fix(EMQX): netpols

2026-01-27 10:18:27 +00:00 · 2024-08-22 21:15:59 +08:00
parent d03e1a5cca
commit 111b27cb77
2 changed files with 46 additions and 8 deletions
--- a/kube/deploy/core/db/emqx/cluster/emqx.yaml
+++ b/kube/deploy/core/db/emqx/cluster/emqx.yaml
@@ -26,7 +26,7 @@ spec:
        deny_action = "ignore"
        sources = [{
          enable = true
-          type = "file"
+          type = file
          path = "/secrets/acl.conf"
        }]
      }
--- a/kube/deploy/core/db/emqx/cluster/netpol.yaml
+++ b/kube/deploy/core/db/emqx/cluster/netpol.yaml
@@ -1,4 +1,25 @@
 ---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: "apps-to-emqx"
+spec:
+  endpointSelector:
+    matchLabels:
+      db.home.arpa/emqx: "emqx"
+  egress:
+    - toEndpoints: &emqx
+        - matchLabels:
+            io.kubernetes.pod.namespace: emqx
+            apps.emqx.io/instance: emqx
+      toPorts:
+        - ports:
+            - port: "8883"
+              protocol: TCP
+    - toEndpoints: *emqx
+      icmps: [{}]
+---
 # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
@@ -6,14 +27,31 @@ metadata:
  name: &app emqx
  namespace: *app
 spec:
-  endpointSelector: {}
+  endpointSelector: &cluster
+    matchLabels:
+      apps.emqx.io/instance: emqx
  ingress:
-    # same namespace
+    # same EMQX cluster
+    - fromEndpoints: [*cluster]
+    # labelled pods
+    - fromEndpoints: &labelled
+        - matchExpressions:
+            - key: io.kubernetes.pod.namespace
+              operator: Exists
+            - key: apps.emqx.io/instance
+              operator: In
+              values: [emqx]
+      toPorts:
+        - ports:
+            - port: "8883"
+              protocol: TCP
+    - fromEndpoints: *labelled
+      icmps: [{}]
+    # operator
    - fromEndpoints:
        - matchLabels:
-            io.kubernetes.pod.namespace: *app
+            io.kubernetes.pod.namespace: emqx
+            app.kubernetes.io/name: emqx-operator
  egress:
-    # same namespace
-    - toEndpoints:
-        - matchLabels:
-            io.kubernetes.pod.namespace: *app
+    # same cluster
+    - toEndpoints: [*cluster]