps/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
@@ -0,0 +1,30 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-prometheus-metrics
+ namespace: argocd
+spec:
+ description: Allow access to the Prometheus metrics
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: argocd
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: prometheus
+ toPorts:
+ - ports:
+ - port: "8082"
+ protocol: TCP
+ - port: "8080"
+ protocol: TCP
+ - port: "9001"
+ protocol: TCP
+ - port: "9121"
+ protocol: TCP
+ - port: "8084"
+ protocol: TCP
+ - port: "8083"
+ protocol: TCP
+ - port: "5558"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/cert-manager/CiliumNetworkPolicy-allow-api-server-to-cert-manager.yaml b/apps/charts/cilium/templates/cert-manager/CiliumNetworkPolicy-allow-api-server-to-cert-manager.yaml
new file mode 100644
index 00000000..7ff9859e
--- /dev/null
+++ b/apps/charts/cilium/templates/cert-manager/CiliumNetworkPolicy-allow-api-server-to-cert-manager.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-api-server-to-cert-manager
+ namespace: cert-manager
+spec:
+ description: Allow the API server to communicate with the cert-manager pods
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: cert-manager
+ ingress:
+ - fromEntities:
+ - remote-node
diff --git a/apps/charts/cilium/templates/cert-manager/CiliumNetworkPolicy-allow-api-server.yaml b/apps/charts/cilium/templates/cert-manager/CiliumNetworkPolicy-allow-api-server.yaml
new file mode 100644
index 00000000..49e026d4
--- /dev/null
+++ b/apps/charts/cilium/templates/cert-manager/CiliumNetworkPolicy-allow-api-server.yaml
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-api-server
+ namespace: cert-manager
+spec:
+ description: Allow the Kube API server to communicate with cert-manager
+ egress:
+ - toEntities:
+ - kube-apiserver
+ endpointSelector:
+ matchLabels: {}
diff --git a/apps/charts/cilium/templates/cert-manager/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/apps/charts/cilium/templates/cert-manager/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
new file mode 100644
index 00000000..d64ede50
--- /dev/null
+++ b/apps/charts/cilium/templates/cert-manager/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-prometheus-metrics
+ namespace: cert-manager
+spec:
+ description: Allow Prometheus metrics
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: cert-manager
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: prometheus
+ - toPorts:
+ - ports:
+ - port: "9402"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/cert-manager/CiliumNetworkPolicy-allow-world-traffic.yaml b/apps/charts/cilium/templates/cert-manager/CiliumNetworkPolicy-allow-world-traffic.yaml
new file mode 100644
index 00000000..a3d26127
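Review bot: allow-api-server-to-cert-manager describes API-server traffic but admits `fromEntities: remote-node`, i.e. any node in the cluster on any port, and it selects every pod labelled `app.kubernetes.io/instance: cert-manager` rather than only the webhook the API server actually calls. Elsewhere in this commit the same need is expressed with `fromEntities: kube-apiserver` (the cnpg, kafka and kube-downscaler allow-remote-node-webhooks hunks); if `remote-node` is required here because API-server calls arrive with the node identity on this cluster, record that in the description and add `toPorts` for the webhook's listening port. Otherwise switch to `kube-apiserver` so the two conventions do not coexist.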
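Review bot: The description `Allow the Kube API server to communicate with cert-manager` in cert-manager allow-api-server states the opposite direction of the rule, which is egress from every pod in `cert-manager` (`matchLabels: {}`) to the `kube-apiserver` entity. Suggest `Allow cert-manager to reach the Kube API server`, and, matching the argocd allow-kube-api hunk, a `toPorts` entry with `port: "6443"` / `protocol: TCP` inside the same rule rather than unrestricted ports.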
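Review bot: In cert-manager allow-prometheus-metrics `- toPorts:` is a second list item under `ingress`, which makes it a separate rule with no `fromEndpoints`; in Cilium a rule that carries only `toPorts` applies to any peer, so this policy admits traffic from anywhere on TCP 9402 and from the `prometheus` namespace on every port, instead of prometheus-only on 9402. Drop the leading dash so `toPorts` sits in the same rule as `fromEndpoints` (the argocd allow-prometheus-metrics-rollout hunk shows the correct shape). The same split appears in the cnpg, kube-downscaler and kafka allow-remote-node-webhooks policies, ingress-nginx allow-prometheus-metrics, allow-world-to-ingress-nginx (where it exposes every controller port to `world`), jaeger allow-kube-api (egress to any destination on 6443), and kube-system allow-controller-metrics and allow-dns-metrics.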
--- /dev/null
+++ b/apps/charts/cilium/templates/cert-manager/CiliumNetworkPolicy-allow-world-traffic.yaml
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-world-traffic
+ namespace: cert-manager
+spec:
+ description: Allow the world to communicate with cert-manager
+ egress:
+ - toEntities:
+ - world
+ endpointSelector:
+ matchLabels: {}
diff --git a/apps/charts/cilium/templates/cilium-spire/CiliumNetworkPolicy-allow-api-server.yaml b/apps/charts/cilium/templates/cilium-spire/CiliumNetworkPolicy-allow-api-server.yaml
new file mode 100644
index 00000000..ca0bd2c4
--- /dev/null
+++ b/apps/charts/cilium/templates/cilium-spire/CiliumNetworkPolicy-allow-api-server.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-api-server
+ namespace: cilium-spire
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels: {}
diff --git a/apps/charts/cilium/templates/cilium-spire/CiliumNetworkPolicy-allow-remote-node-to-server.yaml b/apps/charts/cilium/templates/cilium-spire/CiliumNetworkPolicy-allow-remote-node-to-server.yaml
new file mode 100644
index 00000000..013a84f9
--- /dev/null
+++ b/apps/charts/cilium/templates/cilium-spire/CiliumNetworkPolicy-allow-remote-node-to-server.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-remote-node-to-server
+ namespace: cilium-spire
+spec:
+ endpointSelector:
+ matchLabels: {}
+ ingress:
+ - fromEntities:
+ - remote-node
+ toPorts:
+ - ports:
+ - port: "8081"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/cilium-test/CiliumNetworkPolicy-allow-api-server.yaml b/apps/charts/cilium/templates/cilium-test/CiliumNetworkPolicy-allow-api-server.yaml
new file mode 100644
index 00000000..28045ea2
--- /dev/null
+++ b/apps/charts/cilium/templates/cilium-test/CiliumNetworkPolicy-allow-api-server.yaml
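Review bot: The description `Allow the world to communicate with cert-manager` inverts the rule, which is egress from every pod in `cert-manager` (`matchLabels: {}`) to `world` on any port. cert-manager needs outbound HTTPS to ACME and DNS-provider APIs, so `toPorts` TCP 443 — or `toFQDNs` for the configured issuers, templated from values as the clusterwide allow-s3 policy does — would say what is actually intended, and the selector could name the controller instead of the whole namespace. Suggested description: `Allow cert-manager egress to external ACME and DNS-provider endpoints`.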
@@ -0,0 +1,22 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-api-server
+ namespace: cilium-test
+spec:
+ egress:
+ - toEndpoints:
+ - {}
+ - toEntities:
+ - cluster
+ - toEntities:
+ - remote-node
+ - toEntities:
+ - world
+ endpointSelector:
+ matchLabels: {}
+ ingress:
+ - fromEntities:
+ - cluster
+ - fromEntities:
+ - world
diff --git a/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-acme-solvers.yaml b/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-acme-solvers.yaml
new file mode 100644
index 00000000..214dade6
--- /dev/null
+++ b/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-acme-solvers.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: allow-acme-solvers
+spec:
+ description: Policy for ingress for Acme Solvers.
+ endpointSelector:
+ matchLabels:
+ acme.cert-manager.io/http01-solver: "true"
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress-nginx
diff --git a/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-dns.yaml b/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-dns.yaml
new file mode 100644
index 00000000..0a7f77b3
--- /dev/null
+++ b/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-dns.yaml
@@ -0,0 +1,24 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: allow-dns
+spec:
+ description: 'description: Allow only dns traffic by default. Also acts as a deny-all policy'
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ - rules:
+ dns:
+ - matchPattern: '*'
+ endpointSelector:
+ matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: NotIn
+ values:
+ - kube-system
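Review bot: The cilium-test policy is named allow-api-server but is an allow-all: egress `toEndpoints: - {}` plus the `cluster`, `remote-node` and `world` entities, ingress from `cluster` and `world`, applied to every pod in `cilium-test`. If that namespace hosts Cilium's connectivity tests this is probably intended, but the name hides it and the chart renders the policy unconditionally; rename it (e.g. `allow-all-connectivity-test`), wrap the template in a values flag so it is not shipped to clusters that never run the suite, and add the `description` field the other policies carry, e.g. `Permissive policy for the connectivity-test namespace only`.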
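Review bot: In clusterwide allow-dns the `- rules:` entry is a separate item of `toPorts` from the `- ports:` entry holding 53/UDP, so the DNS L7 rule hangs off a PortRule with no ports while the port-53 rule has no L7 rule; the kube-system allow-dns-world hunk nests `rules:` inside the same entry as `ports:`, which is the form the chart's `toFQDNs` policies rely on for DNS visibility. Remove the dash so `rules: dns: - matchPattern: '*'` belongs to the 53/UDP PortRule, and confirm with a `toFQDNs` policy that names actually resolve into identities. The description also carries a stray `description: ` prefix inside the quoted value. Consider allowing TCP 53 alongside UDP, since resolvers retry over TCP for truncated answers — this applies equally to the kube-system allow-dns and allow-dns-world hunks.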
diff --git a/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-mariadb-operator.yaml b/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-mariadb-operator.yaml
new file mode 100644
index 00000000..a0a41bcc
--- /dev/null
+++ b/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-mariadb-operator.yaml
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: allow-mariadb-operator
+spec:
+ description: allow mariadb instances to be reached by operator
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: mariadb
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ app.kubernetes.io/name: mariadb-operator
+ io.kubernetes.pod.namespace: mariadb-operator
+ toPorts:
+ - ports:
+ - port: "3306"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-s3.yaml b/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-s3.yaml
new file mode 100644
index 00000000..43fed561
--- /dev/null
+++ b/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-s3.yaml
@@ -0,0 +1,20 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: allow-s3-traffic
+spec:
+ description: Policy for egress for CNPG Backups.
+ egress:
+ - toFQDNs:
+ {{- range .Values.s3.hosts }}
+ - matchName: {{ . | quote }}
+ {{- end }}
+ {{- range .Values.s3.patterns }}
+ - matchPattern: {{ . | quote }}
+ {{- end }}
+ - toCIDR:
+ {{- range .Values.s3.cidr }}
+ - {{ . | quote }}
+ {{- end }}
+ endpointSelector:
+ matchLabels: {}
diff --git a/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-cilium-health-checks.yaml b/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-cilium-health-checks.yaml
new file mode 100644
index 00000000..9fc9bb26
--- /dev/null
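Review bot: If `.Values.s3.hosts` and `.Values.s3.patterns` are both unset, allow-s3 still renders `- toFQDNs:` with a null value, and likewise `- toCIDR:` when `.Values.s3.cidr` is empty — egress rules with no destination constraint, applied to every pod in the cluster through `matchLabels: {}`. No values.yaml is visible in this chunk, so a default install appears to render exactly that; whether Cilium treats such a rule as a no-op or as allow-all egress, neither is what a backup policy should do. Guard each rule on its values and pin `toPorts` to the S3 endpoint's port, since the selector covers the whole cluster; the description `Policy for egress for CNPG Backups.` could then say `Allow CNPG backup egress to the configured S3 endpoints only`.
```yaml
  egress:
    {{- if or .Values.s3.hosts .Values.s3.patterns }}
    - toFQDNs:
        {{- range .Values.s3.hosts }}
        - matchName: {{ . | quote }}
        {{- end }}
        {{- range .Values.s3.patterns }}
        - matchPattern: {{ . | quote }}
        {{- end }}
      toPorts:
        - ports:
            - port: "443"  # adjust if the S3 endpoint is not served over HTTPS
              protocol: TCP
    {{- end }}
    {{- with .Values.s3.cidr }}
    - toCIDR:
        {{- range . }}
        - {{ . | quote }}
        {{- end }}
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
    {{- end }}
  # … unchanged: endpointSelector …
```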
+++ b/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-cilium-health-checks.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: cilium-health-checks
+spec:
+ description: Health checks
+ egress:
+ - toEntities:
+ - remote-node
+ endpointSelector:
+ matchLabels:
+ reserved:health: ""
+ ingress:
+ - fromEntities:
+ - remote-node
diff --git a/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-deny-all.yaml b/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-deny-all.yaml
new file mode 100644
index 00000000..7ba45d08
--- /dev/null
+++ b/apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-deny-all.yaml
@@ -0,0 +1,9 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: deny-all
+spec:
+ description: Deny all
+ egress: []
+ endpointSelector: {}
+ ingress: []
diff --git a/apps/charts/cilium/templates/cnpg/CiliumNetworkPolicy-allow-api-server.yaml b/apps/charts/cilium/templates/cnpg/CiliumNetworkPolicy-allow-api-server.yaml
new file mode 100644
index 00000000..d32ac553
--- /dev/null
+++ b/apps/charts/cilium/templates/cnpg/CiliumNetworkPolicy-allow-api-server.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-api-server
+ namespace: cnpg
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: postgres-operator
diff --git a/apps/charts/cilium/templates/cnpg/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml b/apps/charts/cilium/templates/cnpg/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml
new file mode 100644
index 00000000..6c04cc22
--- /dev/null
+++ b/apps/charts/cilium/templates/cnpg/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml
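Review bot: deny-all uses `egress: []` and `ingress: []` with `endpointSelector: {}`; I cannot confirm from here that Cilium treats an empty list (as opposed to an empty rule element, or `spec.enableDefaultDeny` on recent releases) as putting every endpoint into default-deny for both directions, and if it does not, pods that no other policy selects stay open while the name promises otherwise. Verify the policy-enforcement status of a pod in a namespace this chart does not cover, and record the intended semantics in the `description`, e.g. `Select every endpoint so that traffic not allowed by another policy is dropped`. The clusterwide allow-dns policy also claims the deny-all role in its description, so the two statements should be reconciled.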
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-remote-node-webhooks
+ namespace: cnpg
+spec:
+ endpointSelector:
+ matchLabels: {}
+ ingress:
+ - fromEntities:
+ - kube-apiserver
+ - toPorts:
+ - ports:
+ - port: "9443"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/downscaler/CiliumNetworkPolicy-allow-api-server.yaml b/apps/charts/cilium/templates/downscaler/CiliumNetworkPolicy-allow-api-server.yaml
new file mode 100644
index 00000000..7c7345ec
--- /dev/null
+++ b/apps/charts/cilium/templates/downscaler/CiliumNetworkPolicy-allow-api-server.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-api-server
+ namespace: kube-downscaler
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ application: downscaler-py-kube-downscaler
diff --git a/apps/charts/cilium/templates/downscaler/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml b/apps/charts/cilium/templates/downscaler/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml
new file mode 100644
index 00000000..e99b9eec
--- /d/null
+++ b/apps/charts/cilium/templates/downscaler/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-remote-node-webhooks
+ namespace: kube-downscaler
+spec:
+ endpointSelector:
+ matchLabels: {}
+ ingress:
+ - fromEntities:
+ - kube-apiserver
+ - toPorts:
+ - ports:
+ - port: "9443"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-host-traffic.yaml b/apps/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-host-traffic.yaml
new file mode 100644
index 00000000..4ffbbd8c
--- /dev/null
+++ b/apps/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-host-traffic.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-host-traffic
+ namespace: ingress-nginx
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ - host
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: ingress-nginx
diff --git a/apps/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-hubble-traffic.yaml b/apps/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-hubble-traffic.yaml
new file mode 100644
index 00000000..fa9ee953
--- /dev/null
+++ b/apps/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-hubble-traffic.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-hubble-traffic
+ namespace: ingress-nginx
+spec:
+ egress:
+ - toFQDNs:
+ - matchPattern: hubble.*.*.*
+ - matchPattern: hubble.*.*.*.*
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: ingress-nginx
diff --git a/apps/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/apps/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
new file mode 100644
index 00000000..98bbc402
--- /dev/null
+++ b/apps/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-prometheus-metrics
+ namespace: ingress-nginx
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: ingress-nginx
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: prometheus
+ - toPorts:
+ - ports:
+ - port: "9913"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-s3-traffic.yaml b/apps/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-s3-traffic.yaml
new file mode 100644
index 00000000..b3bcc3d3
--- /dev/null
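Review bot: allow-hubble-traffic grants the ingress controller egress to `matchPattern: hubble.*.*.*` and `hubble.*.*.*.*`, which match any host whose name starts with `hubble.` under any domain, on any port — a wildcard over everyone's namespace rather than this cluster's Hubble UI hostname. The clusterwide allow-s3 hunk already shows the chart's pattern for this: feed the real hostname(s) from values with `matchName: {{ . | quote }}` and add `toPorts` TCP 443. The patterns should also be quoted, as `'*.microsoftonline.com'` is in allow-microsoft-sso, so a future edit that starts the value with `*` is not parsed as a YAML alias.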
+++ b/apps/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-s3-traffic.yaml
@@ -0,0 +1,19 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-s3-traffic
+ namespace: ingress-nginx
+spec:
+ egress:
+ - toCIDR:
+ - 10.139.2.10/32
+ - toCIDR:
+ - 10.139.2.11/32
+ - toCIDR:
+ - 10.139.2.20/32
+ - toCIDR:
+ - 10.139.2.21/32
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: ingress-nginx
diff --git a/apps/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-world-to-ingress-nginx.yaml b/apps/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-world-to-ingress-nginx.yaml
new file mode 100644
index 00000000..4ecbe4fa
--- /dev/null
+++ b/apps/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-world-to-ingress-nginx.yaml
@@ -0,0 +1,19 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-world-to-ingress-nginx
+ namespace: ingress-nginx
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: ingress-nginx
+ ingress:
+ - fromEntities:
+ - world
+ - toPorts:
+ - ports:
+ - port: "80"
+ protocol: TCP
+ - port: "443"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/jaeger/CiliumNetworkPolicy-allow-kube-api.yaml b/apps/charts/cilium/templates/jaeger/CiliumNetworkPolicy-allow-kube-api.yaml
new file mode 100644
index 00000000..29cd1826
--- /dev/null
+++ b/apps/charts/cilium/templates/jaeger/CiliumNetworkPolicy-allow-kube-api.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-kube-api
+ namespace: jaeger
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ - toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels: {}
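Review bot: ingress-nginx allow-s3-traffic hard-codes four `/32` CIDRs (`10.139.2.10`, `.11`, `.20`, `.21`) in the template while the clusterwide allow-s3 policy in the same commit takes its CIDRs from `.Values.s3.cidr`; site-specific addresses baked into a chart defeat reuse and will silently drift from the values-driven copy. Reuse `{{- range .Values.s3.cidr }}` here (the four separate `- toCIDR:` rules can be one list under a single rule) and add `toPorts` for the S3 endpoint's port. A `description` saying why the ingress controller needs to reach S3 at all would help the next reader, since no other ingress-nginx policy hints at it.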
diff --git a/apps/charts/cilium/templates/jaeger/CiliumNetworkPolicy-allow-remote-node-to-jaeger.yaml b/apps/charts/cilium/templates/jaeger/CiliumNetworkPolicy-allow-remote-node-to-jaeger.yaml
new file mode 100644
index 00000000..3d1bddcd
--- /dev/null
+++ b/apps/charts/cilium/templates/jaeger/CiliumNetworkPolicy-allow-remote-node-to-jaeger.yaml
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-remote-node-to-jaeger
+ namespace: jaeger
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: jaeger-operator
+ ingress:
+ - fromEntities:
+ - remote-node
diff --git a/apps/charts/cilium/templates/kafka/CiliumNetworkPolicy-allow-api-server.yaml b/apps/charts/cilium/templates/kafka/CiliumNetworkPolicy-allow-api-server.yaml
new file mode 100644
index 00000000..1e35e6ad
--- /dev/null
+++ b/apps/charts/cilium/templates/kafka/CiliumNetworkPolicy-allow-api-server.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-api-server
+ namespace: kafka
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: kafka-operator
diff --git a/apps/charts/cilium/templates/kafka/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml b/apps/charts/cilium/templates/kafka/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml
new file mode 100644
index 00000000..cbf9ee6b
--- /dev/null
+++ b/apps/charts/cilium/templates/kafka/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-remote-node-webhooks
+ namespace: kafka
+spec:
+ endpointSelector:
+ matchLabels: {}
+ ingress:
+ - fromEntities:
+ - kube-apiserver
+ - toPorts:
+ - ports:
+ - port: "9443"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-controller-metrics.yaml b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-controller-metrics.yaml
new file mode 100644
index 00000000..31b7dacc
--- /dev/null
+++ b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-controller-metrics.yaml
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-controller-metrics
+ namespace: kube-system
+spec:
+ description: Allow Controller Metrics
+ endpointSelector:
+ matchLabels:
+ k8s-app: kube-controller-manager
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: prometheus
+ - toPorts:
+ - ports:
+ - port: "10257"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-csi-webhook.yaml b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-csi-webhook.yaml
new file mode 100644
index 00000000..9e8e47fe
--- /dev/null
+++ b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-csi-webhook.yaml
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-csi-webhook
+ namespace: kube-system
+spec:
+ endpointSelector:
+ matchLabels:
+ app: csi-snapshot-webhook
+ ingress:
+ - fromEntities:
+ - remote-node
diff --git a/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-dns-metrics.yaml b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-dns-metrics.yaml
new file mode 100644
index 00000000..b4c33ac7
--- /dev/null
+++ b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-dns-metrics.yaml
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-dns-metrics
+ namespace: kube-system
+spec:
+ description: Allow DNS metrics
+ endpointSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: prometheus
+ - toPorts:
+ - ports:
+ - port: "9153"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-dns-world.yaml b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-dns-world.yaml
new file mode 100644
index 00000000..b69f15f6
--- /dev/null
+++ b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-dns-world.yaml
@@ -0,0 +1,31 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-dns-world
+ namespace: kube-system
+spec:
+ description: Allow DNS World
+ egress:
+ - toCIDR:
+ - 8.8.8.8/32
+ - 172.31.254.11/32
+ - 1.1.1.1/32
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ rules:
+ dns:
+ - matchPattern: '*'
+ - toEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ rules:
+ dns:
+ - matchPattern: '*'
+ endpointSelector:
+ matchLabels:
+ k8s-app: kube-dns
diff --git a/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-dns.yaml b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-dns.yaml
new file mode 100644
index 00000000..7d19e1de
--- /dev/null
+++ b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-dns.yaml
@@ -0,0 +1,19 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-dns
+ namespace: kube-system
+spec:
+ description: Allow DNS
+ endpointSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ingress:
+ - fromEndpoints:
+ - matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
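Review bot: In `allow-dns-world` the second egress rule (`toEntities: world` on 53/UDP) already covers the three resolvers listed under `toCIDR` in the first rule, so the explicit resolver allowlist does not restrict anything; if the intent is to pin kube-dns to those upstreams, drop the `world` rule, otherwise the CIDR rule can go. Both rules permit only UDP, so an answer that comes back truncated cannot be retried over TCP 53, and `allow-dns` and `allow-namespace-traffic` in the same directory have the same UDP-only port list. Adding a second entry `- port: "53"` with `protocol: TCP` next to the UDP one in each of those rules covers that case. The `matchPattern: '*'` DNS rule passes every query, so it gives the DNS proxy visibility of names (which the `toFQDNs` policies elsewhere in the chart presumably rely on) but imposes no restriction, and a one-line `description` saying so would make that intent explicit.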
diff --git a/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-host-traffic.yaml b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-host-traffic.yaml
new file mode 100644
index 00000000..08710d89
--- /dev/null
+++ b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-host-traffic.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-host-traffic
+ namespace: kube-system
+spec:
+ description: Allow Host Traffic
+ egress:
+ - toEntities:
+ - remote-node
+ - host
+ - kube-apiserver
+ endpointSelector:
+ matchLabels: {}
diff --git a/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-hubble-ingress.yaml b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-hubble-ingress.yaml
new file mode 100644
index 00000000..ec1c6cf8
--- /dev/null
+++ b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-hubble-ingress.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-hubble-ingress
+ namespace: kube-system
+spec:
+ description: Allow Hubble ingress
+ endpointSelector:
+ matchLabels:
+ k8s-app: hubble-ui
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress-nginx
diff --git a/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-hubble-oauth2-ingress.yaml b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-hubble-oauth2-ingress.yaml
new file mode 100644
index 00000000..7e31779e
--- /dev/null
+++ b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-hubble-oauth2-ingress.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-hubble-oauth2-ingress
+ namespace: kube-system
+spec:
+ description: Allow Hubble OAuth2 ingress
+ endpointSelector:
+ matchLabels:
+ k8s-app: oauth2-proxy
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress-nginx
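Review bot: `allow-host-traffic` grants every pod in kube-system (`matchLabels: {}`) egress to `kube-apiserver`, `host` and `remote-node` on all ports, whereas the other api-server egress rules in this chart (kafka, kubelet-serving, loki, minio, odigos, one-password, opencost) limit that entity to 6443/TCP. If unrestricted host and node reach is needed by only a few components, narrowing the `endpointSelector` to them or adding a `toPorts` block keeps a compromised kube-system pod from reaching arbitrary node-local services. The copies in mayastor and prometheus (`allow-host-traffic`) and mariadb-operator's `allow-api-server` carry the same port-less entity egress. A `description` naming the component that needs host access would let a later reader judge whether the scope is still warranted.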
diff --git a/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-hubble-relay-metrics.yaml b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-hubble-relay-metrics.yaml
new file mode 100644
index 00000000..676dddde
--- /dev/null
+++ b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-hubble-relay-metrics.yaml
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-hubble-relay-metrics
+ namespace: kube-system
+spec:
+ description: Allow Hubble Relay Metrics
+ endpointSelector:
+ matchLabels:
+ k8s-app: hubble-relay
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: prometheus
+ - toPorts:
+ - ports:
+ - port: "9966"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-microsoft-sso.yaml b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-microsoft-sso.yaml
new file mode 100644
index 00000000..71769867
--- /dev/null
+++ b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-microsoft-sso.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-microsoft-sso
+ namespace: kube-system
+spec:
+ description: Allow Microsoft SSO
+ egress:
+ - toFQDNs:
+ - matchName: login.microsoftonline.com
+ - matchPattern: '*.microsoftonline.com'
+ - matchName: graph.microsoft.com
+ endpointSelector:
+ matchLabels:
+ k8s-app: oauth2-proxy
diff --git a/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-namespace-traffic.yaml b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-namespace-traffic.yaml
new file mode 100644
index 00000000..9b20afc2
--- /dev/null
+++ b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-namespace-traffic.yaml
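Review bot: `allow-microsoft-sso` pairs `toFQDNs` with no `toPorts`, so oauth2-proxy may reach any port on whatever address those names resolve to; the OIDC exchange is HTTPS, so adding `toPorts:` / `- ports:` / `- port: "443"` with `protocol: TCP` to the same rule bounds it. The same FQDN-without-port shape is in loki's `allow-stats-grafana` and prometheus' `allow-grafana-oidc-login`, `allow-grafana-plugins`, `allow-grafana-secure-gravatar` and `allow-stats-grafana`. `toFQDNs` only takes effect when the selected pod's DNS lookups pass through Cilium's DNS proxy; kube-system gets that from the `rules: dns` block in `allow-namespace-traffic`, but no equivalent DNS rule for the loki or prometheus namespaces is visible in this part of the diff, so it is worth confirming one exists or those FQDN policies will never match.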
@@ -0,0 +1,26 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-namespace-traffic
+ namespace: kube-system
+spec:
+ description: Allow Namespace Traffic
+ egress:
+ - toEndpoints:
+ - {}
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ rules:
+ dns:
+ - matchPattern: '*'
+ endpointSelector:
+ matchLabels: {}
+ ingress:
+ - fromEndpoints:
+ - {}
diff --git a/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-proxy-metrics.yaml b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-proxy-metrics.yaml
new file mode 100644
index 00000000..0d99e202
--- /dev/null
+++ b/apps/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-proxy-metrics.yaml
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-proxy-metrics
+ namespace: kube-system
+spec:
+ description: Allow Proxy metrics
+ endpointSelector:
+ matchLabels:
+ k8s-app: kube-proxy
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: prometheus
+ - toPorts:
+ - ports:
+ - port: "10249"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/kubelet-serving/CiliumNetworkPolicy-allow-kube-api.yaml b/apps/charts/cilium/templates/kubelet-serving/CiliumNetworkPolicy-allow-kube-api.yaml
new file mode 100644
index 00000000..59732e3a
--- /dev/null
+++ b/apps/charts/cilium/templates/kubelet-serving/CiliumNetworkPolicy-allow-kube-api.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-kube-api
+ namespace: kubelet-serving-cert-approver
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels: {}
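Review bot: `allow-namespace-traffic` selects every kube-system pod and allows ingress from and egress to every other kube-system pod (`- {}` under `fromEndpoints` and `toEndpoints`) on all ports, which makes the narrower per-component ingress policies in this directory (for example `allow-controller-metrics` and `allow-hubble-relay-metrics`, which admit only the prometheus namespace) effective against other namespaces only; any kube-system pod still reaches those ports. If intra-namespace any-to-any is deliberate, a `description` saying so (`description: Allow any-to-any traffic inside kube-system; per-component policies only restrict other namespaces`) would stop the next reader from treating it as an oversight, otherwise the first egress rule and the ingress rule should be narrowed to the peers that need them. Since the first egress rule already allows 53/UDP to kube-dns at L3, it is worth checking in Hubble that DNS flows are still redirected through the proxy by the second rule's `rules: dns` block rather than matched by the port-less rule, because the `toFQDNs` policies in this namespace depend on that.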
diff --git a/apps/charts/cilium/templates/kyverno/CiliumNetworkPolicy-allow-api-server.yaml b/apps/charts/cilium/templates/kyverno/CiliumNetworkPolicy-allow-api-server.yaml
new file mode 100644
index 00000000..d52ee5c9
--- /dev/null
+++ b/apps/charts/cilium/templates/kyverno/CiliumNetworkPolicy-allow-api-server.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-api-server
+ namespace: kyverno
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ - toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels: {}
diff --git a/apps/charts/cilium/templates/kyverno/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/apps/charts/cilium/templates/kyverno/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
new file mode 100644
index 00000000..f547d4a5
--- /dev/null
+++ b/apps/charts/cilium/templates/kyverno/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-prometheus-metrics
+ namespace: kyverno
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: kyverno
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: prometheus
+ - toPorts:
+ - ports:
+ - port: "8000"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/kyverno/CiliumNetworkPolicy-allow-remote-node-to-kyverno.yaml b/apps/charts/cilium/templates/kyverno/CiliumNetworkPolicy-allow-remote-node-to-kyverno.yaml
new file mode 100644
index 00000000..5087fa86
--- /dev/null
+++ b/apps/charts/cilium/templates/kyverno/CiliumNetworkPolicy-allow-remote-node-to-kyverno.yaml
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-remote-node-to-kyverno
+ namespace: kyverno
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: kyverno
+ ingress:
+ - fromEntities:
+ - remote-node
diff --git a/apps/charts/cilium/templates/loki/CiliumNetworkPolicy-allow-loki-backend-to-api-server.yaml b/apps/charts/cilium/templates/loki/CiliumNetworkPolicy-allow-loki-backend-to-api-server.yaml
new file mode 100644
index 00000000..7e43aeb7
--- /dev/null
+++ b/apps/charts/cilium/templates/loki/CiliumNetworkPolicy-allow-loki-backend-to-api-server.yaml
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-loki-backend-to-api-server
+ namespace: loki
+spec:
+ description: Promtail needs to reach kube-apiserver
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/component: backend
+ app.kubernetes.io/instance: loki
diff --git a/apps/charts/cilium/templates/loki/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/apps/charts/cilium/templates/loki/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
new file mode 100644
index 00000000..e3161e8b
--- /dev/null
+++ b/apps/charts/cilium/templates/loki/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
@@ -0,0 +1,20 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-prometheus-metrics
+ namespace: loki
+spec:
+ description: Allow Prometheus read and write
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: loki
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: prometheus
+ toPorts:
+ - ports:
+ - port: "3100"
+ protocol: TCP
+ - port: "3500"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/loki/CiliumNetworkPolicy-allow-promtail-to-api-server.yaml b/apps/charts/cilium/templates/loki/CiliumNetworkPolicy-allow-promtail-to-api-server.yaml
new file mode 100644
index 00000000..5d7cd58a
--- /dev/null
+++ b/apps/charts/cilium/templates/loki/CiliumNetworkPolicy-allow-promtail-to-api-server.yaml
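Review bot: `allow-loki-backend-to-api-server` carries `description: Promtail needs to reach kube-apiserver`, which is the text from `allow-promtail-to-api-server`; the selector here is the `backend` component of the loki instance, so the description should name that, e.g. `description: Loki backend needs to reach kube-apiserver`. The description is the only free text an operator sees on the applied object, so a copied one points at the wrong workload during an incident.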
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-promtail-to-api-server
+ namespace: loki
+spec:
+ description: Promtail needs to reach kube-apiserver
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: promtail
diff --git a/apps/charts/cilium/templates/loki/CiliumNetworkPolicy-allow-stats-grafana.yaml b/apps/charts/cilium/templates/loki/CiliumNetworkPolicy-allow-stats-grafana.yaml
new file mode 100644
index 00000000..47a8be11
--- /dev/null
+++ b/apps/charts/cilium/templates/loki/CiliumNetworkPolicy-allow-stats-grafana.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-stats-grafana
+ namespace: loki
+spec:
+ description: Allow stats
+ egress:
+ - toFQDNs:
+ - matchName: stats.grafana.org
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: loki
diff --git a/apps/charts/cilium/templates/mariadb-operator/CiliumNetworkPolicy-allow-api-server.yaml b/apps/charts/cilium/templates/mariadb-operator/CiliumNetworkPolicy-allow-api-server.yaml
new file mode 100644
index 00000000..f90d4d76
--- /dev/null
+++ b/apps/charts/cilium/templates/mariadb-operator/CiliumNetworkPolicy-allow-api-server.yaml
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-api-server
+ namespace: mariadb-operator
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: mariadb-operator
diff --git a/apps/charts/cilium/templates/mariadb-operator/CiliumNetworkPolicy-allow-host-to-mariadb.yaml b/apps/charts/cilium/templates/mariadb-operator/CiliumNetworkPolicy-allow-host-to-mariadb.yaml
new file mode 100644
index 00000000..5da9d113
--- /dev/null
+++ b/apps/charts/cilium/templates/mariadb-operator/CiliumNetworkPolicy-allow-host-to-mariadb.yaml
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-host-to-mariadb
+ namespace: mariadb-operator
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: mariadb-operator
+ ingress:
+ - fromEntities:
+ - host
diff --git a/apps/charts/cilium/templates/mariadb-operator/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/apps/charts/cilium/templates/mariadb-operator/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
new file mode 100644
index 00000000..726e1b72
--- /dev/null
+++ b/apps/charts/cilium/templates/mariadb-operator/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-prometheus-metrics
+ namespace: mariadb-operator
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: mariadb-operator
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: prometheus
+ toPorts:
+ - ports:
+ - port: "8080"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/mariadb-operator/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml b/apps/charts/cilium/templates/mariadb-operator/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml
new file mode 100644
index 00000000..43e812ad
--- /dev/null
+++ b/apps/charts/cilium/templates/mariadb-operator/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-remote-node-webhooks
+ namespace: mariadb-operator
+spec:
+ endpointSelector:
+ matchLabels: {}
+ ingress:
+ - fromEntities:
+ - kube-apiserver
+ - remote-node
+ toPorts:
+ - ports:
+ - port: "443"
+ protocol: TCP
+ - port: "9443"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/mayastor/CiliumNetworkPolicy-allow-host-traffic.yaml b/apps/charts/cilium/templates/mayastor/CiliumNetworkPolicy-allow-host-traffic.yaml
new file mode 100644
index 00000000..7d296c8e
--- /dev/null
+++ b/apps/charts/cilium/templates/mayastor/CiliumNetworkPolicy-allow-host-traffic.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-host-traffic
+ namespace: mayastor
+spec:
+ description: Allow Host Traffic
+ egress:
+ - toEntities:
+ - remote-node
+ - host
+ - kube-apiserver
+ endpointSelector:
+ matchLabels: {}
diff --git a/apps/charts/cilium/templates/mayastor/CiliumNetworkPolicy-allow-remote-node-to-agent-core.yaml b/apps/charts/cilium/templates/mayastor/CiliumNetworkPolicy-allow-remote-node-to-agent-core.yaml
new file mode 100644
index 00000000..00e783d1
--- /dev/null
+++ b/apps/charts/cilium/templates/mayastor/CiliumNetworkPolicy-allow-remote-node-to-agent-core.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-remote-node-to-agent-core
+ namespace: mayastor
+spec:
+ description: Allow Remote to Agent Core
+ endpointSelector:
+ matchLabels:
+ app: agent-core
+ ingress:
+ - fromEntities:
+ - remote-node
diff --git a/apps/charts/cilium/templates/mayastor/CiliumNetworkPolicy-allow-remote-node-to-etcd.yaml b/apps/charts/cilium/templates/mayastor/CiliumNetworkPolicy-allow-remote-node-to-etcd.yaml
new file mode 100644
index 00000000..10464d0e
--- /dev/null
+++ b/apps/charts/cilium/templates/mayastor/CiliumNetworkPolicy-allow-remote-node-to-etcd.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-remote-node-to-etcd
+ namespace: mayastor
+spec:
+ description: Allow Remote to Etcd
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: etcd
+ ingress:
+ - fromEntities:
+ - remote-node
diff --git a/apps/charts/cilium/templates/mayastor/CiliumNetworkPolicy-allow-remote-node-to-maya.yaml b/apps/charts/cilium/templates/mayastor/CiliumNetworkPolicy-allow-remote-node-to-maya.yaml
new file mode 100644
index 00000000..1de55fac
--- /dev/null
+++ b/apps/charts/cilium/templates/mayastor/CiliumNetworkPolicy-allow-remote-node-to-maya.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-remote-node-to-maya
+ namespace: mayastor
+spec:
+ description: Allow Remote to Mayastor
+ endpointSelector:
+ matchLabels:
+ app: api-rest
+ ingress:
+ - fromEntities:
+ - remote-node
diff --git a/apps/charts/cilium/templates/minio-operator/CiliumClusterwideNetworkPolicy-allow-kube-api.yaml b/apps/charts/cilium/templates/minio-operator/CiliumClusterwideNetworkPolicy-allow-kube-api.yaml
new file mode 100644
index 00000000..6c53acf9
--- /dev/null
+++ b/apps/charts/cilium/templates/minio-operator/CiliumClusterwideNetworkPolicy-allow-kube-api.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: allow-kube-api
+spec:
+ description: Allow access to the Kube API server
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ app: minio
diff --git a/apps/charts/cilium/templates/minio-operator/CiliumClusterwideNetworkPolicy-allow-minio-operator.yaml b/apps/charts/cilium/templates/minio-operator/CiliumClusterwideNetworkPolicy-allow-minio-operator.yaml
new file mode 100644
index 00000000..f5ad26b5
--- /dev/null
+++ b/apps/charts/cilium/templates/minio-operator/CiliumClusterwideNetworkPolicy-allow-minio-operator.yaml
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: allow-minio-operator
+spec:
+ description: Allow access to the Kube API server
+ endpointSelector:
+ matchLabels:
+ app: minio
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: minio-operator
+ toPorts:
+ - ports:
+ - port: "9000"
+ protocol: TCP
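Review bot: `allow-minio-operator` reuses `description: Allow access to the Kube API server` from the clusterwide `allow-kube-api` next to it, but the rule admits ingress from the minio-operator namespace to port 9000 on `app: minio` pods; `description: Allow the MinIO operator to reach tenant port 9000` would describe the rule. `allow-nodeport-ingress` in the same directory carries the same copied description on a rule that admits `world`. Three policies with one description make `cilium policy get` output hard to read when the wrong one is being debugged.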
diff --git a/apps/charts/cilium/templates/minio-operator/CiliumClusterwideNetworkPolicy-allow-nodeport-ingress.yaml b/apps/charts/cilium/templates/minio-operator/CiliumClusterwideNetworkPolicy-allow-nodeport-ingress.yaml
new file mode 100644
index 00000000..83985384
--- /dev/null
+++ b/apps/charts/cilium/templates/minio-operator/CiliumClusterwideNetworkPolicy-allow-nodeport-ingress.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: allow-nodeport-ingress
+spec:
+ description: Allow access to the Kube API server
+ endpointSelector:
+ matchLabels:
+ app: minio
+ ingress:
+ - fromEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "9000"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/minio-operator/CiliumNetworkPolicy-allow-kube-api.yaml b/apps/charts/cilium/templates/minio-operator/CiliumNetworkPolicy-allow-kube-api.yaml
new file mode 100644
index 00000000..83a6d612
--- /dev/null
+++ b/apps/charts/cilium/templates/minio-operator/CiliumNetworkPolicy-allow-kube-api.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-kube-api
+ namespace: minio-operator
+spec:
+ description: Allow access to the Kube API server
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels: {}
diff --git a/apps/charts/cilium/templates/odigos-system/CiliumNetworkPolicy-allow-kube-api.yaml b/apps/charts/cilium/templates/odigos-system/CiliumNetworkPolicy-allow-kube-api.yaml
new file mode 100644
index 00000000..cb20793f
--- /dev/null
+++ b/apps/charts/cilium/templates/odigos-system/CiliumNetworkPolicy-allow-kube-api.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-kube-api
+ namespace: odigos-system
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels: {}
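Review bot: `allow-nodeport-ingress` admits `world` to port 9000 on every pod labelled `app: minio` in any namespace, because a `CiliumClusterwideNetworkPolicy` is not namespace-scoped; any future tenant, or any unrelated pod that happens to carry that label, is exposed externally the moment it is created. If only specific tenant namespaces are meant to be reachable from outside, adding `io.kubernetes.pod.namespace: <tenant-namespace>` to the `endpointSelector` (placeholder, one policy per tenant) or converting this to per-namespace `CiliumNetworkPolicy` objects bounds the exposure. The sibling `allow-kube-api` clusterwide policy has the same label-only selector, though its effect (egress to the API server on 6443) is far less sensitive.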
diff --git a/apps/charts/cilium/templates/odigos-system/CiliumNetworkPolicy-allow-port-4317.yaml b/apps/charts/cilium/templates/odigos-system/CiliumNetworkPolicy-allow-port-4317.yaml
new file mode 100644
index 00000000..f1b59b9e
--- /dev/null
+++ b/apps/charts/cilium/templates/odigos-system/CiliumNetworkPolicy-allow-port-4317.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-port-4317
+ namespace: odigos-system
+spec:
+ egress:
+ - toPorts:
+ - ports:
+ - port: "4317"
+ protocol: TCP
+ endpointSelector:
+ matchLabels: {}
+ ingress:
+ - fromEntities:
+ - remote-node
diff --git a/apps/charts/cilium/templates/one-password-operator/CiliumNetworkPolicy-allow-api-server.yaml b/apps/charts/cilium/templates/one-password-operator/CiliumNetworkPolicy-allow-api-server.yaml
new file mode 100644
index 00000000..23c8a706
--- /dev/null
+++ b/apps/charts/cilium/templates/one-password-operator/CiliumNetworkPolicy-allow-api-server.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-api-server
+ namespace: one-password
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: one-password-operator
diff --git a/apps/charts/cilium/templates/one-password-operator/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml b/apps/charts/cilium/templates/one-password-operator/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml
new file mode 100644
index 00000000..9a4a6c4b
--- /dev/null
+++ b/apps/charts/cilium/templates/one-password-operator/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-remote-node-webhooks
+ namespace: one-password
+spec:
+ endpointSelector:
+ matchLabels: {}
+ ingress:
+ - fromEntities:
+ - kube-apiserver
+ - toPorts:
+ - ports:
+ - port: "9443"
+ protocol: TCP
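Review bot: In `allow-port-4317` the egress rule has only `toPorts`, so every pod in odigos-system (`matchLabels: {}`) may send to 4317/TCP on any destination, `world` included; if the target is the OpenTelemetry collector in the `otel` namespace (a guess from the policy names in this chart), a `toEndpoints` selector on that rule pins it, as sketched below. The `ingress: fromEntities: remote-node` rule is port-less too, so a `toPorts` block there would bound it likewise. Prometheus' `allow-dns-metrics` (9153) and `allow-etcd-metrics` (2379) have the same destination-less egress shape and would take a `toEndpoints` selector for kube-dns and a `toEntities` list of `host`/`remote-node` respectively, assuming etcd listens on the control-plane nodes.
```yaml
  egress:
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: otel
            app.kubernetes.io/name: opentelemetry-collector
      toPorts:
        - ports:
            - port: "4317"
              protocol: TCP
  # … unchanged: endpointSelector, ingress …
```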
diff --git a/apps/charts/cilium/templates/opencost/CiliumNetworkPolicy-allow-kube-api.yaml b/apps/charts/cilium/templates/opencost/CiliumNetworkPolicy-allow-kube-api.yaml
new file mode 100644
index 00000000..99971950
--- /dev/null
+++ b/apps/charts/cilium/templates/opencost/CiliumNetworkPolicy-allow-kube-api.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-kube-api
+ namespace: opencost
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: opencost
diff --git a/apps/charts/cilium/templates/otel/CiliumNetworkPolicy-allow-otel-collector-loadbalancer-ingress.yaml b/apps/charts/cilium/templates/otel/CiliumNetworkPolicy-allow-otel-collector-loadbalancer-ingress.yaml
new file mode 100644
index 00000000..80f83639
--- /dev/null
+++ b/apps/charts/cilium/templates/otel/CiliumNetworkPolicy-allow-otel-collector-loadbalancer-ingress.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-otel-collector-loadbalancer-ingress
+ namespace: otel
+spec:
+ description: Allow ingress from world
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: opentelemetry-collector
+ ingress:
+ - fromEntities:
+ - world
diff --git a/apps/charts/cilium/templates/postfix/CiliumNetworkPolicy-allow-mail-egress.yaml b/apps/charts/cilium/templates/postfix/CiliumNetworkPolicy-allow-mail-egress.yaml
new file mode 100644
index 00000000..0691f418
--- /dev/null
+++ b/apps/charts/cilium/templates/postfix/CiliumNetworkPolicy-allow-mail-egress.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-mail-egress
+ namespace: postfix
+spec:
+ description: Allow mailserver to send mails to world
+ egress:
+ - toEntities:
+ - world
+ endpointSelector:
+ matchLabels:
+ app: smtp-relay
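Review bot: `allow-otel-collector-loadbalancer-ingress` admits `world` to the collector with no `toPorts`, so every listener the collector exposes (metrics, health or debug endpoints, whichever the deployment enables) is reachable from outside, not only the receivers the load balancer is meant to forward. Restricting the rule to the OTLP receiver ports, `toPorts:` / `- ports:` / `- port: "4317"` with `protocol: TCP` (plus `"4318"` if the HTTP receiver is exposed), keeps the external surface to what the name implies. If the load balancer forwards only those ports the exposure is smaller in practice, but the policy should not depend on a component it does not control.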
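Review bot: `allow-mail-egress` lets the `smtp-relay` pods reach `world` on any port, while the matching `allow-mail-ingress` limits the inbound side to 25 and 587; an outbound relay only needs SMTP, so `toPorts:` / `- ports:` / `- port: "25"` with `protocol: TCP` (plus 465 or 587 if the relay submits to an upstream provider) would make the two sides symmetric. Because every namespace can push mail into this pod, a port-less world egress widens what a compromised application pod could reach through it beyond mail delivery.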
diff --git a/apps/charts/cilium/templates/postfix/CiliumNetworkPolicy-allow-mail-ingress.yaml b/apps/charts/cilium/templates/postfix/CiliumNetworkPolicy-allow-mail-ingress.yaml
new file mode 100644
index 00000000..a8a2d699
--- /dev/null
+++ b/apps/charts/cilium/templates/postfix/CiliumNetworkPolicy-allow-mail-ingress.yaml
@@ -0,0 +1,21 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-mail-ingress
+ namespace: postfix
+spec:
+ description: Allow all services in cluster to send mail
+ endpointSelector:
+ matchLabels:
+ app: smtp-relay
+ ingress:
+ - fromEndpoints:
+ - matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ toPorts:
+ - ports:
+ - port: "25"
+ protocol: TCP
+ - port: "587"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/postfix/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/apps/charts/cilium/templates/postfix/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
new file mode 100644
index 00000000..0bac3318
--- /dev/null
+++ b/apps/charts/cilium/templates/postfix/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-prometheus-metrics
+ namespace: postfix
+spec:
+ description: 'Allow prometheus metrics '
+ endpointSelector:
+ matchLabels:
+ app: smtp-relay
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: prometheus
+ toPorts:
+ - ports:
+ - port: "9154"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-alerting.yaml b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-alerting.yaml
new file mode 100644
index 00000000..e092cb26
--- /dev/null
+++ b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-alerting.yaml
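Review bot: `description: 'Allow prometheus metrics '` in postfix's `allow-prometheus-metrics` carries a trailing space inside the quotes, which is stored verbatim on the applied object; `description: Allow prometheus metrics` matches the unquoted style of every other description in this chart. No other description in the diff has this form, so it looks like an editing slip rather than a deliberate choice.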
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-alerting
+ namespace: prometheus
+spec:
+ description: Allow alerting
+ egress:
+ - toEntities:
+ - world
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: prom-alertmanager
diff --git a/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-alertmanager-ingress.yaml b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-alertmanager-ingress.yaml
new file mode 100644
index 00000000..b6f96e64
--- /dev/null
+++ b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-alertmanager-ingress.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-alertmanager-ingress
+ namespace: prometheus
+spec:
+ description: Allow Nginx ingress
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: alertmanager
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress-nginx
diff --git a/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-dns-metrics.yaml b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-dns-metrics.yaml
new file mode 100644
index 00000000..0ee91e6e
--- /dev/null
+++ b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-dns-metrics.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-dns-metrics
+ namespace: prometheus
+spec:
+ description: Allow DNS metrics
+ egress:
+ - toPorts:
+ - ports:
+ - port: "9153"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
diff --git a/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-etcd-metrics.yaml b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-etcd-metrics.yaml
new file mode 100644
index 00000000..90ac789e
--- /dev/null
+++ b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-etcd-metrics.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-etcd-metrics
+ namespace: prometheus
+spec:
+ description: Allow ETCD metrics
+ egress:
+ - toPorts:
+ - ports:
+ - port: "2379"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
diff --git a/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-grafana-ingress.yaml b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-grafana-ingress.yaml
new file mode 100644
index 00000000..fca3baf2
--- /dev/null
+++ b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-grafana-ingress.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-grafana-ingress
+ namespace: prometheus
+spec:
+ description: Allow Grafana ingress
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: grafana
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress-nginx
diff --git a/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-grafana-oidc-login.yaml b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-grafana-oidc-login.yaml
new file mode 100644
index 00000000..ed2084fe
--- /dev/null
+++ b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-grafana-oidc-login.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-grafana-oidc-login
+ namespace: prometheus
+spec:
+ description: Allow Grafana OIDC login
+ egress:
+ - toFQDNs:
+ - matchName: login.microsoftonline.com
+ - matchPattern: '*.microsoftonline.com'
+ - matchName: api.github.com
+ - matchName: github.com
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: grafana
diff --git a/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-grafana-plugins.yaml b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-grafana-plugins.yaml
new file mode 100644
index 00000000..60721c6a
--- /dev/null
+++ b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-grafana-plugins.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-grafana-plugins
+ namespace: prometheus
+spec:
+ description: Allow Grafana Plugins
+ egress:
+ - toFQDNs:
+ - matchName: grafana.com
+ - matchName: storage.googleapis.com
+ - matchName: raw.githubusercontent.com
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: grafana
diff --git a/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-grafana-secure-gravatar.yaml b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-grafana-secure-gravatar.yaml
new file mode 100644
index 00000000..453c2330
--- /dev/null
+++ b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-grafana-secure-gravatar.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-grafana-secure-gravatar
+ namespace: prometheus
+spec:
+ description: Allow Grafana Secure Gravatar
+ egress:
+ - toFQDNs:
+ - matchName: secure.grafana.com
+ - matchName: secure.gravatar.com
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: grafana
diff --git a/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-host-traffic.yaml b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-host-traffic.yaml
new file mode 100644
index 00000000..bb3a591a
--- /dev/null
+++ b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-host-traffic.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-host-traffic
+ namespace: prometheus
+spec:
+ description: Allow Host Traffic
+ egress:
+ - toEntities:
+ - remote-node
+ - host
+ - kube-apiserver
+ endpointSelector:
+ matchLabels: {}
diff --git a/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-nginx-ingress.yaml b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-nginx-ingress.yaml
new file mode 100644
index 00000000..ac650e55
--- /dev/null
+++ b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-nginx-ingress.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-nginx-ingress
+ namespace: prometheus
+spec:
+ description: Allow Nginx ingress
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress-nginx
diff --git a/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-opencost-scrape.yaml b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-opencost-scrape.yaml
new file mode 100644
index 00000000..4b7bd679
--- /dev/null
+++ b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-opencost-scrape.yaml
@@ -0,0 +1,19 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-opencost-scrape
+ namespace: prometheus
+spec:
+ description: Allow OpenCost scrape
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ app.kubernetes.io/name: opencost
+ io.kubernetes.pod.namespace: opencost
+ - toPorts:
+ - ports:
+ - port: "9090"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-remote-node-to-metrics-server.yaml b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-remote-node-to-metrics-server.yaml
new file mode 100644
index 00000000..0603da13
--- /dev/null
+++ b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-remote-node-to-metrics-server.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-remote-node-to-metrics-server
+ namespace: prometheus
+spec:
+ description: Allow Remote Metrics Server
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: metrics-server
+ ingress:
+ - fromEntities:
+ - remote-node
diff --git a/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-remote-node-to-webhook.yaml b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-remote-node-to-webhook.yaml
new file mode 100644
index 00000000..eeabfcbd
--- /dev/null
+++ b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-remote-node-to-webhook.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-remote-node-to-webhook
+ namespace: prometheus
+spec:
+ description: Allow Remote Web Hook
+ endpointSelector:
+ matchLabels:
+ app: kube-prometheus-stack-operator
+ ingress:
+ - fromEntities:
+ - remote-node
diff --git a/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-robusta-ingress.yaml b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-robusta-ingress.yaml
new file mode 100644
index 00000000..c1856c3f
--- /dev/null
+++ b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-robusta-ingress.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-robusta-ingress
+ namespace: prometheus
+spec:
+ description: Allow Robusta ingress
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: prom-prometheus
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: robusta
diff --git a/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-stats-grafana.yaml b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-stats-grafana.yaml
new file mode 100644
index 00000000..5d1ed102
--- /dev/null
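Review bot: `fromEntities: [remote-node]` without `toPorts` admits any traffic from the host network namespace of every other node to the metrics-server pods, and allow-remote-node-to-webhook on this line does the same for the operator's webhook pod. Both are presumably there for API-server-originated calls (the aggregated metrics API and the admission webhook), which arrive from whichever node the API server runs on; restricting each rule to the pod's serving port with `toPorts: [{ports: [{port: "<SERVING_PORT>", protocol: TCP}]}]` (placeholder, take it from the respective chart) keeps that path open and nothing else. Note that traffic from the API server on the pod's own node is classified as `host`, not `remote-node`, so if the control plane can share a node with these pods the entity list needs both entries.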
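Review bot: allow-robusta-ingress selects the target with `app.kubernetes.io/name: prom-prometheus`, while allow-nginx-ingress and allow-opencost-scrape in the same namespace select `app.kubernetes.io/name: prometheus`; only one of these values can match the deployed server pods, so either robusta is denied or the other two rules never apply. Check the label the pods actually carry (`kubectl get pods -n prometheus --show-labels`) and use that value in all three policies, ideally via a single values entry so they cannot drift again.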
+++ b/apps/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-stats-grafana.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-stats-grafana
+ namespace: prometheus
+spec:
+ description: Allow stats
+ egress:
+ - toFQDNs:
+ - matchName: stats.grafana.org
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: grafana
diff --git a/apps/charts/cilium/templates/rabbitmq/CiliumNetworkPolicy-allow-inter-node-traffic.yaml b/apps/charts/cilium/templates/rabbitmq/CiliumNetworkPolicy-allow-inter-node-traffic.yaml
new file mode 100644
index 00000000..d06ad626
--- /dev/null
+++ b/apps/charts/cilium/templates/rabbitmq/CiliumNetworkPolicy-allow-inter-node-traffic.yaml
@@ -0,0 +1,52 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-inter-node-traffic
+ namespace: rabbitmq
+spec:
+ description: Allow communication between nodes int the RabbitMQ cluster
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ app.kubernetes.io/component: rabbitmq
+ toPorts:
+ - ports:
+ - port: "4369"
+ - endPort: 6500
+ port: "6000"
+ - port: "25672"
+ - port: "35672"
+ - port: "35673"
+ - port: "35674"
+ - port: "35675"
+ - port: "35676"
+ - port: "35677"
+ - port: "35678"
+ - port: "35679"
+ - port: "35680"
+ - port: "35681"
+ - port: "35682"
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/component: rabbitmq
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ app.kubernetes.io/component: rabbitmq
+ toPorts:
+ - ports:
+ - port: "4369"
+ - endPort: 6500
+ port: "6000"
+ - port: "25672"
+ - port: "35672"
+ - port: "35673"
+ - port: "35674"
+ - port: "35675"
+ - port: "35676"
+ - port: "35677"
+ - port: "35678"
+ - port: "35679"
+ - port: "35680"
+ - port: "35681"
+ - port: "35682"
diff --git a/apps/charts/cilium/templates/rabbitmq/CiliumNetworkPolicy-allow-operator-traffic.yaml b/apps/charts/cilium/templates/rabbitmq/CiliumNetworkPolicy-allow-operator-traffic.yaml
new file mode 100644
index 00000000..b7deeb34
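Review bot: allow-stats-grafana appears to exist only so Grafana can send its usage-statistics report to `stats.grafana.org`; if that telemetry is not wanted, turning it off in Grafana's configuration (`analytics.reporting_enabled = false`) removes the need for any egress rule here, which is the smaller surface. If the rule is kept, it has the same missing-`toPorts` shape as allow-grafana-plugins and should be scoped to `443`/TCP the same way.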
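Review bot: The `description` reads `int the RabbitMQ cluster`; it should be `in the RabbitMQ cluster`. The eleven individual `35672`–`35682` entries in both port lists could use the `port`/`endPort` form these same lists already use for `6000`–`6500`: `- port: "35672"` followed by `  endPort: 35682`, which also makes it visible that this is the CLI-tool range (distribution port + 10000 … + 10010). No entry sets `protocol`, so every port is opened for TCP and UDP although epmd, Erlang distribution and the CLI ports are TCP-only; `protocol: TCP` per entry narrows that. The egress half duplicates the ingress list exactly; since Cilium enforces the ingress rule on the receiving pod, the egress half is only necessary if a default-deny egress policy applies to the namespace, which this chunk does not show.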
--- /dev/null
+++ b/apps/charts/cilium/templates/rabbitmq/CiliumNetworkPolicy-allow-operator-traffic.yaml
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-operator-traffic
+ namespace: rabbitmq
+spec:
+ description: Allow access to the RabbitMQ operator
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/component: rabbitmq
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ app.kubernetes.io/component: rabbitmq-operator
+ toPorts:
+ - ports:
+ - port: "15672"
+ - port: "15671"
diff --git a/apps/charts/cilium/templates/rabbitmq/CiliumNetworkPolicy-allow-rabbitmq-traffic.yaml b/apps/charts/cilium/templates/rabbitmq/CiliumNetworkPolicy-allow-rabbitmq-traffic.yaml
new file mode 100644
index 00000000..f57cd209
--- /dev/null
+++ b/apps/charts/cilium/templates/rabbitmq/CiliumNetworkPolicy-allow-rabbitmq-traffic.yaml
@@ -0,0 +1,27 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-rabbitmq-traffic
+ namespace: rabbitmq
+spec:
+ description: Allow access to the RabbitMQ cluster
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/component: rabbitmq
+ ingress:
+ - toPorts:
+ - ports:
+ - port: "5672"
+ - port: "5671"
+ - port: "5552"
+ - port: "5551"
+ - port: "15672"
+ - port: "15671"
+ - port: "61613"
+ - port: "61614"
+ - port: "1883"
+ - port: "8883"
+ - port: "15674"
+ - port: "15675"
+ - port: "15692"
+ - port: "15691"
diff --git a/apps/charts/cilium/templates/robusta/CiliumNetworkPolicy-allow-ingress.yaml b/apps/charts/cilium/templates/robusta/CiliumNetworkPolicy-allow-ingress.yaml
new file mode 100644
index 00000000..5e8415c3
--- /dev/null
+++ b/apps/charts/cilium/templates/robusta/CiliumNetworkPolicy-allow-ingress.yaml
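Review bot: The single `ingress` entry of allow-rabbitmq-traffic has only `toPorts` and no `fromEndpoints`/`fromEntities`, so every listed port — including the management listeners `15672`/`15671` and the metrics listeners `15692`/`15691` — is accepted from any source, while allow-operator-traffic on this line already grants the operator its management access and makes the cluster-wide opening of `15672`/`15671` redundant. A source selector for the client namespaces on this rule, plus a separate rule that admits `15692`/`15691` only from the prometheus namespace (the shape velero's allow-prometheus-metrics uses further down), keeps the AMQP/MQTT/STOMP listeners reachable for clients without exposing the admin and metrics endpoints to every workload in the cluster. As in the inter-node policy, adding `protocol: TCP` to the entries avoids opening the same numbers for UDP.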
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-ingress
+ namespace: robusta
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/component: server
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress-nginx
diff --git a/apps/charts/cilium/templates/robusta/CiliumNetworkPolicy-allow-kube-api.yaml b/apps/charts/cilium/templates/robusta/CiliumNetworkPolicy-allow-kube-api.yaml
new file mode 100644
index 00000000..f91eed07
--- /dev/null
+++ b/apps/charts/cilium/templates/robusta/CiliumNetworkPolicy-allow-kube-api.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-kube-api
+ namespace: robusta
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ - toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels: {}
diff --git a/apps/charts/cilium/templates/robusta/CiliumNetworkPolicy-allow-slack.yaml b/apps/charts/cilium/templates/robusta/CiliumNetworkPolicy-allow-slack.yaml
new file mode 100644
index 00000000..c38a398a
--- /dev/null
+++ b/apps/charts/cilium/templates/robusta/CiliumNetworkPolicy-allow-slack.yaml
@@ -0,0 +1,11 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-slack
+ namespace: robusta
+spec:
+ egress:
+ - toFQDNs:
+ - matchPattern: slack.com
+ endpointSelector:
+ matchLabels: {}
diff --git a/apps/charts/cilium/templates/rook-ceph/CiliumNetworkPolicy-allow-oceanbox-subnet.yaml b/apps/charts/cilium/templates/rook-ceph/CiliumNetworkPolicy-allow-oceanbox-subnet.yaml
new file mode 100644
index 00000000..960eac40
--- /dev/null
+++ b/apps/charts/cilium/templates/rook-ceph/CiliumNetworkPolicy-allow-oceanbox-subnet.yaml
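Review bot: In robusta's allow-kube-api, `endpointSelector: matchLabels: {}` applies the policy to every pod in the namespace, whereas sealed-secrets, velero and x509-exporter scope their API-server rule to one instance label; and because `- toPorts:` is a second, independent entry of the `egress` list rather than part of the `toEntities` rule, every robusta pod can currently open `6443`/TCP toward any destination while also reaching any port of `kube-apiserver`. Selecting only the pods that talk to the API (the `app.kubernetes.io/component: server` label used by allow-ingress on this line, if that is the right component) and un-dashing `toPorts:` so it sits inside the `toEntities` entry closes both gaps.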
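Review bot: `matchPattern: slack.com` in allow-slack contains no wildcard, so it behaves exactly like `matchName` and matches only the apex name; Slack incoming webhooks are served from `hooks.slack.com`, which this entry would not cover, so if that is the host Robusta posts to, the rule silently fails. `matchName: hooks.slack.com` (or `matchPattern: "*.slack.com"` if several hosts are involved) plus `toPorts: [{ports: [{port: "443", protocol: TCP}]}]` expresses the intended allowance, and `endpointSelector` should name the component that sends notifications rather than `matchLabels: {}`, which again covers every pod in the namespace.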
@@ -0,0 +1,19 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-oceanbox-subnet
+ namespace: rook-ceph
+spec:
+ description: Allow oceanbox traffic
+ egress:
+ - toCIDR:
+ - 10.255.241.0/24
+ - toCIDR:
+ - 10.255.244.0/24
+ endpointSelector:
+ matchLabels: {}
+ ingress:
+ - fromCIDR:
+ - 10.255.241.0/24
+ - fromCIDR:
+ - 10.255.244.0/24
diff --git a/apps/charts/cilium/templates/s3-sync/CiliumNetworkPolicy-allow-s3-internal.yaml b/apps/charts/cilium/templates/s3-sync/CiliumNetworkPolicy-allow-s3-internal.yaml
new file mode 100644
index 00000000..cd00612d
--- /dev/null
+++ b/apps/charts/cilium/templates/s3-sync/CiliumNetworkPolicy-allow-s3-internal.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-s3-internal
+ namespace: s3-sync
+spec:
+ description: Allow s3 traffic internal
+ egress:
+ - toCIDR:
+ - 10.139.2.20/32
+ - toCIDR:
+ - 10.139.2.21/32
+ endpointSelector:
+ matchLabels: {}
diff --git a/apps/charts/cilium/templates/s3-sync/CiliumNetworkPolicy-allow-s3-sync.yaml b/apps/charts/cilium/templates/s3-sync/CiliumNetworkPolicy-allow-s3-sync.yaml
new file mode 100644
index 00000000..58b8e709
--- /dev/null
+++ b/apps/charts/cilium/templates/s3-sync/CiliumNetworkPolicy-allow-s3-sync.yaml
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-s3-sync
+ namespace: s3-sync
+spec:
+ description: Allow sync to safespring
+ egress:
+ - toFQDNs:
+ - matchName: s3.osl2.safedc.net
+ endpointSelector:
+ matchLabels: {}
diff --git a/apps/charts/cilium/templates/sealed-secrets/CiliumNetworkPolicy-allow-kube-api.yaml b/apps/charts/cilium/templates/sealed-secrets/CiliumNetworkPolicy-allow-kube-api.yaml
new file mode 100644
index 00000000..d56b8d90
--- /dev/null
+++ b/apps/charts/cilium/templates/sealed-secrets/CiliumNetworkPolicy-allow-kube-api.yaml
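Review bot: With `matchLabels: {}` and no `toPorts`, allow-oceanbox-subnet lets every pod in rook-ceph talk to, and be reached from, both /24s on every port; for a storage cluster serving clients outside Kubernetes, a port list (the mon and OSD ports this deployment actually uses — a placeholder until checked) and, on the ingress side, a selector for the daemon pods would bound it to what Ceph clients need. Style-wise the two `- toCIDR` entries (and the two `- fromCIDR` entries) are separate rules that can be one rule each with both CIDRs under a single key, `- toCIDR: [10.255.241.0/24, 10.255.244.0/24]`; allow-s3-internal on this line has the same split-list shape with its two /32s.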
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-kube-api
+ namespace: sealed-secrets
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ - toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: sealed-secrets
diff --git a/apps/charts/cilium/templates/tempo/CiliumNetworkPolicy-allow-api-server.yaml b/apps/charts/cilium/templates/tempo/CiliumNetworkPolicy-allow-api-server.yaml
new file mode 100644
index 00000000..aa3ddd8c
--- /dev/null
+++ b/apps/charts/cilium/templates/tempo/CiliumNetworkPolicy-allow-api-server.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-api-server
+ namespace: tempo
+spec:
+ egress:
+ - toPorts:
+ - ports:
+ - port: "7946"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: tempo
diff --git a/apps/charts/cilium/templates/velero/CiliumNetworkPolicy-allow-api-server.yaml b/apps/charts/cilium/templates/velero/CiliumNetworkPolicy-allow-api-server.yaml
new file mode 100644
index 00000000..cb01381b
--- /dev/null
+++ b/apps/charts/cilium/templates/velero/CiliumNetworkPolicy-allow-api-server.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-api-server
+ namespace: velero
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: velero
diff --git a/apps/charts/cilium/templates/velero/CiliumNetworkPolicy-allow-job-api-server.yaml b/apps/charts/cilium/templates/velero/CiliumNetworkPolicy-allow-job-api-server.yaml
new file mode 100644
index 00000000..21c8e2ff
--- /dev/null
+++ b/apps/charts/cilium/templates/velero/CiliumNetworkPolicy-allow-job-api-server.yaml
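Review bot: tempo's allow-api-server egress rule has no destination selector (`toEntities`/`toEndpoints`), so the tempo pods may reach `7946`/TCP at any destination in or outside the cluster, and the file name does not match the port: 7946 is the memberlist gossip port, not the Kubernetes API. If the intent is ring gossip between tempo replicas, `toEndpoints: [{matchLabels: {app.kubernetes.io/instance: tempo}}]` on the same rule (the label already used as `endpointSelector`) expresses it and the file should be renamed accordingly; if API-server access is also needed, velero's allow-api-server on this line — `toEntities: [kube-apiserver]` together with `toPorts` for `6443` in one entry — is the model to copy.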
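Review bot: velero's allow-job-api-server selects pods by `batch.kubernetes.io/job-name: velero-upgrade-crds`, the prefixed label that the Job controller only sets on newer control planes (older ones label job pods with the unprefixed `job-name` only); on such a cluster the policy matches nothing and the CRD-upgrade job is silently denied API access. If the cluster version is not pinned, matching on `job-name: velero-upgrade-crds`, which every version sets, or carrying both labels in two rules is the safer choice, and a one-line comment above the selector recording which label is expected would help the next reader.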
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-job-api-server
+ namespace: velero
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ batch.kubernetes.io/job-name: velero-upgrade-crds
diff --git a/apps/charts/cilium/templates/velero/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/apps/charts/cilium/templates/velero/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
new file mode 100644
index 00000000..1631d4bf
--- /dev/null
+++ b/apps/charts/cilium/templates/velero/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-prometheus-metrics
+ namespace: velero
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: velero
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: prometheus
+ - toPorts:
+ - ports:
+ - port: "8085"
+ protocol: TCP
diff --git a/apps/charts/cilium/templates/x509-exporter/CiliumNetworkPolicy-allow-api-server.yaml b/apps/charts/cilium/templates/x509-exporter/CiliumNetworkPolicy-allow-api-server.yaml
new file mode 100644
index 00000000..7742a0fe
--- /dev/null
+++ b/apps/charts/cilium/templates/x509-exporter/CiliumNetworkPolicy-allow-api-server.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-api-server
+ namespace: x509-exporter
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: x509-exporter
diff --git a/apps/charts/cilium/templates/x509-exporter/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/apps/charts/cilium/templates/x509-exporter/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
new file mode 100644
index 00000000..cc040dd9
--- /dev/null
+++ b/apps/charts/cilium/templates/x509-exporter/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-prometheus-metrics
+ namespace: x509-exporter
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: x509-exporter
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: prometheus
+ - toPorts:
+ - ports:
+ - port: "9793"
+ protocol: TCP
diff --git a/apps/charts/cilium/values.yaml b/apps/charts/cilium/values.yaml
new file mode 100644
index 00000000..3964005c
--- /dev/null
+++ b/apps/charts/cilium/values.yaml
@@ -0,0 +1,5 @@
+s3:
+ hosts:
+ patterns:
+ cidr:
+ - 10.255.241.30/32
diff --git a/apps/old/loki.yaml b/apps/old/loki.yaml
index 90260805..2e46746d
--- a/apps/old/loki.yaml
+++ b/apps/old/loki.yaml
@@ -114,7 +114,7 @@ spec: annotations: cert-manager.io/cluster-issuer: letsencrypt-staging nginx.ingress.kubernetes.io/ssl-redirect: "true" - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal hosts: - loki.adm.oceanbox.io tls:
diff --git a/apps/old/opentelemetry-collector.yaml b/apps/old/opentelemetry-collector.yaml
index 70b04b6b..1714c341
--- a/apps/old/opentelemetry-collector.yaml
+++ b/apps/old/opentelemetry-collector.yaml
@@ -96,7 +96,7 @@ spec: annotations: cert-manager.io/cluster-issuer: letsencrypt-production nginx.ingress.kubernetes.io/ssl-redirect: "true" - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal ingressClassName: nginx hosts: - host: opentelemetry-collector.adm.oceanbox.io
diff --git a/apps/old/tempo.yaml b/apps/old/tempo.yaml
index 85240ca9..80e97ff9
--- a/apps/old/tempo.yaml
+++ b/apps/old/tempo.yaml
@@ -66,7 +66,7 @@ spec: annotations: cert-manager.io/cluster-issuer: letsencrypt-staging nginx.ingress.kubernetes.io/ssl-redirect: "true" - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal path: / pathType: Prefix hosts:
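Review bot: values.yaml introduces `s3.hosts.patterns.cidr` with a single /32, but none of the templates visible in this diff reference `.Values.s3`; the s3-sync policies hard-code `10.139.2.20/32`, `10.139.2.21/32` and the FQDN instead, so unless a template outside this chunk reads it the key is dead configuration that will mislead the next person who edits it. Either render the s3-sync `toCIDR` list from the value (`{{- toYaml .Values.s3.hosts.patterns.cidr | nindent 8 }}` in place of the literal entries) or drop the key; the `hosts:`/`patterns:` intermediate levels carry no data of their own, so a flat `s3: cidrs: [...]` would also read more clearly.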
diff --git a/charts/archmeister/templates/internal-ingress.yaml b/charts/archmeister/templates/internal-ingress.yaml
index 6f1a9489..7f8dbe8b
--- a/charts/archmeister/templates/internal-ingress.yaml
+++ b/charts/archmeister/templates/internal-ingress.yaml
@@ -20,7 +20,7 @@ metadata: {{- include "Archmeister.labels" . | nindent 4 }} {{- with .Values.ingress.annotations }} annotations: - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal {{- toYaml . | nindent 4 }} {{- end }} spec:
diff --git a/charts/atlantis/templates/internal-ingress.yaml b/charts/atlantis/templates/internal-ingress.yaml
index 8c1b17a5..063c6250
--- a/charts/atlantis/templates/internal-ingress.yaml
+++ b/charts/atlantis/templates/internal-ingress.yaml
@@ -20,7 +20,7 @@ metadata: {{- include "Atlantis.labels" . | nindent 4 }} {{- with .Values.ingress.annotations }} annotations: - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal {{- toYaml . | nindent 4 }} {{- end }} spec:
diff --git a/charts/plume/templates/internal-ingress.yaml b/charts/plume/templates/internal-ingress.yaml
index 640fd79d..563981ed
--- a/charts/plume/templates/internal-ingress.yaml
+++ b/charts/plume/templates/internal-ingress.yaml
@@ -20,7 +20,7 @@ metadata: {{- include "Plume.labels" . | nindent 4 }} {{- with .Values.ingress.annotations }} annotations: - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal {{- toYaml . | nindent 4 }} {{- end }} spec:
diff --git a/charts/sorcerer/templates/internal-ingress.yaml b/charts/sorcerer/templates/internal-ingress.yaml
index 58ab6280..61c202db
--- a/charts/sorcerer/templates/internal-ingress.yaml
+++ b/charts/sorcerer/templates/internal-ingress.yaml
@@ -20,7 +20,7 @@ metadata: {{- include "Sorcerer.labels" . | nindent 4 }} {{- with .Values.ingress.annotations }} annotations: - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal {{- toYaml . | nindent 4 }} {{- end }} spec:
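Review bot: In the archmeister template the renamed `oceanbox.io/expose: internal` line sits inside `{{- with .Values.ingress.annotations }}`, so a release whose values set no ingress annotations renders the internal Ingress without the marker, and the Kyverno add-ingress-whitelist rule that keys on this annotation then never applies the source whitelist to it; the enclosing `metadata:` block starts before the hunk. Emitting `annotations:` and `  oceanbox.io/expose: internal` unconditionally and only wrapping the `{{- toYaml . | nindent 4 }}` in the `with` block makes the internal marker independent of user-supplied annotations. The atlantis, plume and sorcerer templates on this line repeat the same structure and need the same change.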
diff --git a/values/atlantis/values/values-staging.yaml.gotmpl b/values/atlantis/values/values-staging.yaml.gotmpl
index 65c25d94..596bd7fe
--- a/values/atlantis/values/values-staging.yaml.gotmpl
+++ b/values/atlantis/values/values-staging.yaml.gotmpl
@@ -45,7 +45,7 @@ ingress: # nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity" # nginx.ingress.kubernetes.io/session-cookie-expires: "86400" # nginx.ingress.kubernetes.io/session-cookie-max-age: "86400" - # atlantis.oceanbox.io/expose: internal + # oceanbox.io/expose: internal hosts: - host: atlantis.beta.oceanbox.io paths:
diff --git a/values/attic/archmeister/prod/kustomization.yaml b/values/attic/archmeister/prod/kustomization.yaml
index bc309722..1af54e43
--- a/values/attic/archmeister/prod/kustomization.yaml
+++ b/values/attic/archmeister/prod/kustomization.yaml
@@ -19,7 +19,7 @@ patches: group: networking.k8s.io kind: Ingress name: prod-archmeister-internal - annotationSelector: atlantis.oceanbox.io/expose=internal + annotationSelector: oceanbox.io/expose=internal version: v1 resources: - ../base
diff --git a/values/attic/archmeister/staging/kustomization.yaml b/values/attic/archmeister/staging/kustomization.yaml
index 28e76646..33c43e00
--- a/values/attic/archmeister/staging/kustomization.yaml
+++ b/values/attic/archmeister/staging/kustomization.yaml
@@ -19,7 +19,7 @@ patches: group: networking.k8s.io kind: Ingress name: staging-archmeister-internal - annotationSelector: atlantis.oceanbox.io/expose=internal + annotationSelector: oceanbox.io/expose=internal version: v1 resources: - ../base
diff --git a/values/attic/archmeister/values-staging.yaml b/values/attic/archmeister/values-staging.yaml
index 1ae27409..9ce8a708
--- a/values/attic/archmeister/values-staging.yaml
+++ b/values/attic/archmeister/values-staging.yaml
@@ -20,7 +20,7 @@ image: ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-production - # atlantis.oceanbox.io/expose: internal + # oceanbox.io/expose: internal hosts: - host: archmeister.beta.oceanbox.io paths:
diff --git a/values/attic/hipster/values-prod.yaml b/values/attic/hipster/values-prod.yaml
index 68e4f642..a656eef8
--- a/values/attic/hipster/values-prod.yaml
+++ b/values/attic/hipster/values-prod.yaml
@@ -20,4 +20,4 @@ podAnnotations: ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-production - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal
diff --git a/values/attic/hipster/values-staging.yaml b/values/attic/hipster/values-staging.yaml
index ee159ca4..35ee5c5a
--- a/values/attic/hipster/values-staging.yaml
+++ b/values/attic/hipster/values-staging.yaml
@@ -20,4 +20,4 @@ podAnnotations: ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-staging - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal
diff --git a/values/attic/petimeter/values-staging.yaml b/values/attic/petimeter/values-staging.yaml
index f0aff180..1ad8668d
--- a/values/attic/petimeter/values-staging.yaml
+++ b/values/attic/petimeter/values-staging.yaml
@@ -21,7 +21,7 @@ ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-staging nginx.ingress.kubernetes.io/proxy-buffer-size: 128k - # atlantis.oceanbox.io/expose: internal + # oceanbox.io/expose: internal hosts: - host: petimeter.beta.oceanbox.io paths:
diff --git a/values/attic/seq/values.yaml b/values/attic/seq/values.yaml
index 6c571671..e877cad3
--- a/values/attic/seq/values.yaml
+++ b/values/attic/seq/values.yaml
@@ -64,7 +64,7 @@ ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-production kubernetes.io/ingress.class: nginx - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal tls: - secretName: seq-tls hosts:
diff --git a/values/busynix/values-prod.yaml b/values/busynix/values-prod.yaml
index 0a55095b..0d179d6a
--- a/values/busynix/values-prod.yaml
+++ b/values/busynix/values-prod.yaml
@@ -5,7 +5,7 @@ ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-staging nginx.ingress.kubernetes.io/proxy-buffer-size: 128k - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal hosts: - host: busynix.srv.oceanbox.io paths:
diff --git a/values/busynix/values-staging.yaml b/values/busynix/values-staging.yaml
index d00073ca..5ae9421e
--- a/values/busynix/values-staging.yaml
+++ b/values/busynix/values-staging.yaml
@@ -8,7 +8,7 @@ ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-staging nginx.ingress.kubernetes.io/proxy-buffer-size: 128k - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal hosts: - host: busynix.beta.oceanbox.io paths:
diff --git a/values/geoserver/prod/ingress-web.yaml b/values/geoserver/prod/ingress-web.yaml
index 4001b2b4..5d9c1fb6
--- a/values/geoserver/prod/ingress-web.yaml
+++ b/values/geoserver/prod/ingress-web.yaml
@@ -5,7 +5,7 @@ metadata: cert-manager.io/cluster-issuer: letsencrypt-staging nginx.ingress.kubernetes.io/backend-protocol: HTTP nginx.ingress.kubernetes.io/ssl-redirect: "true" - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal labels: app.kubernetes.io/instance: prod-geoserver app.kubernetes.io/name: geoserver
diff --git a/values/geoserver/staging/ingress-web.yaml b/values/geoserver/staging/ingress-web.yaml
index a7e22c4e..58f95f71
--- a/values/geoserver/staging/ingress-web.yaml
+++ b/values/geoserver/staging/ingress-web.yaml
@@ -5,7 +5,7 @@ metadata: cert-manager.io/cluster-issuer: letsencrypt-staging nginx.ingress.kubernetes.io/backend-protocol: HTTP nginx.ingress.kubernetes.io/ssl-redirect: "true" - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal labels: app.kubernetes.io/instance: staging-geoserver app.kubernetes.io/name: geoserver
diff --git a/values/geoserver/values-staging.yaml b/values/geoserver/values-staging.yaml
index 36691ebc..79eaff31
--- a/values/geoserver/values-staging.yaml
+++ b/values/geoserver/values-staging.yaml
@@ -83,7 +83,7 @@ ingress: cert-manager.io/cluster-issuer: letsencrypt-staging nginx.ingress.kubernetes.io/backend-protocol: HTTP nginx.ingress.kubernetes.io/ssl-redirect: "true" - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal hosts: - host: geoserver.beta.oceanbox.io tls:
diff --git a/values/osm-tile-server/values-prod.yaml b/values/osm-tile-server/values-prod.yaml
index f0b45fa8..fb15457c
--- a/values/osm-tile-server/values-prod.yaml
+++ b/values/osm-tile-server/values-prod.yaml
@@ -4,7 +4,7 @@ ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-staging nginx.ingress.kubernetes.io/proxy-buffer-size: 128k - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal hosts: - host: osm.srv.oceanbox.io paths:
diff --git a/values/osm-tile-server/values-staging.yaml b/values/osm-tile-server/values-staging.yaml
index 4a0e1e0a..700af638
--- a/values/osm-tile-server/values-staging.yaml
+++ b/values/osm-tile-server/values-staging.yaml
@@ -7,7 +7,7 @@ ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-staging nginx.ingress.kubernetes.io/proxy-buffer-size: 128k - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal hosts: - host: osm.beta.oceanbox.io paths:
diff --git a/values/rabbitmq/values-prod.yaml b/values/rabbitmq/values-prod.yaml
index e57e74a2..bfddc700
--- a/values/rabbitmq/values-prod.yaml
+++ b/values/rabbitmq/values-prod.yaml
@@ -10,7 +10,7 @@ ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-production nginx.ingress.kubernetes.io/ssl-redirect: "true" - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal enabled: true extraHosts: [] extraPaths: []
diff --git a/values/rabbitmq/values-staging.yaml b/values/rabbitmq/values-staging.yaml
index 95a10da8..825f093a
--- a/values/rabbitmq/values-staging.yaml
+++ b/values/rabbitmq/values-staging.yaml
@@ -10,7 +10,7 @@ ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-staging nginx.ingress.kubernetes.io/ssl-redirect: "true" - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal enabled: true ingressClassName: "" extraHosts:
diff --git a/values/rabbitmq/values/rabbitmq-prod.yaml.gotmpl b/values/rabbitmq/values/rabbitmq-prod.yaml.gotmpl
index 78131362..9bcba693
--- a/values/rabbitmq/values/rabbitmq-prod.yaml.gotmpl
+++ b/values/rabbitmq/values/rabbitmq-prod.yaml.gotmpl
@@ -10,7 +10,7 @@ ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-production nginx.ingress.kubernetes.io/ssl-redirect: "true" - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal enabled: true extraHosts: [] extraPaths: []
diff --git a/values/rabbitmq/values/rabbitmq-staging.yaml.gotmpl b/values/rabbitmq/values/rabbitmq-staging.yaml.gotmpl
index 52068aa3..7b5d5f1e
--- a/values/rabbitmq/values/rabbitmq-staging.yaml.gotmpl
+++ b/values/rabbitmq/values/rabbitmq-staging.yaml.gotmpl
@@ -10,7 +10,7 @@ ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-staging nginx.ingress.kubernetes.io/ssl-redirect: "true" - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal enabled: true ingressClassName: "" extraHosts:
diff --git a/values/sorcerer/values/values-staging.yaml b/values/sorcerer/values/values-staging.yaml
index e50049eb..0c5275b9
--- a/values/sorcerer/values/values-staging.yaml
+++ b/values/sorcerer/values/values-staging.yaml
@@ -39,7 +39,7 @@ ingress: nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity" nginx.ingress.kubernetes.io/session-cookie-expires: "86400" nginx.ingress.kubernetes.io/session-cookie-max-age: "86400" - # atlantis.oceanbox.io/expose: internal + # oceanbox.io/expose: internal hosts: - host: sorcerer.ekman.oceanbox.io paths:
diff --git a/values/system/ekman/kyverno/add-ingress-whitelist.yaml b/values/system/ekman/kyverno/add-ingress-whitelist.yaml
index 58c7b529..20c32017
--- a/values/system/ekman/kyverno/add-ingress-whitelist.yaml
+++ b/values/system/ekman/kyverno/add-ingress-whitelist.yaml
@@ -17,4 +17,4 @@ spec: kinds: - Ingress annotations: - atlantis.oceanbox.io/expose: internal + oceanbox.io/expose: internal
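Review bot: The Kyverno match annotation and the annotation on the Ingress resources are renamed in one commit, but they are not applied atomically: an Ingress admitted with the new key before this policy is rolled out, or a chart still emitting the old key after Kyverno has moved on, is admitted without the whitelist, and if this is a mutate rule as the file name suggests it does not revisit objects that already exist. Rolling out the policy first and then re-admitting each internal Ingress (or enabling Kyverno's mutate-existing behaviour for this rule) closes that window. A comment next to the key, `# renamed from atlantis.oceanbox.io/expose; must match charts/*/templates/internal-ingress.yaml and the values/ annotations`, would record the coupling for the next rename.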