From b089acf8dd74c136bb91ad5800bfa68dda203be3 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Sun, 7 May 2023 18:51:20 +0800
Subject: [PATCH] feat: netpols everything!
Signed-off-by: JJGadgets
---
 .../netpols/cluster-default-kube-dns.yaml | 39 ++++++++++
 .../cilium/netpols/kube-system-allow-all.yaml | 22 ++++++
 .../1-core/05-ingress/nginx/netpol.yaml | 77 +++++++++++++++++++
 kube/3-deploy/2-apps/gokapi/netpol.yaml | 33 ++++++++
 kube/3-deploy/2-apps/kanidm/app/netpol.yaml | 40 ++++++++++
 kube/3-deploy/2-apps/whoogle/netpol.yaml | 39 ++++++++++
 6 files changed, 250 insertions(+)
 create mode 100644 kube/3-deploy/1-core/01-networking/cilium/netpols/cluster-default-kube-dns.yaml
 create mode 100644 kube/3-deploy/1-core/01-networking/cilium/netpols/kube-system-allow-all.yaml
 create mode 100644 kube/3-deploy/1-core/05-ingress/nginx/netpol.yaml
 create mode 100644 kube/3-deploy/2-apps/gokapi/netpol.yaml
 create mode 100644 kube/3-deploy/2-apps/kanidm/app/netpol.yaml
 create mode 100644 kube/3-deploy/2-apps/whoogle/netpol.yaml
diff --git a/kube/3-deploy/1-core/01-networking/cilium/netpols/cluster-default-kube-dns.yaml b/kube/3-deploy/1-core/01-networking/cilium/netpols/cluster-default-kube-dns.yaml
new file mode 100644
index 00000000..8867cce2
--- /dev/null
+++ b/kube/3-deploy/1-core/01-networking/cilium/netpols/cluster-default-kube-dns.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: "cluster-default-kube-dns-ingress"
+spec:
+ description: "Policy for ingress allow to kube-dns from all Cilium managed endpoints in the cluster"
+ endpointSelector:
+ matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ ingress:
+ - fromEndpoints:
+ - {}
+ toPorts:
+ - ports:
+ - port: "53"
+ # rules:
+ # dns:
+ # - matchPattern: "*"
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: "cluster-default-kube-dns-egress"
+spec:
+ description: "Policy for egress allow to kube-dns from all Cilium managed endpoints in the cluster"
+ endpointSelector: {}
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ # rules:
+ # dns:
+ # - matchPattern: "*"
diff --git a/kube/3-deploy/1-core/01-networking/cilium/netpols/kube-system-allow-all.yaml b/kube/3-deploy/1-core/01-networking/cilium/netpols/kube-system-allow-all.yaml
new file mode 100644
index 00000000..7306abc4
--- /dev/null
+++ b/kube/3-deploy/1-core/01-networking/cilium/netpols/kube-system-allow-all.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: kube-system-allow-all
+ namespace: kube-system
+spec:
+ endpointSelector: {}
+ ingress:
+ - fromEntities:
+ - cluster
+ - fromEndpoints:
+ - {}
+ - fromEntities:
+ - world
+ egress:
+ - toEntities:
+ - world
+ - toEndpoints:
+ - {}
+ - toEntities:
+ - cluster
diff --git a/kube/3-deploy/1-core/05-ingress/nginx/netpol.yaml b/kube/3-deploy/1-core/05-ingress/nginx/netpol.yaml
new file mode 100644
index 00000000..de7f49ae
--- /dev/null
+++ b/kube/3-deploy/1-core/05-ingress/nginx/netpol.yaml
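Review bot: The `rules: dns:` block under both port-53 `toPorts` entries is commented out, so DNS is allowed at L4 only and not routed through Cilium's DNS proxy; the `toFQDNs` egress rules in the ingress-nginx and gokapi hunks depend on that proxy to learn which IPs a name resolves to, so as far as I can tell they stay inert until the DNS rule in the clusterwide egress policy is enabled. If leaving it off is deliberate, a comment on the disabled block saying why and what it affects would save the next reader a debugging session, e.g. `# DNS proxy (L7) disabled for now; toFQDNs rules in other policies will not match until this is enabled`. The two documents also select kube-dns with different label forms — `k8s:io.kubernetes.pod.namespace` in the ingress policy, `io.kubernetes.pod.namespace` in the egress one; both should match, but one form throughout keeps the pair greppable.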
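Review bot: With `endpointSelector: {}` and an ingress entry `fromEntities: - world` that carries no `toPorts`, every pod in kube-system accepts traffic on every port from any address outside the cluster wherever a route to the pod exists, which goes beyond what a cluster-internal "allow all" needs. If no kube-system workload is meant to serve non-cluster clients directly, drop the `- fromEntities: - world` ingress entry — `cluster` together with the unscoped `fromEndpoints: - {}` already admits all in-cluster sources (the latter is in fact redundant with the former) — or, if something there must be reachable from outside, give that entry a `toPorts` list. A `description:` like the ones in the clusterwide kube-dns policy would also record that this is an intentional placeholder, which the nginx policy's 2023-05-07 comment implies.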
@@ -0,0 +1,77 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: ingress-nginx-default
+ namespace: ingress
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ ingress:
+ # all ingress-nginx traffic
+ - fromEndpoints:
+ - matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ # allow all ingress traffic outside cluster
+ - fromEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "80"
+ - port: "443"
+ # allow traffic from external-proxy-x
+ - fromEndpoints:
+ - matchLabels:
+ app.kubernetes.io/instance: external-proxy-x
+ toPorts:
+ - ports:
+ - port: "80"
+ - port: "443"
+ - port: "8443"
+ # allow traffic from CloudFlare's cloudflared tunnel
+ - fromEndpoints:
+ - matchLabels:
+ app.kubernetes.io/instance: cloudflared
+ app.kubernetes.io/name: cloudflared
+ io.kubernetes.pod.namespace: cloudflare
+ toPorts:
+ - ports:
+ - port: "443"
+ egress:
+ # allow egress to all owned/controlled resources outside cluster
+ - toFQDNs:
+ - matchPattern: "*.${DNS_MAIN}"
+ - matchPattern: "*.${DNS_SHORT}"
+ - toCIDRSet:
+ - cidr: "${IP_ROUTER_LAN_CIDR}"
+ toPorts:
+ - ports:
+ - port: "80"
+ - port: "443"
+ - port: "9000"
+ - port: "9443"
+ - port: "8086"
+ # allow ingress-nginx traffic
+ - toEndpoints:
+ - matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ # allow egress to all pods, except pods in core namespaces that don't need ingress controllers
+ - toEndpoints:
+ - matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: NotIn
+ values:
+ - kube-system
+ - flux-system
+ - rook-ceph
+ # allow egress to hubble-ui (2023-05-07: no kube-system netpols planned)
+ - toServices:
+ - k8sService:
+ serviceName: hubble-ui
+ namespace: kube-system
+ - toEndpoints:
+ - matchLabels:
+ k8s-app: hubble-ui
+ io.kubernetes.pod.namespace: kube-system
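Review bot: No egress rule reaches the Kubernetes API server, which the controller needs in order to watch Ingress, Service and Endpoints objects: `toFQDNs` on `*.${DNS_MAIN}`/`*.${DNS_SHORT}`, `toCIDRSet` on `${IP_ROUTER_LAN_CIDR}` (80/443/9000/9443/8086), the namespace-excluded `toEndpoints`, and the two hubble-ui rules do not cover the `kube-apiserver` entity unless the API server happens to sit inside that LAN CIDR on 443. If it does not, add `- toEntities: - kube-apiserver` under `egress:`; if it does, a comment on the `toCIDRSet` rule noting that 443 is also the API-server path would make the dependency explicit rather than accidental. The `toServices`/`k8sService` rule for hubble-ui deserves a note too: as I recall, Cilium releases current at this commit applied `toServices` only to services without selectors, which is presumably why the `toEndpoints` match on `k8s-app: hubble-ui` follows it — a one-line comment saying which of the two is expected to do the work would help. Lastly, the `toFQDNs` rule carries no `toPorts`, so it allows every port to every host under those domains; if the intent is HTTP(S) back-ends, a `toPorts` list like the `toCIDRSet` rule's would bound it.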
diff --git a/kube/3-deploy/2-apps/gokapi/netpol.yaml b/kube/3-deploy/2-apps/gokapi/netpol.yaml
new file mode 100644
index 00000000..f2e6a7dd
--- /dev/null
+++ b/kube/3-deploy/2-apps/gokapi/netpol.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: &app gokapi
+ namespace: *app
+spec:
+ endpointSelector: {}
+ ingress:
+ # same namespace
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: *app
+ # ingress controller
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ toPorts:
+ - ports:
+ - port: "53842"
+ egress:
+ # same namespace
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: *app
+ # allow traffic to Authentik for OIDC
+ - toFQDNs:
+ - matchName: "${APP_DNS_AUTH}"
+ toPorts:
+ - ports:
+ - port: "443"
diff --git a/kube/3-deploy/2-apps/kanidm/app/netpol.yaml b/kube/3-deploy/2-apps/kanidm/app/netpol.yaml
new file mode 100644
index 00000000..00c88a46
--- /dev/null
+++ b/kube/3-deploy/2-apps/kanidm/app/netpol.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: &app kanidm
+ namespace: *app
+spec:
+ endpointSelector: {}
+ ingress:
+ # same namespace
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: *app
+ # ingress controller
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ toPorts:
+ - ports:
+ - port: "443"
+ - port: "8443"
+ - port: "636"
+ - port: "3636"
+ - fromCIDRSet:
+ - cidr: "${IP_ROUTER_LAN_CIDR}"
+ - cidr: "${IP_WG_USER_1_V4}"
+ - cidr: "${IP_WG_GUEST_V4}"
+ toPorts:
+ - ports:
+ - port: "443"
+ - port: "8443"
+ - port: "636"
+ - port: "3636"
+ egress:
+ # same namespace
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: *app
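Review bot: The `toFQDNs` rule for `"${APP_DNS_AUTH}"` only matches destinations that Cilium identifies by IP (world/CIDR identities); as I understand Cilium's FQDN handling, if that name resolves to an address that is DNAT'd onto the in-cluster ingress-nginx pods, the packet carries the pod's identity instead and this rule will not admit the OIDC hop. A `toEndpoints` entry selecting `io.kubernetes.pod.namespace: ingress` plus the two `app.kubernetes.io/*: ingress-nginx` labels on port 443 — mirroring the ingress-controller rule above — would cover that case. The rule also depends on DNS-proxy visibility, which is commented out in the clusterwide kube-dns egress policy in this same commit. A comment stating which path `${APP_DNS_AUTH}` takes in this cluster would make this checkable, e.g. `# ${APP_DNS_AUTH} resolves to <placeholder: external IP or in-cluster LB>; toFQDNs only covers non-pod destinations`.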
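Review bot: The `fromCIDRSet` ingress rule is the only rule in this file without a comment, and it is the one with the widest effect: `${IP_ROUTER_LAN_CIDR}`, `${IP_WG_USER_1_V4}` and `${IP_WG_GUEST_V4}` are admitted directly to 636/3636 (LDAPS by convention) and 8443, bypassing the ingress controller, so a comment recording whether the guest VPN range is meant to have LDAP access — e.g. `# direct LAN/WireGuard access for LDAP clients (guest range intentional)` adjusted to the real intent — would make that decision reviewable. The four-port list is repeated verbatim between the ingress-controller rule and this one; anchoring the first `ports:` sequence (say `&kanidm_ports`) and aliasing it here keeps the two from drifting. Note also that ingress `fromCIDRSet` only matches when the client's source address survives to the pod; if these clients arrive through a Service that SNATs to a node address, the traffic carries a node/remote-node identity and this rule does nothing — I cannot tell from the hunk which applies.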
diff --git a/kube/3-deploy/2-apps/whoogle/netpol.yaml b/kube/3-deploy/2-apps/whoogle/netpol.yaml
new file mode 100644
index 00000000..fe563644
--- /dev/null
+++ b/kube/3-deploy/2-apps/whoogle/netpol.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: &app whoogle
+ namespace: *app
+spec:
+ endpointSelector: {}
+ ingress:
+ # same namespace
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: *app
+ # ingress controller
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ toPorts:
+ - ports:
+ - port: "5000"
+ egress:
+ # same namespace
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: *app
+ # allow Whoogle to connect to public Internet
+ - toEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "443"
+ # allow querying $IP_HOME_DNS
+ - toCIDRSet:
+ - cidr: "${IP_HOME_DNS}/32"
+ toPorts:
+ - ports:
+ - port: "53"
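Review bot: The `toEntities: - world` egress rule on 443 is commented as public-Internet access, but Cilium's `world` entity is everything outside the cluster, so unless the home LAN is part of the cluster's native routing range it also lets Whoogle reach every LAN host (the `${IP_ROUTER_LAN_CIDR}` range the other policies reference) on 443. If only the public Internet is intended, a `toCIDRSet` entry with `cidr: "0.0.0.0/0"` and an `except:` list naming the LAN range says so precisely; if LAN access on 443 is acceptable, amending the comment to say so avoids a misleading scope. The `${IP_HOME_DNS}/32` port-53 rule also means Whoogle resolves names outside kube-dns, so it neither benefits from nor depends on the Cilium DNS proxy; a word to that effect in the comment (and writing it as `${IP_HOME_DNS}` to match the value) would help.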