From d9c6fb7625f5e2e5f64f094f1306ec402d42c96a Mon Sep 17 00:00:00 2001 From: Timofei Larkin Date: Wed, 2 Apr 2025 15:16:15 +0400 Subject: [PATCH] Enable Cilium host firewall (#736) This commit enables Cilium's host firewall feature and makes use of it to deny external connections to two exporters running as daemonset pods in the host network namespace. ## Summary by CodeRabbit - **New Features** - Host firewall is now enabled by default, adding an extra layer of security. - Enhanced network traffic management with new policies: - One policy tightens access to critical service ports. - Another secures monitoring endpoints by restricting unauthorized external access. Signed-off-by: Timofei Larkin
---
 packages/system/cilium/values.yaml | 2 ++
 .../linstor/templates/networkpolicy.yaml | 19 +++++++++++++++++++
 .../templates/networkpolicy.yaml | 19 +++++++++++++++++++
 3 files changed, 40 insertions(+)
 create mode 100644 packages/system/linstor/templates/networkpolicy.yaml
 create mode 100644 packages/system/monitoring-agents/templates/networkpolicy.yaml
diff --git a/packages/system/cilium/values.yaml b/packages/system/cilium/values.yaml
index 476fc0b4..1e6ef6e8 100644
--- a/packages/system/cilium/values.yaml
+++ b/packages/system/cilium/values.yaml
@@ -1,5 +1,7 @@
 cilium:
 kubeProxyReplacement: true
+ hostFirewall:
+ enabled: true
 hubble:
 enabled: false
 externalIPs:
diff --git a/packages/system/linstor/templates/networkpolicy.yaml b/packages/system/linstor/templates/networkpolicy.yaml
new file mode 100644
index 00000000..e8129b30
--- /dev/null
+++ b/packages/system/linstor/templates/networkpolicy.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: restrict-drbd-reactor
+spec:
+ ingressDeny:
+ - fromEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "9942"
+ ingress:
+ - fromEntities:
+ - world
+ - host
+ - cluster
+ nodeSelector:
+ matchLabels: {} 
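Review bot: The two added `hostFirewall` lines put every node into host-firewall enforcement without a comment recording what now depends on it: the CiliumClusterwideNetworkPolicy objects added in the same commit use a `nodeSelector`, and a node selected by a policy with an `ingress` section is in default-deny for ingress, which is presumably why each of those policies carries an allow-all `ingress` rule of its own. Suggest above `hostFirewall:` the comment `# Needed by the CiliumClusterwideNetworkPolicy objects that close host-network exporter ports; a node selected by such a policy is default-deny for that direction, so every node policy must also carry an explicit allow rule.` Since `hubble.enabled` stays `false` in this hunk, host-level drops will not be visible in Hubble; on existing clusters consider a first rollout with Cilium's `policyAuditMode` enabled, or document how node-policy drops are to be inspected, because a wrong node policy can cut access to the node itself. The `cilium:` values block continues outside the hunk.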
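Review bot: The `ingress` rule at the end of the new linstor policy allows ingress from `world`, `host` and `cluster`, i.e. from everywhere, and nothing in the file says why; a reader will read it as an accidental allow-all rather than the guard it presumably is, since with the host firewall on a node matched by `nodeSelector.matchLabels: {}` (every node) would otherwise drop all ingress not explicitly allowed, while `ingressDeny` still takes precedence over the allow. Suggest above `ingress:` the comment `# Allow everything not matched by ingressDeny above: a node selected by this policy is default-deny for ingress, and only port 9942 is meant to be closed to the outside.` and above `nodeSelector:` a note that an empty `matchLabels` selects all nodes. The same applies to the identical rule in `packages/system/monitoring-agents/templates/networkpolicy.yaml` in this commit. As the two files differ only in `name` and `port`, a shared template or a cross-referencing comment would help keep them in sync.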
diff --git a/packages/system/monitoring-agents/templates/networkpolicy.yaml b/packages/system/monitoring-agents/templates/networkpolicy.yaml
new file mode 100644
index 00000000..aa6dd4fe
--- /dev/null
+++ b/packages/system/monitoring-agents/templates/networkpolicy.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: restrict-node-exporter
+spec:
+ ingressDeny:
+ - fromEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "9100"
+ ingress:
+ - fromEntities:
+ - world
+ - host
+ - cluster
+ nodeSelector:
+ matchLabels: {}