From 3207675cd63d982b7db0edfc513035785f335492 Mon Sep 17 00:00:00 2001
From: Tyler Witlin
Date: Sat, 20 Jan 2024 19:02:13 -0500
Subject: [PATCH] fix(kyak): add networking netpols

Signed-off-by: Tyler Witlin
---
 .../cloudflared/app/kustomization.yaml | 1 +
 .../cloudflared/app/networkpolicy.yaml | 29 +++++++++++++++++++
 .../nginx/external/kustomization.yaml | 1 +
 .../nginx/external/networkpolicy.yaml | 17 +++++++++++
 .../nginx/internal/kustomization.yaml | 1 +
 .../nginx/internal/networkpolicy.yaml | 17 +++++++++++
 6 files changed, 66 insertions(+)
 create mode 100644 kubernetes/kyak/apps/networking/cloudflared/app/networkpolicy.yaml
 create mode 100644 kubernetes/kyak/apps/networking/nginx/external/networkpolicy.yaml
 create mode 100644 kubernetes/kyak/apps/networking/nginx/internal/networkpolicy.yaml

diff --git a/kubernetes/kyak/apps/networking/cloudflared/app/kustomization.yaml b/kubernetes/kyak/apps/networking/cloudflared/app/kustomization.yaml
index 0970e96fe9..1775f02a91 100644
--- a/kubernetes/kyak/apps/networking/cloudflared/app/kustomization.yaml
+++ b/kubernetes/kyak/apps/networking/cloudflared/app/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
   - ./externalsecret.yaml
   - ./dnsendpoint.yaml
   - ./helmrelease.yaml
+  - ./networkpolicy.yaml
 configMapGenerator:
   - name: cloudflared-configmap
     files:
diff --git a/kubernetes/kyak/apps/networking/cloudflared/app/networkpolicy.yaml b/kubernetes/kyak/apps/networking/cloudflared/app/networkpolicy.yaml
new file mode 100644
index 0000000000..24f8a9c889
--- /dev/null
+++ b/kubernetes/kyak/apps/networking/cloudflared/app/networkpolicy.yaml
@@ -0,0 +1,29 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: cloudflared
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: cloudflared
+  ingress:
+    # Prometheus
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: monitoring
+            app.kubernetes.io/name: prometheus
+      toPorts:
+        - ports:
+            - port: "8080"
+              protocol: "TCP"
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: ingress-nginx
+            app.kubernetes.io/instance: nginx-external
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: "TCP"
diff --git a/kubernetes/kyak/apps/networking/nginx/external/kustomization.yaml b/kubernetes/kyak/apps/networking/nginx/external/kustomization.yaml
index 4eed917b96..decfaab383 100644
--- a/kubernetes/kyak/apps/networking/nginx/external/kustomization.yaml
+++ b/kubernetes/kyak/apps/networking/nginx/external/kustomization.yaml
@@ -5,3 +5,4 @@ kind: Kustomization
 resources:
   - ./externalsecret.yaml
   - ./helmrelease.yaml
+  - ./networkpolicy.yaml
diff --git a/kubernetes/kyak/apps/networking/nginx/external/networkpolicy.yaml b/kubernetes/kyak/apps/networking/nginx/external/networkpolicy.yaml
new file mode 100644
index 0000000000..5fddcf50a8
--- /dev/null
+++ b/kubernetes/kyak/apps/networking/nginx/external/networkpolicy.yaml
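Review bot: The `egress:` block at the end of the new cloudflared policy allows only TCP 443 to the nginx-external pods, and in Cilium the presence of any egress rule on a selected endpoint puts that endpoint into default-deny for every other egress flow. Unless a policy outside this patch covers it, that cuts the tunnel's own outbound connections to Cloudflare's edge and its cluster DNS lookups, so the connector would stop carrying the very traffic this rule is meant to permit. The Prometheus ingress rule on 8080 reads fine as written. I would add explicit egress rules for cluster DNS and for the `world` entity, narrowed to the transport the tunnel is configured for, and keep the existing rule to ingress-nginx; the DNS pod labels and tunnel ports below are assumptions to confirm against this cluster.
```yaml
  egress:
    # Cluster DNS - cloudflared cannot resolve the edge or any origin without it
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns  # assumed label of the DNS pods; confirm for this cluster
      toPorts:
        - ports:
            - port: "53"
              protocol: "ANY"
    # Outbound tunnel to Cloudflare's edge; keep only the transport the tunnel actually uses
    - toEntities:
        - world
      toPorts:
        - ports:
            - port: "7844"
              protocol: "ANY"
            - port: "443"
              protocol: "TCP"
    # ... unchanged: existing rule to ingress-nginx / nginx-external on TCP 443 ...
```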
@@ -0,0 +1,17 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-ingress-nginx-external
+spec:
+  description: "Allow pods that require ingress to allow traffic from ingress-nginx, no port restrictions"
+  endpointSelector:
+    matchLabels:
+      ingress.home.arpa/nginx-external: allow
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: ingress-nginx
+            app.kubernetes.io/instance: nginx-external
+            io.kubernetes.pod.namespace: networking
diff --git a/kubernetes/kyak/apps/networking/nginx/internal/kustomization.yaml b/kubernetes/kyak/apps/networking/nginx/internal/kustomization.yaml
index 4d56b78684..4b07ecb56a 100644
--- a/kubernetes/kyak/apps/networking/nginx/internal/kustomization.yaml
+++ b/kubernetes/kyak/apps/networking/nginx/internal/kustomization.yaml
@@ -5,3 +5,4 @@ kind: Kustomization
 namespace: networking
 resources:
   - ./helmrelease.yaml
+  - ./networkpolicy.yaml
diff --git a/kubernetes/kyak/apps/networking/nginx/internal/networkpolicy.yaml b/kubernetes/kyak/apps/networking/nginx/internal/networkpolicy.yaml
new file mode 100644
index 0000000000..a3394dd21b
--- /dev/null
+++ b/kubernetes/kyak/apps/networking/nginx/internal/networkpolicy.yaml
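Review bot: The `description` under `spec:` leaves out the side effect that matters most to whoever adds the opt-in label: once a pod carries `ingress.home.arpa/nginx-external: allow` this clusterwide policy selects it, and because the policy has an `ingress` section Cilium then default-denies every other ingress to that pod (Prometheus scrapes, the other ingress controller, pod-to-pod calls) unless some further policy allows it. I would make the description say so, e.g. `description: "Allow traffic from ingress-nginx (nginx-external) to any pod labelled ingress.home.arpa/nginx-external=allow, on all ports. A labelled pod is default-denied for all other ingress unless another policy allows it."`. The nginx-internal policy in the next hunk has the same wording and needs the same note.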
@@ -0,0 +1,17 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-ingress-nginx-internal
+spec:
+  description: "Allow pods that require ingress to allow traffic from ingress-nginx, no port restrictions"
+  endpointSelector:
+    matchLabels:
+      ingress.home.arpa/nginx-internal: allow
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: ingress-nginx
+            app.kubernetes.io/instance: nginx-internal
+            io.kubernetes.pod.namespace: networking