From 7971b73a75776c6747f4a4610a54e42b8ca59177 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Fri, 7 Feb 2025 13:43:18 +0100
Subject: [PATCH] fix: add local loki cilium network policies
---
...licy-allow-loki-backend-to-api-server.yaml | 18 +++++++++++++++++
...etworkPolicy-allow-prometheus-metrics.yaml | 20 +++++++++++++++++++
...rkPolicy-allow-promtail-to-api-server.yaml | 17 ++++++++++++++++
.../CiliumNetworkPolicy-allow-s3-traffic.yaml | 12 +++++++++++
.../loki/CiliumNetworkPolicy-allow-s3.yaml | 15 ++++++++++++++
...liumNetworkPolicy-allow-stats-grafana.yaml | 13 ++++++++++++
6 files changed, 95 insertions(+)
create mode 100644 policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-loki-backend-to-api-server.yaml
create mode 100644 policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
create mode 100644 policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-promtail-to-api-server.yaml
create mode 100644 policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-s3-traffic.yaml
create mode 100644 policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-s3.yaml
create mode 100644 policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-stats-grafana.yaml
diff --git a/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-loki-backend-to-api-server.yaml b/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-loki-backend-to-api-server.yaml
new file mode 100644
index 00000000..7e43aeb7
--- /dev/null
+++ b/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-loki-backend-to-api-server.yaml
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-loki-backend-to-api-server
+ namespace: loki
+spec:
+ description: Promtail needs to reach kube-apiserver
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/component: backend
+ app.kubernetes.io/instance: loki
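Review bot: The `description` on this policy says "Promtail needs to reach kube-apiserver", but the `endpointSelector` selects the Loki backend (`app.kubernetes.io/component: backend`), so the text was copied from the promtail policy; change it to `description: Loki backend needs to reach kube-apiserver`. Selecting an endpoint with an egress rule places it under egress default-deny in Cilium, so the backend's remaining egress (DNS to the cluster resolver, traffic to the other Loki components) has to be allowed by a policy that is not part of this commit — I cannot see one here, so confirm it exists. The same applies to the promtail policy in the third hunk, whose pods additionally need egress to Loki's ingestion port.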
diff --git a/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
new file mode 100644
index 00000000..e3161e8b
--- /dev/null
+++ b/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
@@ -0,0 +1,20 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-prometheus-metrics
+ namespace: loki
+spec:
+ description: Allow Prometheus read and write
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: loki
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: prometheus
+ toPorts:
+ - ports:
+ - port: "3100"
+ protocol: TCP
+ - port: "3500"
+ protocol: TCP
diff --git a/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-promtail-to-api-server.yaml b/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-promtail-to-api-server.yaml
new file mode 100644
index 00000000..5d7cd58a
--- /dev/null
+++ b/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-promtail-to-api-server.yaml
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-promtail-to-api-server
+ namespace: loki
+spec:
+ description: Promtail needs to reach kube-apiserver
+ egress:
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: promtail
diff --git a/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-s3-traffic.yaml b/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-s3-traffic.yaml
new file mode 100644
index 00000000..7ccf17ed
--- /dev/null
+++ b/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-s3-traffic.yaml
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-s3-traffic
+ namespace: loki
+spec:
+ egress:
+ - toCIDR:
+ - 10.139.2.20/32
+ - 10.255.241.30/32
+ endpointSelector:
+ matchLabels: {}
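Review bot: `fromEndpoints` admits every pod in the `prometheus` namespace, and port 3100 is Loki's full HTTP API (query and push included), so the rule grants more than the "metrics" in the policy name suggests. Add a label identifying the Prometheus pods to the `fromEndpoints` selector and, if only scraping is intended, restrict 3100 to `GET /metrics` with an L7 rule as below. The description "Allow Prometheus read and write" contradicts the name; decide which is meant and make the description state what the rule actually permits. Port 3500 is not explained anywhere in the commit; a comment naming the service behind it would help the next reader.

```yaml
  ingress:
    - fromEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: prometheus
            app.kubernetes.io/name: prometheus  # constructed label — use the real Prometheus pod label
      toPorts:
        - ports:
            - port: "3100"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: "/metrics"
# … unchanged: port 3500 entry as its own `- ports:` item without the L7 rule, endpointSelector …
```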
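Review bot: `endpointSelector: matchLabels: {}` selects every pod in the `loki` namespace, and the `toCIDR` rule carries no `toPorts`, so any pod here (promtail included) may reach the two addresses on any port. Scope the selector to the Loki instance label and add a port list, as below. This policy also overlaps with `allow-s3` in the next file, which covers the same traffic by FQDN; if the raw IPs are meant as a fallback for when the FQDN rule cannot resolve, say so in a `description`, otherwise one of the two should go. Unlike the other five policies this one has no `description` at all.

```yaml
spec:
  description: Allow Loki to reach the S3 endpoints by IP
  egress:
    - toCIDR:
        - 10.139.2.20/32
        - 10.255.241.30/32
      toPorts:
        - ports:
            - port: "443"  # constructed value — confirm the S3 endpoint port
              protocol: TCP
  endpointSelector:
    matchLabels:
      app.kubernetes.io/instance: loki
```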
diff --git a/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-s3.yaml b/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-s3.yaml
new file mode 100644
index 00000000..b0df515d
--- /dev/null
+++ b/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-s3.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-s3
+ namespace: loki
+spec:
+ description: Allow loki to ship logs to s3
+ egress:
+ - toFQDNs:
+ - matchName: s3.*.oceanbox.io
+ - matchName: s3.production.itpartner.no
+ - matchPattern: s3.*.itpartner.no
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: loki
diff --git a/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-stats-grafana.yaml b/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-stats-grafana.yaml
new file mode 100644
index 00000000..47a8be11
--- /dev/null
+++ b/policies/oceanbox/network/loki/CiliumNetworkPolicy-allow-stats-grafana.yaml
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-stats-grafana
+ namespace: loki
+spec:
+ description: Allow stats
+ egress:
+ - toFQDNs:
+ - matchName: stats.grafana.org
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: loki
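Review bot: `matchName: s3.*.oceanbox.io` gives a wildcard to the exact-name matcher; in Cilium `matchName` takes a fully qualified name and only `matchPattern` accepts `*`, so this entry will not match any resolved name (and may be rejected by CRD validation), which is also inconsistent with the `matchPattern` used for `s3.*.itpartner.no` two lines below. Change it to `- matchPattern: s3.*.oceanbox.io`. `toFQDNs` rules further depend on an egress rule that allows DNS to the cluster resolver with an L7 `rules: dns` entry so the agent can learn the resolved IPs; that policy is not part of this commit, so confirm it exists for the `loki` namespace (the `allow-stats-grafana` policy in the next hunk has the same dependency). As with `allow-s3-traffic`, there is no `toPorts`, so any port to the resolved addresses is permitted.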
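Review bot: This opens egress from every Loki pod to `stats.grafana.org`, Loki's usage-reporting destination, with no `toPorts`, so any port to the resolved addresses is allowed. If usage reporting is wanted, add a `toPorts` list limited to 443/TCP under the `toFQDNs` entry; if it is not, disabling Loki's analytics reporting in its configuration removes the need for this policy altogether, which is the tighter option in an egress-restricted namespace. The description `Allow stats` does not say what the stats are; `description: Allow Loki usage reporting to stats.grafana.org` would.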