fix: update white-listing annotation

apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-acme-solvers.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-acme-solvers
+spec:
+  description: Policy for ingress for Acme Solvers.
+  endpointSelector:
+    matchLabels:
+      acme.cert-manager.io/http01-solver: "true"
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx

apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-dns.yaml

@@ -0,0 +1,24 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-dns
+spec:
+  description: 'description: Allow only dns traffic by default. Also acts as a deny-all policy'
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+        - rules:
+            dns:
+              - matchPattern: '*'
+  endpointSelector:
+    matchExpressions:
+      - key: io.kubernetes.pod.namespace
+        operator: NotIn
+        values:
+          - kube-system

apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-mariadb-operator.yaml

@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-mariadb-operator
+spec:
+  description: allow mariadb instances to be reached by operator
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: mariadb
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: mariadb-operator
+            io.kubernetes.pod.namespace: mariadb-operator
+      toPorts:
+        - ports:
+            - port: "3306"
+              protocol: TCP

apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-s3.yaml

@@ -0,0 +1,20 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-s3-traffic
+spec:
+  description: Policy for egress for CNPG Backups.
+  egress:
+    - toFQDNs:
+      {{- range .Values.s3.hosts }}
+        - matchName: {{ . | quote }}
+      {{- end }}
+      {{- range .Values.s3.patterns }}
+        - matchPattern: {{ . | quote }}
+      {{- end }}
+    - toCIDR:
+      {{- range .Values.s3.cidr }}
+        - {{ . | quote }}
+      {{- end }}
+  endpointSelector:
+    matchLabels: {}

apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-cilium-health-checks.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: cilium-health-checks
+spec:
+  description: Health checks
+  egress:
+    - toEntities:
+        - remote-node
+  endpointSelector:
+    matchLabels:
+      reserved:health: ""
+  ingress:
+    - fromEntities:
+        - remote-node

apps/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-deny-all.yaml

@@ -0,0 +1,9 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: deny-all
+spec:
+  description: Deny all
+  egress: []
+  endpointSelector: {}
+  ingress: []