Fixed network policies

2023-11-18 12:24:21 +01:00 · 2023-11-18 12:24:21 +01:00 · 35ef41ef45
parent 71a85dc3ce
commit 35ef41ef45
3 changed files with 83 additions and 16 deletions
--- a/helm/cluster_setup/Chart.yaml
+++ b/helm/cluster_setup/Chart.yaml
@ -1,6 +1,6 @@
 apiVersion: v2
 name: cluster_setup
-version: 0.4.0
+version: 0.4.1
 type: application
 description: "Initial cluster setup"
 maintainers:
@ -8,8 +8,8 @@ maintainers:
    url: https://2martens.de
 annotations:
  artifacthub.io/changes: |
-    - kind: added
-      description: Added cilium network policies
+    - kind: fixed
+      description: Fixed network policies
  artifacthub.io/signKey: |
    fingerprint: F0F153B65BAD467201D7544E47393ABD1F96B7C8
    url: https://mafiasi.de/pks/key/47393ABD1F96B7C8.asc
--- a/helm/cluster_setup/templates/cilium/hubble-relay-networkpolicy.yaml
+++ b/helm/cluster_setup/templates/cilium/hubble-relay-networkpolicy.yaml
@ -26,4 +26,44 @@ specs:
          - ports:
              - port: '4244'
                protocol: TCP
+      - toEntities:
+          - world
+        toPorts:
+          - ports:
+              - port: '443'
+                protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: hubble-relay
+  namespace: kube-system
+spec:
+  podSelector:
+    matchLabels:
+      k8s-app: hubble-relay
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              k8s-app: hubble-ui
+      ports:
+        - port: '80'
+          protocol: TCP
+        - port: '4245'
+          protocol: TCP
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+        - podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - port: '53'
+          protocol: UDP
 {{- end }}
--- a/helm/cluster_setup/templates/cilium/hubble-ui-networkpolicy.yaml
+++ b/helm/cluster_setup/templates/cilium/hubble-ui-networkpolicy.yaml
@ -16,6 +16,8 @@ specs:
              io.cilium.k8s.policy.serviceaccount: hubble-ui
        toPorts:
          - ports:
+              - port: '80'
+                protocol: TCP
              - port: '4245'
                protocol: TCP
  - endpointSelector:
@ -30,20 +32,45 @@ specs:
          - ports:
              - port: '16443'
                protocol: TCP
-      # hubble ui -> hubble relay
-      - toEndpoints:
-          - matchLabels:
-              io.cilium.k8s.policy.serviceaccount: hubble-relay
-        toPorts:
-          - ports:
-              - port: '4245'
-                protocol: TCP
      # hubble ui -> core dns
-      - toEndpoints:
-          - matchLabels:
-              io.cilium.k8s.policy.serviceaccount: coredns
+      - toEntities:
+          - world
        toPorts:
          - ports:
-              - port: '53'
-                protocol: UDP
+              - port: '443'
+                protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: hubble-ui
+  namespace: kube-system
+spec:
+  podSelector:
+    matchLabels:
+      k8s-app: hubble-ui
+  policyTypes:
+  - Egress
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              k8s-app: hubble-relay
+      ports:
+        - port: '80'
+          protocol: TCP
+        - port: '4245'
+          protocol: TCP
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+        - podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - port: '53'
+          protocol: UDP
+---
+
 {{- end }}