feat: netpols everything!

Signed-off-by: JJGadgets <git@jjgadgets.tech>
JJGadgets
2023-05-07 18:51:20 +08:00
parent 9023050d73
commit b089acf8dd
6 changed files with 250 additions and 0 deletions


@@ -0,0 +1,39 @@
---
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
name: "cluster-default-kube-dns-ingress"
spec:
description: "Policy for ingress allow to kube-dns from all Cilium managed endpoints in the cluster"
endpointSelector:
matchLabels:
k8s:io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
ingress:
- fromEndpoints:
- {}
toPorts:
- ports:
- port: "53"
# rules:
# dns:
# - matchPattern: "*"
---
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
name: "cluster-default-kube-dns-egress"
spec:
description: "Policy for egress allow to kube-dns from all Cilium managed endpoints in the cluster"
endpointSelector: {}
egress:
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
# rules:
# dns:
# - matchPattern: "*"
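Review bot: Leaving the `rules.dns` block commented out at the end of the kube-dns egress policy means the Cilium DNS proxy is never engaged for these flows, and to my knowledge the `toFQDNs` rules added elsewhere in this commit (the ingress-nginx `*.${DNS_MAIN}` / `*.${DNS_SHORT}` patterns and the gokapi `${APP_DNS_AUTH}` rule) only learn allowed IPs when some egress rule to the DNS server carries a DNS L7 rule. Unless such a rule exists in a policy outside this commit, those FQDN-based allows will silently drop traffic. Restoring the block under the egress `toPorts` entry as `rules:` / `  dns:` / `    - matchPattern: "*"` is the usual fix (`"*"` allows every query, it only turns the proxy on); the ingress-side copy can stay commented. A smaller consistency nit: the ingress policy selects kube-dns with the `k8s:io.kubernetes.pod.namespace` key while the egress policy uses the unprefixed `io.kubernetes.pod.namespace`; both are accepted, but one form would be easier to grep.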


@@ -0,0 +1,22 @@
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: kube-system-allow-all
namespace: kube-system
spec:
endpointSelector: {}
ingress:
- fromEntities:
- cluster
- fromEndpoints:
- {}
- fromEntities:
- world
egress:
- toEntities:
- world
- toEndpoints:
- {}
- toEntities:
- cluster
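Review bot: This kube-system policy is an explicit allow-all in both directions with no port scope, which is a deliberate choice that deserves to be stated in the manifest itself rather than only in the ingress-nginx comment about kube-system netpols. The two `{}` endpoint selectors are already covered by the `cluster` entity, and `cluster` plus `world` is the `all` entity, so the intent reads more honestly as `- fromEntities: [all]` / `- toEntities: [all]` with a `spec.description` such as `"Placeholder allow-all for kube-system; narrow per workload before exposing services"`. Because the policy selects every kube-system endpoint and Cilium unions allow rules, any later tightening has to happen by editing this policy, not by adding a more specific one alongside it — worth a comment so nobody expects a second policy to take precedence.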


@@ -0,0 +1,77 @@
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: ingress-nginx-default
namespace: ingress
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
ingress:
# all ingress-nginx traffic
- fromEndpoints:
- matchLabels:
app.kubernetes.io/name: ingress-nginx
# allow all ingress traffic outside cluster
- fromEntities:
- world
toPorts:
- ports:
- port: "80"
- port: "443"
# allow traffic from external-proxy-x
- fromEndpoints:
- matchLabels:
app.kubernetes.io/instance: external-proxy-x
toPorts:
- ports:
- port: "80"
- port: "443"
- port: "8443"
# allow traffic from CloudFlare's cloudflared tunnel
- fromEndpoints:
- matchLabels:
app.kubernetes.io/instance: cloudflared
app.kubernetes.io/name: cloudflared
io.kubernetes.pod.namespace: cloudflare
toPorts:
- ports:
- port: "443"
egress:
# allow egress to all owned/controlled resources outside cluster
- toFQDNs:
- matchPattern: "*.${DNS_MAIN}"
- matchPattern: "*.${DNS_SHORT}"
- toCIDRSet:
- cidr: "${IP_ROUTER_LAN_CIDR}"
toPorts:
- ports:
- port: "80"
- port: "443"
- port: "9000"
- port: "9443"
- port: "8086"
# allow ingress-nginx traffic
- toEndpoints:
- matchLabels:
app.kubernetes.io/name: ingress-nginx
# allow egress to all pods, except pods in core namespaces that don't need ingress controllers
- toEndpoints:
- matchExpressions:
- key: io.kubernetes.pod.namespace
operator: NotIn
values:
- kube-system
- flux-system
- rook-ceph
# allow egress to hubble-ui (2023-05-07: no kube-system netpols planned)
- toServices:
- k8sService:
serviceName: hubble-ui
namespace: kube-system
- toEndpoints:
- matchLabels:
k8s-app: hubble-ui
io.kubernetes.pod.namespace: kube-system
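Review bot: The `toFQDNs` rule at the top of the egress list has no `toPorts`, so once a name under `*.${DNS_MAIN}` or `*.${DNS_SHORT}` resolves, ingress-nginx may reach it on any port, unlike the sibling `toCIDRSet` rule that is pinned to 80/443/9000/9443/8086. If the FQDN targets are the same LAN hosts, copying that `toPorts` list onto the FQDN rule keeps the two consistent; if they are deliberately unrestricted, say so in the comment. The final `toServices: k8sService: hubble-ui` entry is immediately followed by a `toEndpoints` rule selecting the same pods; as far as I recall, `toServices` only takes effect for services without selectors in Cilium releases of this period, so the `toEndpoints` rule is presumably the one doing the work and a comment like `# toEndpoints is the effective rule; toServices kept for selector-based service support` would record that. The `matchExpressions NotIn` rule likewise carries no port scope, which is expected for an ingress controller reaching arbitrary backend ports but belongs in its comment as well.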


@@ -0,0 +1,33 @@
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: &app gokapi
namespace: *app
spec:
endpointSelector: {}
ingress:
# same namespace
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: *app
# ingress controller
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
toPorts:
- ports:
- port: "53842"
egress:
# same namespace
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: *app
# allow traffic to Authentik for OIDC
- toFQDNs:
- matchName: "${APP_DNS_AUTH}"
toPorts:
- ports:
- port: "443"
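Review bot: The OIDC egress rule to `${APP_DNS_AUTH}` on 443 only behaves as intended if that name resolves to an address outside the cluster, which cannot be determined from this file. If it resolves to the in-cluster ingress controller instead, the packets arrive there carrying the gokapi pod's identity rather than `world`, and the ingress-nginx policy in this commit admits 443 only from `world`, external-proxy-x and cloudflared, so the authentication round-trip would be dropped on the ingress side; in that case a `fromEndpoints` entry for `io.kubernetes.pod.namespace: gokapi` (or a shared label for OIDC clients) belongs in the ingress-nginx policy. A comment on this rule recording which path the name takes, e.g. `# APP_DNS_AUTH resolves to <external|ingress> — confirm; if in-cluster, ingress-nginx must admit this namespace`, would save the next reader the same question.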


@@ -0,0 +1,40 @@
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: &app kanidm
namespace: *app
spec:
endpointSelector: {}
ingress:
# same namespace
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: *app
# ingress controller
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
toPorts:
- ports:
- port: "443"
- port: "8443"
- port: "636"
- port: "3636"
- fromCIDRSet:
- cidr: "${IP_ROUTER_LAN_CIDR}"
- cidr: "${IP_WG_USER_1_V4}"
- cidr: "${IP_WG_GUEST_V4}"
toPorts:
- ports:
- port: "443"
- port: "8443"
- port: "636"
- port: "3636"
egress:
# same namespace
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: *app
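Review bot: The `fromCIDRSet` ingress rule only admits LAN and WireGuard clients if their packets reach the kanidm pod with the original source address; Cilium matches CIDR selectors against the source as seen at the endpoint, so if the service is reached through a LoadBalancer or NodePort that SNATs, the source becomes a node (the `host` / `remote-node` entities) and this rule never matches. I cannot tell from this hunk which delivery path is used, so a comment such as `# clients must arrive un-SNATed (externalTrafficPolicy: Local or direct routing) for the CIDR match to apply — confirm` would make the assumption explicit. Also, if `${IP_ROUTER_LAN_CIDR}` contains the node addresses themselves, Cilium classifies those as node identities rather than CIDR identities, so node-originated traffic is not covered here either. Minor: the four-port list (443, 8443, 636, 3636) is duplicated between the two rules and is easy to let drift; a one-line comment naming what each port is would help keep them in step.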


@@ -0,0 +1,39 @@
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: &app whoogle
namespace: *app
spec:
endpointSelector: {}
ingress:
# same namespace
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: *app
# ingress controller
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
toPorts:
- ports:
- port: "5000"
egress:
# same namespace
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: *app
# allow Whoogle to connect to public Internet
- toEntities:
- world
toPorts:
- ports:
- port: "443"
# allow querying $IP_HOME_DNS
- toCIDRSet:
- cidr: "${IP_HOME_DNS}/32"
toPorts:
- ports:
- port: "53"
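Review bot: The `toEntities: world` egress on 443 admits more than the "public Internet" named in its comment: in Cilium, `world` covers every destination outside the cluster, LAN hosts included, so Whoogle can reach any HTTPS service on the home network as well. If that is unintended, the rule can be written as a `toCIDRSet` entry with `cidr: "0.0.0.0/0"` and an `except:` list holding `${IP_ROUTER_LAN_CIDR}` and the other private ranges in use; if intended, adjust the comment to say so. The last rule sends port-53 traffic straight to `${IP_HOME_DNS}`, bypassing kube-dns and the Cilium DNS proxy, which is fine because this policy has no `toFQDNs` rules, but a comment like `# direct DNS, not proxied by Cilium; toFQDNs rules added here would not learn these answers` prevents a silent break later. Minor: the comment says `$IP_HOME_DNS` while the value uses `${IP_HOME_DNS}`; use the braced form in both so a grep for the substitution finds them together.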