hive-apps/resources/networkpolicy.yml

162 lines
3.4 KiB
YAML

# NetworkPolicies predefinition
# rules can be added to groups. Groups or rules can be applied to projects.
#
networkPolicy:
config:
# Generate NetworkPolicy to allow communication inside of the project namespace?
# Only gets applied when other networkpolices are active on the project
allowNamespace: true
default:
groups: []
rules: []
groups:
internet:
- allow-dns
- allow-proxy
- allow-ingress
- allow-ingress-traffic
rules:
# Allow DNS to all Namespaces, deny everything else
allow-dns:
podSelector: {}
policyTypes:
- Egress
egress:
- ports:
- port: 53
protocol: UDP
to:
- namespaceSelector: {}
# Allow access to internet proxy
allow-proxy:
podSelector: {}
policyTypes:
- Egress
egress:
- ports:
- port: 3128
protocol: TCP
to:
- namespaceSelector:
matchLabels:
app.heqet.gnu.one/name: proxy
# Allow access from ingress-external
allow-ingress:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
project.heqet.gnu.one/name: ingress-external
# Allow SSH for Gitea
allow-ssh:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 192.168.1.0/24
- namespaceSelector:
matchLabels:
app.heqet.gnu.one/name: wiki
ports:
- port: 2222
protocol: TCP
# Allow direct access to gitea
allow-gitea:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
app.heqet.gnu.one/name: forgejo
ports:
- port: 2222
protocol: TCP
# Allow Woodpacker-Agent to access Woodpacker Server
allow-agent:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
app.heqet.gnu.one/name: woodpacker-agent
allow-minio:
podSelector: {}
policyTypes:
- Egress
egress:
- ports:
- port: 9000
protocol: TCP
to:
- namespaceSelector:
matchLabels:
app.heqet.gnu.one/name: s3
allow-ingress-traffic:
podSelector: {}
policyTypes:
- Ingress
ingress:
- {}
allow-external-services:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
environment: external
allow-argocd:
podSelector: {}
policyTypes:
- Egress
egress:
- ports:
- port: 80
protocol: TCP
- port: 8080
protocol: TCP
to:
- namespaceSelector:
matchLabels:
app.heqet.gnu.one/project: argocd
# Allow access to internet proxy
allow-localai:
podSelector: {}
policyTypes:
- Egress
egress:
- ports:
- port: 80
protocol: TCP
- port: 8080
protocol: TCP
to:
- podSelector:
matchLabels:
app.kubernetes.io/name: local-ai
- namespaceSelector:
matchLabels:
app.heqet.gnu.one/project: ai