chore: reduce Cilium dnsproxy toFQDNs load

This commit is contained in:
JJGadgets
2024-07-29 14:50:28 +08:00
parent 9c96450b24
commit fb5f5efc39
8 changed files with 125 additions and 10 deletions


@@ -25,16 +25,32 @@ spec:
io.kubernetes.pod.namespace: *app
# allow Duo
- toFQDNs:
- matchPattern: "api-*.duosecurity.com"
- &duo matchPattern: "api-*.duosecurity.com"
toPorts:
- ports:
- port: "443"
# allow AWS SES
- toFQDNs:
- matchPattern: "email-smtp.*.amazonaws.com"
- &smtp matchPattern: "email-smtp.*.amazonaws.com"
toPorts:
- ports:
- port: "587"
# toFQDNs
- toEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": kube-system
"k8s:k8s-app": kube-dns
- matchLabels:
io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: "ANY"
rules:
dns:
- *duo
- *smtp
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
apiVersion: cilium.io/v2
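Review bot: The `# toFQDNs` comment above the new kube-dns egress rule does not record the coupling it introduces: with an L7 `dns:` rule in place, the proxy only answers queries for the listed names, so every `toFQDNs` entry in this policy must also be aliased into that list or its addresses are never learned. The anchors keep the two in sync today, but a maintainer adding a third `toFQDNs` block has to remember the alias; I would replace the comment with `# DNS L7 allowlist: alias every toFQDNs pattern above here; lookups for other names are refused by the proxy`. The `toEndpoints` block also carries two `matchLabels` entries, one with the `k8s:` source prefix and one without; as far as I recall Cilium treats unprefixed labels as `any:`, so the second entry already covers the first and one of them can go (the same pair is repeated in every later hunk of this commit). Note that this file anchors individual pattern items (`- &duo matchPattern: …`) while the other hunks anchor the whole `toFQDNs` sequence (`toFQDNs: &apt`); both work, but picking one form across the repo would make the `dns:` lists read the same way everywhere.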


@@ -32,7 +32,7 @@ spec:
# app.kubernetes.io/name: *app
# app.kubernetes.io/component: ml
# egress:
# - toFQDNs:
# - toFQDNs: &huggingface
# - matchPattern: "huggingface.co"
# - matchPattern: "*.huggingface.co"
# toPorts:
@@ -41,3 +41,16 @@ spec:
# protocol: TCP
# - port: "443"
# protocol: UDP
# - toEndpoints:
# - matchLabels:
# "k8s:io.kubernetes.pod.namespace": kube-system
# "k8s:k8s-app": kube-dns
# - matchLabels:
# io.kubernetes.pod.namespace: kube-system
# k8s-app: kube-dns
# toPorts:
# - ports:
# - port: "53"
# protocol: "ANY"
# rules:
# dns: *huggingface


@@ -13,6 +13,20 @@ spec:
- matchLabels:
io.kubernetes.pod.namespace: *app
# Debian apt repos
- toFQDNs:
- toFQDNs: &apt
- matchName: "deb.debian.org"
- matchName: "debian.map.fastlydns.net"
- matchName: "debian.map.fastlydns.net"
# toFQDNs
- toEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": kube-system
"k8s:k8s-app": kube-dns
- matchLabels:
io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: "ANY"
rules:
dns: *apt
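Review bot: The `matchName: "debian.map.fastlydns.net"` line is printed twice with no visible difference, which suggests a whitespace- or indentation-only edit on that line; worth confirming nothing else changed there, since trailing whitespace inside a quoted scalar is harmless but a shifted indent would move the item out of the `toFQDNs` sequence. The `# toFQDNs` marker on the new kube-dns rule would be more useful as `# DNS L7 allowlist: must match the &apt toFQDNs list above`, so the reason for the alias is visible without reading the commit message.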


@@ -9,7 +9,7 @@ spec:
endpointSelector: {}
egress:
# Lavalink (Audio cog)
- toFQDNs:
- toFQDNs: &lavalink
## Discord media (???)
- matchPattern: "*.discord.media"
## YouTube
@@ -47,4 +47,19 @@ spec:
- port: "50008"
protocol: "UDP"
- port: "50009"
protocol: "UDP"
protocol: "UDP"
# toFQDNs
- toEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": kube-system
"k8s:k8s-app": kube-dns
- matchLabels:
io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: "ANY"
rules:
dns:
- matchPattern: "*"
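Review bot: The anchor `&lavalink` added on `toFQDNs:` in the first hunk is never referenced: the new `dns:` rule in the second hunk uses `matchPattern: "*"` instead of `*lavalink`, so this policy still proxies and permits every lookup and gains nothing from the anchor. Either change the rule to `dns: *lavalink` to match the other files, or drop the anchor and add `# wildcard on purpose: the lavalink/youtube list is long and changes often` so the exception is deliberate rather than a leftover. The `toFQDNs` list itself continues outside the first hunk, so I cannot tell whether every entry in it is safe to alias into a DNS rule. The duplicated `protocol: "UDP"` line at the top of the second hunk also looks like a whitespace-only change; please confirm the indent of that item did not move.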


@@ -26,6 +26,7 @@ spec:
endpointSelector:
matchExpressions:
- {key: dns.home.arpa/l7, operator: NotIn, values: ["false"]}
- {key: dns.home.arpa/l7, operator: In, values: ["true"]}
egress:
- toEndpoints:
- matchLabels:
@@ -50,7 +51,7 @@ spec:
description: "Policy for egress allow to kube-dns from all Cilium managed endpoints in the cluster"
endpointSelector:
matchExpressions:
- {key: dns.home.arpa/l7, operator: In, values: ["false"]}
- {key: dns.home.arpa/l7, operator: NotIn, values: ["true"]}
egress:
- toEndpoints:
- matchLabels:
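Review bot: The selector change flips the default from opt-out to opt-in without a comment saying so: endpoints that carry no `dns.home.arpa/l7` label now fall under the plain kube-dns allow policy in the second hunk rather than the L7 DNS policy in the first, which means any namespace policy relying on `toFQDNs` must now ship its own `rules: dns:` block (as the other hunks in this commit do) or its FQDN rules silently never learn addresses. I would record that contract next to each selector, e.g. `# opt-in: only endpoints labelled dns.home.arpa/l7=true get the DNS proxy; toFQDNs policies elsewhere must carry their own dns: rule`. Note the two selectors are not exact complements: an endpoint labelled with any value other than `"true"` (e.g. a typo like `"True"`) matches only the plain policy, so it is worth stating that only the lowercase `"true"` value enables L7.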


@@ -71,6 +71,20 @@ spec:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
- toEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": kube-system
"k8s:k8s-app": kube-dns
- matchLabels:
io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: "ANY"
rules:
dns:
- matchPattern: "*"
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
apiVersion: cilium.io/v2
@@ -92,6 +106,20 @@ spec:
- ports:
- port: "443"
protocol: ANY
- toEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": kube-system
"k8s:k8s-app": kube-dns
- matchLabels:
io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: "ANY"
rules:
dns:
- matchPattern: "*"
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
apiVersion: cilium.io/v2
@@ -111,6 +139,20 @@ spec:
protocol: TCP
- port: "443"
protocol: UDP
- toEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": kube-system
"k8s:k8s-app": kube-dns
- matchLabels:
io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: "ANY"
rules:
dns:
- matchPattern: "*"
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
apiVersion: cilium.io/v2
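Review bot: All three hunks in this file add a kube-dns L7 rule with `matchPattern: "*"`, which routes every lookup from these endpoints through the DNS proxy without narrowing anything; that is the opposite of what the commit title aims for, so I assume it is the interim replacement for the cluster-wide opt-out policy being removed. Whether these policies use `toFQDNs` at all is outside the hunks: if they do not, the plain cluster-wide kube-dns allow would suffice and the `rules:` block can be dropped; if they do, the `&anchor`/`*alias` pattern from the other files would bound the proxied names. Either way a one-line comment would save the next reader the same question, e.g. `# wildcard DNS L7 rule: kept broad because this policy has no toFQDNs (or: TODO narrow to the toFQDNs list)`.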


@@ -116,6 +116,20 @@ spec:
- toFQDNs:
- matchPattern: "*.${DNS_MAIN}"
- matchPattern: "*.${DNS_SHORT}"
- toEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": kube-system
"k8s:k8s-app": kube-dns
- matchLabels:
io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: "ANY"
rules:
dns:
- matchPattern: "*"
- toCIDRSet:
- cidr: "${IP_ROUTER_LAN_CIDR}"
toPorts:
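Review bot: The new `dns:` rule uses `matchPattern: "*"` even though the `toFQDNs` entries immediately above it are only `*.${DNS_MAIN}` and `*.${DNS_SHORT}`, so the proxy keeps accepting every query from this endpoint; anchoring that list as the other files do (`- toFQDNs: &internal` … `dns: *internal`) would cut the proxied set down to the two internal zones. Other `toFQDNs` blocks may exist above the hunk, in which case they would need to be aliased too; the enclosing `egress:` list starts outside the hunk so I cannot confirm that. Since the patterns are template-substituted, a comment such as `# both zones are expanded at render time; an empty DNS_MAIN would yield the pattern "*." — check the rendered policy` would make the failure mode visible.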


@@ -50,8 +50,8 @@ spec:
- matchLabels:
rgw: "${CLUSTER_NAME}"
io.kubernetes.pod.namespace: rook-ceph
- toFQDNs:
- matchName: "rgw-biohazard.${DNS_TS}"
# - toFQDNs:
# - matchName: "rgw-biohazard.${DNS_TS}"
- toCIDRSet:
- cidr: "${IP_VLAN_CEPH_CIDR}"
toPorts:
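Review bot: Commenting out the `toFQDNs` rule for `rgw-biohazard.${DNS_TS}` leaves dead policy in the file with no reason attached; if the intent is that the RGW is now reached only through the `toCIDRSet` entry below, say so and delete the lines (history keeps them), e.g. `# RGW is reached via IP_VLAN_CEPH_CIDR below; no FQDN rule needed, which keeps this endpoint off the DNS proxy`. If instead the name can resolve to an address outside `${IP_VLAN_CEPH_CIDR}` (the `DNS_TS` suffix hints at an overlay network address), that egress is now dropped rather than allowed, which is a behaviour change worth stating in the commit or the comment. The `toPorts` block that scopes the CIDR rule continues outside the hunk, so I cannot see which ports remain open.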