diff --git a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
index daa8b214..cbfc1be7 100644
--- a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
+++ b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
@@ -6,9 +6,9 @@ metadata:
 name: ingress-nginx-default
 namespace: ingress
 spec:
+ # TODO: simplify this entire netpols file
 endpointSelector:
 matchLabels:
- app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 ingress:
 # allow kube-apiserver and remote-node (Cilium) for webhooks
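Review bot: The widened `endpointSelector` of `ingress-nginx-default` is undocumented: with `app.kubernetes.io/instance` gone, the policy now covers every pod in the `ingress` namespace carrying `app.kubernetes.io/name: ingress-nginx`, which is presumably intended now that three controller instances (nginx-internal/-external/-public, introduced later in this diff) exist, but the TODO line does not say so. Record that next to the selector so the label is not re-added later: `# instance label intentionally omitted: applies to every ingress-nginx controller instance (internal/external/public)`. The `ingress:` rules of this policy continue past the hunk, so it cannot be seen here whether anything beyond the apiserver/remote-node webhook allow is also being widened.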
@@ -193,6 +193,57 @@ spec:
 ---
 apiVersion: "cilium.io/v2"
 kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: "ingress-from-nginx-internal"
+spec:
+ description: "Allow pods that require ingress to allow traffic from ingress-nginx, no port restrictions"
+ endpointSelector:
+ matchLabels:
+ ingress.home.arpa/nginx-internal: allow
+ ingress:
+ # ingress controller webhook admission
+ - fromEndpoints:
+ - matchLabels:
+ app.kubernetes.io/instance: nginx-internal
+ app.kubernetes.io/name: ingress-nginx
+ io.kubernetes.pod.namespace: ingress
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: "ingress-from-nginx-external"
+spec:
+ description: "Allow pods that require ingress to allow traffic from ingress-nginx, no port restrictions"
+ endpointSelector:
+ matchLabels:
+ ingress.home.arpa/nginx-external: allow
+ ingress:
+ # ingress controller webhook admission
+ - fromEndpoints:
+ - matchLabels:
+ app.kubernetes.io/instance: nginx-external
+ app.kubernetes.io/name: ingress-nginx
+ io.kubernetes.pod.namespace: ingress
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: "ingress-from-nginx-public"
+spec:
+ description: "Allow pods that require ingress to allow traffic from ingress-nginx, no port restrictions"
+ endpointSelector:
+ matchLabels:
+ ingress.home.arpa/nginx-public: allow
+ ingress:
+ # ingress controller webhook admission
+ - fromEndpoints:
+ - matchLabels:
+ app.kubernetes.io/instance: nginx-public
+ app.kubernetes.io/name: ingress-nginx
+ io.kubernetes.pod.namespace: ingress
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
 metadata:
 name: "egress-to-ingress-nginx"
 spec:
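Review bot: The `# ingress controller webhook admission` comment under each new `ingress:` block is copied from the webhook policies and does not describe these rules, which admit proxied traffic from the controller pods into any pod that opts in with an `ingress.home.arpa/nginx-*: allow` label. Since Cilium combines allow rules by union, a pod carrying that label becomes reachable from the matching controller pods on every port, and a narrower namespaced allow policy cannot take that back (only an explicit `ingressDeny` rule would); for the `nginx-public` variant, which by its name appears to be the externally exposed instance, that means a compromised or misrouted controller can reach non-HTTP listeners (debug, metrics, admin ports) on the backend. Replace the comment with `# proxied client traffic from the nginx-<instance> controller pods; deliberately port-unrestricted, so the opt-in label exposes the whole pod`, and consider a second opt-in label whose policy pins `toPorts` to the backend's service port for workloads that only serve HTTP.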
@@ -210,6 +261,57 @@ spec:
 ---
 apiVersion: "cilium.io/v2"
 kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: "egress-to-nginx-internal"
+spec:
+ description: "Allow pods that require egress to ingress-nginx, no port restrictions"
+ endpointSelector:
+ matchLabels:
+ egress.home.arpa/nginx-internal: allow
+ egress:
+ # ingress controller webhook admission
+ - toEndpoints:
+ - matchLabels:
+ app.kubernetes.io/instance: nginx-internal
+ app.kubernetes.io/name: ingress-nginx
+ io.kubernetes.pod.namespace: ingress
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: "egress-to-nginx-external"
+spec:
+ description: "Allow pods that require egress to ingress-nginx, no port restrictions"
+ endpointSelector:
+ matchLabels:
+ egress.home.arpa/nginx-external: allow
+ egress:
+ # ingress controller webhook admission
+ - toEndpoints:
+ - matchLabels:
+ app.kubernetes.io/instance: nginx-external
+ app.kubernetes.io/name: ingress-nginx
+ io.kubernetes.pod.namespace: ingress
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: "egress-to-nginx-public"
+spec:
+ description: "Allow pods that require egress to ingress-nginx, no port restrictions"
+ endpointSelector:
+ matchLabels:
+ egress.home.arpa/nginx-public: allow
+ egress:
+ # ingress controller webhook admission
+ - toEndpoints:
+ - matchLabels:
+ app.kubernetes.io/instance: nginx-public
+ app.kubernetes.io/name: ingress-nginx
+ io.kubernetes.pod.namespace: ingress
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
 metadata:
 name: "ingress-nginx-webhook"
 spec:
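Review bot: The three new `egress-to-nginx-*` rules carry no `toPorts`, so a pod labelled `egress.home.arpa/nginx-*: allow` can reach the matching controller pods on every listener, including the admission port `8443` that the `*-webhook` policies in this same file deliberately pin, rather than only the HTTP/HTTPS ports a hairpinned client needs. The `description` states this is intentional, but the `# ingress controller webhook admission` comment is copied from the webhook rules and misdescribes the purpose; it should read `# hairpin/client traffic to the nginx-<instance> controller pods (not the admission webhook)`. If the controllers only need to be reached as HTTP(S) proxies, add a `toPorts` block with the controller's http/https container ports to each rule (80/443 are the upstream ingress-nginx defaults, to be confirmed against whatever deploys these instances). The `egress-to-ingress-nginx` policy that precedes these documents starts outside the hunk.
```yaml
  egress:
    # hairpin/client traffic to the nginx-internal controller pods (not the admission webhook)
    - toEndpoints:
        - matchLabels:
            app.kubernetes.io/instance: nginx-internal
            app.kubernetes.io/name: ingress-nginx
            io.kubernetes.pod.namespace: ingress
      toPorts:
        - ports:
            - port: "80"
            - port: "443"
# … same toPorts block for egress-to-nginx-external and egress-to-nginx-public …
```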
@@ -228,3 +330,66 @@ spec:
 toPorts:
 - ports:
 - port: "8443"
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: "nginx-internal-webhook"
+spec:
+ endpointSelector: {}
+ egress:
+ # ingress controller webhook admission
+ - toServices:
+ - k8sService:
+ serviceName: nginx-internal-controller-admission
+ namespace: ingress
+ - toEndpoints:
+ - matchLabels:
+ app.kubernetes.io/instance: nginx-internal
+ app.kubernetes.io/name: ingress-nginx
+ io.kubernetes.pod.namespace: ingress
+ toPorts:
+ - ports:
+ - port: "8443"
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: "nginx-external-webhook"
+spec:
+ endpointSelector: {}
+ egress:
+ # ingress controller webhook admission
+ - toServices:
+ - k8sService:
+ serviceName: nginx-external-controller-admission
+ namespace: ingress
+ - toEndpoints:
+ - matchLabels:
+ app.kubernetes.io/instance: nginx-external
+ app.kubernetes.io/name: ingress-nginx
+ io.kubernetes.pod.namespace: ingress
+ toPorts:
+ - ports:
+ - port: "8443"
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: "nginx-public-webhook"
+spec:
+ endpointSelector: {}
+ egress:
+ # ingress controller webhook admission
+ - toServices:
+ - k8sService:
+ serviceName: nginx-public-controller-admission
+ namespace: ingress
+ - toEndpoints:
+ - matchLabels:
+ app.kubernetes.io/instance: nginx-public
+ app.kubernetes.io/name: ingress-nginx
+ io.kubernetes.pod.namespace: ingress
+ toPorts:
+ - ports:
+ - port: "8443"
\ No newline at end of file
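Review bot: `endpointSelector: {}` in the three new `nginx-*-webhook` policies selects every pod in the cluster, so every workload is granted egress to the admission service and to the controller pods on `8443`, although a validating admission webhook is normally called only by the kube-apiserver, which is not a pod endpoint and is already handled on the receiving side by the apiserver/remote-node allow in `ingress-nginx-default` at the top of this diff. Unless some in-cluster client other than the apiserver needs these webhooks, the selector should be narrowed to that client or the policies dropped; if the wide selector is deliberate, say why in place of the copied comment, e.g. `# selects ALL endpoints cluster-wide on purpose: <client> must reach the admission webhook`. Note as well that in Cilium's default enforcement mode a policy that selects an endpoint and contains `egress:` rules puts that endpoint into egress default-deny, so if the pre-existing `ingress-nginx-webhook` policy (whose selector lies outside this hunk) did not already select everything, these three change the egress posture of every pod rather than merely adding an allow. The file also now ends without a trailing newline.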