diff --git a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
index 3aa5af73..9a13eb47 100644
--- a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
+++ b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
@@ -189,6 +189,28 @@ spec:
 # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
+metadata:
+ name: "egress-to-ingress-nginx-internal"
+ namespace: ingress
+spec:
+ # TODO: simplify this entire netpols file
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: "nginx-internal"
+ ingress:
+ # allow traffic from pods with egress label
+ - fromEndpoints:
+ - matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ - key: egress.home.arpa/nginx-internal
+ operator: In
+ values: ["allow"]
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
 metadata:
 name: "egress-to-ingress-nginx-external"
 namespace: ingress
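Review bot: The new `ingress` rule on the `nginx-internal` controller pods carries no `toPorts`, so any pod cluster-wide that carries `egress.home.arpa/nginx-internal: allow` can reach every port the controller pod listens on, not only the proxy listeners — presumably including any metrics or admission-webhook endpoints the controller exposes. Adding a `toPorts` entry under the `fromEndpoints` rule, limited to the HTTP/HTTPS listener ports (`toPorts: [{ports: [{port: "<HTTP_PORT>", protocol: TCP}, {port: "<HTTPS_PORT>", protocol: TCP}]}]`, ports to be filled from the controller's service definition), would keep those other listeners out of the opt-in path. The `io.kubernetes.pod.namespace` / `Exists` expression is what widens `fromEndpoints` beyond the policy's own `ingress` namespace, and since the selecting label is set by whoever can create pods in a namespace, the rule is exactly as strong as pod-creation RBAC across the cluster; that intent deserves to be stated in the comment, e.g. `# any namespace: a pod opts in by carrying egress.home.arpa/nginx-internal=allow (gate is pod-creation RBAC)`. The same two points apply to the `nginx-public` policy added in the second hunk.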
@@ -208,6 +230,28 @@ spec:
 operator: In
 values: ["allow"]
 ---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: "egress-to-ingress-nginx-public"
+ namespace: ingress
+spec:
+ # TODO: simplify this entire netpols file
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: "nginx-public"
+ ingress:
+ # allow traffic from pods with egress label
+ - fromEndpoints:
+ - matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ - key: egress.home.arpa/nginx-public
+ operator: In
+ values: ["allow"]
+---
 apiVersion: "cilium.io/v2"
 kind: CiliumClusterwideNetworkPolicy
 metadata: