diff --git a/kubernetes/rpi5-cluster/apps/cilium/ks.yaml b/kubernetes/rpi5-cluster/apps/cilium/ks.yaml
index 8c82c5a..512f204 100644
--- a/kubernetes/rpi5-cluster/apps/cilium/ks.yaml
+++ b/kubernetes/rpi5-cluster/apps/cilium/ks.yaml
@@ -12,4 +12,19 @@ spec:
 kind: GitRepository
 namespace: flux-system
 name: home-cluster-ops
-
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cilium-networkpolicies
+ namespace: kube-system
+spec:
+ interval: 1h
+ path: ./kubernetes/rpi5-cluster/apps/cilium/networkpolicies
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ namespace: flux-system
+ name: home-cluster-ops
+ dependsOn:
+ - name: cilium-app
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/coredns.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/coredns.yaml
new file mode 100644
index 0000000..5b7826c
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/coredns.yaml
@@ -0,0 +1,21 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: coredns
+ namespace: kube-system
+spec:
+ endpointSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ egress:
+ - toEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "53"
+ - toEntities:
+ - host
+ - remote-node
+ toPorts:
+ - ports:
+ - port: "6443"
\ No newline at end of file
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-kube-dns.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-kube-dns.yaml
new file mode 100644
index 0000000..1003e85
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-kube-dns.yaml
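Review bot: The `world` rule on `- port: "53"` in coredns.yaml carries no `protocol`, and as far as I recall Cilium's PortProtocol treats an omitted protocol as "any", so the rule is wider than the UDP and TCP that upstream DNS forwarding needs; make it explicit with `- port: "53"` / `protocol: UDP` plus a second entry for TCP, and do the same for the `"6443"` entries here and in the other new files. The rule also allows forwarding to any `world` address on 53 rather than to the resolvers CoreDNS is configured with; if those are static, a `toCIDRSet` with the upstream addresses would narrow it. The file is also missing its trailing newline (`\ No newline at end of file`).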
@@ -0,0 +1,19 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: egress-kube-dns
+spec:
+ endpointSelector:
+ matchExpressions:
+ - key: rpi5.cluster.policy/egress-kube-dns
+ operator: NotIn
+ values:
+ - "false"
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-kubeapi.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-kubeapi.yaml
new file mode 100644
index 0000000..3e54454
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-kubeapi.yaml
@@ -0,0 +1,21 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: egress-kubeapi
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/egress-kubeapi: "true"
+ egress:
+ - toEntities:
+ - host
+ - remote-node
+ toPorts:
+ - ports:
+ - port: "6443"
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "443"
+ - port: "6443"
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-namespace.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-namespace.yaml
new file mode 100644
index 0000000..7173deb
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-namespace.yaml
@@ -0,0 +1,11 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: egress-namespace
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/egress-namespace: "true"
+ egress:
+ - toEndpoints:
+ - {}
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-nodes.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-nodes.yaml
new file mode 100644
index 0000000..08bb2fa
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-nodes.yaml
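Review bot: Because `egress-kube-dns` selects every endpoint whose `rpi5.cluster.policy/egress-kube-dns` label is not `"false"` — including pods that carry no label at all — and has an `egress` section, it moves every such pod into Cilium's default-deny egress mode cluster-wide; all other egress then has to be opted into through the sibling policies' labels. That looks intentional, but it is the most consequential selector in this change set and deserves a comment above `endpointSelector:`, e.g. `# Selects all endpoints unless explicitly opted out; every selected pod becomes egress default-deny.` Consider also `rules: dns: - matchPattern: "*"` on the `toPorts` entry so Hubble records resolved names and `toFQDNs` rules become usable later, noting that this routes DNS through the agent's L7 proxy.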
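Review bot: The `host`/`remote-node` on `"6443"` rule in egress-kubeapi.yaml is duplicated by hand in coredns.yaml and local-path-provisioner.yaml; if those kube-system pods can carry `rpi5.cluster.policy/egress-kubeapi: "true"` (presumably via their chart or manifest labels, which are not on this page), the per-app copies could go and API-server reachability would be defined in one place. A comment explaining why both the `host`/`remote-node` rule and the `kube-apiserver` entity rule are present (control plane running on nodes versus the reserved `kube-apiserver` identity) would stop a reader from dropping one of them as redundant.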
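Review bot: `toEndpoints: - {}` in a CiliumClusterwideNetworkPolicy is, as far as I know, not scoped to the source pod's namespace — the implicit `io.kubernetes.pod.namespace` match is only added for namespaced CiliumNetworkPolicy objects — so `egress-namespace` likely allows egress to every Cilium-managed endpoint in every namespace, which is wider than its name and opt-in label suggest; the same applies to `fromEndpoints: - {}` in ingress-namespace.yaml. A CCNP cannot express "the same namespace as the selected pod", so these two are better delivered as namespaced CiliumNetworkPolicy objects per tenant namespace, or renamed (e.g. `egress-cluster`) and commented as cluster-wide pod-to-pod grants. Please confirm the actual behaviour on the Cilium version in use (a cross-namespace flow in `hubble observe` settles it) before either policy is relied on for isolation.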
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: egress-nodes
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/egress-nodes: "true"
+ egress:
+ - toEntities:
+ - host
+ - remote-node
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-world-with-lan.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-world-with-lan.yaml
new file mode 100644
index 0000000..0b55a55
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-world-with-lan.yaml
@@ -0,0 +1,11 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: egress-world-with-lan
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/egress-world-with-lan: "true"
+ egress:
+ - toCIDRSet:
+ - cidr: 0.0.0.0/0
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-world.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-world.yaml
new file mode 100644
index 0000000..f2c2845
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/egress-world.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: egress-world
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/egress-world: "true"
+ egress:
+ - toCIDRSet:
+ - cidr: 0.0.0.0/0
+ except:
+ - 192.168.1.0/24
+ - 192.168.2.0/24
+ - 100.64.0.0/10
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-namespace.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-namespace.yaml
new file mode 100644
index 0000000..f479a7f
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-namespace.yaml
@@ -0,0 +1,11 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: ingress-namespace
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/ingress-namespace: "true"
+ ingress:
+ - fromEndpoints:
+ - {}
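Review bot: `toEntities: host`/`remote-node` with no `toPorts` in egress-nodes.yaml grants an opted-in pod every port on every node — the kubelet API, any host-network daemon, node-level metrics — rather than the one service its consumer presumably needs; ingress-nodes.yaml has the mirror-image breadth from the node side. If the intended consumers only need a handful of ports, add a `toPorts` block (as egress-kubeapi.yaml does) or split into purpose-named policies, and at minimum add a comment above `endpointSelector:` naming which workloads are expected to carry `rpi5.cluster.policy/egress-nodes: "true"`.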
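Review bot: `cidr: 0.0.0.0/0` in egress-world-with-lan.yaml (and egress-world.yaml) covers IPv4 only; if the cluster ever runs dual-stack, a `::/0` entry with matching `except` ranges is needed, and if it does not, a one-line comment saying the cluster is IPv4-only avoids the question later. The only difference between the two files is the `except` list, so a comment above `toCIDRSet:` such as `# Same as egress-world, but LAN and CGNAT ranges stay reachable` would make the relationship explicit to someone reading one file without the other.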
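Review bot: The three `except` ranges in egress-world.yaml are unannotated, so a reader cannot tell which is the home LAN, which is a second segment, and why `100.64.0.0/10` (the CGNAT range, commonly used by overlay VPNs) is excluded, nor that this list is what separates the policy from egress-world-with-lan. Add a trailing comment per entry, e.g. `- 192.168.1.0/24  # <segment name>`, and note that, as far as I know, Cilium CIDR rules do not match Cilium-managed pod or node identities, so the exceptions only govern other hosts on those networks.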
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-nginx.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-nginx.yaml
new file mode 100644
index 0000000..4729f28
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-nginx.yaml
@@ -0,0 +1,65 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: ingress-ingress
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/ingress-ingress: "true"
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/component: controller
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: ingress-nginx
+ namespace: ingress-nginx
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/component: controller
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ rpi5.cluster.policy/ingress-ingress: "true"
+ matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: egress-ingress
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/egress-ingress: "true"
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/component: controller
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: egress-nginx
+ namespace: ingress-nginx
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/component: controller
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ rpi5.cluster.policy/egress-ingress: "true"
+ matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
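Review bot: The `matchExpressions: - key: io.kubernetes.pod.namespace` / `operator: Exists` clause in the two CiliumNetworkPolicy objects in ingress-nginx.yaml is the non-obvious idiom that stops Cilium from scoping the selector to the `ingress-nginx` namespace; without a comment the next maintainer will delete it as a no-op, so put `# Exists on the namespace label opts out of the implicit same-namespace scoping, so labelled pods in any namespace match.` above both. Those two policies also give the controller an `egress` and an `ingress` section, so it becomes default-deny in both directions and will need `rpi5.cluster.policy/ingress-world: "true"` and `rpi5.cluster.policy/egress-kubeapi: "true"` to keep serving clients and watching Ingress objects; I cannot see on this page where those labels are applied, so please confirm they are set on the controller pods. Finally, the four resources are named ingress-ingress, ingress-nginx, egress-ingress and egress-nginx, which is hard to tell apart in `kubectl get ccnp,cnp -A`; naming by role and direction (e.g. `backend-from-ingress-nginx`, `ingress-nginx-to-backend`) would read better.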
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-nodes.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-nodes.yaml
new file mode 100644
index 0000000..b148425
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-nodes.yaml
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: ingress-nodes
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/ingress-nodes: "true"
+ ingress:
+ - fromEntities:
+ - host
+ - remote-node
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-world.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-world.yaml
new file mode 100644
index 0000000..24d0ce1
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/ingress-world.yaml
@@ -0,0 +1,11 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: ingress-world
+spec:
+ endpointSelector:
+ matchLabels:
+ rpi5.cluster.policy/ingress-world: "true"
+ ingress:
+ - fromEntities:
+ - world
diff --git a/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/local-path-provisioner.yaml b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/local-path-provisioner.yaml
new file mode 100644
index 0000000..947aff1
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cilium/networkpolicies/local-path-provisioner.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: local-path-provisioner
+ namespace: kube-system
+spec:
+ endpointSelector:
+ matchLabels:
+ app: local-path-provisioner
+ egress:
+ - toEntities:
+ - host
+ - remote-node
+ toPorts:
+ - ports:
+ - port: "6443"
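Review bot: `fromEntities: - world` without `toPorts` in ingress-world.yaml exposes every listening port of an opted-in pod to off-cluster sources, including any metrics, debug or admin listener that sits beside the service port; the opt-in label is a coarse switch and does not narrow that. Consider a `toPorts` block with the expected service port(s), or at least a comment on `rpi5.cluster.policy/ingress-world: "true"` stating that a pod using it must not run additional listeners, so the constraint is visible where the label is applied.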