Enable Cilium host firewall (#738)

This commit enables Cilium's host firewall feature and makes use of it to deny external connections to two exporters running as daemonset pods in the host network namespace. Signed-off-by: Timofei Larkin <lllamnyp@gmail.com> Co-authored-by: Timofei Larkin <lllamnyp@gmail.com>
2026-01-27 10:18:39 +00:00 · 2025-04-02 14:42:19 +02:00
parent d9c6fb7625
commit dbc1fb8a09
1 changed files with 27 additions and 0 deletions
--- a/packages/system/cilium/templates/networkpolicy.yaml
+++ b/packages/system/cilium/templates/networkpolicy.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: restrict-system-components
+spec:
+  ingressDeny:
+  - fromEntities:
+    - world
+    toPorts:
+    - ports:
+      - port: "2379"  # etcd
+      - port: "2380"  # etcd
+      - port: "3367"  # linstor
+      - port: "7473"  # frr-metrics (metallb)
+      - port: "8123"  # cozy assets server
+      - port: "9443"  # kube-rbac-proxy
+      - port: "10250" # kubelet
+      - port: "10257" # kube-controller-manager
+      - port: "10259" # kube-scheduler
+  ingress:
+  - fromEntities:
+    - world
+    - host
+    - cluster
+  nodeSelector:
+    matchLabels: {}