From d4e604b462a5fd9c36bfd72b86c068485e1aa306 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Wed, 10 May 2023 09:54:25 +0800
Subject: [PATCH] fix(rook-ceph): netpol allow CNPG to RGW

Signed-off-by: JJGadgets
---
 .../02-storage/rook-ceph/app/netpol.yaml | 22 ++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/app/netpol.yaml b/kube/3-deploy/1-core/02-storage/rook-ceph/app/netpol.yaml
index 8eac2424..78fa4a5c 100644
--- a/kube/3-deploy/1-core/02-storage/rook-ceph/app/netpol.yaml
+++ b/kube/3-deploy/1-core/02-storage/rook-ceph/app/netpol.yaml
@@ -23,11 +23,8 @@ spec:
 - toCIDRSet:
 - cidr: "${IP_PVE_CEPH_CIDR}"
 # k8s apiserver
- - toEndpoints:
- - matchLabels:
- io.kubernetes.pod.namespace: default
- component: apiserver
- provider: kubernetes
+ - toEntities:
+ - kube-apiserver
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
@@ -48,6 +45,21 @@ spec:
 toPorts:
 - ports:
 - port: "6953"
+ # allow CNPG to connect
+ - fromEndpoints:
+ - matchExpressions:
+ - key: cnpg.io/cluster
+ operator: Exists
+ toPorts:
+ - ports:
+ - port: "6953"
+ protocol: TCP
+ - port: "6953"
+ protocol: UDP
+ - port: "8080"
+ protocol: TCP
+ - port: "8080"
+ protocol: UDP
 egress:
 # ingress controller webhook admission
 - toServices:
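Review bot: The new `toEntities: - kube-apiserver` rule in the first hunk carries no `toPorts`, so egress to the API server entity is permitted on every port; adding `toPorts: - ports: - port: "6443"` with `protocol: TCP` (or whatever port the cluster's API server actually listens on) keeps the rule least-privilege while still fixing the selector problem the commit addresses. The `kube-apiserver` entity also only exists in Cilium releases that define it (1.12 onward, as far as I recall), so it is worth confirming the installed version resolves it, since an unknown entity would leave the daemon with no matching egress rule rather than a loud failure. The `# k8s apiserver` comment is now redundant with the entity name and could instead say why the entity form is preferred, e.g. `# kube-apiserver entity tracks API server endpoints regardless of namespace/labels`. The enclosing egress list begins before this hunk.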
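Review bot: The new `fromEndpoints` selector in the second hunk keys only on `cnpg.io/cluster`, and as far as I recall a CiliumNetworkPolicy's `fromEndpoints` is limited to the policy's own namespace unless the selector names `k8s:io.kubernetes.pod.namespace`; if the CNPG clusters run in other namespaces this rule will silently admit nothing, and if cross-namespace access is intended the namespace(s) should be selected explicitly rather than widened to all. The `protocol: UDP` entries for `"6953"` and `"8080"` look unnecessary for an object gateway serving S3 over HTTP; dropping the two UDP port entries narrows the allow to what RGW actually serves. The comment could state the purpose rather than the mechanism, e.g. `# allow CNPG clusters to reach RGW (S3 over TCP)`. The policy's `endpointSelector` and the rest of the ingress list sit outside this hunk.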