From 86d8326f2f2c782fb6f6353bbb8cf24e773d45e5 Mon Sep 17 00:00:00 2001 From: JJGadgets Date: Tue, 30 Jul 2024 18:05:43 +0800 Subject: [PATCH] chore: archive Tailscale, optimize netpols --- .../tailscale/app/clusterrolebinding.yaml | 0 .../core/_networking/tailscale/app/hr.yaml | 0 .../_networking/tailscale/app/netpol.yaml | 7 +- .../tailscale/app/secrets-oauth.yaml | 0 .../deploy/core/_networking/tailscale/ks.yaml | 0 .../_networking/tailscale/kustomization.yaml | 0 .../deploy/core/_networking/tailscale/ns.yaml | 0 kube/clusters/biohazard/flux/flux-repo.yaml | 4 +- .../ingress/ingress-nginx/app/netpol.yaml | 215 +++--------------- .../core/storage/rook-ceph/app/netpol.yaml | 5 +- kube/deploy/vm/ad/_deps/netpol.yaml | 109 ++++----- 11 files changed, 98 insertions(+), 242 deletions(-) rename {kube => .archive/kube}/deploy/core/_networking/tailscale/app/clusterrolebinding.yaml (100%) rename {kube => .archive/kube}/deploy/core/_networking/tailscale/app/hr.yaml (100%) rename {kube => .archive/kube}/deploy/core/_networking/tailscale/app/netpol.yaml (95%) rename {kube => .archive/kube}/deploy/core/_networking/tailscale/app/secrets-oauth.yaml (100%) rename {kube => .archive/kube}/deploy/core/_networking/tailscale/ks.yaml (100%) rename {kube => .archive/kube}/deploy/core/_networking/tailscale/kustomization.yaml (100%) rename {kube => .archive/kube}/deploy/core/_networking/tailscale/ns.yaml (100%) diff --git a/kube/deploy/core/_networking/tailscale/app/clusterrolebinding.yaml b/.archive/kube/deploy/core/_networking/tailscale/app/clusterrolebinding.yaml similarity index 100% rename from kube/deploy/core/_networking/tailscale/app/clusterrolebinding.yaml rename to .archive/kube/deploy/core/_networking/tailscale/app/clusterrolebinding.yaml 
diff --git a/kube/deploy/core/_networking/tailscale/app/hr.yaml b/.archive/kube/deploy/core/_networking/tailscale/app/hr.yaml similarity index 100% rename from kube/deploy/core/_networking/tailscale/app/hr.yaml rename to .archive/kube/deploy/core/_networking/tailscale/app/hr.yaml diff --git a/kube/deploy/core/_networking/tailscale/app/netpol.yaml b/.archive/kube/deploy/core/_networking/tailscale/app/netpol.yaml similarity index 95% rename from kube/deploy/core/_networking/tailscale/app/netpol.yaml rename to .archive/kube/deploy/core/_networking/tailscale/app/netpol.yaml index 386a829c..c135e600 100644 --- a/kube/deploy/core/_networking/tailscale/app/netpol.yaml +++ b/.archive/kube/deploy/core/_networking/tailscale/app/netpol.yaml @@ -19,15 +19,14 @@ spec: prometheus: "kps" # Tailscale connection - fromEntities: - - cluster - - world + - all egress: - toEntities: - world # kube-apiserver - toEntities: - kube-apiserver - - toEntities: + - toEntities: - host - remote-node toPorts: @@ -76,4 +75,4 @@ spec: # ingress controller webhook admission - fromEndpoints: - matchLabels: - io.kubernetes.pod.namespace: "tailscale" \ No newline at end of file + io.kubernetes.pod.namespace: "tailscale" diff --git a/kube/deploy/core/_networking/tailscale/app/secrets-oauth.yaml b/.archive/kube/deploy/core/_networking/tailscale/app/secrets-oauth.yaml similarity index 100% rename from kube/deploy/core/_networking/tailscale/app/secrets-oauth.yaml rename to .archive/kube/deploy/core/_networking/tailscale/app/secrets-oauth.yaml diff --git a/kube/deploy/core/_networking/tailscale/ks.yaml b/.archive/kube/deploy/core/_networking/tailscale/ks.yaml similarity index 100% rename from kube/deploy/core/_networking/tailscale/ks.yaml rename to .archive/kube/deploy/core/_networking/tailscale/ks.yaml 
diff --git a/kube/deploy/core/_networking/tailscale/kustomization.yaml b/.archive/kube/deploy/core/_networking/tailscale/kustomization.yaml similarity index 100% rename from kube/deploy/core/_networking/tailscale/kustomization.yaml rename to .archive/kube/deploy/core/_networking/tailscale/kustomization.yaml diff --git a/kube/deploy/core/_networking/tailscale/ns.yaml b/.archive/kube/deploy/core/_networking/tailscale/ns.yaml similarity index 100% rename from kube/deploy/core/_networking/tailscale/ns.yaml rename to .archive/kube/deploy/core/_networking/tailscale/ns.yaml diff --git a/kube/clusters/biohazard/flux/flux-repo.yaml b/kube/clusters/biohazard/flux/flux-repo.yaml index 400f92ff..2dc53635 100644 --- a/kube/clusters/biohazard/flux/flux-repo.yaml +++ b/kube/clusters/biohazard/flux/flux-repo.yaml @@ -164,7 +164,7 @@ spec: metadata: name: not-used spec: - prune: false + prune: true target: group: kustomize.toolkit.fluxcd.io version: v1 @@ -188,7 +188,7 @@ spec: metadata: name: not-used spec: - prune: false + prune: true target: group: kustomize.toolkit.fluxcd.io version: v1 diff --git a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml index 52e53de6..ea931ecf 100644 --- a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml +++ b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml @@ -17,10 +17,6 @@ spec: - remote-node toPorts: - ports: - - port: "80" - protocol: TCP - - port: "443" - protocol: TCP - port: "8443" protocol: TCP # all ingress-nginx traffic @@ -79,14 +75,6 @@ spec: key: egress.home.arpa/nginx-external - <<: *egress key: egress.home.arpa/nginx-public - # allow authentik-managed components to connect to main authentik server - - fromEndpoints: - - matchExpressions: - - key: io.kubernetes.pod.namespace - operator: Exists - - key: app.kubernetes.io/managed-by - operator: In - values: ["goauthentik.io"] # allow KPS to scrape - fromEndpoints: - matchLabels: 
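Review bot: Flipping `prune` to `true` in both `not-used` patches (-164 and -188) turns Flux garbage collection on for every Kustomization the patch targets, so cluster objects whose manifests leave the tree are deleted on the next reconcile; in this same commit that includes the Tailscale namespace and its OAuth secret just moved under `.archive/`. If any of those objects should survive, they need the `kustomize.toolkit.fluxcd.io/prune: disabled` annotation before this lands. A one-line comment above the key, `# prune: true — resources removed from git are deleted from the cluster on reconcile`, would make the consequence visible to the next reader.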
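Review bot: Dropping the `app.kubernetes.io/managed-by: goauthentik.io` ingress rule (-79) means authentik outposts no longer reach the controller by virtue of that label alone; unless each outpost pod also carries one of the `egress.home.arpa/nginx-*: allow` labels the neighbouring rules match on, its traffic to ingress-nginx will be dropped. The selectors that remain are outside the hunk, so this is inferred from the removed lines only. It is worth stating the new contract in the file next to the `egress.home.arpa/nginx-public` rule, e.g. `# authentik outposts are no longer allowed implicitly; they must opt in with an egress.home.arpa/nginx-*: allow label`.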
@@ -116,6 +104,7 @@ spec: - toFQDNs: - matchPattern: "*.${DNS_MAIN}" - matchPattern: "*.${DNS_SHORT}" + # DNS proxy to kube-dns, DNS L7 visibility - toEndpoints: - matchLabels: "k8s:io.kubernetes.pod.namespace": kube-system @@ -144,21 +133,13 @@ spec: - matchLabels: app.kubernetes.io/name: ingress-nginx # allow ingress-nginx to egress to pods that require ingress - - toEndpoints: - - matchLabels: - ingress.home.arpa/nginx: allow - matchExpressions: - - key: io.kubernetes.pod.namespace - operator: Exists - # allow egress to all pods, except pods in core namespaces that don't need ingress controllers (TODO: rm this for podLabels with ingress.home.arpa/nginx) - toEndpoints: - matchExpressions: - key: io.kubernetes.pod.namespace - operator: NotIn - values: - - kube-system - - flux-system - - rook-ceph + operator: Exists + - key: ingress.home.arpa/nginx + operator: In + values: [allow] # allow Flux notification-controller ingress - toEndpoints: - matchLabels: @@ -203,23 +184,12 @@ spec: - matchLabels: k8s-app: hubble-ui io.kubernetes.pod.namespace: kube-system - # DNS proxy to kube-dns, DNS L7 visibility - - toEndpoints: - - matchLabels: - io.kubernetes.pod.namespace: kube-system - k8s-app: kube-dns - toPorts: - - ports: - - port: "53" - rules: - dns: - - matchPattern: "*" --- # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: - name: "egress-to-ingress-nginx-internal" + name: "ingress-nginx-internal" namespace: ingress spec: # TODO: simplify this entire netpols file 
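Review bot: The kube-dns rule removed at the end of the first policy (-203) carried the `toPorts` `port: "53"` / `rules: dns: matchPattern: "*"` block, while the rule that now gets the `# DNS proxy to kube-dns, DNS L7 visibility` comment (+104) shows only its `toEndpoints` selector in the hunk. If that surviving rule does not have an equivalent `rules.dns` section, Cilium stops proxying DNS for the controller and the `toFQDNs` entries just above it (`*.${DNS_MAIN}`, `*.${DNS_SHORT}`) stop matching, because the FQDN-to-IP cache is only populated through an L7 DNS rule. Please confirm the `toPorts` block sits on the +104 rule (it is outside the hunk) and make the dependency explicit there: `# required by the toFQDNs rules above: Cilium only learns FQDN->IP mappings through this L7 DNS rule`.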
@@ -236,12 +206,21 @@ spec: - key: egress.home.arpa/nginx-internal operator: In values: ["allow"] + egress: + # allow ingress-nginx to egress to pods that require ingress + - toEndpoints: + - matchExpressions: + - key: io.kubernetes.pod.namespace + operator: Exists + - key: ingress.home.arpa/nginx-internal + operator: In + values: [allow] --- # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: - name: "egress-to-ingress-nginx-external" + name: "ingress-nginx-external" namespace: ingress spec: # TODO: simplify this entire netpols file @@ -258,12 +237,21 @@ spec: - key: egress.home.arpa/nginx-external operator: In values: ["allow"] + egress: + # allow ingress-nginx to egress to pods that require ingress + - toEndpoints: + - matchExpressions: + - key: io.kubernetes.pod.namespace + operator: Exists + - key: ingress.home.arpa/nginx-external + operator: In + values: [allow] --- # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: - name: "egress-to-ingress-nginx-public" + name: "ingress-nginx-public" namespace: ingress spec: # TODO: simplify this entire netpols file @@ -280,6 +268,15 @@ spec: - key: egress.home.arpa/nginx-public operator: In values: ["allow"] + egress: + # allow ingress-nginx to egress to pods that require ingress + - toEndpoints: + - matchExpressions: + - key: io.kubernetes.pod.namespace + operator: Exists + - key: ingress.home.arpa/nginx-public + operator: In + values: [allow] --- apiVersion: "cilium.io/v2" kind: CiliumClusterwideNetworkPolicy @@ -291,7 +288,6 @@ spec: matchLabels: ingress.home.arpa/nginx: allow ingress: - # ingress controller webhook admission - fromEndpoints: - matchLabels: app.kubernetes.io/instance: ingress-nginx 
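Review bot: In the three new `egress` blocks (+206, +237, +268) the `io.kubernetes.pod.namespace` / `operator: Exists` expression is load-bearing, not decoration: a namespaced CiliumNetworkPolicy scopes `toEndpoints` to its own namespace (`ingress`) unless the selector references that label explicitly, and the `ingress.home.arpa/nginx-*: allow` pods live elsewhere. It also has to stay in the same `matchExpressions` list as the label check; split out as a second selector it would match every pod in the cluster on its own. Suggest saying so above each block, e.g. `# namespace Exists widens this selector beyond the ingress namespace; keep it ANDed with the label check`. Minor: the new `values: [allow]` is unquoted while the context lines a few lines up in the same file write `values: ["allow"]`; pick one form.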
@@ -308,7 +304,6 @@ spec: matchLabels: ingress.home.arpa/nginx-internal: allow ingress: - # ingress controller webhook admission - fromEndpoints: - matchLabels: app.kubernetes.io/instance: nginx-internal @@ -325,7 +320,6 @@ spec: matchLabels: ingress.home.arpa/nginx-external: allow ingress: - # ingress controller webhook admission - fromEndpoints: - matchLabels: app.kubernetes.io/instance: nginx-external @@ -342,7 +336,6 @@ spec: matchLabels: ingress.home.arpa/nginx-public: allow ingress: - # ingress controller webhook admission - fromEndpoints: - matchLabels: app.kubernetes.io/instance: nginx-public @@ -359,7 +352,6 @@ spec: matchLabels: egress.home.arpa/nginx-internal: allow egress: - # ingress controller webhook admission - toEndpoints: - matchLabels: app.kubernetes.io/instance: nginx-internal @@ -376,7 +368,6 @@ spec: matchLabels: egress.home.arpa/nginx-external: allow egress: - # ingress controller webhook admission - toEndpoints: - matchLabels: app.kubernetes.io/instance: nginx-external 
@@ -393,144 +384,8 @@ spec: matchLabels: egress.home.arpa/nginx-public: allow egress: - # ingress controller webhook admission - toEndpoints: - matchLabels: app.kubernetes.io/instance: nginx-public app.kubernetes.io/name: ingress-nginx io.kubernetes.pod.namespace: ingress ---- -apiVersion: "cilium.io/v2" -kind: CiliumClusterwideNetworkPolicy -metadata: - name: "egress-to-nginx-internal" -spec: - description: "Allow pods that require egress to ingress-nginx, no port restrictions" - endpointSelector: - matchLabels: - egress.home.arpa/nginx-internal: allow - egress: - # ingress controller webhook admission - - toEndpoints: - - matchLabels: - app.kubernetes.io/instance: nginx-internal - app.kubernetes.io/name: ingress-nginx - io.kubernetes.pod.namespace: ingress ---- -apiVersion: "cilium.io/v2" -kind: CiliumClusterwideNetworkPolicy -metadata: - name: "egress-to-nginx-external" -spec: - description: "Allow pods that require egress to ingress-nginx, no port restrictions" - endpointSelector: - matchLabels: - egress.home.arpa/nginx-external: allow - egress: - # ingress controller webhook admission - - toEndpoints: - - matchLabels: - app.kubernetes.io/instance: nginx-external - app.kubernetes.io/name: ingress-nginx - io.kubernetes.pod.namespace: ingress ---- -apiVersion: "cilium.io/v2" -kind: CiliumClusterwideNetworkPolicy -metadata: - name: "egress-to-nginx-public" -spec: - description: "Allow pods that require egress to ingress-nginx, no port restrictions" - endpointSelector: - matchLabels: - egress.home.arpa/nginx-public: allow - egress: - # ingress controller webhook admission - - toEndpoints: - - matchLabels: - app.kubernetes.io/instance: nginx-public - app.kubernetes.io/name: ingress-nginx - io.kubernetes.pod.namespace: ingress ---- -apiVersion: "cilium.io/v2" -kind: CiliumClusterwideNetworkPolicy -metadata: - name: "ingress-nginx-webhook" -spec: - endpointSelector: {} - egress: - # ingress controller webhook admission - - toServices: - - k8sService: - serviceName: 
ingress-nginx-controller-admission - namespace: ingress - - toEndpoints: - - matchLabels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - io.kubernetes.pod.namespace: ingress - toPorts: - - ports: - - port: "8443" ---- -apiVersion: "cilium.io/v2" -kind: CiliumClusterwideNetworkPolicy -metadata: - name: "nginx-internal-webhook" -spec: - endpointSelector: {} - egress: - # ingress controller webhook admission - - toServices: - - k8sService: - serviceName: nginx-internal-controller-admission - namespace: ingress - - toEndpoints: - - matchLabels: - app.kubernetes.io/instance: nginx-internal - app.kubernetes.io/name: ingress-nginx - io.kubernetes.pod.namespace: ingress - toPorts: - - ports: - - port: "8443" ---- -apiVersion: "cilium.io/v2" -kind: CiliumClusterwideNetworkPolicy -metadata: - name: "nginx-external-webhook" -spec: - endpointSelector: {} - egress: - # ingress controller webhook admission - - toServices: - - k8sService: - serviceName: nginx-external-controller-admission - namespace: ingress - - toEndpoints: - - matchLabels: - app.kubernetes.io/instance: nginx-external - app.kubernetes.io/name: ingress-nginx - io.kubernetes.pod.namespace: ingress - toPorts: - - ports: - - port: "8443" ---- -apiVersion: "cilium.io/v2" -kind: CiliumClusterwideNetworkPolicy -metadata: - name: "nginx-public-webhook" -spec: - endpointSelector: {} - egress: - # ingress controller webhook admission - - toServices: - - k8sService: - serviceName: nginx-public-controller-admission - namespace: ingress - - toEndpoints: - - matchLabels: - app.kubernetes.io/instance: nginx-public - app.kubernetes.io/name: ingress-nginx - io.kubernetes.pod.namespace: ingress - toPorts: - - ports: - - port: "8443" diff --git a/kube/deploy/core/storage/rook-ceph/app/netpol.yaml b/kube/deploy/core/storage/rook-ceph/app/netpol.yaml index 872cb96c..9fb8308e 100644 --- a/kube/deploy/core/storage/rook-ceph/app/netpol.yaml +++ b/kube/deploy/core/storage/rook-ceph/app/netpol.yaml 
@@ -89,8 +89,9 @@ spec: operator: Exists # allow pods with rgw label to connect - fromEndpoints: - - matchLabels: - s3.home.arpa/store: rgw-${CLUSTER_NAME} - matchExpressions: - key: io.kubernetes.pod.namespace operator: Exists + - key: s3.home.arpa/store + operator: In + values: ["rgw-${CLUSTER_NAME}"] diff --git a/kube/deploy/vm/ad/_deps/netpol.yaml b/kube/deploy/vm/ad/_deps/netpol.yaml index 340554d6..3a9cb2c4 100644 --- a/kube/deploy/vm/ad/_deps/netpol.yaml +++ b/kube/deploy/vm/ad/_deps/netpol.yaml 
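Review bot: Merging the `s3.home.arpa/store` check into the existing `matchExpressions` list changes what the rule admits, not just its shape: the removed lines read as two sibling selectors under `fromEndpoints` (`- matchLabels:` and `- matchExpressions:`), and the second one, holding only `io.kubernetes.pod.namespace` Exists, matched every pod in every namespace, so the RGW ingress was effectively open cluster-wide. The new single selector ANDs the namespace expression with the store label, which is the scope the comment above it describes. Since the commit message files this as an optimization, a comment capturing the real reason would stop someone from splitting it again: `# keep as ONE selector: namespace Exists widens the match across namespaces, the store label narrows it; as two selectors the first alone matches all pods`.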
@@ -1,54 +1,55 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json -apiVersion: cilium.io/v2 -kind: CiliumNetworkPolicy -metadata: - name: &app vm-ad - namespace: *app -spec: - endpointSelector: {} - ingress: - # WireGuard from router & same namespace - - fromEndpoints: - - matchLabels: - io.kubernetes.pod.namespace: *app - toPorts: - - ports: - - port: "45678" - protocol: UDP - - fromCIDRSet: - - cidr: "${IP_ROUTER_LAN}/32" - toPorts: - - ports: - - port: "45678" - protocol: UDP - # Tailscale default port - - fromEntities: - - all - toPorts: - - ports: - - port: "41641" - protocol: UDP - egress: - # same namespace - - toEndpoints: - - matchLabels: - io.kubernetes.pod.namespace: *app - # WireGuard to router - - toCIDRSet: - - cidr: "${IP_ROUTER_LAN}/32" - toPorts: - - ports: - - port: "45678" - protocol: UDP - # egress to Tailscale default port - - toEntities: - - all - toPorts: - - ports: - - port: "41641" - protocol: UDP - # internet - - toCIDRSet: - - cidr: "0.0.0.0/0" - except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"] # private IP ranges should go through WireGuard with OPNsense rules or Tailscale's ACLs, but internet egress should still go through Cilium for DNS netpols and whatnot +#--- +# NOTE: disabled due to using Multus instead of Cilium CNI, so this netpol won't do anything +## yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json +#apiVersion: cilium.io/v2 +#kind: CiliumNetworkPolicy +#metadata: +# name: &app vm-ad +# namespace: *app +#spec: +# endpointSelector: {} +# ingress: +# # WireGuard from router & same namespace +# - fromEndpoints: +# - matchLabels: +# io.kubernetes.pod.namespace: *app +# toPorts: +# - ports: +# - port: "45678" +# protocol: UDP +# - fromCIDRSet: +# - cidr: "${IP_ROUTER_LAN}/32" +# toPorts: +# - ports: +# - port: "45678" +# protocol: UDP +# # 
Tailscale default port +# - fromEntities: +# - all +# toPorts: +# - ports: +# - port: "41641" +# protocol: UDP +# egress: +# # same namespace +# - toEndpoints: +# - matchLabels: +# io.kubernetes.pod.namespace: *app +# # WireGuard to router +# - toCIDRSet: +# - cidr: "${IP_ROUTER_LAN}/32" +# toPorts: +# - ports: +# - port: "45678" +# protocol: UDP +# # egress to Tailscale default port +# - toEntities: +# - all +# toPorts: +# - ports: +# - port: "41641" +# protocol: UDP +# # internet +# - toCIDRSet: +# - cidr: "0.0.0.0/0" +# except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"] # private IP ranges should go through WireGuard with OPNsense rules or Tailscale's ACLs, but internet egress should still go through Cilium for DNS netpols and whatnot
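Review bot: Commenting out all 54 lines leaves a resource file that parses to no YAML document; if the `kustomization.yaml` in `kube/deploy/vm/ad/_deps/` still lists `netpol.yaml`, kustomize may reject the empty file or silently emit nothing, and neither outcome is visible from this hunk. The rest of this commit moves the disabled Tailscale manifests under `.archive/` instead of commenting them out; doing the same here, or deleting the file and keeping the rationale in the kustomization, is the more consistent choice. If the file stays, expand the NOTE so the reader knows where the dropped controls are meant to live, drawing on the file's own trailing comment: `# NOTE: disabled — the VM pod is attached via Multus, so Cilium never sees this traffic; the WireGuard/Tailscale port restrictions below are expected to be enforced by OPNsense rules and Tailscale ACLs instead`.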