diff --git a/cloud/networking/network-policies/allow-kube-apiserver-traffic.yaml b/cloud/networking/network-policies/allow-kube-apiserver-traffic.yaml
index 71231df..f17be2e 100644
--- a/cloud/networking/network-policies/allow-kube-apiserver-traffic.yaml
+++ b/cloud/networking/network-policies/allow-kube-apiserver-traffic.yaml
@@ -1,21 +1,15 @@
-# ---
-# apiVersion: cilium.io/v2
-# kind: CiliumNetworkPolicy
-# metadata:
-# name: allow-kube-apiserver-traffic
-# spec:
-# endpointSelector:
-# matchLabels:
-# network-policy/allow-kube-apiserver-traffic: apply
-# ingress:
-# - fromEntities:
-# - kube-apiserver
-# egress:
-# - toEntities:
-# - kube-apiserver
-# toPorts:
-# - ports:
-# - port: "443"
-# protocol: TCP
-# rules:
-# http: [{}]
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-kube-apiserver-traffic
+spec:
+ endpointSelector:
+ matchLabels:
+ network-policy/allow-kube-apiserver-traffic: apply
+ ingress:
+ - fromEntities:
+ - kube-apiserver
+ egress:
+ - toEntities:
+ - kube-apiserver
diff --git a/cloud/networking/network-policies/allow-minio-traffic.yaml b/cloud/networking/network-policies/allow-minio-traffic.yaml
index 9187a55..54d7918 100644
--- a/cloud/networking/network-policies/allow-minio-traffic.yaml
+++ b/cloud/networking/network-policies/allow-minio-traffic.yaml
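Review bot: The uncommented `egress` rule now allows traffic to the `kube-apiserver` entity on every port and protocol, because the `toPorts` block the commented-out version carried (`port: "443"`, `protocol: TCP`) was not brought back with the rest of the policy; the allow-minio-traffic hunk drops its `port: "9000"` restriction in the same way. Leaving out the L7 `rules: http: [{}]` is understandable, since Cilium cannot parse TLS traffic to the API server as HTTP without TLS interception, but the L4 port restriction works without it and should be kept if the API server still listens on 443 as the old version assumed. The policy also has no `metadata.namespace`, so as a namespaced CiliumNetworkPolicy it binds to whichever namespace it happens to be applied in, while default-deny-egress pins `namespace: foundry`; an explicit `namespace: foundry` under `metadata` would keep the allow-list tied to the namespace the deny policy covers.

```yaml
# … unchanged: metadata, endpointSelector, ingress …
  egress:
    - toEntities:
        - kube-apiserver
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```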
@@ -1,27 +1,21 @@
-# ---
-# apiVersion: cilium.io/v2
-# kind: CiliumNetworkPolicy
-# metadata:
-# name: allow-minio-traffic
-# spec:
-# endpointSelector:
-# matchLabels:
-# network-policy/allow-minio-traffic: apply
-# ingress:
-# - fromEndpoints:
-# - matchLabels:
-# app: minio
-# v1.min.io/tenant: default
-# io.kubernetes.pod.namespace: storage
-# egress:
-# - toEndpoints:
-# - matchLabels:
-# app: minio
-# v1.min.io/tenant: default
-# io.kubernetes.pod.namespace: storage
-# toPorts:
-# - ports:
-# - port: "9000"
-# protocol: TCP
-# rules:
-# http: [{}]
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-minio-traffic
+spec:
+ endpointSelector:
+ matchLabels:
+ network-policy/allow-minio-traffic: apply
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ app: minio
+ v1.min.io/tenant: default
+ io.kubernetes.pod.namespace: storage
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ app: minio
+ v1.min.io/tenant: default
+ io.kubernetes.pod.namespace: storage
diff --git a/cloud/networking/network-policies/default-deny-egress.yaml b/cloud/networking/network-policies/default-deny-egress.yaml
index 4fd2ae1..90ece9e 100644
--- a/cloud/networking/network-policies/default-deny-egress.yaml
+++ b/cloud/networking/network-policies/default-deny-egress.yaml
@@ -1,28 +1,28 @@
-# ---
-# apiVersion: cilium.io/v2
-# kind: CiliumNetworkPolicy
-# metadata:
-# name: default-deny-egress
-# namespace: foundry
-# spec:
-# endpointSelector: {}
-# egress:
-# # DNS
-# - toEndpoints:
-# - matchLabels:
-# io.kubernetes.pod.namespace: kube-system
-# k8s-app: kube-dns
-# toPorts:
-# - ports:
-# - port: "53"
-# protocol: UDP
-# rules:
-# dns:
-# - matchPattern: "*"
-# # ingress-nginx
-# - toEndpoints:
-# - matchLabels:
-# app.kubernetes.io/name: ingress-nginx
-# app.kubernetes.io/instance: ingress-nginx
-# app.kubernetes.io/component: controller
-# io.kubernetes.pod.namespace: ingress-nginx
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: default-deny-egress
+ namespace: foundry
+spec:
+ endpointSelector: {}
+ egress:
+ # DNS
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ rules:
+ dns:
+ - matchPattern: "*"
+ # ingress-nginx
+ - toEndpoints:
+ - matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/component: controller
+ io.kubernetes.pod.namespace: ingress-nginx
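Review bot: The DNS rule under `egress` permits kube-dns only on `protocol: UDP`, so lookups that retry over TCP (truncated responses, large answers) are dropped once this policy puts the `foundry` endpoints into default-deny egress; add a second entry `- port: "53"` / `protocol: TCP` to the same `ports` list so the `dns` L7 rule covers both transports. The ingress-nginx rule has no `toPorts`, so every pod selected by `endpointSelector: {}` may reach the controller pods on any port; if the controller's listener ports are known (they are not shown here) they could be pinned the same way the DNS rule pins 53. A one-line comment above `egress:` such as `# Under Cilium's default enforcement mode, any egress rule makes the selected endpoints default-deny for egress; only the destinations listed below are reachable` would explain why a policy named default-deny is written as an allow-list.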