diff --git a/helm/cluster_setup/Chart.yaml b/helm/cluster_setup/Chart.yaml
index b7cb17f..3e5e9f6 100644
--- a/helm/cluster_setup/Chart.yaml
+++ b/helm/cluster_setup/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: cluster_setup
-version: 0.4.0
+version: 0.4.1
 type: application
 description: "Initial cluster setup"
 maintainers:
@@ -8,8 +8,8 @@ maintainers:
 url: https://2martens.de
 annotations:
 artifacthub.io/changes: |
- - kind: added
- description: Added cilium network policies
+ - kind: fixed
+ description: Fixed network policies
 artifacthub.io/signKey: |
 fingerprint: F0F153B65BAD467201D7544E47393ABD1F96B7C8
 url: https://mafiasi.de/pks/key/47393ABD1F96B7C8.asc
diff --git a/helm/cluster_setup/templates/cilium/hubble-relay-networkpolicy.yaml b/helm/cluster_setup/templates/cilium/hubble-relay-networkpolicy.yaml
index 3d2e9cf..f941285 100644
--- a/helm/cluster_setup/templates/cilium/hubble-relay-networkpolicy.yaml
+++ b/helm/cluster_setup/templates/cilium/hubble-relay-networkpolicy.yaml
@@ -26,4 +26,44 @@ specs:
 - ports:
 - port: '4244'
 protocol: TCP
+ - toEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: '443'
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: hubble-relay
+ namespace: kube-system
+spec:
+ podSelector:
+ matchLabels:
+ k8s-app: hubble-relay
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ k8s-app: hubble-ui
+ ports:
+ - port: '80'
+ protocol: TCP
+ - port: '4245'
+ protocol: TCP
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ - podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - port: '53'
+ protocol: UDP
 {{- end }}
\ No newline at end of file
diff --git a/helm/cluster_setup/templates/cilium/hubble-ui-networkpolicy.yaml b/helm/cluster_setup/templates/cilium/hubble-ui-networkpolicy.yaml
index ee100bb..8ddd224 100644
--- a/helm/cluster_setup/templates/cilium/hubble-ui-networkpolicy.yaml
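Review bot: In the added NetworkPolicy's `egress` rule, `- namespaceSelector:` and `- podSelector:` appear to be two separate entries under `to:`, and Kubernetes treats separate peers as alternatives, so UDP/53 is permitted to every pod in kube-system or to any `k8s-app: kube-dns` pod, not only to kube-dns; indentation is not recoverable from this rendering, so confirm against the file. The intended peer is one entry carrying both selectors: keep `- namespaceSelector:` with its `matchLabels` and put `podSelector:` (without a leading dash) beside it at the same level inside that single item. The hubble-ui NetworkPolicy in the next file's second hunk repeats the same two-entry `to:` shape for DNS egress. The Cilium rule added just above, `- toEntities:` / `- world` on TCP/443, grants hubble-relay outbound access to everything outside the cluster on that port; a one-line comment naming the destination it exists for, in the style of the `# hubble ui -> ...` comments in the sibling file, would document why that breadth is needed. The `specs:` list these rules belong to starts outside the hunk.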
+++ b/helm/cluster_setup/templates/cilium/hubble-ui-networkpolicy.yaml
@@ -16,6 +16,8 @@ specs:
 io.cilium.k8s.policy.serviceaccount: hubble-ui
 toPorts:
 - ports:
+ - port: '80'
+ protocol: TCP
 - port: '4245'
 protocol: TCP
 - endpointSelector:
@@ -30,20 +32,45 @@ specs:
 - ports:
 - port: '16443'
 protocol: TCP
- # hubble ui -> hubble relay
- - toEndpoints:
- - matchLabels:
- io.cilium.k8s.policy.serviceaccount: hubble-relay
- toPorts:
- - ports:
- - port: '4245'
- protocol: TCP
 # hubble ui -> core dns
- - toEndpoints:
- - matchLabels:
- io.cilium.k8s.policy.serviceaccount: coredns
+ - toEntities:
+ - world
 toPorts:
 - ports:
- - port: '53'
- protocol: UDP
+ - port: '443'
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: hubble-ui
+ namespace: kube-system
+spec:
+ podSelector:
+ matchLabels:
+ k8s-app: hubble-ui
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ k8s-app: hubble-relay
+ ports:
+ - port: '80'
+ protocol: TCP
+ - port: '4245'
+ protocol: TCP
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ - podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - port: '53'
+ protocol: UDP
+---
+
 {{- end }}
\ No newline at end of file
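Review bot: In the second hunk the kept context comment `# hubble ui -> core dns` now sits directly above the rule that replaced the CoreDNS rule, `- toEntities:` / `- world` on TCP/443, so it labels an egress-to-anywhere rule as DNS traffic; change it to `# hubble ui -> outside the cluster (world), TCP/443` or remove it. The trailing `---` plus the added blank line before `{{- end }}` renders an empty trailing document; Helm tolerates it, but it serves no purpose and the other file ends without it, so dropping both lines keeps the templates consistent. The `specs:` list these rules belong to starts outside the hunk.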