fix(kubevirt): netpols

2026-01-27 18:18:26 +00:00 · 2023-12-27 06:17:08 +08:00
parent 6a9f2fc4f2
commit 2109188056
1 changed files with 28 additions and 6 deletions
--- a/kube/deploy/vm/ad/_deps/netpol.yaml
+++ b/kube/deploy/vm/ad/_deps/netpol.yaml
@@ -8,14 +8,21 @@ metadata:
 spec:
  endpointSelector: {}
  ingress:
-    # same namespace
-    - fromEntities:
-        - cluster
-        - world
+    # WireGuard from router & same namespace
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: *app
+      fromCIDRSet:
+        - cidr: "${IP_ROUTER_LAN}/32"
      toPorts:
        - ports:
            - port: "45678"
              protocol: UDP
+    # Tailscale default port
+    - fromEntities:
+        - all
+      toPorts:
+        - ports:
            - port: "41641"
              protocol: UDP
  egress:
@@ -23,6 +30,21 @@ spec:
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: *app
-    # TODO: egress to everything
+    # WireGuard to router
+    - toCIDRSet:
+        - cidr: "${IP_ROUTER_LAN}/32"
+      toPorts:
+        - ports:
+            - port: "45678"
+              protocol: UDP
+    # egress to Tailscale default port
    - toEntities:
-        - world
+        - all
+      toPorts:
+        - ports:
+            - port: "41641"
+              protocol: UDP
+    # internet
+    - toCIDRSet:
+        - cidr: "0.0.0.0/0"
+          except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"] # private IP ranges should go through WireGuard with OPNsense rules or Tailscale's ACLs, but internet egress should still go through Cilium for DNS netpols and whatnot