fix: update white-listing annotation

2025-06-22 08:33:29 +02:00
parent 561c620f98
commit 383477822a
141 changed files with 1854 additions and 28 deletions
@@ -0,0 +1,18 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-controller-metrics
namespace: kube-system
spec:
description: Allow Controller Metrics
endpointSelector:
matchLabels:
k8s-app: kube-controller-manager
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: prometheus
- toPorts:
- ports:
- port: "10257"
protocol: TCP
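Review bot: The `- toPorts:` item that follows the Prometheus `fromEndpoints` selector begins a second ingress rule instead of narrowing the first, so as written the prometheus namespace gets every port of kube-controller-manager and the L4-only second rule opens 10257/TCP to any peer, which is how Cilium treats a rule with `toPorts` and no `from*` selector (indentation was dropped in this rendering, but the leading `-` is what makes it a separate list item). The description says metrics only, so the two halves belong in one rule: remove the dash so the key reads `toPorts:` inside the same list item as `fromEndpoints`, exactly the shape allow-dns uses for its `toPorts:` key. The same split appears in allow-dns-metrics, allow-hubble-relay-metrics and allow-proxy-metrics.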
@@ -0,0 +1,12 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-csi-webhook
namespace: kube-system
spec:
endpointSelector:
matchLabels:
app: csi-snapshot-webhook
ingress:
- fromEntities:
- remote-node
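Review bot: The single ingress rule for csi-snapshot-webhook carries no `toPorts`, so the `remote-node` entity reaches every port of the pod rather than only the webhook listener; add `toPorts: - ports: - port: "<WEBHOOK_PORT>" protocol: TCP` with the port taken from the webhook's container spec (placeholder here). Whether API-server calls arrive as `remote-node` or as the `kube-apiserver`/`host` entity depends on where the control plane runs, so this should be confirmed against a live cluster before relying on it. This is also the only policy in the set without a `spec.description`; `description: Allow CSI snapshot webhook` would keep it consistent with the others.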
@@ -0,0 +1,18 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-dns-metrics
namespace: kube-system
spec:
description: Allow DNS metrics
endpointSelector:
matchLabels:
k8s-app: kube-dns
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: prometheus
- toPorts:
- ports:
- port: "9153"
protocol: TCP
@@ -0,0 +1,31 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-dns-world
namespace: kube-system
spec:
description: Allow DNS World
egress:
- toCIDR:
- 8.8.8.8/32
- 172.31.254.11/32
- 1.1.1.1/32
toPorts:
- ports:
- port: "53"
protocol: UDP
rules:
dns:
- matchPattern: '*'
- toEntities:
- world
toPorts:
- ports:
- port: "53"
protocol: UDP
rules:
dns:
- matchPattern: '*'
endpointSelector:
matchLabels:
k8s-app: kube-dns
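Review bot: Both egress rules of allow-dns-world allow only `protocol: UDP` on port 53, so an upstream answer that is truncated and retried over TCP is dropped; allow-dns (pods to kube-dns) and allow-namespace-traffic (kube-system egress to kube-dns) have the same UDP-only shape. Either add a second entry `- port: "53"` / `protocol: TCP` under each `ports:` list or use `protocol: ANY`, which Cilium accepts in L4 rules. Separately, the second rule's `toEntities: - world` already covers the public resolvers 8.8.8.8 and 1.1.1.1 from the first rule and additionally lets kube-dns send port-53 queries to any host on the internet, which widens the policy well beyond the pinned upstreams. If the three CIDRs are the intended upstream set, drop the `world` rule; 172.31.254.11 is a private address and is presumably listed because `world` would not match it if it sits inside the cluster's own ranges — worth confirming.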
@@ -0,0 +1,19 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-dns
namespace: kube-system
spec:
description: Allow DNS
endpointSelector:
matchLabels:
k8s-app: kube-dns
ingress:
- fromEndpoints:
- matchExpressions:
- key: io.kubernetes.pod.namespace
operator: Exists
toPorts:
- ports:
- port: "53"
protocol: UDP
@@ -0,0 +1,14 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-host-traffic
namespace: kube-system
spec:
description: Allow Host Traffic
egress:
- toEntities:
- remote-node
- host
- kube-apiserver
endpointSelector:
matchLabels: {}
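Review bot: allow-host-traffic selects every pod in kube-system (`matchLabels: {}`) and its egress rule to `remote-node`, `host` and `kube-apiserver` has no `toPorts`, so any kube-system pod may open any port on any node, including host-network services that are not meant to be reachable from pods. Most workloads here only need the API server; split this into one rule with `toEntities: - kube-apiserver` limited to the API port, e.g. `toPorts: - ports: - port: "<APISERVER_PORT>" protocol: TCP` (placeholder for the cluster's actual API port), and a second, narrower rule for the components that genuinely need node access. If the broad form is deliberate during rollout, a sentence in `description` saying so would help the next reader.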
@@ -0,0 +1,14 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-hubble-ingress
namespace: kube-system
spec:
description: Allow Hubble ingress
endpointSelector:
matchLabels:
k8s-app: hubble-ui
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress-nginx
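Review bot: allow-hubble-ingress admits every pod in the ingress-nginx namespace on every port of hubble-ui, because the `fromEndpoints` selector matches only on `io.kubernetes.pod.namespace` and the rule has no `toPorts`; allow-hubble-oauth2-ingress has the same shape. Add the ingress controller's own pod label next to the namespace label (`<controller-label>: <value>`, whichever label the deployed controller carries) and a `toPorts` entry for the UI's listening port, `- port: "<HUBBLE_UI_PORT>"` / `protocol: TCP` (placeholder). Anything else scheduled into ingress-nginx would otherwise inherit full access to both pods.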
@@ -0,0 +1,14 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-hubble-oauth2-ingress
namespace: kube-system
spec:
description: Allow Hubble OAuth2 ingress
endpointSelector:
matchLabels:
k8s-app: oauth2-proxy
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress-nginx
@@ -0,0 +1,18 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-hubble-relay-metrics
namespace: kube-system
spec:
description: Allow Hubble Relay Metrics
endpointSelector:
matchLabels:
k8s-app: hubble-relay
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: prometheus
- toPorts:
- ports:
- port: "9966"
protocol: TCP
@@ -0,0 +1,15 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-microsoft-sso
namespace: kube-system
spec:
description: Allow Microsoft SSO
egress:
- toFQDNs:
- matchName: login.microsoftonline.com
- matchPattern: '*.microsoftonline.com'
- matchName: graph.microsoft.com
endpointSelector:
matchLabels:
k8s-app: oauth2-proxy
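Review bot: The `toFQDNs` rule for oauth2-proxy has no `toPorts`, so egress to the Microsoft endpoints is allowed on every port; restrict it to HTTPS with `toPorts: - ports: - port: "443" protocol: TCP` (443 assumed from the HTTPS issuer — confirm the configured URLs use the default port). `matchName: login.microsoftonline.com` appears to be already covered by `matchPattern: '*.microsoftonline.com'` and could be dropped to keep the list minimal. FQDN rules only take effect when the pod's DNS lookups pass through Cilium's DNS proxy; that looks satisfied by the `rules: dns` egress entry in allow-namespace-traffic, which selects all kube-system pods, so the two policies should be applied together.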
@@ -0,0 +1,26 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-namespace-traffic
namespace: kube-system
spec:
description: Allow Namespace Traffic
egress:
- toEndpoints:
- {}
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: UDP
rules:
dns:
- matchPattern: '*'
endpointSelector:
matchLabels: {}
ingress:
- fromEndpoints:
- {}
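Review bot: allow-namespace-traffic turns kube-system into a flat mesh: `endpointSelector: matchLabels: {}` selects every pod, and the empty `toEndpoints: - {}` and `fromEndpoints: - {}` selectors (namespace-scoped in a CiliumNetworkPolicy, as far as I can tell) allow every kube-system pod to reach every port of every other kube-system pod. Since Cilium unions the rules of all policies selecting an endpoint, this undoes the port- and source-level scoping the per-component policies in this commit add for peers inside the namespace; the metrics ports that the allow-*-metrics policies limit to prometheus are open to any kube-system pod here. If this is a deliberate default-allow while policies are rolled out, say so in `description`; otherwise replace the two empty-selector rules with rules naming the intra-namespace flows that are actually needed.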
@@ -0,0 +1,18 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-proxy-metrics
namespace: kube-system
spec:
description: Allow Proxy metrics
endpointSelector:
matchLabels:
k8s-app: kube-proxy
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: prometheus
- toPorts:
- ports:
- port: "10249"
protocol: TCP