wip: unify sys and apps

2025-05-06 16:00:57 +02:00
parent 4590ddc30a
commit 7de100a4d4
204 changed files with 3 additions and 0 deletions
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-applicationset-ingress
+  namespace: argocd
+spec:
+  description: Allow access from the ingress controller
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: applicationset-controller
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-argo-notifications
+  namespace: argocd
+spec:
+  description: Allow access to the ArgoCD Notifications
+  egress:
+    - toFQDNs:
+        - matchName: slack.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: notifications-controller
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-argo-repo-access-applicationset
+  namespace: argocd
+spec:
+  description: Allow access to the ArgoCD repo Applicationset
+  egress:
+    - toEntities:
+        - world
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: applicationset-controller
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-argo-repo-access
+  namespace: argocd
+spec:
+  description: Allow access to the ArgoCD repo server
+  egress:
+    - toEntities:
+        - world
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: repo-server
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-chartmuseum-ingress
+  namespace: argocd
+spec:
+  description: Allow access to the chartmuseum ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: chartmuseum
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-image-updater-repo-access
+  namespace: argocd
+spec:
+  description: Allow argoCD image updater to access github container registry
+  egress:
+    - toFQDNs:
+        - matchName: ghcr.io
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-image-updater
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-ingress
+  namespace: argocd
+spec:
+  description: Allow access from the ingress controller
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: server
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-kube-api
+  namespace: argocd
+spec:
+  description: Allow access to the Kube API server
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels: {}
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-microsoft-sso
+  namespace: argocd
+spec:
+  description: Allow argoCD dex server to authenticate to microsoft online azure oatuh
+  egress:
+    - toFQDNs:
+        - matchName: login.microsoftonline.com
+        - matchPattern: '*.microsoftonline.com'
+        - matchName: github.com
+        - matchName: api.github.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-dex-server
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics-rollout
+  namespace: argocd
+spec:
+  description: Allow access to the Prometheus metrics
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: argo-rollouts
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+      toPorts:
+        - ports:
+            - port: "8090"
+              protocol: TCP
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics-workflows
+  namespace: argocd
+spec:
+  description: Allow access to the Prometheus metrics
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: argo-workflows
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+      toPorts:
+        - ports:
+            - port: "9090"
+              protocol: TCP
@@ -0,0 +1,30 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: argocd
+spec:
+  description: Allow access to the Prometheus metrics
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: argocd
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+      toPorts:
+        - ports:
+            - port: "8082"
+              protocol: TCP
+            - port: "8080"
+              protocol: TCP
+            - port: "9001"
+              protocol: TCP
+            - port: "9121"
+              protocol: TCP
+            - port: "8084"
+              protocol: TCP
+            - port: "8083"
+              protocol: TCP
+            - port: "5558"
+              protocol: TCP