48 lines
1.4 KiB
YAML
48 lines
1.4 KiB
YAML
{{- if .Values.clusterConfig.cilium.enabled }}
|
|
apiVersion: cilium.io/v2
|
|
kind: CiliumNetworkPolicy
|
|
metadata:
|
|
name: allow-egress
|
|
namespace: niks3
|
|
spec:
|
|
# ekman has no cluster-wide allow-namespace-traffic baseline (unlike hel1/oceanbox),
|
|
# so once niks3 is selected by an egress rule it is default-deny for egress and every
|
|
# destination must be listed explicitly: RGW (S3), in-namespace PostgreSQL, and DNS.
|
|
description: niks3 egress to Ceph RGW (S3), in-namespace PostgreSQL, and kube-dns
|
|
endpointSelector:
|
|
matchLabels:
|
|
app: niks3
|
|
egress:
|
|
# Ceph RadosGW (S3 object storage backend) via NodePort
|
|
- toCIDR:
|
|
- 10.255.241.30/32
|
|
- 10.255.241.31/32
|
|
- 10.255.241.32/32
|
|
toPorts:
|
|
- ports:
|
|
- port: "30080"
|
|
protocol: TCP
|
|
# PostgreSQL (CNPG niks3-db cluster, same namespace)
|
|
- toEndpoints:
|
|
- matchLabels:
|
|
io.kubernetes.pod.namespace: niks3
|
|
toPorts:
|
|
- ports:
|
|
- port: "5432"
|
|
protocol: TCP
|
|
# DNS resolution
|
|
- toEndpoints:
|
|
- matchLabels:
|
|
io.kubernetes.pod.namespace: kube-system
|
|
k8s-app: kube-dns
|
|
toPorts:
|
|
- ports:
|
|
- port: "53"
|
|
protocol: UDP
|
|
- port: "53"
|
|
protocol: TCP
|
|
rules:
|
|
dns:
|
|
- matchPattern: "*"
|
|
{{- end }}
|