Add baremetal servers

hetzner/README.md

@@ -110,6 +110,44 @@ make create-kubeconfig
 make create-infrastructure
 ```
 
+## Add barematal (robot) servers
+
+Run server in [Rescue mode](https://docs.hetzner.com/robot/dedicated-server/troubleshooting/hetzner-rescue-system/).
+
+```shell
+wget -O /tmp/metal-amd64.tar.gz https://github.com/siderolabs/talos/releases/download/v1.2.2/metal-amd64.tar.gz
+tar -Oxzf /tmp/talos-amd64.tar.gz > /dev/sda
+```
+
+Part of Talos machineconfig:
+
+```yaml
+  network:
+    hostname: server-name
+    interfaces:
+      - interface: eth0
+        addresses:
+          - IPv4/mask
+          - IPv6/64
+        routes:
+          - network: 0.0.0.0/0
+            gateway: IPv4.GW
+          - network: ::/0
+            gateway: fe80::1
+        vlans:
+          - vlanId: VLAN-ID
+            dhcp: false
+            mtu: 1400
+            addresses:
+              - 172.16.2.XXX/24
+            routes:
+              - network: 172.16.0.0/16
+                gateway: 172.16.2.1
+  install:
+    disk: /dev/sda
+    wipe: false
+```
+
 ## Node Autoscaler
 
 Cluster Autoscaler for [Hetzner Cloud](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler/cloudprovider/hetzner)

hetzner/deployments/cilium-policy.yaml

@@ -0,0 +1,91 @@
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: controlplane
+spec:
+  nodeSelector:
+    matchLabels:
+      node-role.kubernetes.io/control-plane: ""
+  ingress:
+    - toPorts:
+        - ports:
+          - port: "6443"
+            protocol: TCP
+          - port: "50000"
+            protocol: TCP
+    - toPorts:
+        - ports:
+          - port: "2379"
+            protocol: TCP
+          - port: "2380"
+            protocol: TCP
+          - port: "50001"
+            protocol: TCP
+      fromCIDR:
+        - 172.16.0.0/16
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: common
+spec:
+  nodeSelector:
+    matchLabels:
+      {}
+  ingress:
+    - fromEntities:
+        - host
+        - remote-node
+        - health
+    - toPorts:
+        - ports:
+          - port: "53"
+            protocol: ANY
+    - fromEndpoints:
+        - matchLabels:
+            "k8s:io.kubernetes.pod.namespace": kube-system
+            "k8s-app": hubble-relay
+      toPorts:
+        - ports:
+          - port: "4244"
+            protocol: TCP
+    - fromEndpoints:
+        - matchLabels:
+            "k8s:io.kubernetes.pod.namespace": kube-system
+            "k8s-app": metrics-server
+      toPorts:
+        - ports:
+          - port: "10250"
+            protocol: TCP
+    - fromEndpoints:
+        - matchLabels:
+            "k8s:io.kubernetes.pod.namespace": monitoring
+            "app": prometheus
+            "component": server
+      toPorts:
+        - ports:
+          - port: "9090"
+            protocol: TCP
+          - port: "9091"
+            protocol: TCP
+          - port: "9153"
+            protocol: TCP
+          - port: "10254"
+            protocol: TCP
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: web
+spec:
+  nodeSelector:
+    matchLabels:
+      project.io/node-pool: web
+  ingress:
+    - toPorts:
+        - ports:
+          - port: "80"
+            protocol: TCP
+          - port: "443"
+            protocol: TCP