diff --git a/kubernetes/rpi5-cluster/apps/cilium/app/helmrelease.yaml b/kubernetes/rpi5-cluster/apps/cilium/app/helmrelease.yaml
new file mode 100644
index 0000000..8be73c8
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/app/helmrelease.yaml
@@ -0,0 +1,43 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cilium
+ namespace: kube-system
+spec:
+ chart:
+ spec:
+ chart: cilium
+ version: 1.15.5
+ sourceRef:
+ kind: HelmRepository
+ namespace: kube-system
+ name: cilium
+ install:
+ crds: Create
+ upgrade:
+ crds: CreateReplace
+ interval: 1h
+ driftDetection:
+ mode: enabled
+ values:
+ global:
+ encryption:
+ enabled: true
+ nodeEncryption: true
+
+ policyEnforcementMode: default
+
+ operator:
+ replicas: 1
+
+ ipam:
+ mode: cluster-pool
+ operator:
+ clusterPoolIPv4PodCIDRList: [10.42.0.0/16]
+ clusterPoolIPv4MaskSize: 24
+
+ dnsProxy:
+ dnsRejectResponseCode: nameError
+
+ cni:
+ exclusive: false
diff --git a/kubernetes/rpi5-cluster/apps/cilium/app/helmrepository.yaml b/kubernetes/rpi5-cluster/apps/cilium/app/helmrepository.yaml
new file mode 100644
index 0000000..0ca641c
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/app/helmrepository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: cilium
+ namespace: kube-system
+spec:
+ interval: 1h
+ url: https://helm.cilium.io
diff --git a/kubernetes/rpi5-cluster/apps/cilium/kustomization.yaml b/kubernetes/rpi5-cluster/apps/cilium/kustomization.yaml
new file mode 100644
index 0000000..512f204
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/kustomization.yaml
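Review bot: The `encryption` block under `values` is nested beneath a `global:` key, but Cilium's chart dropped the `global.` prefix in 1.9 and in 1.15 reads `encryption.enabled` / `encryption.nodeEncryption` at the top level of the values, so as written the 1.15.5 release will most likely install with transparent encryption off while the file reads as if it were on. Move the two keys up to `values.encryption` (and check whether `policyEnforcementMode` is meant to sit under `global` as well; the collapsed indentation here does not show it). Note also that `encryption.enabled: true` without an `encryption.type` selects the chart's IPsec default, which needs a pre-created key secret before the agents can start; set `encryption.type: wireguard` if that is the intended mode. Confirm after reconcile with `kubectl -n kube-system exec ds/cilium -- cilium status | grep -i encryption`.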
@@ -0,0 +1,30 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cilium-app
+ namespace: kube-system
+spec:
+ interval: 1h
+ targetNamespace: kube-system
+ path: ./kubernetes/rpi5-cluster/apps/cilium/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ namespace: flux-system
+ name: home-cluster-ops
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cilium-networkpolicies
+ namespace: kube-system
+spec:
+ interval: 1h
+ path: ./kubernetes/rpi5-cluster/apps/cilium/networkpolicies
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ namespace: flux-system
+ name: home-cluster-ops
+ dependsOn:
+ - name: cilium-app
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-kube-dns.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-kube-dns.yaml
new file mode 100644
index 0000000..1003e85
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-kube-dns.yaml
@@ -0,0 +1,19 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: egress-kube-dns
+spec:
+ endpointSelector:
+ matchExpressions:
+ - key: rpi5.cluster.policy/egress-kube-dns
+ operator: NotIn
+ values:
+ - "false"
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-kubeapi.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-kubeapi.yaml
new file mode 100644
index 0000000..3e54454
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-kubeapi.yaml
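Review bot: `cilium-networkpolicies` depends on `cilium-app`, but `cilium-app` has no `wait: true` (or `healthChecks`), so Flux marks it Ready as soon as the HelmRelease object is applied, before helm-controller has installed the chart and its CRDs; the first reconciliation of the CiliumClusterwideNetworkPolicy manifests can then fail on unknown kinds until a later retry. Add `wait: true` to the `cilium-app` spec so the dependency gates on the HelmRelease itself becoming Ready. Separately, `prune: true` on the Kustomization that owns the CNI means that deleting or mis-pathing `cilium-app` garbage-collects the HelmRelease and takes the cluster network down with it; consider labelling the HelmRelease `kustomize.toolkit.fluxcd.io/prune: disabled` as a guard rail.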
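Review bot: The `NotIn ["false"]` selector matches every pod in the cluster that has not explicitly opted out, and because this is an egress rule it places all of them — including CoreDNS itself in kube-system and, presumably, the Flux controllers reconciling this repository — into egress default-deny. CoreDNS needs egress to the API server and to its upstream resolvers, and nothing in this directory grants that unless those pods carry the `egress-kubeapi`/`egress-world` labels, which this hunk does not show; either add the labels to the (apparently k3s-managed) CoreDNS deployment or exclude it here with a second expression such as `- key: k8s-app` / `operator: NotIn` / `values: ["kube-dns"]`. If the `dnsProxy.dnsRejectResponseCode` setting in the HelmRelease is meant to do anything, this is also the rule that needs `rules: dns: - matchPattern: "*"` under the port 53 entry, since Cilium's DNS proxy only engages on L7 DNS rules.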
@@ -0,0 +1,21 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: egress-kubeapi
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/egress-kubeapi: "true"
+ egress:
+ - toEntities:
+ - host
+ - remote-node
+ toPorts:
+ - ports:
+ - port: "6443"
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "443"
+ - port: "6443"
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-namespace.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-namespace.yaml
new file mode 100644
index 0000000..7173deb
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-namespace.yaml
@@ -0,0 +1,11 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: egress-namespace
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/egress-namespace: "true"
+ egress:
+ - toEndpoints:
+ - {}
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-nodes.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-nodes.yaml
new file mode 100644
index 0000000..08bb2fa
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-nodes.yaml
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: egress-nodes
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/egress-nodes: "true"
+ egress:
+ - toEntities:
+ - host
+ - remote-node
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-world-with-lan.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-world-with-lan.yaml
new file mode 100644
index 0000000..0b55a55
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-world-with-lan.yaml
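Review bot: Neither `toPorts` entry names a protocol, so the rule admits UDP and SCTP to 443/6443 on the nodes as well as TCP; the API server only speaks TCP, so adding `protocol: TCP` next to each `- port:` line narrows the rule at no cost. A one-line comment explaining why both the `host`/`remote-node` pair and the `kube-apiserver` entity are listed (on clusters where the API server runs on the nodes, Cilium's node identity can carry the `kube-apiserver` label as well) would also help the next reader, since the `local-path-provisioner` policy in this same change only uses the former.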
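Review bot: `toEndpoints: - {}` in a CiliumClusterwideNetworkPolicy matches every endpoint in every namespace; the implicit same-namespace scoping that an empty selector gets in a namespaced CiliumNetworkPolicy does not apply to clusterwide policies. A pod labelled `egress-namespace: "true"` is therefore granted egress to all pods cluster-wide, which is far broader than the policy's name suggests and quietly undercuts the per-label design of the other rules. If intra-namespace reachability is the intent, this needs to be a per-namespace `CiliumNetworkPolicy` (or the clusterwide rule needs an explicit `io.kubernetes.pod.namespace: <ns>` in the `toEndpoints` selector); if cluster-wide is the intent, rename it (e.g. `egress-cluster`) and say so in a comment.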
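Review bot: This rule grants labelled pods every port on every node (`host` and `remote-node` with no `toPorts`), which includes the kubelet API on 10250, the API server on 6443 and, on control-plane nodes, any etcd or SSH listener; that is a large lateral-movement surface for what is presumably a metrics or probe use case. The sibling `egress-kubeapi` policy already scopes node access to 6443, so either add a `toPorts` list naming the ports this label actually exists for, or document in a comment which workloads are expected to carry `egress-nodes` and why unrestricted node access is acceptable for them.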
@@ -0,0 +1,11 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: egress-world-with-lan
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/egress-world-with-lan: "true"
+ egress:
+ - toCIDRSet:
+ - cidr: 0.0.0.0/0
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-world.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-world.yaml
new file mode 100644
index 0000000..f2c2845
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-world.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: egress-world
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/egress-world: "true"
+ egress:
+ - toCIDRSet:
+ - cidr: 0.0.0.0/0
+ except:
+ - 192.168.1.0/24
+ - 192.168.2.0/24
+ - 100.64.0.0/10
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-namespace.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-namespace.yaml
new file mode 100644
index 0000000..f479a7f
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-namespace.yaml
@@ -0,0 +1,11 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: ingress-namespace
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/ingress-namespace: "true"
+ ingress:
+ - fromEndpoints:
+ - {}
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-nginx.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-nginx.yaml
new file mode 100644
index 0000000..4729f28
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-nginx.yaml
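Review bot: The only difference from `egress-world` is the absent `except` list, which is easy to miss when the two files sit side by side; a header comment such as `# Like egress-world, but deliberately also allows the LAN (192.168.1.0/24, 192.168.2.0/24) and 100.64.0.0/10` would make the intent explicit and stop it being applied in place of `egress-world` by mistake. It is also worth noting in that comment that, by default, `toCIDRSet` only matches traffic Cilium classifies as `world`, so this is not a blanket allow-all towards other pods or nodes.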
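Review bot: The `except` list carves out the two LAN subnets and the CGNAT/Tailscale range, but `0.0.0.0/0` still covers the rest of RFC 1918 (`10.0.0.0/8`, `172.16.0.0/12`) and link-local `169.254.0.0/16`, so a pod labelled `egress-world` can still reach any such address that is routable from the nodes, including other private networks behind the router if there are any. If the intent is "internet only", add `- 10.0.0.0/8`, `- 172.16.0.0/12` and `- 169.254.0.0/16` to `except`; cluster-internal pod/service traffic is not matched by CIDR rules, so the overlap with the 10.42.0.0/16 pod CIDR is harmless. Whether those ranges are actually routable on this network is not visible here; if they are not, a comment saying so would answer the question for the next reader.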
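Review bot: As with `egress-namespace`, `fromEndpoints: - {}` in a clusterwide policy has no namespace scope, so a pod labelled `ingress-namespace: "true"` accepts traffic from every pod in every namespace, not just its own. That is the opposite of what the name promises, and for anything carrying this label it makes the more specific `ingress-ingress`/`ingress-nodes` grants redundant. Make it a namespaced `CiliumNetworkPolicy` per namespace (where an empty `fromEndpoints` selector is confined to the policy's namespace), or rename it to reflect the cluster-wide scope and add a comment saying that is intended.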
@@ -0,0 +1,65 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: ingress-ingress
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/ingress-ingress: "true"
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/component: controller
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: ingress-nginx
+ namespace: ingress-nginx
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/component: controller
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ rpi5.cluster.policy/ingress-ingress: "true"
+ matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: egress-ingress
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/egress-ingress: "true"
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/component: controller
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: egress-nginx
+ namespace: ingress-nginx
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/component: controller
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ rpi5.cluster.policy/egress-ingress: "true"
+ matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-nodes.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-nodes.yaml
new file mode 100644
index 0000000..b148425
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-nodes.yaml
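Review bot: The two namespaced policies select the ingress-nginx controller pods with an `egress` section (`ingress-nginx`) and an `ingress` section (`egress-nginx`), which puts the controller into both egress and ingress default-deny; nothing in this hunk then admits client traffic from `world` or from the node (NodePort/LoadBalancer traffic that is SNATed arrives with the `host`/`remote-node` identity), nor the controller's own watch on the API server. Presumably the controller Deployment carries the `ingress-world`, `ingress-nodes` and `egress-kubeapi` labels, but that lives outside this change; a comment at the top of the file listing the companion labels the controller must have would save the next person from debugging a silently dead ingress. Also note that `ingress-ingress` lets the controller reach labelled backends on every port — acceptable for a generic label, but worth stating explicitly.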
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: ingress-nodes
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/ingress-nodes: "true"
+ ingress:
+ - fromEntities:
+ - host
+ - remote-node
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-world.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-world.yaml
new file mode 100644
index 0000000..24d0ce1
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-world.yaml
@@ -0,0 +1,11 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: ingress-world
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/ingress-world: "true"
+ ingress:
+ - fromEntities:
+ - world
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/local-path-provisioner.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/local-path-provisioner.yaml
new file mode 100644
index 0000000..947aff1
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/local-path-provisioner.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: local-path-provisioner
+ namespace: kube-system
+spec:
+ endpointSelector:
+ matchLabels:
+ app: local-path-provisioner
+ egress:
+ - toEntities:
+ - host
+ - remote-node
+ toPorts:
+ - ports:
+ - port: "6443"
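Review bot: `fromEntities: host` admits not only kubelet probes but every process on the node, including any hostNetwork pod, and with `remote-node` every other node as well; with no `toPorts` that is on any port. If this label exists for liveness/readiness probes, a comment saying so (and, where the port is known, a `toPorts` entry for it) keeps this from becoming the general-purpose "let the node in" rule; otherwise document which workloads are expected to carry `ingress-nodes` and why unrestricted access from the nodes is acceptable for them.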
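Review bot: `fromEntities: world` covers everything outside the cluster, which on this network includes the 192.168.1.0/24 and 192.168.2.0/24 LAN and the 100.64.0.0/10 range that `egress-world` deliberately carves out; there is no ingress counterpart to the egress-world/egress-world-with-lan split, so a label called `ingress-world` also exposes a pod to every LAN host on every port. If LAN-only exposure is ever wanted, add a sibling policy using `fromCIDRSet: [{cidr: 192.168.1.0/24}, {cidr: 192.168.2.0/24}]` (or an `except` list the way `egress-world` does); either way, a comment stating that `world` here includes the LAN would prevent surprises.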
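Review bot: This duplicates the `egress-kubeapi` clusterwide rule for a single workload, but only with the `host`/`remote-node` pair on 6443 and without the `kube-apiserver` entity the generic policy also lists; presumably it exists because the k3s-managed provisioner Deployment cannot easily carry the `rpi5.cluster.policy/egress-kubeapi` label. A comment stating that reason, plus mirroring the entity list of `egress-kubeapi` (`- toEntities: - kube-apiserver` on 443/6443) and adding `protocol: TCP`, would keep the two from drifting apart. The provisioner pods also fall under the clusterwide `egress-kube-dns` rule, so DNS is covered; anything else they need would be blocked, which is fine if the API server (presumably reached via the `kubernetes` ClusterIP) is their only dependency.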