re add navidrome
Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
parent
0b69038d79
commit
adc6cdb0bc
14 changed files with 44 additions and 1 deletions
149
apps/navidrome/network-policy.yaml
Normal file
149
apps/navidrome/network-policy.yaml
Normal file
|
|
@ -0,0 +1,149 @@
|
|||
# ----------------------------------------------------
|
||||
# Default deny (namespace baseline)
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: default-deny
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector: {}
|
||||
ingress: []
|
||||
egress: []
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# Ingress only from Gateway API
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-ingress
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: navidrome
|
||||
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- ingress
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "4533"
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# DNS (required)
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-dns
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: navidrome
|
||||
egress:
|
||||
- toEndpoints:
|
||||
- matchLabels:
|
||||
k8s:io.kubernetes.pod.namespace: kube-system
|
||||
k8s-app: kube-dns
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "53"
|
||||
protocol: ANY
|
||||
rules:
|
||||
dns:
|
||||
- matchPattern: "*"
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# Spotify API access (album art, metadata)
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-spotify
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: navidrome
|
||||
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchName: api.spotify.com
|
||||
- matchName: i.scdn.co
|
||||
- matchName: accounts.spotify.com
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "443"
|
||||
protocol: TCP
|
||||
---
|
||||
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-navidrome
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: navidrome
|
||||
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchPattern: "*.navidrome.org"
|
||||
- matchName: navidrome.org
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "443"
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# Last.fm API access (metadata, scrobbling, images)
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-lastfm
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: navidrome
|
||||
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchName: ws.audioscrobbler.com
|
||||
- matchName: lastfm.freetls.fastly.net
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "443"
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# OPTIONAL: unrestricted HTTPS egress (disabled)
|
||||
# ----------------------------------------------------
|
||||
# apiVersion: cilium.io/v2
|
||||
# kind: CiliumNetworkPolicy
|
||||
# metadata:
|
||||
# name: allow-all-egress
|
||||
# namespace: navidrome
|
||||
# spec:
|
||||
# endpointSelector:
|
||||
# matchLabels:
|
||||
# app: navidrome
|
||||
#
|
||||
# egress:
|
||||
# - toEntities:
|
||||
# - world
|
||||
# toPorts:
|
||||
# - ports:
|
||||
# - port: "443"
|
||||
# protocol: TCP
|
||||
Loading…
Add table
Add a link
Reference in a new issue