From 20c1fccff1b5a65d677ecac9c5e548dd32153e46 Mon Sep 17 00:00:00 2001 From: gwg313 Date: Sat, 16 May 2026 14:11:31 -0400 Subject: [PATCH] add infra Signed-off-by: gwg313 --- infra-root.yaml | 20 +++++ infra/network-policies-app.yaml | 20 +++++ .../core-k8s-services.yaml | 70 +++++++++++++++++ .../default-deny.yaml | 12 +++ platform/default-network-policies/hubble.yaml | 77 +++++++++++++++++++ 5 files changed, 199 insertions(+) create mode 100644 infra-root.yaml create mode 100644 infra/network-policies-app.yaml create mode 100644 platform/default-network-policies/core-k8s-services.yaml create mode 100644 platform/default-network-policies/default-deny.yaml create mode 100644 platform/default-network-policies/hubble.yaml
diff --git a/infra-root.yaml b/infra-root.yaml
new file mode 100644
index 0000000..9867ee0
--- /dev/null
+++ b/infra-root.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: infra-root
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/gwg313/homelab-gitops
+ targetRevision: main
+ path: infra
+ directory:
+ recurse: true
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/infra/network-policies-app.yaml b/infra/network-policies-app.yaml
new file mode 100644
index 0000000..cd5b59c
--- /dev/null
+++ b/infra/network-policies-app.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: default-network-policies
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-10"
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/gwg313/homelab-gitops
+ targetRevision: main
+ path: platform/default-network-policies
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
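Review bot: `project: default` on the infra-root Application keeps it in Argo CD's built-in AppProject, which (unless it has been tightened elsewhere) allows any source repo, any destination and any cluster-scoped resource kind, so with `automated` `prune`/`selfHeal` plus `recurse: true` anything merged to `main` of the public repo is applied cluster-wide with the controller's credentials. A dedicated AppProject that pins `sourceRepos` to this repository, `destinations` to the `argocd` namespace on the in-cluster server and a `clusterResourceWhitelist` limited to what `infra/` actually needs bounds the blast radius of a compromised repo or a stray manifest. A short comment on the `directory:` stanza, e.g. `# recurse: every YAML under infra/ is applied, not only Application manifests`, would also make the exposure explicit for the next reader.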
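Review bot: `destination.namespace: argocd` on the default-network-policies Application does not match what the path deploys: the CiliumClusterwideNetworkPolicies are cluster-scoped and the Hubble CiliumNetworkPolicies carry an explicit `namespace: kube-system`, so the `argocd` fallback is never used today, and a future namespaced policy committed without a `namespace:` field would silently land in `argocd` and select nothing. Suggest `namespace: kube-system` here together with a comment such as `# CCNPs ignore this; any CNP in the path must still set its own namespace`. As with the root app, `project: default` leaves this child unrestricted; a project that only whitelists `cilium.io` kinds would contain mistakes more cheaply than the default project.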
diff --git a/platform/default-network-policies/core-k8s-services.yaml b/platform/default-network-policies/core-k8s-services.yaml
new file mode 100644
index 0000000..75fb153
--- /dev/null
+++ b/platform/default-network-policies/core-k8s-services.yaml
@@ -0,0 +1,70 @@
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: baseline-allow-coredns-egress
+spec:
+ description: "Allow all pods to send DNS queries out to CoreDNS"
+ endpointSelector:
+ matchLabels: {}
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: baseline-allow-coredns-ingress
+spec:
+ description: "Allow CoreDNS to receive incoming DNS queries"
+ endpointSelector:
+ matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ ingress:
+ - fromEndpoints:
+ - matchLabels: {} # Accepts from any pod
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: baseline-allow-apiserver
+spec:
+ description: "Allow all pods to communicate with the K8s API"
+ endpointSelector:
+ matchLabels: {}
+ egress:
+ - toEntities:
+ - kube-apiserver
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: baseline-allow-coredns-to-internet
+spec:
+ description: "Allow CoreDNS pods to reach upstream DNS servers on the internet"
+ endpointSelector:
+ matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ egress:
+ - toEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: ANY
diff --git a/platform/default-network-policies/default-deny.yaml b/platform/default-network-policies/default-deny.yaml
new file mode 100644
index 0000000..5fd2d7f
--- /dev/null
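Review bot: `baseline-allow-apiserver` grants egress `toEntities: [kube-apiserver]` with no `toPorts`, so every pod may reach every port on whatever IPs carry the kube-apiserver identity; when the API server runs as a static pod on a control-plane node that identity is attached to the node IP, which presumably also serves kubelet (10250), etcd (2379) and the Cilium health ports — worth confirming on this cluster. Restricting the rule to the API server port, e.g. `toPorts: [{ports: [{port: "6443", protocol: TCP}]}]`, keeps the baseline from becoming a blanket allow to control-plane nodes. The same applies to `baseline-allow-coredns-to-internet`: `toEntities: [world]` on port 53 lets a compromised CoreDNS pod talk to any resolver on the internet, so pinning it to the configured upstreams with `toCIDR` is tighter than `world`. The CoreDNS egress rule could also carry `rules: dns: - matchPattern: "*"` so Hubble records query names and later `toFQDNs` policies have the DNS proxy they depend on.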
+++ b/platform/default-network-policies/default-deny.yaml
@@ -0,0 +1,12 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: baseline-default-deny
+spec:
+ description: "Deny all ingress and egress cluster-wide by default"
+ endpointSelector:
+ matchLabels: {}
+ ingress:
+ - {}
+ egress:
+ - {}
diff --git a/platform/default-network-policies/hubble.yaml b/platform/default-network-policies/hubble.yaml
new file mode 100644
index 0000000..2e0c040
--- /dev/null
+++ b/platform/default-network-policies/hubble.yaml
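Review bot: `baseline-default-deny` with `matchLabels: {}` selects every pod endpoint in every namespace, including the `argocd` namespace the two Application manifests in this commit run from, and none of the five files adds an allow rule for Argo CD's own traffic (repo-server to github.com, application-controller and server to redis and repo-server), so once Cilium enforces it the repo-server can no longer fetch `main` and `selfHeal` cannot repair the lockout from Git — unless such policies already exist outside this change. Landing an `allow-argocd` policy (intra-namespace ingress/egress plus egress to `world` on 443 for the repo-server) in the same sync, or scoping the deny with a namespace selector until it does, avoids that. A comment on the selector such as `# all pod endpoints cluster-wide; host-network pods are presumably unaffected since host policy needs a nodeSelector — confirm` would make the intended scope explicit.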
@@ -0,0 +1,77 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-hubble-port-forward
+ namespace: kube-system
+spec:
+ description: "Allow host-level port-forwarding to Hubble Relay and UI"
+ endpointSelector:
+ matchLabels:
+ io.cilium.k8s.policy.serviceaccount: hubble-relay
+ ingress:
+ - fromEntities:
+ - host
+ - remote-node
+ toPorts:
+ - ports:
+ - port: "4245"
+ protocol: TCP
+ - port: "8081"
+ protocol: TCP
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-hubble-ui-to-relay
+ namespace: kube-system
+spec:
+ description: "Allow Hubble UI to fetch data from Hubble Relay"
+ endpointSelector:
+ matchLabels:
+ k8s-app: hubble-relay
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ k8s-app: hubble-ui
+ toPorts:
+ - ports:
+ - port: "4245"
+ protocol: TCP
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-hubble-relay-to-agents
+ namespace: kube-system
+spec:
+ description: "Allow Hubble Relay to collect flows from Cilium node agents"
+ endpointSelector:
+ matchLabels:
+ k8s-app: hubble-relay
+ egress:
+ - toEntities:
+ - host
+ - remote-node
+ toPorts:
+ - ports:
+ - port: "4244"
+ protocol: TCP
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-hubble-ui-egress-to-relay
+ namespace: kube-system
+spec:
+ description: "Allow Hubble UI to send requests to Hubble Relay"
+ endpointSelector:
+ matchLabels:
+ k8s-app: hubble-ui
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ k8s-app: hubble-relay
+ toPorts:
+ - ports:
+ - port: "4245"
+ protocol: TCP
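Review bot: `allow-hubble-port-forward` only selects pods with service account `hubble-relay` yet lists port `8081`, which is the Hubble UI's port; the description promises port-forward access to Relay and UI, but under the cluster-wide default deny the `hubble-ui` pods receive no ingress rule at all, so a `kubectl port-forward` to the UI (host-entity traffic, presumably) will be dropped while the `8081` entry on Relay allows nothing useful. Add a policy selecting `k8s-app: hubble-ui` with ingress from `host`/`remote-node` on `8081` and drop `8081` from the Relay rule so each policy matches its description. The selector styles also differ between the first policy (`io.cilium.k8s.policy.serviceaccount: hubble-relay`) and the rest (`k8s-app: hubble-relay`); unifying them avoids a chart label change silently splitting the two.
```yaml
# … unchanged: allow-hubble-port-forward with the port "8081" entry removed …
---
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: allow-hubble-ui-port-forward
  namespace: kube-system
spec:
  description: "Allow host-level port-forwarding to the Hubble UI"
  endpointSelector:
    matchLabels:
      k8s-app: hubble-ui
  ingress:
    - fromEntities:
        - host
        - remote-node
      toPorts:
        - ports:
            - port: "8081"
              protocol: TCP
# … unchanged: allow-hubble-ui-to-relay, allow-hubble-relay-to-agents, allow-hubble-ui-egress-to-relay …
```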