diff --git a/kube/deploy/apps/authentik/app/netpol.yaml b/kube/deploy/apps/authentik/app/netpol.yaml
index 26921233..1357762e 100644
--- a/kube/deploy/apps/authentik/app/netpol.yaml
+++ b/kube/deploy/apps/authentik/app/netpol.yaml
@@ -48,6 +48,13 @@ spec:
 rules:
 dns:
 - matchPattern: "*"
+ # allow ingress-nginx
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
 # allow Duo
 - toFQDNs:
 - matchPattern: api-*.duosecurity.com
diff --git a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
index 770b8052..fd8f7198 100644
--- a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
+++ b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
@@ -61,8 +61,12 @@ spec:
 - port: "443"
 # allow traffic from pods with egress label
 - fromEndpoints:
- - matchLabels:
- egress.home.arpa/ingress-nginx: allow
+ - matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ - key: egress.home.arpa/ingress-nginx
+ operator: In
+ values: ["allow"]
 egress:
 # allow access to kube-apiserver to get Ingress/etc resources and push updates
 - toEntities:
@@ -91,7 +95,7 @@ spec:
 matchExpressions:
 - key: io.kubernetes.pod.namespace
 operator: Exists
- # allow egress to all pods, except pods in core namespaces that don't need ingress controllers
+ # allow egress to all pods, except pods in core namespaces that don't need ingress controllers (TODO: rm this for podLabels with ingress.home.arpa/nginx)
 - toEndpoints:
 - matchExpressions:
 - key: io.kubernetes.pod.namespace
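Review bot: The new `toEndpoints` entry in the authentik policy grants egress to the ingress-nginx controller pods on every port, because no `toPorts` accompanies it; if authentik only needs to reach the HTTP(S) listeners, adding `toPorts: [{ports: [{port: "443"}]}]` (plus `"80"` if that path is used) keeps any other listeners the controller exposes out of scope. Line breaks and indentation are lost in this view, so also confirm the entry sits at the `egress:` list level and is not nested under the preceding `dns:` rules, where it would be silently ignored or rejected. The enclosing `egress` list begins before the hunk.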
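Review bot: In the ingress-nginx policy at `@@ -61,8 +61,12 @@`, adding `io.kubernetes.pod.namespace` with `operator: Exists` to the `fromEndpoints` selector makes the grant depend on a label the sending pod sets on itself, and if this resource is a namespaced CiliumNetworkPolicy it also widens the selector from the policy's own namespace to every namespace; in a clusterwide policy it merely excludes endpoints without a namespace label. Either way the opt-in is controlled by whoever can label pods, not by this file, which is presumably intended but worth stating. If a narrower grant is wanted, `operator: In` with a `values:` list of the namespaces that host ingress-backed services keeps the allowed set explicit in the policy; otherwise the comment above the selector could say `# allow traffic from pods in any namespace carrying the egress label`. The `ingress:` rule list this sits in begins before the hunk.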
@@ -188,7 +192,7 @@ kind: CiliumClusterwideNetworkPolicy
 metadata:
 name: "egress-to-ingress-nginx"
 spec:
- description: "Allow pods that require ingress to allow traffic from ingress-nginx, no port restrictions"
+ description: "Allow pods that require egress to ingress-nginx, no port restrictions"
 endpointSelector:
 matchLabels:
 egress.home.arpa/ingress-nginx: allow