feat: revisit network policies

argo-apps/cloud/ddb-proxy.cd.yaml

@@ -22,6 +22,9 @@ spec:
       values: |
 
         replicaCount: 2
+        podLabels:
+          networking.k8s.io/apply-network-policy: allow-world-http-ingress
+          network-policy/allow-dndbeyond-egress: apply
         resources:
           requests:
             cpu: 50m

argo-apps/cloud/foundry-code-and-quest-app.cd.yaml

@@ -31,6 +31,9 @@ spec:
         storage:
           className: longhorn
           size: 5Gi
+        podLabels:
+          network-policy/allow-world-http-ingress: apply
+          network-policy/allow-world-https-egress: apply
         resources:
           requests:
             cpu: 40m

argo-apps/cloud/foundry-saltysausage-app.cd.yaml

@@ -31,6 +31,9 @@ spec:
         storage:
           className: longhorn
           size: 5Gi
+        podLabels:
+          network-policy/allow-world-http-ingress: apply
+          network-policy/allow-world-https-egress: apply
         resources:
           requests:
             cpu: 40m

cloud/custom-resources/argo-workflows/saltysausage-offsite-backup.yaml

@@ -9,7 +9,13 @@ spec:
   concurrencyPolicy: "Replace"
   startingDeadlineSeconds: 0
   successfulJobsHistoryLimit: 7
+  workflowMetadata:
+    labels:
+      network-policy/allow-minio-traffic: apply
   workflowSpec:
+    podMetadata:
+      network-policy/allow-minio-traffic: apply
+      network-policy/allow-kube-apiserver-traffic: apply
     entrypoint: main
     onExit: exit-handler
     artifactGC:

cloud/custom-resources/argo-workflows/scale-workload.yaml

@@ -11,6 +11,10 @@ spec:
     serviceAccountName: foundry-workflows
   podGC:
     strategy: OnWorkflowSuccess
+  podMetadata:
+    labels:
+      network-policy/allow-kube-apiserver-traffic: apply
+      network-policy/allow-minio-traffic: apply
   securityContext:
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: true

cloud/networking/network-policies/allow-dndbeyond-egress.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-dndbeyond-egress
+spec:
+  endpointSelector:
+    matchLabels:
+      network-policy/allow-dndbeyond-egress: apply
+  egress:
+    - toFQDNs:
+        - matchPattern: "*.dndbeyond.com"
+        - matchName: "dndbeyond.com"
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+          rules:
+            http: [{}]

cloud/networking/network-policies/allow-kube-apiserver-traffic.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-kube-apiserver-traffic
+spec:
+  endpointSelector:
+    matchLabels:
+      network-policy/allow-kube-apiserver-traffic: apply
+  ingress:
+    - fromEntities:
+        - kube-apiserver
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+          rules:
+            http: [{}]

cloud/networking/network-policies/allow-minio-traffic.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-minio-traffic
+spec:
+  endpointSelector:
+    matchLabels:
+      network-policy/allow-minio-traffic: apply
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app: minio
+            v1.min.io/tenant: default
+            io.kubernetes.pod.namespace: storage
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            app: minio
+            v1.min.io/tenant: default
+            io.kubernetes.pod.namespace: storage
+      toPorts:
+        - ports:
+            - port: "9000"
+              protocol: TCP
+          rules:
+            http: [{}]

cloud/networking/network-policies/allow-world-http-ingress.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-world-http-ingress
+spec:
+  endpointSelector:
+    matchLabels:
+      network-policy/allow-world-http-ingress: apply
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: ingress-nginx
+            app.kubernetes.io/instance: ingress-nginx
+            app.kubernetes.io/component: controller
+            io.kubernetes.pod.namespace: ingress-nginx

cloud/networking/network-policies/allow-world-https-egress.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-world-https-egress
+spec:
+  endpointSelector:
+    matchLabels:
+      network-policy/allow-world-https-egress: apply
+  egress:
+    - toEntities:
+        - world
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+          rules:
+            http: [{}]

cloud/networking/network-policies/default-deny-egress.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: default-deny-egress
+  namespace: foundry
+spec:
+  endpointSelector: {}
+  egress:
+    # DNS
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+          rules:
+            dns:
+              - matchPattern: "*"
+    # ingress-nginx
+    - toEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: ingress-nginx
+            app.kubernetes.io/instance: ingress-nginx
+            app.kubernetes.io/component: controller
+            io.kubernetes.pod.namespace: ingress-nginx

cloud/networking/network-policies/default-deny-ingress.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: default-deny-ingress
+spec:
+  endpointSelector: {}
+  ingress:
+    - {}