From e84294b2c2bd8b938c385dd637706f1e2ec6ae54 Mon Sep 17 00:00:00 2001
From: nold
Date: Thu, 15 Dec 2022 17:46:52 +0100
Subject: [PATCH] add(netpol): allow cnpg2kubeapi
---
 projects/gitea/manifests/netpol.yaml | 16 +++++++++++++++
 projects/nextcloud/manifests/netpol.yaml | 16 +++++++++++++++
 projects/nextcloud/project.yaml | 1 -
 resources/networkpolicy.yml | 26 ------------------------
 4 files changed, 32 insertions(+), 27 deletions(-)
 create mode 100644 projects/gitea/manifests/netpol.yaml
 create mode 100644 projects/nextcloud/manifests/netpol.yaml
diff --git a/projects/gitea/manifests/netpol.yaml b/projects/gitea/manifests/netpol.yaml
new file mode 100644
index 00000000..02863cec
--- /dev/null
+++ b/projects/gitea/manifests/netpol.yaml
@@ -0,0 +1,16 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-cnpg-kubeapi
+ namespace: gitea
+spec:
+ endpointSelector:
+ matchLabels:
+ cnpg.io/podRole: instance
+ egress:
+ - toEntities:
+ - kube-apiserver
+ - toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
diff --git a/projects/nextcloud/manifests/netpol.yaml b/projects/nextcloud/manifests/netpol.yaml
new file mode 100644
index 00000000..de59b99d
--- /dev/null
+++ b/projects/nextcloud/manifests/netpol.yaml
@@ -0,0 +1,16 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-cnpg-kubeapi
+ namespace: nextcloud
+spec:
+ endpointSelector:
+ matchLabels:
+ cnpg.io/podRole: instance
+ egress:
+ - toEntities:
+ - kube-apiserver
+ - toPorts:
+ - ports:
+ - port: "6443"
+ protocol: TCP
diff --git a/projects/nextcloud/project.yaml b/projects/nextcloud/project.yaml
index fedd67cc..6c68a15e 100644
--- a/projects/nextcloud/project.yaml
+++ b/projects/nextcloud/project.yaml
@@ -5,7 +5,6 @@ config:
 - internet
 rules:
 - allow-minio
- - allow-cnpg-nextcloud
 labels:
 environment: external
diff --git a/resources/networkpolicy.yml b/resources/networkpolicy.yml
index f0ba5b27..9caa0547 100644
--- a/resources/networkpolicy.yml
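Review bot: In projects/gitea/manifests/netpol.yaml the `toPorts` block is written as a second entry of the `egress` list instead of as a sibling key of `toEntities` inside the same rule, and projects/nextcloud/manifests/netpol.yaml has the same shape. As I read Cilium's policy semantics each `egress` entry is an independent rule, so the first entry allows the selected pods to reach the kube-apiserver entity on every port and the second allows TCP/6443 to any destination, which is wider than the `allow-cnpg-kubeapi` name suggests. Nesting `toPorts` under the `toEntities` rule narrows the allow to the apiserver on 6443 only. It is also worth confirming that 6443 is the port the policy engine sees for apiserver traffic from these pods, since the rule this replaces in resources/networkpolicy.yml matched port 443 on 10.43.0.1/32.
```yaml
  # … unchanged: apiVersion, kind, metadata, endpointSelector …
  egress:
    - toEntities:
        - kube-apiserver
      toPorts:
        - ports:
            - port: "6443"
              protocol: TCP
```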
+++ b/resources/networkpolicy.yml
@@ -31,32 +31,6 @@ networkPolicy:
 to:
 - namespaceSelector: {}
- allow-kubeapi:
- podSelector: {}
- policyTypes:
- - Egress
- egress:
- - ports:
- - port: 443
- protocol: TCP
- to:
- - namespaceSelector:
- matchLabels:
- name: kube-system
-
- # Cloudnative PG
- allow-cnpg-nextcloud:
- podSelector: {}
- policyTypes:
- - Egress
- egress:
- - ports:
- - port: 443
- protocol: TCP
- to:
- - ipBlock:
- cidr: 10.43.0.1/32
-
 # Allow access to internet proxy
 allow-proxy:
 podSelector: {}