feat: add a bunch of network policies from Kai
This commit is contained in:
@@ -0,0 +1,13 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-hubble-oidc-login
|
||||
namespace: kube-system
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
k8s-app: oauth2-proxy
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchName: login.microsoftonline.com
|
||||
- matchPattern: '*.microsoftonline.com'
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-kube-api
|
||||
namespace: atlantis
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
egress:
|
||||
- toEntities:
|
||||
- kube-apiserver
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "6443"
|
||||
protocol: TCP
|
||||
@@ -0,0 +1,10 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: allow-kube-apiserver
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
egress:
|
||||
- toEntities:
|
||||
- kube-apiserver
|
||||
@@ -0,0 +1,18 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: allow-ekman-egress
|
||||
spec:
|
||||
endpointSelector: {}
|
||||
egress:
|
||||
- toCIDR:
|
||||
- 10.255.241.99/32
|
||||
- 10.255.241.100/32
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "4443"
|
||||
protocol: TCP
|
||||
- port: "30443"
|
||||
protocol: TCP
|
||||
- port: "30080"
|
||||
protocol: TCP
|
||||
@@ -0,0 +1,13 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: allow-oceanboxio-egress
|
||||
spec:
|
||||
endpointSelector: {}
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchName: oceanbox.io
|
||||
- matchName: hubble.srv.oceanbox.io
|
||||
- matchPattern: "*oceanbox.io"
|
||||
- matchPattern: "*.oceanbox.io"
|
||||
|
||||
@@ -0,0 +1,10 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: allow-remote-node-webhooks
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- kube-apiserver
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-kube-api
|
||||
namespace: dapr-system
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
egress:
|
||||
- toEntities:
|
||||
- kube-apiserver
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "6443"
|
||||
protocol: TCP
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-remote-node-webhooks
|
||||
namespace: dapr-system
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- kube-apiserver
|
||||
- toPorts:
|
||||
- ports:
|
||||
- port: "4000"
|
||||
protocol: TCP
|
||||
@@ -0,0 +1,13 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-geoserver-ingress
|
||||
namespace: geoserver
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/instance: geoserver
|
||||
ingress:
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
io.kubernetes.pod.namespace: ingress-nginx
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-kube-api
|
||||
namespace: idp
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
egress:
|
||||
- toEntities:
|
||||
- kube-apiserver
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "6443"
|
||||
protocol: TCP
|
||||
@@ -0,0 +1,13 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-grafana-oidc-login
|
||||
namespace: idp
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: cerbos
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchName: gitlab.com
|
||||
- matchPattern: '*.gitlab.com'
|
||||
@@ -0,0 +1,12 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-itp-smtp
|
||||
namespace: idp
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: keycloak
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchName: smtpgw.itpartner.no
|
||||
@@ -0,0 +1,12 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-keycloak
|
||||
namespace: idp
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: dex
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchName: auth.srv.oceanbox.io
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-kube-api
|
||||
namespace: jaeger
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
egress:
|
||||
- toEntities:
|
||||
- kube-apiserver
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "6443"
|
||||
protocol: TCP
|
||||
@@ -0,0 +1,17 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-remote-node-webhooks
|
||||
namespace: jaeger
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- kube-apiserver
|
||||
- toPorts:
|
||||
- ports:
|
||||
- port: "9443"
|
||||
protocol: TCP
|
||||
- port: "443"
|
||||
protocol: TCP
|
||||
Reference in New Issue
Block a user