platform/manifests
1
1
Fork 0
Code Issues 7 Pull Requests 6 Actions Packages Projects Releases Wiki Activity

feat: add a bunch of network policies from Kai

Browse Source
This commit is contained in:
Jonas Juselius
2024-02-19 15:34:15 +01:00
parent 839a96dc39
commit f2db2db473
15 changed files with 206 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
resources/oceanbox-cluster/network-policies/allow-hubble-oidc.yaml
+13
View File
@@ -0,0 +1,13 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-hubble-oidc-login
namespace: kube-system
spec:
endpointSelector:
matchLabels:
k8s-app: oauth2-proxy
egress:
- toFQDNs:
- matchName: login.microsoftonline.com
- matchPattern: '*.microsoftonline.com'
resources/oceanbox-cluster/network-policies/atlantis/allow-api-server.yaml
+15
View File
@@ -0,0 +1,15 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-kube-api
namespace: atlantis
spec:
endpointSelector:
matchLabels: {}
egress:
- toEntities:
- kube-apiserver
toPorts:
- ports:
- port: "6443"
protocol: TCP
resources/oceanbox-cluster/network-policies/clusterpolicy-allow-api-server.yaml
+10
View File
@@ -0,0 +1,10 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: allow-kube-apiserver
spec:
endpointSelector:
matchLabels: {}
egress:
- toEntities:
- kube-apiserver
resources/oceanbox-cluster/network-policies/clusterpolicy-allow-ekman-egress.yaml
+18
View File
@@ -0,0 +1,18 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: allow-ekman-egress
spec:
endpointSelector: {}
egress:
- toCIDR:
- 10.255.241.99/32
- 10.255.241.100/32
toPorts:
- ports:
- port: "4443"
protocol: TCP
- port: "30443"
protocol: TCP
- port: "30080"
protocol: TCP
resources/oceanbox-cluster/network-policies/clusterpolicy-allow-oceanboxio.yaml
+13
View File
@@ -0,0 +1,13 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: allow-oceanboxio-egress
spec:
endpointSelector: {}
egress:
- toFQDNs:
- matchName: oceanbox.io
- matchName: hubble.srv.oceanbox.io
- matchPattern: "*oceanbox.io"
- matchPattern: "*.oceanbox.io"
resources/oceanbox-cluster/network-policies/clusterpolicy-allow-remote-node.yaml
+10
View File
@@ -0,0 +1,10 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: allow-remote-node-webhooks
spec:
endpointSelector:
matchLabels: {}
ingress:
- fromEntities:
- kube-apiserver
resources/oceanbox-cluster/network-policies/dapr/allow-api-server.yaml
+15
View File
@@ -0,0 +1,15 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-kube-api
namespace: dapr-system
spec:
endpointSelector:
matchLabels: {}
egress:
- toEntities:
- kube-apiserver
toPorts:
- ports:
- port: "6443"
protocol: TCP
resources/oceanbox-cluster/network-policies/dapr/allow-remote-node.yaml
+15
View File
@@ -0,0 +1,15 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-remote-node-webhooks
namespace: dapr-system
spec:
endpointSelector:
matchLabels: {}
ingress:
- fromEntities:
- kube-apiserver
- toPorts:
- ports:
- port: "4000"
protocol: TCP
resources/oceanbox-cluster/network-policies/geoserver/allow-geoserver-ingress.yaml
+13
View File
@@ -0,0 +1,13 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-geoserver-ingress
namespace: geoserver
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/instance: geoserver
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress-nginx
resources/oceanbox-cluster/network-policies/idp/allow-api-server.yaml
+15
View File
@@ -0,0 +1,15 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-kube-api
namespace: idp
spec:
endpointSelector:
matchLabels: {}
egress:
- toEntities:
- kube-apiserver
toPorts:
- ports:
- port: "6443"
protocol: TCP
resources/oceanbox-cluster/network-policies/idp/allow-gitlab.yaml
+13
View File
@@ -0,0 +1,13 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-grafana-oidc-login
namespace: idp
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: cerbos
egress:
- toFQDNs:
- matchName: gitlab.com
- matchPattern: '*.gitlab.com'
resources/oceanbox-cluster/network-policies/idp/allow-itp-smtpgw.yaml
+12
View File
@@ -0,0 +1,12 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-itp-smtp
namespace: idp
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: keycloak
egress:
- toFQDNs:
- matchName: smtpgw.itpartner.no
resources/oceanbox-cluster/network-policies/idp/allow-keycloak.yaml
+12
View File
@@ -0,0 +1,12 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-keycloak
namespace: idp
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: dex
egress:
- toFQDNs:
- matchName: auth.srv.oceanbox.io
resources/oceanbox-cluster/network-policies/jaeger/allow-api-server.yaml
+15
View File
@@ -0,0 +1,15 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-kube-api
namespace: jaeger
spec:
endpointSelector:
matchLabels: {}
egress:
- toEntities:
- kube-apiserver
toPorts:
- ports:
- port: "6443"
protocol: TCP
resources/oceanbox-cluster/network-policies/jaeger/allow-remote-node.yaml
+17
View File
@@ -0,0 +1,17 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-remote-node-webhooks
namespace: jaeger
spec:
endpointSelector:
matchLabels: {}
ingress:
- fromEntities:
- kube-apiserver
- toPorts:
- ports:
- port: "9443"
protocol: TCP
- port: "443"
protocol: TCP