hive-apps/resources/networkpolicy.yml

# Predefined NetworkPolicy building blocks.
#
# Each entry under `rules` is one NetworkPolicy spec fragment. Rules can be
# bundled into named `groups`; a project then references groups and/or
# individual rules. Every rule uses `podSelector: {}`, so once applied it
# covers every pod in the project namespace.
#
# NOTE(review): all selectors below match labels on *namespaces*
# (`namespaceSelector`), never on pods. A rule therefore admits every pod in a
# matching namespace, and on every port unless `ports` narrows it.
networkPolicy:
  config:
    # Emit an extra NetworkPolicy permitting all traffic between pods of the
    # same project namespace. Only takes effect when at least one other
    # NetworkPolicy is active on the project (otherwise the namespace is
    # already unrestricted).
    allowNamespace: true

  # Used for projects that do not pick any groups or rules themselves.
  default:
    groups: []
    rules: []

  groups:
    # Baseline for an internet-facing service.
    # NOTE(review): `allow-ingress-traffic` admits *any* source (see below),
    # so the narrower `allow-ingress` is redundant inside this group.
    internet:
      - allow-dns
      - allow-proxy
      - allow-ingress
      - allow-ingress-traffic

  rules:
    # Egress UDP/53 to any pod in any namespace; with `policyTypes: [Egress]`
    # all other egress is denied unless another policy allows it.
    # NOTE(review): not limited to the cluster DNS service, and TCP/53 (large
    # responses, truncation fallback) is not covered — confirm intended.
    allow-dns:
      podSelector: {}
      policyTypes:
        - Egress
      egress:
        - to:
            - namespaceSelector: {}
          ports:
            - port: 53
              protocol: UDP

    # Egress TCP/3128 to the namespace labelled as the outbound proxy.
    allow-proxy:
      podSelector: {}
      policyTypes:
        - Egress
      egress:
        - to:
            - namespaceSelector:
                matchLabels:
                  app.heqet.gnu.one/name: proxy
          ports:
            - port: 3128
              protocol: TCP

    # Ingress on all ports from the external ingress controller's namespace.
    # Note this rule selects by the `project` label, not `app` like most others.
    allow-ingress:
      podSelector: {}
      policyTypes:
        - Ingress
      ingress:
        - from:
            - namespaceSelector:
                matchLabels:
                  project.heqet.gnu.one/name: ingress-external

    # Ingress TCP/2222 (Gitea SSH) from the local LAN range and from the
    # `wiki` namespace.
    # NOTE(review): `ipBlock` is only effective when the original client IP
    # survives to the pod (no SNAT by the load balancer / ingress) — verify
    # against the cluster's traffic path.
    allow-ssh:
      podSelector: {}
      policyTypes:
        - Ingress
      ingress:
        - from:
            - ipBlock:
                cidr: 192.168.1.0/24
            - namespaceSelector:
                matchLabels:
                  app.heqet.gnu.one/name: wiki
          ports:
            - port: 2222
              protocol: TCP

    # Egress TCP/2222 straight to the `gitea` namespace (bypasses the proxy).
    allow-gitea:
      podSelector: {}
      policyTypes:
        - Egress
      egress:
        - to:
            - namespaceSelector:
                matchLabels:
                  app.heqet.gnu.one/name: gitea
          ports:
            - port: 2222
              protocol: TCP

    # Ingress from the CI agent's namespace (label value `woodpacker-agent`
    # as used in the cluster), intended for the agent to reach its server.
    # NOTE(review): no `ports` clause — every port of every pod in the project
    # is reachable from that namespace, not only the agent/server port.
    allow-agent:
      podSelector: {}
      policyTypes:
        - Ingress
      ingress:
        - from:
            - namespaceSelector:
                matchLabels:
                  app.heqet.gnu.one/name: woodpacker-agent

    # Egress TCP/9000 (S3 API) to the `minio` namespace.
    allow-minio:
      podSelector: {}
      policyTypes:
        - Egress
      egress:
        - to:
            - namespaceSelector:
                matchLabels:
                  app.heqet.gnu.one/name: minio
          ports:
            - port: 9000
              protocol: TCP

    # Ingress from anywhere: an empty rule element `{}` matches every source
    # (all pods in all namespaces and any external IP) on every port.
    # NOTE(review): this is effectively "no ingress restriction"; apply only
    # where that is the intent.
    allow-ingress-traffic:
      podSelector: {}
      policyTypes:
        - Ingress
      ingress:
        - {}

    # Egress on all ports to every namespace labelled `environment: external`.
    # Uses a plain `environment` label rather than the `*.heqet.gnu.one` keys
    # used elsewhere — confirm which namespaces actually carry it.
    allow-external-services:
      podSelector: {}
      policyTypes:
        - Egress
      egress:
        - to:
            - namespaceSelector:
                matchLabels:
                  environment: external

    # Egress TCP/80 and TCP/8080 to namespaces belonging to the `argocd`
    # project. Selects by `app.heqet.gnu.one/project`, not `/name`, so it
    # matches every namespace of that project rather than a single app.
    allow-argocd:
      podSelector: {}
      policyTypes:
        - Egress
      egress:
        - to:
            - namespaceSelector:
                matchLabels:
                  app.heqet.gnu.one/project: argocd
          ports:
            - port: 80
              protocol: TCP
            - port: 8080
              protocol: TCP