refactor: move resorces and policies to system

2025-06-19 16:55:23 +02:00
parent 7cd6cc352b
commit cea7ff8537
47 changed files with 0 additions and 69 deletions
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-ingress-whitelist
+spec:
+  background: true
+  generateExisting: true
+  rules:
+  - name: set-whitelist-internal
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+    match:
+      resources:
+        kinds:
+        - Ingress
+        annotations:
+          atlantis.oceanbox.io/expose: internal
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
+  creationTimestamp: "2024-01-15T11:58:24Z"
+  name: sync-keyvault-secrets
+spec:
+  admission: true
+  background: true
+  generateExisting: true
+  rules:
+  - generate:
+      apiVersion: v1
+      clone:
+        name: azure-keyvault
+        namespace: sorcerer
+      kind: Secret
+      name: azure-keyvault
+      namespace: '{{request.object.metadata.namespace}}'
+      synchronize: true
+    match:
+      any:
+      - resources:
+          kinds:
+          - Secret
+          names:
+          - azure-keyvault
+          annotations:
+            kyverno/clone: "true"
+    name: sync-keyvault-secrets
+
+
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/description: 'Secrets like registry credentials often need
+      to exist in multiple Namespaces so Pods there have access. Manually duplicating
+      those Secrets is time consuming and error prone. This policy will copy a Secret
+      called `regcred` which exists in the `default` Namespace to new Namespaces when
+      they are created. It will also push updates to the copied Secrets should the
+      source Secret be changed.            '
+  creationTimestamp: "2024-01-15T11:58:24Z"
+  name: sync-oceanbox-regcred
+spec:
+  admission: true
+  background: true
+  generateExisting: true
+  rules:
+  - generate:
+      apiVersion: v1
+      clone:
+        # name: oceanbox-regcred
+        name: gitlab-pull-secret
+        namespace: default
+      kind: Secret
+      # name: oceanbox-regcred
+      name: gitlab-pull-secret
+      namespace: '{{request.object.metadata.name}}'
+      synchronize: true
+    exclude:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+          names:
+          - "vcluster-*"
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    name: sync-oceanbox-regcred
+
+
@@ -0,0 +1,56 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-sorcerer-secrets
+spec:
+  background: true
+  generateExisting: true
+  rules:
+  - name: sync-atlantis-secret
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: staging-sorcerer-env
+        namespace: staging-sorcerer
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - "*-sorcerer-env"
+         annotations:
+           kyverno/clone: "true"
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+  - name: sync-dapr-api-token
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: dapr-api-token
+        namespace: staging-sorcerer
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - dapr-api-token
+         annotations:
+           kyverno/clone: "true"
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport
@@ -0,0 +1,65 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
+    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
+    # nginx.ingress.kubernetes.io/client-body-buffer-size: 64k
+    # nginx.ingress.kubernetes.io/client-header-buffer-size: 64k
+    # nginx.ingress.kubernetes.io/large-client-header-buffers: 4 64k
+    # nginx.ingress.kubernetes.io/proxy-body-size: 500m
+    # nginx.ingress.kubernetes.io/proxy-buffer-size: 64k
+    # nginx.ingress.kubernetes.io/server-snippet: |
+    #   client_header_buffer_size 100k;
+    #   large_client_header_buffers 4 100k;
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,128.39.100.131/32,158.36.88.98/32,158.36.21.21/32,192.30.252.0/22,140.82.112.0/20
+  name: hubble-ui
+  namespace: kube-system
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: hubble.adm.oceanbox.io
+    http:
+      paths:
+      - backend:
+          service:
+            name: hubble-ui
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+    # nginx.ingress.kubernetes.io/client-body-buffer-size: 64k
+    # nginx.ingress.kubernetes.io/client-header-buffer-size: 64k
+    # nginx.ingress.kubernetes.io/large-client-header-buffers: 4 64k
+    # nginx.ingress.kubernetes.io/proxy-body-size: 500m
+    # nginx.ingress.kubernetes.io/proxy-buffer-size: 64k
+    # nginx.ingress.kubernetes.io/server-snippet: |
+    #   client_header_buffer_size 100k;
+    #   large_client_header_buffers 4 100k;
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,128.39.100.131/32,158.36.88.98/32,158.36.21.21/32,192.30.252.0/22,140.82.112.0/20
+  name: hubble-ui-oauth2-proxy
+  namespace: kube-system
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: hubble.adm.oceanbox.io
+    http:
+      paths:
+      - backend:
+          service:
+            name: oauth2-proxy
+            port:
+              number: 4180
+        path: /oauth2
+        pathType: Prefix
+  tls:
+  - hosts:
+    - hubble.adm.oceanbox.io
+    secretName: hubble-tls
+
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-ingress-whitelist
+spec:
+  background: true
+  generateExisting: true
+  rules:
+  - name: set-whitelist-internal
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+    match:
+      resources:
+        kinds:
+        - Ingress
+        annotations:
+          atlantis.oceanbox.io/expose: internal
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: add-openfga-secrets
+  namespace: openfga
+spec:
+  admission: true
+  background: true
+  generateExisting: true
+  mutateExistingOnPolicyUpdate: true
+  rules:
+  - name: add-db-uri
+    match:
+      any:
+      - resources:
+          kinds:
+          - Secret
+          names:
+          - prod-openfga-db-superuser
+          - staging-openfga-db-superuser
+    mutate:
+      targets:
+        - apiVersion: v1
+          kind: Secret
+          name: "{{ request.object.metadata.name }}"
+      patchStrategicMerge:
+        stringData:
+          postgres-password: '{{ request.object.data.password | base64_decode(@) }}'
+          uri: 'postgres://{{ request.object.data.username | base64_decode(@) }}:{{ request.object.data.password | base64_decode(@) }}@{{ request.object.metadata.labels."cnpg.io/cluster" }}-rw/app?sslmode=disable'
+    skipBackgroundRequests: true
+  validationFailureAction: Audit
+
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: remove-argocd-tracking-id
+spec:
+  background: true
+  generateExisting: true
+  rules:
+  - name: remove-argocd-tracking-ids
+    mutate:
+      patchesJson6902: |-
+        - path: /metadata/annotations/argocd.argoproj.io~1tracking-id
+          op: remove
+    match:
+      any:
+       - resources:
+           kinds:
+           - Secret
+           names:
+           - prod-rabbitmq
+           - staging-rabbitmq
+           - prod-redis
+           - staging-redis
+    exclude:
+      any:
+       - resources:
+           kinds:
+           - Namespace
+           names:
+           - rabbitmq
+           - redis
@@ -0,0 +1,168 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-atlantis-secrets
+spec:
+  background: true
+  generateExisting: false
+  rules:
+  - name: sync-prod-rabbitmq-secret
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: prod-rabbitmq
+        namespace: rabbitmq
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - "*-rabbitmq"
+         annotations:
+           kyverno/clone: "true"
+           kyverno/env: "prod"
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+  - name: sync-dev-rabbitmq-secret
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: staging-rabbitmq
+        namespace: rabbitmq
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - "*-rabbitmq"
+         annotations:
+           kyverno/clone: "true"
+           kyverno/env: "staging"
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+  - name: sync-atlantis-secret
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: staging-atlantis-env
+        namespace: staging-atlantis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - "*-atlantis-env"
+         annotations:
+           kyverno/clone: "true"
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+  - name: sync-azure-keyvault-secret
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: azure-keyvault
+        namespace: prod-atlantis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - azure-keyvault
+         annotations:
+           kyverno/clone: "true"
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+  - name: sync-dapr-api-token
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: dapr-api-token
+        namespace: prod-atlantis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - dapr-api-token
+         annotations:
+           kyverno/clone: "true"
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+  - name: sync-atlantis-db-ca
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: prod-atlantis-db-ca
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        namespace: prod-atlantis
+        name: prod-atlantis-db-ca
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - prod-atlantis-db-ca
+         annotations:
+           kyverno/clone: "true"
+  - name: sync-atlantis-db-replication
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: prod-atlantis-db-replication
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        namespace: prod-atlantis
+        name: prod-atlantis-db-replication
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - prod-atlantis-db-replication
+         annotations:
+           kyverno/clone: "true"
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
+  creationTimestamp: "2024-01-15T11:58:24Z"
+  name: sync-keyvault-secrets
+spec:
+  admission: true
+  background: true
+  generateExisting: true
+  rules:
+  - generate:
+      apiVersion: v1
+      clone:
+        name: azure-keyvault
+        namespace: atlantis
+      kind: Secret
+      name: azure-keyvault
+      namespace: '{{request.object.metadata.name}}'
+      synchronize: true
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+          names:
+          - "*-atlantis"
+    name: sync-keyvault-secrets
+
+
@@ -0,0 +1,42 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/description: 'Secrets like registry credentials often need
+      to exist in multiple Namespaces so Pods there have access. Manually duplicating
+      those Secrets is time consuming and error prone. This policy will copy a Secret
+      called `regcred` which exists in the `default` Namespace to new Namespaces when
+      they are created. It will also push updates to the copied Secrets should the
+      source Secret be changed.            '
+  creationTimestamp: "2024-01-15T11:58:24Z"
+  name: sync-regcred
+spec:
+  admission: true
+  background: true
+  generateExisting: true
+  rules:
+  - generate:
+      apiVersion: v1
+      clone:
+        # name: oceanbox-regcred
+        name: gitlab-pull-secret
+        namespace: default
+      kind: Secret
+      # name: oceanbox-regcred
+      name: gitlab-pull-secret
+      namespace: '{{request.object.metadata.name}}'
+      synchronize: true
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    name: sync-oceanbox-regcred
+
+
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-azure-egress
+spec:
+  egress:
+  - toFQDNs:
+    - matchName: atlantis.blob.core.windows.net
+    - matchName: atlantisvault.vault.azure.net
+    toPorts:
+    - ports:
+      - port: "443"
+        protocol: TCP
+  endpointSelector: {}
+
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-ceph-egress
+spec:
+  egress:
+  - toCIDR:
+    - 10.255.241.30/32
+    - 10.255.241.31/32
+    - 10.255.241.32/32
+    - 10.255.244.0/24
+    # toPorts:
+    # - ports:
+    #   - port: "4443"
+    #     protocol: TCP
+  endpointSelector: {}
+
@@ -0,0 +1,10 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-microsoft-oidc-login
+spec:
+  endpointSelector: {}
+  egress:
+  - toFQDNs:
+    - matchName: login.microsoftonline.com
+    - matchPattern: '*.microsoftonline.com'
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-kube-api
+  namespace: atlantis
+spec:
+  endpointSelector:
+    matchLabels: {}
+  egress:
+  - toEntities:
+    - kube-apiserver
+    toPorts:
+    - ports:
+      - port: "6443"
+        protocol: TCP
@@ -0,0 +1,26 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-atlantis-services
+  namespace: {{ .Release.Namespace }}
+spec:
+  egress:
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: dapr-system
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: {{ .Values.rabbitmq.namespace | default "rabbitmq" }}
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: {{ .Values.tracing.namespace | default "otel" }}
+  - toFQDNs:
+    - matchName: dapr.github.io
+    - matchName: analytics.loft.rocks
+    # - matchName: gitlab.com
+    # - matchName: api.github.com
+    - matchPattern: "*.k1.itpartner.no"
+    - matchPattern: '*.oceanbox.io'
+    # - matchPattern: '*.gitlab.com'
+  endpointSelector:
+    matchLabels: {}
@@ -0,0 +1,10 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-kube-apiserver
+spec:
+  endpointSelector:
+    matchLabels: {}
+  egress:
+  - toEntities:
+    - kube-apiserver
@@ -0,0 +1,22 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-ekman-egress
+spec:
+  endpointSelector: {}
+  egress:
+  - toCIDR:
+    - 10.255.241.99/32
+    - 10.255.241.100/32
+    - 185.125.160.88/32
+    - 185.125.160.89/32
+    toPorts:
+    - ports:
+      - port: "443"
+        protocol: TCP
+      - port: "4443"
+        protocol: TCP
+      - port: "30443"
+        protocol: TCP
+      - port: "30080"
+        protocol: TCP
@@ -0,0 +1,28 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-namespace-traffic
+spec:
+  description: "Allow all traffic within a namespace, allow dns, allow egress to all entities in cluster"
+  endpointSelector: {}
+  ingress:
+    - fromEndpoints:
+      - matchExpressions:
+        - key: io.kubernetes.pod.namespace
+          operator: Exists
+  egress:
+    - toEndpoints:
+      - matchExpressions:
+        - key: io.kubernetes.pod.namespace
+          operator: Exists
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+          rules:
+            dns:
+              - matchPattern: "*"
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-oceanboxio-egress
+spec:
+  endpointSelector: {}
+  egress:
+  - toFQDNs:
+    - matchName: oceanbox.io
+    - matchPattern: "*oceanbox.io"
+    - matchPattern: "*.oceanbox.io"
+
@@ -0,0 +1,10 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-remote-node-webhooks
+spec:
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+  - fromEntities:
+    - kube-apiserver
@@ -0,0 +1,28 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-host-port-9070
+  namespace: csi-addons-system
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: csi-addons
+  egress:
+  - toEntities:
+    - host
+    toPorts:
+    - ports:
+      - port: "9070"
+        protocol: TCP
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: addons-to-remote-node
+  namespace: csi-addons-system
+spec:
+  description: remote node
+  egress:
+    - toEntities:
+        - remote-node
+  endpointSelector: {}
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-kube-api
+  namespace: dapr-system
+spec:
+  endpointSelector:
+    matchLabels: {}
+  egress:
+  - toEntities:
+    - kube-apiserver
+    toPorts:
+    - ports:
+      - port: "6443"
+        protocol: TCP
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-webhooks
+  namespace: dapr-system
+spec:
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+  - fromEntities:
+    - kube-apiserver
+    - remote-node
+  - toPorts:
+    - ports:
+      - port: "4000"
+        protocol: TCP
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-geoserver-ingress
+  namespace: geoserver
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: geoserver
+  ingress:
+    - fromEndpoints:
+      - matchLabels:
+          io.kubernetes.pod.namespace: ingress-nginx
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-kube-api
+  namespace: idp
+spec:
+  endpointSelector:
+    matchLabels: {}
+  egress:
+  - toEntities:
+    - kube-apiserver
+    toPorts:
+    - ports:
+      - port: "6443"
+        protocol: TCP
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-oidc-login
+  namespace: idp
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: cerbos
+  egress:
+  - toFQDNs:
+    - matchName: gitlab.com
+    - matchPattern: '*.gitlab.com'
@@ -0,0 +1,13 @@
+piVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-external-idp
+spec:
+  egress:
+  - toFQDNs:
+    - matchName: login.microsoftonline.com
+    - matchName: graph.microsoft.com
+    - matchName: s3.k1.itpartner.no
+    - matchName: telemetry.cerbos.dev
+  endpointSelector: {}
+
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-itp-smtp
+  namespace: idp
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: keycloak
+  egress:
+  - toFQDNs:
+    - matchName: smtpgw.itpartner.no
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-keycloak
+  namespace: idp
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: dex
+  egress:
+  - toFQDNs:
+    - matchName: auth.srv.oceanbox.io
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-kube-api
+  namespace: jaeger
+spec:
+  endpointSelector:
+    matchLabels: {}
+  egress:
+  - toEntities:
+    - kube-apiserver
+    toPorts:
+    - ports:
+      - port: "6443"
+        protocol: TCP
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-webhooks
+  namespace: jaeger
+spec:
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+  - fromEntities:
+    - kube-apiserver
+  - toPorts:
+    - ports:
+      - port: "9443"
+        protocol: TCP
+      - port: "443"
+        protocol: TCP
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-loki-backend-to-api-server
+  namespace: loki
+spec:
+  description: Promtail needs to reach kube-apiserver
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: backend
+      app.kubernetes.io/instance: loki
@@ -0,0 +1,20 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: loki
+spec:
+  description: Allow Prometheus read and write
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: loki
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+      toPorts:
+        - ports:
+            - port: "3100"
+              protocol: TCP
+            - port: "3500"
+              protocol: TCP
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-promtail-to-api-server
+  namespace: loki
+spec:
+  description: Promtail needs to reach kube-apiserver
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: promtail
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-s3-traffic
+  namespace: loki
+spec:
+  egress:
+    - toCIDR:
+        - 10.139.2.20/32
+        - 10.255.241.30/32
+  endpointSelector:
+    matchLabels: {}
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-s3
+  namespace: loki
+spec:
+  description: Allow loki to ship logs to s3
+  egress:
+    - toFQDNs:
+        - matchPattern: s3.*.oceanbox.io
+        - matchPattern: s3.*.itpartner.no
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: loki
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-stats-grafana
+  namespace: loki
+spec:
+  description: Allow stats
+  egress:
+    - toFQDNs:
+        - matchName: stats.grafana.org
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: loki
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-world-to-rabbitmq-http
+  namespace: rabbitmq
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: rabbitmq
+  ingress:
+  - fromEntities:
+    - world
+  - toPorts:
+    - ports:
+      - port: "15672"
+        protocol: TCP
+
@@ -0,0 +1,63 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: sync-dataprotection-keys
+  namespace: redis
+spec:
+  schedule: "0 12 14 * *" # at noon the 14th of every month
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: sync
+            image: redis
+            command: [ "/bin/sh", "/script/sync.sh" ]
+            env:
+            - name: PROD_REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: prod-redis
+                  key: redis-password
+            - name: STAGING_REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: staging-redis
+                  key: redis-password
+            volumeMounts:
+            - name: script
+              mountPath: /script
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              readOnlyRootFilesystem: false
+              runAsGroup: 0
+              runAsNonRoot: true
+              runAsUser: 1001
+              seccompProfile:
+                type: RuntimeDefault
+          securityContext:
+            fsGroup: 1001
+            fsGroupChangePolicy: Always
+          volumes:
+            - name: script
+              configMap:
+                name: sync-dataprotection-keys-script
+                defaultMode: 0500
+          restartPolicy: Never
+      backoffLimit: 4
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: sync-dataprotection-keys-script
+  namespace: redis
+data:
+  sync.sh: |-
+    #!/bin/sh
+    redis-cli -h prod-redis-master -a $PROD_REDIS_PASSWORD -D "" --raw dump DataProtection-Keys |\
+    redis-cli -h staging-redis-master -a $STAGING_REDIS_PASSWORD -X keys restore DataProtection-Keys 0 keys replace
+
+
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: vcluster-create-cilium-networkpolicies
+rules:
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumnetworkpolicies
+  verbs:
+  - '*'