diff --git a/kube/deploy/apps/authentik/app/netpol.yaml b/kube/deploy/apps/authentik/app/netpol.yaml index 12f5c8ad..144f7ecf 100644 --- a/kube/deploy/apps/authentik/app/netpol.yaml +++ b/kube/deploy/apps/authentik/app/netpol.yaml @@ -25,16 +25,32 @@ spec: io.kubernetes.pod.namespace: *app # allow Duo - toFQDNs: - - matchPattern: "api-*.duosecurity.com" + - &duo matchPattern: "api-*.duosecurity.com" toPorts: - ports: - port: "443" # allow AWS SES - toFQDNs: - - matchPattern: "email-smtp.*.amazonaws.com" + - &smtp matchPattern: "email-smtp.*.amazonaws.com" toPorts: - ports: - port: "587" + # toFQDNs + - toEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": kube-system + "k8s:k8s-app": kube-dns + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: "ANY" + rules: + dns: + - *duo + - *smtp --- # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json apiVersion: cilium.io/v2 diff --git a/kube/deploy/apps/immich/app/netpol.yaml b/kube/deploy/apps/immich/app/netpol.yaml index 1e1b2269..3e01c786 100644 --- a/kube/deploy/apps/immich/app/netpol.yaml +++ b/kube/deploy/apps/immich/app/netpol.yaml @@ -32,7 +32,7 @@ spec: # app.kubernetes.io/name: *app # app.kubernetes.io/component: ml # egress: -# - toFQDNs: +# - toFQDNs: &huggingface # - matchPattern: "huggingface.co" # - matchPattern: "*.huggingface.co" # toPorts: @@ -41,3 +41,16 @@ spec: # protocol: TCP # - port: "443" # protocol: UDP +# - toEndpoints: +# - matchLabels: +# "k8s:io.kubernetes.pod.namespace": kube-system +# "k8s:k8s-app": kube-dns +# - matchLabels: +# io.kubernetes.pod.namespace: kube-system +# k8s-app: kube-dns +# toPorts: +# - ports: +# - port: "53" +# protocol: "ANY" +# rules: +# dns: *huggingface diff --git a/kube/deploy/apps/paperless-ngx/app/netpol.yaml b/kube/deploy/apps/paperless-ngx/app/netpol.yaml index 7943a7d5..d62f442e 100644 
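Review bot: The anchors on `- &duo matchPattern: "api-*.duosecurity.com"` and `- &smtp matchPattern: "email-smtp.*.amazonaws.com"` sit in front of an implicit mapping key, and whether they bind the whole `{matchPattern: …}` entry or only the key `matchPattern` is parser-dependent (libyaml-derived parsers such as go-yaml bind the mapping, which is what the `dns:` list needs; a strict YAML 1.2 reading binds the key). Putting each anchor on its own line removes the ambiguity: `- &duo` followed by `matchPattern: "api-*.duosecurity.com"` indented beneath it, and likewise for `&smtp`. Note also that the name-restricted `dns:` rule only narrows lookups if the authentik pods are excluded from the cluster-wide plain kube-dns allow (the `dns.home.arpa/l7: "true"` label in cluster-default-kube-dns.yaml); if both policies select the pod, Cilium's merge of an L4-only allow with an L7 rule ends up allowing all names as I understand it, so a comment recording that dependency on the pod label would help future readers. The enclosing egress list starts before this hunk.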
--- a/kube/deploy/apps/paperless-ngx/app/netpol.yaml +++ b/kube/deploy/apps/paperless-ngx/app/netpol.yaml @@ -13,6 +13,20 @@ spec: - matchLabels: io.kubernetes.pod.namespace: *app # Debian apt repos - - toFQDNs: + - toFQDNs: &apt - matchName: "deb.debian.org" - - matchName: "debian.map.fastlydns.net" \ No newline at end of file + - matchName: "debian.map.fastlydns.net" + # toFQDNs + - toEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": kube-system + "k8s:k8s-app": kube-dns + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: "ANY" + rules: + dns: *apt diff --git a/kube/deploy/apps/redbot/app/netpol.yaml b/kube/deploy/apps/redbot/app/netpol.yaml index f7acb48a..a99e1c2b 100644 --- a/kube/deploy/apps/redbot/app/netpol.yaml +++ b/kube/deploy/apps/redbot/app/netpol.yaml @@ -9,7 +9,7 @@ spec: endpointSelector: {} egress: # Lavalink (Audio cog) - - toFQDNs: + - toFQDNs: &lavalink ## Discord media (???) - matchPattern: "*.discord.media" ## YouTube @@ -47,4 +47,19 @@ spec: - port: "50008" protocol: "UDP" - port: "50009" - protocol: "UDP" \ No newline at end of file + protocol: "UDP" + # toFQDNs + - toEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": kube-system + "k8s:k8s-app": kube-dns + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: "ANY" + rules: + dns: + - matchPattern: "*" diff --git a/kube/deploy/core/_networking/cilium/netpols/cluster-default-kube-dns.yaml b/kube/deploy/core/_networking/cilium/netpols/cluster-default-kube-dns.yaml index 79f7a91c..2c29522f 100644 --- a/kube/deploy/core/_networking/cilium/netpols/cluster-default-kube-dns.yaml +++ b/kube/deploy/core/_networking/cilium/netpols/cluster-default-kube-dns.yaml 
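Review bot: The apt egress rule anchored as `- toFQDNs: &apt` carries no `toPorts`, so the policy allows every port to `deb.debian.org` and `debian.map.fastlydns.net`; apt only needs HTTP/HTTPS, so add `toPorts: - ports: - port: "80"` / `- port: "443"` with `protocol: TCP` under that rule, parallel to the new kube-dns block. Reusing the anchored list as `dns: *apt` is good: only lookups for those two names are permitted, which keeps the DNS channel narrow. The hunk covers the whole apt entry, but the policy's earlier egress rules start before it.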
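Review bot: The new kube-dns rule at the end of this hunk allows `matchPattern: "*"`, so the bot can resolve any name even though its `toFQDNs` egress is an allow-list, and the `&lavalink` anchor added to that list in the earlier hunk is never referenced here. Pointing the DNS rule at the anchored list, `dns: *lavalink`, limits lookups to the same names the pod may actually reach and closes the arbitrary-query channel (DNS exfiltration/tunnelling) that `*` leaves open; if other `toFQDNs` lists exist in the part of the file between the two hunks, anchor and list them as well, the way authentik's policy lists `*duo` and `*smtp`. The egress list this rule belongs to starts before the hunk.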
@@ -26,6 +26,7 @@ spec: endpointSelector: matchExpressions: - {key: dns.home.arpa/l7, operator: NotIn, values: ["false"]} + - {key: dns.home.arpa/l7, operator: In, values: ["true"]} egress: - toEndpoints: - matchLabels: @@ -50,7 +51,7 @@ spec: description: "Policy for egress allow to kube-dns from all Cilium managed endpoints in the cluster" endpointSelector: matchExpressions: - - {key: dns.home.arpa/l7, operator: In, values: ["false"]} + - {key: dns.home.arpa/l7, operator: NotIn, values: ["true"]} egress: - toEndpoints: - matchLabels: diff --git a/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml b/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml index be773989..0bd42621 100644 --- a/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml +++ b/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml @@ -71,6 +71,20 @@ spec: - "10.0.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" + - toEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": kube-system + "k8s:k8s-app": kube-dns + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: "ANY" + rules: + dns: + - matchPattern: "*" --- # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json apiVersion: cilium.io/v2 @@ -92,6 +106,20 @@ spec: - ports: - port: "443" protocol: ANY + - toEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": kube-system + "k8s:k8s-app": kube-dns + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: "ANY" + rules: + dns: + - matchPattern: "*" --- # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json apiVersion: cilium.io/v2 
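Review bot: With `- {key: dns.home.arpa/l7, operator: In, values: ["true"]}` added, the preceding `NotIn ["false"]` expression on the same selector is redundant (a value equal to `true` is never `false`) and can be dropped so the selector reads as a plain opt-in. A one-line comment above the selector, `# L7 (proxy-inspected) DNS only for endpoints that opt in with dns.home.arpa/l7=true`, would make the split with the policy below explicit. The policy's egress rules continue past the hunk.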
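Review bot: Flipping the second selector to `NotIn ["true"]` makes non-proxied DNS the default for every endpoint that is not labelled `dns.home.arpa/l7: "true"`, and the `description` above it, "from all Cilium managed endpoints in the cluster", no longer says that; `description: "L3/L4 egress allow to kube-dns for endpoints not labelled dns.home.arpa/l7=true (no DNS proxy, so toFQDNs does not resolve for them)"` would. The security consequence is worth recording in the file: as I understand Cilium, a `toFQDNs` rule only learns IPs when DNS replies pass through the proxy, so any policy with `toFQDNs` that did not get its own L7 `dns:` rule in this commit, and whose pods lack the label, fails closed from now on, while name-restricted `dns:` rules in per-app policies are only enforced when the pod carries the label and is thereby excluded from this broad allow. The selector's egress rules continue past the hunk.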
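Review bot: The two `matchLabels` entries in the added `toEndpoints` block select the same pods: Cilium treats a key without a source prefix as `any:`, which already matches the `k8s:`-prefixed labels, so the second entry (`io.kubernetes.pod.namespace: kube-system` / `k8s-app: kube-dns`) is redundant as far as I can tell and one of the two forms can go. The same block is pasted verbatim into every policy in this commit; anchors cannot cross `---` documents, so a short comment such as `# L7 DNS rule: needed so the proxy sees replies and toFQDNs can learn IPs` at each copy would at least explain why it is there. The policy's earlier egress rules (the RFC1918 `toCIDRSet` above) start before this hunk.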
@@ -111,6 +139,20 @@ spec: protocol: TCP - port: "443" protocol: UDP + - toEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": kube-system + "k8s:k8s-app": kube-dns + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: "ANY" + rules: + dns: + - matchPattern: "*" --- # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json apiVersion: cilium.io/v2 diff --git a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml index 173a2dc0..52e53de6 100644 --- a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml +++ b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml @@ -116,6 +116,20 @@ spec: - toFQDNs: - matchPattern: "*.${DNS_MAIN}" - matchPattern: "*.${DNS_SHORT}" + - toEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": kube-system + "k8s:k8s-app": kube-dns + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: "ANY" + rules: + dns: + - matchPattern: "*" - toCIDRSet: - cidr: "${IP_ROUTER_LAN_CIDR}" toPorts: diff --git a/kube/deploy/core/storage/rook-ceph/app/netpol.yaml b/kube/deploy/core/storage/rook-ceph/app/netpol.yaml index 2968b451..872cb96c 100644 --- a/kube/deploy/core/storage/rook-ceph/app/netpol.yaml +++ b/kube/deploy/core/storage/rook-ceph/app/netpol.yaml @@ -50,8 +50,8 @@ spec: - matchLabels: rgw: "${CLUSTER_NAME}" io.kubernetes.pod.namespace: rook-ceph - - toFQDNs: - - matchName: "rgw-biohazard.${DNS_TS}" +# - toFQDNs: +# - matchName: "rgw-biohazard.${DNS_TS}" - toCIDRSet: - cidr: "${IP_VLAN_CEPH_CIDR}" toPorts:
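Review bot: The DNS rule added after the `toFQDNs` entry allows `matchPattern: "*"`, while the only FQDN egress visible in this hunk is `*.${DNS_MAIN}` and `*.${DNS_SHORT}`; if the controller has no other name-based egress, anchoring that list (`- toFQDNs: &internal`) and using `dns: *internal` keeps lookups to the names it is allowed to reach, as paperless-ngx's policy does. If the broad pattern is intentional (for example for ExternalName upstreams), a comment saying so would stop the next reader from tightening it. The egress list continues on both sides of the hunk (the `toCIDRSet` rule follows).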
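Review bot: Commenting out the `rgw-biohazard.${DNS_TS}` `toFQDNs` entry leaves dead config with no explanation, while every other policy in this commit instead gained an L7 `dns:` rule to keep its `toFQDNs` working. If the FQDN egress is no longer needed, delete the two lines; if it is only parked until a DNS rule is added, a comment such as `# disabled: needs an L7 dns rule to kube-dns (see the other netpols) before toFQDNs can resolve` records that. The egress list starts before the hunk and continues after it.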