re add navidrome

Signed-off-by: gwg313 <gwg313@pm.me>
gwg313 2026-05-17 15:23:30 -04:00
parent 0b69038d79
commit adc6cdb0bc
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
14 changed files with 44 additions and 1 deletions


@ -0,0 +1,149 @@
# ----------------------------------------------------
# Default deny (namespace baseline)
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: default-deny
namespace: navidrome
spec:
endpointSelector: {}
ingress: []
egress: []
---
# ----------------------------------------------------
# Ingress only from Gateway API
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-ingress
namespace: navidrome
spec:
endpointSelector:
matchLabels:
app: navidrome
ingress:
- fromEntities:
- ingress
toPorts:
- ports:
- port: "4533"
protocol: TCP
---
# ----------------------------------------------------
# DNS (required)
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-dns
namespace: navidrome
spec:
endpointSelector:
matchLabels:
app: navidrome
egress:
- toEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: ANY
rules:
dns:
- matchPattern: "*"
---
# ----------------------------------------------------
# Spotify API access (album art, metadata)
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-spotify
namespace: navidrome
spec:
endpointSelector:
matchLabels:
app: navidrome
egress:
- toFQDNs:
- matchName: api.spotify.com
- matchName: i.scdn.co
- matchName: accounts.spotify.com
toPorts:
- ports:
- port: "443"
protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-navidrome
namespace: navidrome
spec:
endpointSelector:
matchLabels:
app: navidrome
egress:
- toFQDNs:
- matchPattern: "*.navidrome.org"
- matchName: navidrome.org
toPorts:
- ports:
- port: "443"
protocol: TCP
---
# ----------------------------------------------------
# Last.fm API access (metadata, scrobbling, images)
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-lastfm
namespace: navidrome
spec:
endpointSelector:
matchLabels:
app: navidrome
egress:
- toFQDNs:
- matchName: ws.audioscrobbler.com
- matchName: lastfm.freetls.fastly.net
toPorts:
- ports:
- port: "443"
protocol: TCP
---
# ----------------------------------------------------
# OPTIONAL: unrestricted HTTPS egress (disabled)
# ----------------------------------------------------
# apiVersion: cilium.io/v2
# kind: CiliumNetworkPolicy
# metadata:
# name: allow-all-egress
# namespace: navidrome
# spec:
# endpointSelector:
# matchLabels:
# app: navidrome
#
# egress:
# - toEntities:
# - world
# toPorts:
# - ports:
# - port: "443"
# protocol: TCP
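Review bot: The `default-deny` policy at the top of the hunk may not put endpoints into default-deny mode as its comment claims: Cilium decides per-direction enforcement from the presence of ingress/egress rule entries, and an empty list (`ingress: []`, `egress: []`) appears to contribute none, whereas the Cilium default-deny example uses an empty rule (`ingress: [{}]`, `egress: [{}]`) — confirm against the Cilium version in use, or set `spec.enableDefaultDeny` explicitly where that version supports it. Pods labeled `app: navidrome` are still locked down either way, because every other policy in this file selects them with a rule section, so the gap is limited to any other workload in the namespace. Separately, `allow-dns` permits lookups for any name via `matchPattern: "*"`; since all remaining egress is FQDN-based, that rule could list only the names used elsewhere in this file (`matchName: api.spotify.com`, `matchPattern: "*.navidrome.org"`, …) so DNS itself does not remain an unrestricted outbound channel. Indentation is lost in this rendering, so nesting of the selectors could not be checked.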