fix(ingress-nginx): moar netpols!

2026-01-28 02:18:24 +00:00 · 2023-11-30 01:12:43 +08:00
parent eee8324852
commit 60dcd015ca
1 changed files with 44 additions and 0 deletions
--- a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
+++ b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
@@ -189,6 +189,28 @@ spec:
 # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
+metadata:
+  name: "egress-to-ingress-nginx-internal"
+  namespace: ingress
+spec:
+  # TODO: simplify this entire netpols file
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: ingress-nginx
+      app.kubernetes.io/instance: "nginx-internal"
+  ingress:
+    # allow traffic from pods with egress label
+    - fromEndpoints:
+        - matchExpressions:
+            - key: io.kubernetes.pod.namespace
+              operator: Exists
+            - key: egress.home.arpa/nginx-internal
+              operator: In
+              values: ["allow"]
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
 metadata:
  name: "egress-to-ingress-nginx-external"
  namespace: ingress
@@ -208,6 +230,28 @@ spec:
              operator: In
              values: ["allow"]
 ---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: "egress-to-ingress-nginx-public"
+  namespace: ingress
+spec:
+  # TODO: simplify this entire netpols file
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: ingress-nginx
+      app.kubernetes.io/instance: "nginx-public"
+  ingress:
+    # allow traffic from pods with egress label
+    - fromEndpoints:
+        - matchExpressions:
+            - key: io.kubernetes.pod.namespace
+              operator: Exists
+            - key: egress.home.arpa/nginx-public
+              operator: In
+              values: ["allow"]
+---
 apiVersion: "cilium.io/v2"
 kind: CiliumClusterwideNetworkPolicy
 metadata: