add(netpol): allow cnpg2kubeapi

projects/gitea/manifests/netpol.yaml

@@ -0,0 +1,16 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-cnpg-kubeapi
+  namespace: gitea
+spec:
+  endpointSelector:
+    matchLabels:
+      cnpg.io/podRole: instance
+  egress:
+  - toEntities:
+    - kube-apiserver
+  - toPorts:
+    - ports:
+      - port: "6443"
+        protocol: TCP

projects/nextcloud/manifests/netpol.yaml

@@ -0,0 +1,16 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-cnpg-kubeapi
+  namespace: nextcloud
+spec:
+  endpointSelector:
+    matchLabels:
+      cnpg.io/podRole: instance
+  egress:
+  - toEntities:
+    - kube-apiserver
+  - toPorts:
+    - ports:
+      - port: "6443"
+        protocol: TCP

projects/nextcloud/project.yaml

@@ -5,7 +5,6 @@ config:
     - internet
     rules:
     - allow-minio
-    - allow-cnpg-nextcloud
 
   labels:
     environment: external

resources/networkpolicy.yml

@@ -31,32 +31,6 @@ networkPolicy:
         to:
         - namespaceSelector: {}
 
-    allow-kubeapi:
-      podSelector: {}
-      policyTypes:
-      - Egress
-      egress:
-      - ports:
-        - port: 443
-          protocol: TCP
-        to:
-        - namespaceSelector:
-            matchLabels:
-              name: kube-system
-
-    # Cloudnative PG
-    allow-cnpg-nextcloud:
-      podSelector: {}
-      policyTypes:
-      - Egress
-      egress:
-      - ports:
-        - port: 443
-          protocol: TCP
-        to:
-        - ipBlock:
-            cidr: 10.43.0.1/32
-
     # Allow access to internet proxy
     allow-proxy:
       podSelector: {}