From 322ba293027300705978ce35069723dcff45d12e Mon Sep 17 00:00:00 2001
From: gwg313
Date: Sun, 17 May 2026 22:58:17 -0400
Subject: [PATCH] remove unneeded network policies from apps

Signed-off-by: gwg313
---
 apps/forgejo/network-policy.yaml | 41 ------------------------------
 apps/navidrome/network-policy.yaml | 40 -----------------------------
 2 files changed, 81 deletions(-)

diff --git a/apps/forgejo/network-policy.yaml b/apps/forgejo/network-policy.yaml
index dbc79f0..a64962b 100644
--- a/apps/forgejo/network-policy.yaml
+++ b/apps/forgejo/network-policy.yaml
@@ -1,18 +1,4 @@
 # ----------------------------------------------------
-# Default deny (namespace baseline)
-# ----------------------------------------------------
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
- name: default-deny
- namespace: forgejo
-spec:
- endpointSelector: {}
- ingress: []
- egress: []
-
----
-# ----------------------------------------------------
 # Ingress only from Gateway API
 # ----------------------------------------------------
 apiVersion: cilium.io/v2
@@ -32,33 +18,6 @@ spec:
 - ports:
 - port: "3000"
 protocol: TCP
-
----
-# ----------------------------------------------------
-# DNS (cluster DNS only)
-# ----------------------------------------------------
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
- name: allow-dns
- namespace: forgejo
-spec:
- endpointSelector:
- matchLabels:
- app: forgejo
- egress:
- - toEndpoints:
- - matchLabels:
- k8s:io.kubernetes.pod.namespace: kube-system
- k8s-app: kube-dns
- toPorts:
- - ports:
- - port: "53"
- protocol: ANY
- rules:
- dns:
- - matchPattern: "*"
-
 # ---
 # # ----------------------------------------------------
 # # CI runner access (in-cluster service)
diff --git a/apps/navidrome/network-policy.yaml b/apps/navidrome/network-policy.yaml
index 12d359f..fe75eba 100644
--- a/apps/navidrome/network-policy.yaml
+++ b/apps/navidrome/network-policy.yaml
@@ -1,18 +1,4 @@
 # ----------------------------------------------------
-# Default deny (namespace baseline)
-# ----------------------------------------------------
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
- name: default-deny
- namespace: navidrome
-spec:
- endpointSelector: {}
- ingress: []
- egress: []
-
----
-# ----------------------------------------------------
 # Ingress only from Gateway API
 # ----------------------------------------------------
 apiVersion: cilium.io/v2
@@ -33,32 +19,6 @@ spec:
 - port: "4533"
 protocol: TCP

----
-# ----------------------------------------------------
-# DNS (required)
-# ----------------------------------------------------
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
- name: allow-dns
- namespace: navidrome
-spec:
- endpointSelector:
- matchLabels:
- app: navidrome
- egress:
- - toEndpoints:
- - matchLabels:
- k8s:io.kubernetes.pod.namespace: kube-system
- k8s-app: kube-dns
- toPorts:
- - ports:
- - port: "53"
- protocol: ANY
- rules:
- dns:
- - matchPattern: "*"
-
 ---
 # ----------------------------------------------------
 # Spotify API access (album art, metadata)
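Review bot: The second navidrome hunk removes `allow-dns` while keeping the "Spotify API access" policy, whose body lies outside the hunk; if that policy is an egress rule selecting `app: navidrome`, those pods presumably stay in egress default-deny with no DNS allow left in this file, and any `toFQDNs` match needs a `rules: dns` section somewhere so the DNS proxy can observe lookups. The first hunk of each file also drops the namespace `default-deny`, and after the second forgejo hunk the only active forgejo policy visible here is ingress-only, so forgejo egress looks unrestricted unless a cluster-wide policy selects these namespaces. The commit message calls the policies unneeded without naming what replaces them, so I would record it at the top of both files, e.g. `# default-deny and DNS egress are enforced by <name of cluster-wide policy>`, and check each endpoint's ingress and egress enforcement status after rollout.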