fix: add local loki cilium network policies

policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-loki-backend-to-api-server.yaml

@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-loki-backend-to-api-server
+  namespace: loki
+spec:
+  description: Promtail needs to reach kube-apiserver
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: backend
+      app.kubernetes.io/instance: loki

policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-prometheus-metrics.yaml

@@ -0,0 +1,20 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: loki
+spec:
+  description: Allow Prometheus read and write
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: loki
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+      toPorts:
+        - ports:
+            - port: "3100"
+              protocol: TCP
+            - port: "3500"
+              protocol: TCP

policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-promtail-to-api-server.yaml

@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-promtail-to-api-server
+  namespace: loki
+spec:
+  description: Promtail needs to reach kube-apiserver
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: promtail

policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-s3-traffic.yaml

@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-s3-traffic
+  namespace: loki
+spec:
+  egress:
+    - toCIDR:
+        - 10.139.2.20/32
+        - 10.255.241.30/32
+  endpointSelector:
+    matchLabels: {}

policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-s3.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-s3
+  namespace: loki
+spec:
+  description: Allow loki to ship logs to s3
+  egress:
+    - toFQDNs:
+        - matchName: s3.*.oceanbox.io
+        - matchName: s3.production.itpartner.no
+        - matchPattern: s3.*.itpartner.no
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: loki

policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-stats-grafana.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-stats-grafana
+  namespace: loki
+spec:
+  description: Allow stats
+  egress:
+    - toFQDNs:
+        - matchName: stats.grafana.org
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: loki