wip: merge old serit-platfrom into manifests

policies/sys/prometheus/CiliumNetworkPolicy-allow-alerting.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-alerting
+  namespace: prometheus
+spec:
+  description: Allow alerting
+  egress:
+    - toEntities:
+        - world
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: prom-alertmanager

policies/sys/prometheus/CiliumNetworkPolicy-allow-alertmanager-ingress.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-alertmanager-ingress
+  namespace: prometheus
+spec:
+  description: Allow Nginx ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: alertmanager
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx

policies/sys/prometheus/CiliumNetworkPolicy-allow-dns-metrics.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-dns-metrics
+  namespace: prometheus
+spec:
+  description: Allow DNS metrics
+  egress:
+    - toPorts:
+        - ports:
+            - port: "9153"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus

policies/sys/prometheus/CiliumNetworkPolicy-allow-etcd-metrics.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-etcd-metrics
+  namespace: prometheus
+spec:
+  description: Allow ETCD metrics
+  egress:
+    - toPorts:
+        - ports:
+            - port: "2379"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus

policies/sys/prometheus/CiliumNetworkPolicy-allow-grafana-ingress.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-ingress
+  namespace: prometheus
+spec:
+  description: Allow Grafana ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx

policies/sys/prometheus/CiliumNetworkPolicy-allow-grafana-oidc-login.yaml

@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-oidc-login
+  namespace: prometheus
+spec:
+  description: Allow Grafana OIDC login
+  egress:
+    - toFQDNs:
+        - matchName: login.microsoftonline.com
+        - matchPattern: '*.microsoftonline.com'
+        - matchName: api.github.com
+        - matchName: github.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana

policies/sys/prometheus/CiliumNetworkPolicy-allow-grafana-plugins.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-plugins
+  namespace: prometheus
+spec:
+  description: Allow Grafana Plugins
+  egress:
+    - toFQDNs:
+        - matchName: grafana.com
+        - matchName: storage.googleapis.com
+        - matchName: raw.githubusercontent.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana

policies/sys/prometheus/CiliumNetworkPolicy-allow-grafana-secure-gravatar.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-secure-gravatar
+  namespace: prometheus
+spec:
+  description: Allow Grafana Secure Gravatar
+  egress:
+    - toFQDNs:
+        - matchName: secure.grafana.com
+        - matchName: secure.gravatar.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana

policies/sys/prometheus/CiliumNetworkPolicy-allow-host-traffic.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-host-traffic
+  namespace: prometheus
+spec:
+  description: Allow Host Traffic
+  egress:
+    - toEntities:
+        - remote-node
+        - host
+        - kube-apiserver
+  endpointSelector:
+    matchLabels: {}

policies/sys/prometheus/CiliumNetworkPolicy-allow-nginx-ingress.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-nginx-ingress
+  namespace: prometheus
+spec:
+  description: Allow Nginx ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx

policies/sys/prometheus/CiliumNetworkPolicy-allow-opencost-scrape.yaml

@@ -0,0 +1,19 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-opencost-scrape
+  namespace: prometheus
+spec:
+  description: Allow OpenCost scrape
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: opencost
+            io.kubernetes.pod.namespace: opencost
+    - toPorts:
+        - ports:
+            - port: "9090"
+              protocol: TCP

policies/sys/prometheus/CiliumNetworkPolicy-allow-remote-node-to-metrics-server.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-to-metrics-server
+  namespace: prometheus
+spec:
+  description: Allow Remote Metrics Server
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: metrics-server
+  ingress:
+    - fromEntities:
+        - remote-node

policies/sys/prometheus/CiliumNetworkPolicy-allow-remote-node-to-webhook.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-to-webhook
+  namespace: prometheus
+spec:
+  description: Allow Remote Web Hook
+  endpointSelector:
+    matchLabels:
+      app: kube-prometheus-stack-operator
+  ingress:
+    - fromEntities:
+        - remote-node

policies/sys/prometheus/CiliumNetworkPolicy-allow-robusta-ingress.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-robusta-ingress
+  namespace: prometheus
+spec:
+  description: Allow Robusta ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prom-prometheus
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: robusta

policies/sys/prometheus/CiliumNetworkPolicy-allow-stats-grafana.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-stats-grafana
+  namespace: prometheus
+spec:
+  description: Allow stats
+  egress:
+    - toFQDNs:
+        - matchName: stats.grafana.org
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana