From dbc1fb8a09f5ba2c4d3def2514ee17817317a83d Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Wed, 2 Apr 2025 14:42:19 +0200
Subject: [PATCH] Enable Cilium host firewall (#738)

This commit enables Cilium's host firewall feature and makes use of it to deny external connections to two exporters running as daemonset pods in the host network namespace.

Signed-off-by: Timofei Larkin
Co-authored-by: Timofei Larkin
---
 .../cilium/templates/networkpolicy.yaml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 packages/system/cilium/templates/networkpolicy.yaml

diff --git a/packages/system/cilium/templates/networkpolicy.yaml b/packages/system/cilium/templates/networkpolicy.yaml
new file mode 100644
index 00000000..3c0cf1af
--- /dev/null
+++ b/packages/system/cilium/templates/networkpolicy.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: restrict-system-components
+spec:
+  ingressDeny:
+  - fromEntities:
+    - world
+    toPorts:
+    - ports:
+      - port: "2379" # etcd
+      - port: "2380" # etcd
+      - port: "3367" # linstor
+      - port: "7473" # frr-metrics (metallb)
+      - port: "8123" # cozy assets server
+      - port: "9443" # kube-rbac-proxy
+      - port: "10250" # kubelet
+      - port: "10257" # kube-controller-manager
+      - port: "10259" # kube-scheduler
+  ingress:
+  - fromEntities:
+    - world
+    - host
+    - cluster
+  nodeSelector:
+    matchLabels: {}
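Review bot: The `ingressDeny` entry only matches the `world` entity, while the `ingress` rule allows `cluster` to every host port with no `toPorts` restriction, so any pod in the cluster can still reach etcd (2379/2380), the kubelet API (10250) and the controller-manager/scheduler ports on the node — a wider exposure than the "external connections" the commit message describes, and one that matters if tenant workloads share the cluster. If pod-originated traffic to these ports is not intended, a second `ingressDeny` entry with the same `toPorts` that selects pod identities but not the reserved host/remote-node identities would close it, e.g. `- fromEndpoints: [{matchExpressions: [{key: k8s:io.kubernetes.pod.namespace, operator: Exists}]}]`; verify the selector against Cilium's identity labels first, since an over-broad one would also deny apiserver-to-kubelet traffic from other nodes. Separately, the diffstat shows only this template, yet the title says the host firewall is being enabled — unless `hostFirewall.enabled: true` is set in the chart values elsewhere, a CCNP with a `nodeSelector` is accepted by the API but not enforced, so a comment such as `# requires Cilium hostFirewall.enabled=true; otherwise this policy is accepted but not enforced` above `nodeSelector` would help the next reader. The `ports` entries carry no `protocol`, which defaults to ANY; if only TCP is meant, stating `protocol: TCP` documents that and narrows the deny.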