re-enable cilium network policies

2024-06-17 11:45:06 +10:00
parent 8736b79cc1
commit d13e5346f7
6 changed files with 25 additions and 48 deletions
--- a/kubernetes/apps/homer/app/development.yaml
+++ b/kubernetes/apps/homer/app/development.yaml
@@ -13,13 +13,8 @@ spec:
    metadata:
      labels:
        app.kubernetes.io/name: homer
-        rpi5.cluster.policy/egress-kubeapi: "true"
-        rpi5.cluster.policy/egress-namespace: "true"
-        rpi5.cluster.policy/egress-world: "true"
-        rpi5.cluster.policy/ingress-namespace: "true"
-        rpi5.cluster.policy/ingress-nginx: "true"
+        rpi5.cluster.policy/egress-nodes: "true"
        rpi5.cluster.policy/ingress-nodes: "true"
-        rpi5.cluster.policy/ingress-world: "true"
    spec:
      securityContext:
        runAsUser: 1000
--- a/kubernetes/infrastructure/cilium/cilium.yaml
+++ b/kubernetes/infrastructure/cilium/cilium.yaml
@@ -14,24 +14,22 @@
 #    namespace: flux-system
 #    name: flux-system
 #---
-#apiVersion: kustomize.toolkit.fluxcd.io/v1
-#kind: Kustomization
-#metadata:
-#  name: cilium-networkpolicies
-#  namespace: cilium
-#spec:
-#  suspend: true
-#  interval: 10m
-#  timeout: 1m30s
-#  retryInterval: 30s
-#  path: ./kubernetes/infrastructure/cilium/networkpolicies
-#  prune: true
-#  sourceRef:
-#    kind: GitRepository
-#    namespace: flux-system
-#    name: flux-system
-#  dependsOn:
-#    - name: cilium
-#      namespace: cilium
-#    - name: ingress-nginx
-#      namespace: ingress-nginx
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cilium-networkpolicies
+  namespace: cilium
+spec:
+  suspend: true
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/infrastructure/cilium/networkpolicies
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+  dependsOn:
+    - name: ingress-nginx
+      namespace: ingress-nginx
--- a/kubernetes/infrastructure/cilium/kustomization.yaml
+++ b/kubernetes/infrastructure/cilium/kustomization.yaml
@@ -1,4 +1,4 @@
-#apiVersion: kustomize.config.k8s.io/v1beta1
-#kind: Kustomization
-#resources:
-#  - cilium.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cilium.yaml
--- a/kubernetes/infrastructure/cilium/networkpolicies/egress-world-with-lan.yaml
+++ b/kubernetes/infrastructure/cilium/networkpolicies/egress-world-with-lan.yaml
@@ -1,12 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: egress-world-with-lan
-  namespace: cilium
-spec:
-  endpointSelector:
-    matchLabels:
-      rpi5.cluster.policy/egress-world-with-lan: "true"
-  egress:
-    - toCIDRSet:
-        - cidr: 0.0.0.0/0
--- a/kubernetes/infrastructure/cilium/networkpolicies/egress-world.yaml
+++ b/kubernetes/infrastructure/cilium/networkpolicies/egress-world.yaml
@@ -10,7 +10,3 @@ spec:
  egress:
    - toCIDRSet:
        - cidr: 0.0.0.0/0
-          except:
-            - 192.168.1.0/24
-            - 192.168.2.0/24
-            - 100.64.0.0/10
--- a/kubernetes/infrastructure/kustomization.yaml
+++ b/kubernetes/infrastructure/kustomization.yaml
@@ -9,6 +9,6 @@ resources:
  - ./namespaces/podinfo.yaml
  - ./namespaces/prometheus-operator.yaml
  - ./repositories/repositories.yaml
-#  - ./cilium/cilium.yaml
+  - ./cilium/cilium.yaml
  - ./ingress-nginx/ingress-nginx-config.yaml
  - ./ingress-nginx/ingress-nginx.yaml