hive-apps/resources/networkpolicy.yml

# Predefined NetworkPolicies.
# Single rules can be collected into groups; groups or single rules are then
# applied to projects.
networkPolicy:
  config:
    # Generate a NetworkPolicy that allows traffic inside the project's own
    # namespace? It is only applied when other NetworkPolicies are active on
    # the project (otherwise no policy selects the pods and nothing is blocked).
    allowNamespace: true

  # Used for a project that does not declare its own groups/rules.
  default:
    groups: []
    rules: []

  # Named bundles of rules.
  groups:
    # Baseline for a workload that talks to the internet: DNS, the outbound
    # proxy and inbound traffic via the external ingress controller.
    # NOTE(review): allow-ingress-traffic (see the rule below) admits ingress
    # from *any* source, so this group is wider than its name suggests.
    internet:
      - allow-dns
      - allow-proxy
      - allow-ingress
      - allow-ingress-traffic

  # Individual NetworkPolicy specs. `podSelector: {}` selects every pod in the
  # project namespace. Each rule lists only the policyTypes it restricts, so a
  # pod selected by an Egress-only rule stays unrestricted on Ingress unless
  # some other rule declares Ingress.
  rules:
    # Egress: DNS over UDP/53 to pods in every namespace; all other outbound
    # traffic is denied once this rule selects the pod.
    # NOTE(review): TCP/53 is not opened, so DNS fallback to TCP (large
    # responses) would be blocked — confirm that is intended.
    allow-dns:
      podSelector: {}
      policyTypes:
        - Egress
      egress:
        - to:
            - namespaceSelector: {}
          ports:
            - port: 53
              protocol: UDP

    # Egress: HTTPS to pods in the namespace labelled `name: kube-system`.
    # NOTE(review): `name` is not a label Kubernetes sets on namespaces by
    # itself (the built-in one is `kubernetes.io/metadata.name`); confirm the
    # label is present, otherwise this rule selects no destination at all.
    allow-kubeapi:
      podSelector: {}
      policyTypes:
        - Egress
      egress:
        - to:
            - namespaceSelector:
                matchLabels:
                  name: kube-system
          ports:
            - port: 443
              protocol: TCP

    # Egress for CloudNativePG (Nextcloud instance): HTTPS to the single
    # address 10.43.0.1.
    # NOTE(review): 10.43.0.1/32 looks like a service ClusterIP (presumably the
    # `kubernetes` API service) — verify, and note that the literal will break
    # silently if the service CIDR ever changes.
    allow-cnpg-nextcloud:
      podSelector: {}
      policyTypes:
        - Egress
      egress:
        - to:
            - ipBlock:
                cidr: 10.43.0.1/32
          ports:
            - port: 443
              protocol: TCP

    # Egress: TCP/3128 to the internet proxy namespace.
    allow-proxy:
      podSelector: {}
      policyTypes:
        - Egress
      egress:
        - to:
            - namespaceSelector:
                matchLabels:
                  app.heqet.gnu.one/name: proxy
          ports:
            - port: 3128
              protocol: TCP

    # Ingress: any port, from pods in the ingress-external project namespace.
    allow-ingress:
      podSelector: {}
      policyTypes:
        - Ingress
      ingress:
        - from:
            - namespaceSelector:
                matchLabels:
                  project.heqet.gnu.one/name: ingress-external

    # Ingress: Gitea SSH on TCP/2222, from the 192.168.1.0/24 range or from
    # pods in the wiki namespace (the two `from` entries are OR-ed).
    # NOTE(review): ipBlock matches the source address as seen by the node;
    # traffic arriving through a SNAT-ing load balancer may not carry the
    # client's LAN address — verify against the actual ingress path.
    allow-ssh:
      podSelector: {}
      policyTypes:
        - Ingress
      ingress:
        - from:
            - ipBlock:
                cidr: 192.168.1.0/24
            - namespaceSelector:
                matchLabels:
                  app.heqet.gnu.one/name: wiki
          ports:
            - port: 2222
              protocol: TCP

    # Egress: direct access to Gitea SSH (TCP/2222) in the gitea namespace.
    allow-gitea:
      podSelector: {}
      policyTypes:
        - Egress
      egress:
        - to:
            - namespaceSelector:
                matchLabels:
                  app.heqet.gnu.one/name: gitea
          ports:
            - port: 2222
              protocol: TCP

    # Ingress: any port, from pods in the CI agent namespace (label value is
    # spelled `woodpacker-agent` in this cluster; presumably Woodpecker CI) so
    # the agent can reach the server.
    allow-agent:
      podSelector: {}
      policyTypes:
        - Ingress
      ingress:
        - from:
            - namespaceSelector:
                matchLabels:
                  app.heqet.gnu.one/name: woodpacker-agent

    # Egress: MinIO S3 API on TCP/9000 in the minio namespace.
    allow-minio:
      podSelector: {}
      policyTypes:
        - Egress
      egress:
        - to:
            - namespaceSelector:
                matchLabels:
                  app.heqet.gnu.one/name: minio
          ports:
            - port: 9000
              protocol: TCP

    # Ingress: an empty rule (`{}`) matches every source on every port, i.e.
    # unrestricted inbound traffic from any namespace or address.
    allow-ingress-traffic:
      podSelector: {}
      policyTypes:
        - Ingress
      ingress:
        - {}

    # Egress: any port, to pods in namespaces labelled `environment: external`.
    allow-external-services:
      podSelector: {}
      policyTypes:
        - Egress
      egress:
        - to:
            - namespaceSelector:
                matchLabels:
                  environment: external

    # Egress: TCP/80 and TCP/8080 to namespaces of the argocd project. Note the
    # selector key is `.../project`, unlike the `.../name` key used elsewhere.
    allow-argocd:
      podSelector: {}
      policyTypes:
        - Egress
      egress:
        - to:
            - namespaceSelector:
                matchLabels:
                  app.heqet.gnu.one/project: argocd
          ports:
            - port: 80
              protocol: TCP
            - port: 8080
              protocol: TCP