feat: egress netpols

wittdennis · Dec 27, 2024 · ee701d8 · ee701d8
1 parent cb76bff
commit ee701d8
Show file tree

Hide file tree

Showing 8 changed files with 98 additions and 81 deletions.
diff --git a/cloud/custom-resources/argo-workflows/code-and-quest-backup-restore.yaml b/cloud/custom-resources/argo-workflows/code-and-quest-backup-restore.yaml
@@ -8,6 +8,10 @@ spec:
   entrypoint: main
   serviceAccountName: foundry-workflows
   onExit: exit-handler
+  podMetadata:
+    labels:
+      network-policy/allow-minio-traffic: apply
+      network-policy/allow-kube-apiserver-traffic: apply
   artifactGC:
     strategy: OnWorkflowDeletion
     serviceAccountName: foundry-workflows

diff --git a/cloud/custom-resources/argo-workflows/code-and-quest-offsite-backup.yaml b/cloud/custom-resources/argo-workflows/code-and-quest-offsite-backup.yaml
@@ -12,6 +12,10 @@ spec:
   workflowSpec:
     entrypoint: main
     onExit: exit-handler
+    podMetadata:
+      labels:
+        network-policy/allow-minio-traffic: apply
+        network-policy/allow-kube-apiserver-traffic: apply
     artifactGC:
       strategy: OnWorkflowDeletion
       serviceAccountName: foundry-workflows

diff --git a/cloud/custom-resources/argo-workflows/saltysausage-backup-restore.yaml b/cloud/custom-resources/argo-workflows/saltysausage-backup-restore.yaml
@@ -8,6 +8,10 @@ spec:
   entrypoint: main
   serviceAccountName: foundry-workflows
   onExit: exit-handler
+  podMetadata:
+    labels:
+      network-policy/allow-minio-traffic: apply
+      network-policy/allow-kube-apiserver-traffic: apply
   artifactGC:
     strategy: OnWorkflowDeletion
     serviceAccountName: foundry-workflows

diff --git a/cloud/custom-resources/argo-workflows/saltysausage-offsite-backup.yaml b/cloud/custom-resources/argo-workflows/saltysausage-offsite-backup.yaml
@@ -9,13 +9,12 @@ spec:
   concurrencyPolicy: "Replace"
   startingDeadlineSeconds: 0
   successfulJobsHistoryLimit: 7
-  workflowMetadata:
-    labels:
-      network-policy/allow-minio-traffic: apply
   workflowSpec:
     podMetadata:
-      network-policy/allow-minio-traffic: apply
-      network-policy/allow-kube-apiserver-traffic: apply
+      labels:
+        network-policy/allow-minio-traffic: apply
+        network-policy/allow-kube-apiserver-traffic: apply
+        network-policy/allow-backup-egress: apply
     entrypoint: main
     onExit: exit-handler
     artifactGC:

diff --git a/cloud/networking/network-policies/allow-backup-egress.yaml b/cloud/networking/network-policies/allow-backup-egress.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-backup-egress
+spec:
+  endpointSelector:
+    matchLabels:
+      network-policy/allow-backup-egress: apply
+  egress:
+    - toFQDNs:
+        - matchName: "backups92217735.blob.core.windows.net"
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+          rules:
+            http: [{}]
diff --git a/cloud/networking/network-policies/allow-kube-apiserver-traffic.yaml b/cloud/networking/network-policies/allow-kube-apiserver-traffic.yaml
@@ -1,21 +1,15 @@
-# ---
-# apiVersion: cilium.io/v2
-# kind: CiliumNetworkPolicy
-# metadata:
-#   name: allow-kube-apiserver-traffic
-# spec:
-#   endpointSelector:
-#     matchLabels:
-#       network-policy/allow-kube-apiserver-traffic: apply
-#   ingress:
-#     - fromEntities:
-#         - kube-apiserver
-#   egress:
-#     - toEntities:
-#         - kube-apiserver
-#       toPorts:
-#         - ports:
-#             - port: "443"
-#               protocol: TCP
-#           rules:
-#             http: [{}]
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-kube-apiserver-traffic
+spec:
+  endpointSelector:
+    matchLabels:
+      network-policy/allow-kube-apiserver-traffic: apply
+  ingress:
+    - fromEntities:
+        - kube-apiserver
+  egress:
+    - toEntities:
+        - kube-apiserver
diff --git a/cloud/networking/network-policies/allow-minio-traffic.yaml b/cloud/networking/network-policies/allow-minio-traffic.yaml
@@ -1,27 +1,21 @@
-# ---
-# apiVersion: cilium.io/v2
-# kind: CiliumNetworkPolicy
-# metadata:
-#   name: allow-minio-traffic
-# spec:
-#   endpointSelector:
-#     matchLabels:
-#       network-policy/allow-minio-traffic: apply
-#   ingress:
-#     - fromEndpoints:
-#         - matchLabels:
-#             app: minio
-#             v1.min.io/tenant: default
-#             io.kubernetes.pod.namespace: storage
-#   egress:
-#     - toEndpoints:
-#         - matchLabels:
-#             app: minio
-#             v1.min.io/tenant: default
-#             io.kubernetes.pod.namespace: storage
-#       toPorts:
-#         - ports:
-#             - port: "9000"
-#               protocol: TCP
-#           rules:
-#             http: [{}]
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-minio-traffic
+spec:
+  endpointSelector:
+    matchLabels:
+      network-policy/allow-minio-traffic: apply
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app: minio
+            v1.min.io/tenant: default
+            io.kubernetes.pod.namespace: storage
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            app: minio
+            v1.min.io/tenant: default
+            io.kubernetes.pod.namespace: storage
diff --git a/cloud/networking/network-policies/default-deny-egress.yaml b/cloud/networking/network-policies/default-deny-egress.yaml
@@ -1,28 +1,28 @@
-# ---
-# apiVersion: cilium.io/v2
-# kind: CiliumNetworkPolicy
-# metadata:
-#   name: default-deny-egress
-#   namespace: foundry
-# spec:
-#   endpointSelector: {}
-#   egress:
-#     # DNS
-#     - toEndpoints:
-#         - matchLabels:
-#             io.kubernetes.pod.namespace: kube-system
-#             k8s-app: kube-dns
-#       toPorts:
-#         - ports:
-#             - port: "53"
-#               protocol: UDP
-#           rules:
-#             dns:
-#               - matchPattern: "*"
-#     # ingress-nginx
-#     - toEndpoints:
-#         - matchLabels:
-#             app.kubernetes.io/name: ingress-nginx
-#             app.kubernetes.io/instance: ingress-nginx
-#             app.kubernetes.io/component: controller
-#             io.kubernetes.pod.namespace: ingress-nginx
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+    name: default-deny-egress
+    namespace: foundry
+spec:
+    endpointSelector: {}
+    egress:
+        # DNS
+        - toEndpoints:
+              - matchLabels:
+                    io.kubernetes.pod.namespace: kube-system
+                    k8s-app: kube-dns
+          toPorts:
+              - ports:
+                    - port: "53"
+                      protocol: UDP
+                rules:
+                    dns:
+                        - matchPattern: "*"
+        # ingress-nginx
+        - toEndpoints:
+              - matchLabels:
+                    app.kubernetes.io/name: ingress-nginx
+                    app.kubernetes.io/instance: ingress-nginx
+                    app.kubernetes.io/component: controller
+                    io.kubernetes.pod.namespace: ingress-nginx