From bd46a4978e9decb6797c507af378c0932090e51f Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Mon, 19 Feb 2024 16:07:23 +0100
Subject: [PATCH] feat: allow namespace internal traffic from clusterwide policy
---
 .../allow-namespace-traffic.yaml | 63 -------------------
 ...clusterpolicy-allow-namespace-traffic.yaml | 28 +++++++++
 2 files changed, 28 insertions(+), 63 deletions(-)
 delete mode 100644 resources/oceanbox-cluster/kyverno-policies/allow-namespace-traffic.yaml
 create mode 100644 resources/oceanbox-cluster/network-policies/clusterpolicy-allow-namespace-traffic.yaml
diff --git a/resources/oceanbox-cluster/kyverno-policies/allow-namespace-traffic.yaml b/resources/oceanbox-cluster/kyverno-policies/allow-namespace-traffic.yaml
deleted file mode 100644
index 9a058c53..00000000
--- a/resources/oceanbox-cluster/kyverno-policies/allow-namespace-traffic.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: allow-namespace-traffic
- annotations:
- policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
- policies.kyverno.io/subject: Namespace, NetworkPolicy
- kyverno.io/kyverno-version: 1.7.0
- policies.kyverno.io/minversion: 1.7.0
- kyverno.io/kubernetes-version: "1.23"
- policies.kyverno.io/description: >-
- Allow all ingress/egress traffic within a namespace.
- Allow egress to any pods in the cluster
- Allow DNS with layer 7 inspection
-spec:
- generateExistingOnPolicyUpdate: true
- rules:
- - name: allow-namespace-traffic
- match:
- any:
- - resources:
- kinds:
- - Namespace
- generate:
- synchronize: true
- apiVersion: cilium.io/v2
- kind: CiliumNetworkPolicy
- name: allow-namespace-traffic
- namespace: "{{request.object.metadata.name}}"
- data:
- metadata:
- labels:
- created-by: kyverno
- spec:
- endpointSelector: {}
- description: "Allow all traffic within a namespace, allow dns, allow egress to all entities in cluster"
- ingress:
- - fromEndpoints:
- - {}
- - fromEndpoints:
- - matchExpressions:
- - key: io.kubernetes.pod.namespace
- operator: Exists
- egress:
- - toEndpoints:
- - matchExpressions:
- - key: io.kubernetes.pod.namespace
- operator: Exists
- #authentication:
- # mode: "required"
- - toEndpoints:
- - matchLabels:
- io.kubernetes.pod.namespace: kube-system
- k8s-app: kube-dns
- toPorts:
- - ports:
- - port: "53"
- protocol: UDP
- rules:
- dns:
- - matchPattern: "*"
- #authentication:
- # mode: "required"
diff --git a/resources/oceanbox-cluster/network-policies/clusterpolicy-allow-namespace-traffic.yaml b/resources/oceanbox-cluster/network-policies/clusterpolicy-allow-namespace-traffic.yaml
new file mode 100644
index 00000000..06995008
--- /dev/null
+++ b/resources/oceanbox-cluster/network-policies/clusterpolicy-allow-namespace-traffic.yaml
@@ -0,0 +1,28 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: allow-namespace-traffic
+spec:
+ description: "Allow all traffic within a namespace, allow dns, allow egress to all entities in cluster"
+ endpointSelector: {}
+ ingress:
+ - fromEndpoints:
+ - matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ egress:
+ - toEndpoints:
+ - matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ rules:
+ dns:
+ - matchPattern: "*"
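Review bot: The ingress rule's `fromEndpoints` selector (`key: io.kubernetes.pod.namespace` with `operator: Exists`) does not limit traffic to a pod's own namespace: in a CiliumClusterwideNetworkPolicy endpoint selectors are not scoped to any namespace, and that expression matches pods in every namespace, so combined with `endpointSelector: {}` this policy admits ingress from any pod in the cluster to any pod in the cluster. The `description` string and the commit title ("namespace internal traffic") therefore overstate the isolation provided, and anyone auditing policies by their description would assume a namespace boundary that is not enforced. If cluster-wide pod-to-pod reachability is the intent, the description should say so, e.g. `description: "Allow ingress from and egress to any pod in the cluster; allow DNS to kube-dns with L7 inspection"`. If per-namespace isolation is the intent, a single clusterwide policy cannot express "same namespace as the destination"; the removed Kyverno-generated CiliumNetworkPolicy achieved that with its namespace-scoped `fromEndpoints: - {}` rule, and a per-namespace CNP of that form (without the cluster-wide `Exists` rule) is the mechanism to keep.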