diff --git a/infra-root.yaml b/infra-root.yaml
new file mode 100644
index 0000000..9867ee0
--- /dev/null
+++ b/infra-root.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: infra-root
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/gwg313/homelab-gitops
+ targetRevision: main
+ path: infra
+ directory:
+ recurse: true
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/infra/network-policies-app.yaml b/infra/network-policies-app.yaml
new file mode 100644
index 0000000..cd5b59c
--- /dev/null
+++ b/infra/network-policies-app.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: default-network-policies
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-10"
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/gwg313/homelab-gitops
+ targetRevision: main
+ path: platform/default-network-policies
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/platform/default-network-policies/core-k8s-services.yaml b/platform/default-network-policies/core-k8s-services.yaml
new file mode 100644
index 0000000..75fb153
--- /dev/null
+++ b/platform/default-network-policies/core-k8s-services.yaml
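Review bot: Both new Applications sit in the `default` AppProject (`project: default` here and in infra/network-policies-app.yaml), which out of the box permits any source repository, any destination cluster and namespace, and any cluster-scoped resource kind; combined with `recurse: true`, `prune: true` and `selfHeal: true` on an app-of-apps, anything merged under `infra/` on `main` becomes a cluster-wide, self-healing deployment with no project-level guardrail. A dedicated AppProject that pins `sourceRepos` to this repository, limits `destinations`, and lists in `clusterResourceWhitelist` only the cluster-scoped kinds these apps legitimately manage (`CiliumClusterwideNetworkPolicy` is one) would bound the blast radius of a mistaken or malicious commit. If a floating `targetRevision: main` is deliberate for the root app, a short comment saying so next to it would save the next reader from asking.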
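Review bot: The `argocd.argoproj.io/sync-wave: "-10"` annotation orders this child Application ahead of the other children of infra-root, but whether later waves actually wait for this app's policies to be applied depends on Argo CD treating the `Application` kind as having health, which on recent versions requires a configured health check rather than being built in; nothing in this hunk shows that configuration, so the ordering may be advisory only. Record the assumption next to the annotation, for example `# -10: land the baseline network policies before any other infra app (relies on an Application health check so later waves wait)`, so that whoever sets up Argo CD knows what this depends on.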
@@ -0,0 +1,70 @@
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: baseline-allow-coredns-egress
+spec:
+ description: "Allow all pods to send DNS queries out to CoreDNS"
+ endpointSelector:
+ matchLabels: {}
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: baseline-allow-coredns-ingress
+spec:
+ description: "Allow CoreDNS to receive incoming DNS queries"
+ endpointSelector:
+ matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ ingress:
+ - fromEndpoints:
+ - matchLabels: {} # Accepts from any pod
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: baseline-allow-apiserver
+spec:
+ description: "Allow all pods to communicate with the K8s API"
+ endpointSelector:
+ matchLabels: {}
+ egress:
+ - toEntities:
+ - kube-apiserver
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: baseline-allow-coredns-to-internet
+spec:
+ description: "Allow CoreDNS pods to reach upstream DNS servers on the internet"
+ endpointSelector:
+ matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ egress:
+ - toEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: ANY
diff --git a/platform/default-network-policies/default-deny.yaml b/platform/default-network-policies/default-deny.yaml
new file mode 100644
index 0000000..5fd2d7f
--- /dev/null
+++ b/platform/default-network-policies/default-deny.yaml
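Review bot: `baseline-allow-apiserver` has no `toPorts`, so every pod in the cluster may reach every port of whatever Cilium resolves as the `kube-apiserver` entity, whereas the three DNS policies in the same file are correctly pinned to port 53. Restricting the rule to the API server's listening port keeps the baseline consistent and matters more than it looks, because when the API server runs as a host-network static pod the entity can overlap with node identities, so an unported rule widens reach beyond the API itself (worth confirming against this cluster's topology). I would also note in a comment on `baseline-allow-coredns-ingress` that `fromEndpoints: - matchLabels: {}` admits pod-sourced queries only, so host-network clients that resolve through CoreDNS would need a `fromEntities` rule.
```yaml
# … unchanged: baseline-allow-apiserver metadata, description and endpointSelector …
  egress:
    - toEntities:
        - kube-apiserver
      toPorts:
        - ports:
            - port: "6443"  # PLACEHOLDER: set to the port this cluster's API server listens on
              protocol: TCP
```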
@@ -0,0 +1,12 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: baseline-default-deny
+spec:
+ description: "Deny all ingress and egress cluster-wide by default"
+ endpointSelector:
+ matchLabels: {}
+ ingress:
+ - {}
+ egress:
+ - {}
diff --git a/platform/default-network-policies/hubble.yaml b/platform/default-network-policies/hubble.yaml
new file mode 100644
index 0000000..2e0c040
--- /dev/null
+++ b/platform/default-network-policies/hubble.yaml
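Review bot: `baseline-default-deny` carries no sync-wave, so nothing guarantees that the `baseline-allow-*` policies in core-k8s-services.yaml and the Hubble policies land before the deny does; as far as I know Argo CD orders same-wave resources by kind and then name, which happens to put this document after the `baseline-allow-*` CiliumClusterwideNetworkPolicies today, but that is incidental and says nothing about the CiliumNetworkPolicy kind in hubble.yaml. Pin it explicitly with `metadata.annotations` / `argocd.argoproj.io/sync-wave: "1"` on this document and leave the allow policies at the default wave. Separately, nothing in this policy set permits ingress to pods from the `kube-apiserver` entity, so any pod serving an admission or conversion webhook or an aggregated API becomes unreachable from the control plane once this applies; a comment on the `ingress: - {}` line naming that gap would keep it from being rediscovered during an outage. This file also omits the leading `---` that core-k8s-services.yaml uses; pick one style for the directory.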
@@ -0,0 +1,77 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-hubble-port-forward
+ namespace: kube-system
+spec:
+ description: "Allow host-level port-forwarding to Hubble Relay and UI"
+ endpointSelector:
+ matchLabels:
+ io.cilium.k8s.policy.serviceaccount: hubble-relay
+ ingress:
+ - fromEntities:
+ - host
+ - remote-node
+ toPorts:
+ - ports:
+ - port: "4245"
+ protocol: TCP
+ - port: "8081"
+ protocol: TCP
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-hubble-ui-to-relay
+ namespace: kube-system
+spec:
+ description: "Allow Hubble UI to fetch data from Hubble Relay"
+ endpointSelector:
+ matchLabels:
+ k8s-app: hubble-relay
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ k8s-app: hubble-ui
+ toPorts:
+ - ports:
+ - port: "4245"
+ protocol: TCP
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-hubble-relay-to-agents
+ namespace: kube-system
+spec:
+ description: "Allow Hubble Relay to collect flows from Cilium node agents"
+ endpointSelector:
+ matchLabels:
+ k8s-app: hubble-relay
+ egress:
+ - toEntities:
+ - host
+ - remote-node
+ toPorts:
+ - ports:
+ - port: "4244"
+ protocol: TCP
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-hubble-ui-egress-to-relay
+ namespace: kube-system
+spec:
+ description: "Allow Hubble UI to send requests to Hubble Relay"
+ endpointSelector:
+ matchLabels:
+ k8s-app: hubble-ui
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ k8s-app: hubble-relay
+ toPorts:
+ - ports:
+ - port: "4245"
+ protocol: TCP
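Review bot: `allow-hubble-port-forward` selects only pods carrying `io.cilium.k8s.policy.serviceaccount: hubble-relay` yet opens both 4245 and 8081; its description says it covers Relay and UI, but no Hubble UI pod is selected, so a port-forward to the UI (which the other three documents identify by `k8s-app: hubble-ui`) stays blocked by the default deny while Relay gains an open port it presumably does not serve. Split it: keep only the `"4245"` entry on the Relay policy and give the UI its own ingress document, as sketched below. The selector key is also inconsistent with the rest of the file, which uses `k8s-app` everywhere else; using one key throughout makes the ingress/egress pairs easier to audit.
```yaml
# … unchanged: allow-hubble-port-forward, with the "8081" port entry removed …
---
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: allow-hubble-ui-port-forward
  namespace: kube-system
spec:
  description: "Allow host-level port-forwarding to Hubble UI"
  endpointSelector:
    matchLabels:
      k8s-app: hubble-ui
  ingress:
    - fromEntities:
        - host
        - remote-node
      toPorts:
        - ports:
            - port: "8081"
              protocol: TCP
# … unchanged: allow-hubble-ui-to-relay, allow-hubble-relay-to-agents, allow-hubble-ui-egress-to-relay …
```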