From 9181781f55dbd3469af5843127a47d3dd838a4b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20J=C3=B6rg?= <moritz.jorg@oceanbox.io>
Date: Tue, 11 Nov 2025 11:14:15 +0100
Subject: [PATCH] fix(spegel): CNP

---
 .../CiliumNetworkPolicy-allow-remote-node.yaml | 18 ++++++++++++++++++
 .../CiliumNetworkPolicy-allow-world.yaml       | 17 +++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 values/spegel/manifests/policies/CiliumNetworkPolicy-allow-remote-node.yaml
 create mode 100644 values/spegel/manifests/policies/CiliumNetworkPolicy-allow-world.yaml

diff --git a/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-remote-node.yaml b/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-remote-node.yaml
new file mode 100644
index 00000000..7bb26906
--- /dev/null
+++ b/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-remote-node.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node
+  namespace: spegel
+spec:
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEntities:
+        - kube-apiserver
+        - remote-node
+      toPorts:
+        - ports:
+            - port: "5000"
+              protocol: TCP
+{{- end}}
diff --git a/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-world.yaml b/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-world.yaml
new file mode 100644
index 00000000..2682f0b6
--- /dev/null
+++ b/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-world.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-world-dns
+  namespace: spegel
+spec:
+  description: Allow DNS world
+  egress:
+    - toPorts:
+        - ports:
+            - port: "5001"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: spegel
+{{- end }}