fix(rook-ceph): netpol allow CNPG to RGW

Signed-off-by: JJGadgets <git@jjgadgets.tech>
2026-03-22 05:39:51 +00:00 · 2023-05-10 09:54:25 +08:00
parent 626d72563c
commit d4e604b462
1 changed files with 17 additions and 5 deletions
--- a/kube/3-deploy/1-core/02-storage/rook-ceph/app/netpol.yaml
+++ b/kube/3-deploy/1-core/02-storage/rook-ceph/app/netpol.yaml
@@ -23,11 +23,8 @@ spec:
    - toCIDRSet:
        - cidr: "${IP_PVE_CEPH_CIDR}"
    # k8s apiserver
-    - toEndpoints:
-        - matchLabels:
-            io.kubernetes.pod.namespace: default
-            component: apiserver
-            provider: kubernetes
+    - toEntities:
+        - kube-apiserver
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
@@ -48,6 +45,21 @@ spec:
      toPorts:
        - ports:
            - port: "6953"
+    # allow CNPG to connect
+    - fromEndpoints:
+        - matchExpressions:
+            - key: cnpg.io/cluster
+              operator: Exists
+      toPorts:
+        - ports:
+            - port: "6953"
+              protocol: TCP
+            - port: "6953"
+              protocol: UDP
+            - port: "8080"
+              protocol: TCP
+            - port: "8080"
+              protocol: UDP
  egress:
    # ingress controller webhook admission
    - toServices: