fix(kyak): add networking netpols

Signed-off-by: Tyler Witlin <[email protected]>
coolguy1771 · Jan 21, 2024 · 3207675 · 3207675
1 parent 1efcb79
commit 3207675
Show file tree

Hide file tree

Showing 6 changed files with 66 additions and 0 deletions.
diff --git a/kubernetes/kyak/apps/networking/cloudflared/app/kustomization.yaml b/kubernetes/kyak/apps/networking/cloudflared/app/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
   - ./externalsecret.yaml
   - ./dnsendpoint.yaml
   - ./helmrelease.yaml
+  - ./networkpolicy.yaml
 configMapGenerator:
   - name: cloudflared-configmap
     files:

diff --git a/kubernetes/kyak/apps/networking/cloudflared/app/networkpolicy.yaml b/kubernetes/kyak/apps/networking/cloudflared/app/networkpolicy.yaml
@@ -0,0 +1,29 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: cloudflared
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: cloudflared
+  ingress:
+    # Prometheus
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: monitoring
+            app.kubernetes.io/name: prometheus
+      toPorts:
+        - ports:
+            - port: "8080"
+              protocol: "TCP"
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: ingress-nginx
+            app.kubernetes.io/instance: nginx-external
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: "TCP"
diff --git a/kubernetes/kyak/apps/networking/nginx/external/kustomization.yaml b/kubernetes/kyak/apps/networking/nginx/external/kustomization.yaml
@@ -5,3 +5,4 @@ kind: Kustomization
 resources:
   - ./externalsecret.yaml
   - ./helmrelease.yaml
+  - ./networkpolicy.yaml
diff --git a/kubernetes/kyak/apps/networking/nginx/external/networkpolicy.yaml b/kubernetes/kyak/apps/networking/nginx/external/networkpolicy.yaml
@@ -0,0 +1,17 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-ingress-nginx-external
+spec:
+  description: "Allow pods that require ingress to allow traffic from ingress-nginx, no port restrictions"
+  endpointSelector:
+    matchLabels:
+      ingress.home.arpa/nginx-external: allow
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: ingress-nginx
+            app.kubernetes.io/instance: nginx-external
+            io.kubernetes.pod.namespace: networking
diff --git a/kubernetes/kyak/apps/networking/nginx/internal/kustomization.yaml b/kubernetes/kyak/apps/networking/nginx/internal/kustomization.yaml
@@ -5,3 +5,4 @@ kind: Kustomization
 namespace: networking
 resources:
   - ./helmrelease.yaml
+  - ./networkpolicy.yaml
diff --git a/kubernetes/kyak/apps/networking/nginx/internal/networkpolicy.yaml b/kubernetes/kyak/apps/networking/nginx/internal/networkpolicy.yaml
@@ -0,0 +1,17 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-ingress-nginx-internal
+spec:
+  description: "Allow pods that require ingress to allow traffic from ingress-nginx, no port restrictions"
+  endpointSelector:
+    matchLabels:
+      ingress.home.arpa/nginx-internal: allow
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: ingress-nginx
+            app.kubernetes.io/instance: nginx-internal
+            io.kubernetes.pod.namespace: networking