fix(ingress-nginx): netpols (to be simplified)

kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml

@@ -6,9 +6,9 @@ metadata:
   name: ingress-nginx-default
   namespace: ingress
 spec:
+  # TODO: simplify this entire netpols file
   endpointSelector:
     matchLabels:
-      app.kubernetes.io/instance: ingress-nginx
       app.kubernetes.io/name: ingress-nginx
   ingress:
     # allow kube-apiserver and remote-node (Cilium) for webhooks
@@ -193,6 +193,57 @@ spec:
 ---
 apiVersion: "cilium.io/v2"
 kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: "ingress-from-nginx-internal"
+spec:
+  description: "Allow pods that require ingress to allow traffic from ingress-nginx, no port restrictions"
+  endpointSelector:
+    matchLabels:
+      ingress.home.arpa/nginx-internal: allow
+  ingress:
+    # ingress controller webhook admission
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/instance: nginx-internal
+            app.kubernetes.io/name: ingress-nginx
+            io.kubernetes.pod.namespace: ingress
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: "ingress-from-nginx-external"
+spec:
+  description: "Allow pods that require ingress to allow traffic from ingress-nginx, no port restrictions"
+  endpointSelector:
+    matchLabels:
+      ingress.home.arpa/nginx-external: allow
+  ingress:
+    # ingress controller webhook admission
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/instance: nginx-external
+            app.kubernetes.io/name: ingress-nginx
+            io.kubernetes.pod.namespace: ingress
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: "ingress-from-nginx-public"
+spec:
+  description: "Allow pods that require ingress to allow traffic from ingress-nginx, no port restrictions"
+  endpointSelector:
+    matchLabels:
+      ingress.home.arpa/nginx-public: allow
+  ingress:
+    # ingress controller webhook admission
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/instance: nginx-public
+            app.kubernetes.io/name: ingress-nginx
+            io.kubernetes.pod.namespace: ingress
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
 metadata:
   name: "egress-to-ingress-nginx"
 spec:
@@ -210,6 +261,57 @@ spec:
 ---
 apiVersion: "cilium.io/v2"
 kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: "egress-to-nginx-internal"
+spec:
+  description: "Allow pods that require egress to ingress-nginx, no port restrictions"
+  endpointSelector:
+    matchLabels:
+      egress.home.arpa/nginx-internal: allow
+  egress:
+    # ingress controller webhook admission
+    - toEndpoints:
+        - matchLabels:
+            app.kubernetes.io/instance: nginx-internal
+            app.kubernetes.io/name: ingress-nginx
+            io.kubernetes.pod.namespace: ingress
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: "egress-to-nginx-external"
+spec:
+  description: "Allow pods that require egress to ingress-nginx, no port restrictions"
+  endpointSelector:
+    matchLabels:
+      egress.home.arpa/nginx-external: allow
+  egress:
+    # ingress controller webhook admission
+    - toEndpoints:
+        - matchLabels:
+            app.kubernetes.io/instance: nginx-external
+            app.kubernetes.io/name: ingress-nginx
+            io.kubernetes.pod.namespace: ingress
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: "egress-to-nginx-public"
+spec:
+  description: "Allow pods that require egress to ingress-nginx, no port restrictions"
+  endpointSelector:
+    matchLabels:
+      egress.home.arpa/nginx-public: allow
+  egress:
+    # ingress controller webhook admission
+    - toEndpoints:
+        - matchLabels:
+            app.kubernetes.io/instance: nginx-public
+            app.kubernetes.io/name: ingress-nginx
+            io.kubernetes.pod.namespace: ingress
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
 metadata:
   name: "ingress-nginx-webhook"
 spec:
@@ -228,3 +330,66 @@ spec:
       toPorts:
         - ports:
             - port: "8443"
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: "nginx-internal-webhook"
+spec:
+  endpointSelector: {}
+  egress:
+    # ingress controller webhook admission
+    - toServices:
+        - k8sService:
+            serviceName: nginx-internal-controller-admission
+            namespace: ingress
+    - toEndpoints:
+        - matchLabels:
+            app.kubernetes.io/instance: nginx-internal
+            app.kubernetes.io/name: ingress-nginx
+            io.kubernetes.pod.namespace: ingress
+      toPorts:
+        - ports:
+            - port: "8443"
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: "nginx-external-webhook"
+spec:
+  endpointSelector: {}
+  egress:
+    # ingress controller webhook admission
+    - toServices:
+        - k8sService:
+            serviceName: nginx-external-controller-admission
+            namespace: ingress
+    - toEndpoints:
+        - matchLabels:
+            app.kubernetes.io/instance: nginx-external
+            app.kubernetes.io/name: ingress-nginx
+            io.kubernetes.pod.namespace: ingress
+      toPorts:
+        - ports:
+            - port: "8443"
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: "nginx-public-webhook"
+spec:
+  endpointSelector: {}
+  egress:
+    # ingress controller webhook admission
+    - toServices:
+        - k8sService:
+            serviceName: nginx-public-controller-admission
+            namespace: ingress
+    - toEndpoints:
+        - matchLabels:
+            app.kubernetes.io/instance: nginx-public
+            app.kubernetes.io/name: ingress-nginx
+            io.kubernetes.pod.namespace: ingress
+      toPorts:
+        - ports:
+            - port: "8443"