K3S-Cluster/home-cluster-ops
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #191 from 3dwardch3ng/infra/cilium

Browse Source 
re-enable cilium network policies
This commit is contained in:
Edward Cheng
2024-06-17 11:45:26 +10:00
committed by GitHub
parent 8736b79cc1 d13e5346f7
commit 338880efb6
6 changed files with 25 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
kubernetes/apps/homer/app/development.yaml
View File

@@ -13,13 +13,8 @@ spec:
metadata: metadata:
labels: labels:
app.kubernetes.io/name: homer app.kubernetes.io/name: homer
rpi5.cluster.policy/egress-kubeapi: "true" rpi5.cluster.policy/egress-nodes: "true"
rpi5.cluster.policy/egress-namespace: "true"
rpi5.cluster.policy/egress-world: "true"
rpi5.cluster.policy/ingress-namespace: "true"
rpi5.cluster.policy/ingress-nginx: "true"
rpi5.cluster.policy/ingress-nodes: "true" rpi5.cluster.policy/ingress-nodes: "true"
rpi5.cluster.policy/ingress-world: "true"
spec: spec:
securityContext: securityContext:
runAsUser: 1000 runAsUser: 1000

40
kubernetes/infrastructure/cilium/cilium.yaml
View File

@@ -14,24 +14,22 @@
# namespace: flux-system # namespace: flux-system
# name: flux-system # name: flux-system
#--- #---
#apiVersion: kustomize.toolkit.fluxcd.io/v1 apiVersion: kustomize.toolkit.fluxcd.io/v1
#kind: Kustomization kind: Kustomization
#metadata: metadata:
# name: cilium-networkpolicies name: cilium-networkpolicies
# namespace: cilium namespace: cilium
#spec: spec:
# suspend: true suspend: true
# interval: 10m interval: 10m
# timeout: 1m30s timeout: 1m30s
# retryInterval: 30s retryInterval: 30s
# path: ./kubernetes/infrastructure/cilium/networkpolicies path: ./kubernetes/infrastructure/cilium/networkpolicies
# prune: true prune: true
# sourceRef: sourceRef:
# kind: GitRepository kind: GitRepository
# namespace: flux-system namespace: flux-system
# name: flux-system name: flux-system
# dependsOn: dependsOn:
# - name: cilium - name: ingress-nginx
# namespace: cilium namespace: ingress-nginx
# - name: ingress-nginx
# namespace: ingress-nginx

8
kubernetes/infrastructure/cilium/kustomization.yaml
View File

@@ -1,4 +1,4 @@
#apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
#kind: Kustomization kind: Kustomization
#resources: resources:
# - cilium.yaml - cilium.yaml

12
kubernetes/infrastructure/cilium/networkpolicies/egress-world-with-lan.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-world-with-lan
namespace: cilium
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/egress-world-with-lan: "true"
egress:
- toCIDRSet:
- cidr: 0.0.0.0/0

4
kubernetes/infrastructure/cilium/networkpolicies/egress-world.yaml
View File

@@ -10,7 +10,3 @@ spec:
egress: egress:
- toCIDRSet: - toCIDRSet:
- cidr: 0.0.0.0/0 - cidr: 0.0.0.0/0
except:
- 192.168.1.0/24
- 192.168.2.0/24
- 100.64.0.0/10

2
kubernetes/infrastructure/kustomization.yaml
View File

@@ -9,6 +9,6 @@ resources:
- ./namespaces/podinfo.yaml - ./namespaces/podinfo.yaml
- ./namespaces/prometheus-operator.yaml - ./namespaces/prometheus-operator.yaml
- ./repositories/repositories.yaml - ./repositories/repositories.yaml
# - ./cilium/cilium.yaml - ./cilium/cilium.yaml
- ./ingress-nginx/ingress-nginx-config.yaml - ./ingress-nginx/ingress-nginx-config.yaml
- ./ingress-nginx/ingress-nginx.yaml - ./ingress-nginx/ingress-nginx.yaml