update default deny
Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
parent
68bebdae57
commit
bfe8435665
21 changed files with 470 additions and 235 deletions
|
|
@ -1,12 +0,0 @@
|
|||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: audiobookshelf-cert
|
||||
namespace: istio-system
|
||||
spec:
|
||||
secretName: audiobookshelf-cert
|
||||
issuerRef:
|
||||
name: letsencrypt-dns
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
- audiobooks.gwg313.xyz
|
||||
|
|
@ -1,3 +1,8 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: audiobookshelf
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
|
|
@ -5,6 +10,8 @@ metadata:
|
|||
namespace: audiobookshelf
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: audiobookshelf
|
||||
|
|
@ -15,9 +22,15 @@ spec:
|
|||
spec:
|
||||
containers:
|
||||
- name: audiobookshelf
|
||||
image: registry.gwg313.xyz/library/audiobookshelf-rootless:latest
|
||||
image: ghcr.io/advplyr/audiobookshelf:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
- containerPort: 80
|
||||
name: http
|
||||
protocol: TCP
|
||||
env:
|
||||
- name: TZ
|
||||
value: "America/Toronto"
|
||||
volumeMounts:
|
||||
- name: audiobooks-volume
|
||||
mountPath: /audiobooks
|
||||
|
|
@ -40,3 +53,18 @@ spec:
|
|||
- name: metadata-volume
|
||||
persistentVolumeClaim:
|
||||
claimName: audiobookshelf-metadata
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: audiobookshelf-svc
|
||||
namespace: audiobookshelf
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: http
|
||||
port: 8080
|
||||
targetPort: http # References the named string 'http' from the containerPort map
|
||||
protocol: TCP
|
||||
selector:
|
||||
app: audiobookshelf
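Review bot: The new line `image: ghcr.io/advplyr/audiobookshelf:latest` swaps the internal `audiobookshelf-rootless` build for the upstream image on a mutable tag, and with `imagePullPolicy: IfNotPresent` a node that already cached `latest` keeps its stale layer while another node pulls something newer; pin a digest (`image: ghcr.io/advplyr/audiobookshelf:<version>@sha256:…`) and, since the rootless variant is gone, set `securityContext.runAsNonRoot: true` on the container unless that is already set outside the hunk (the port moving from 8080 to 80 hints at a root default, but that is inferred, not shown). This commit also deletes the clusterwide `baseline-default-deny` and adds per-namespace `default-deny` policies for forgejo and navidrome, yet no policy for the newly created `audiobookshelf` namespace appears anywhere in the diff, so unless one exists in a file not shown this namespace is now unrestricted. The new `audiobookshelf-svc` (port 8080 → `targetPort: http`) also duplicates the `audiobookshelf` Service on port 80 that the HTTPRoute references; keep one so the exposure surface is unambiguous.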
|
||||
|
|
|
|||
|
|
@ -1,18 +0,0 @@
|
|||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: audiobookshelf-gateway
|
||||
namespace: audiobookshelf
|
||||
spec:
|
||||
selector:
|
||||
istio: gateway
|
||||
servers:
|
||||
- port:
|
||||
number: 443
|
||||
name: https
|
||||
protocol: HTTPS
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
credentialName: audiobookshelf-cert
|
||||
hosts:
|
||||
- audiobooks.gwg313.xyz
|
||||
|
|
@ -1,19 +0,0 @@
|
|||
---
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: audiobookshelf-iscsi-auth
|
||||
namespace: audiobookshelf
|
||||
spec:
|
||||
encryptedData:
|
||||
discovery.sendtargets.auth.password: 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
|
||||
discovery.sendtargets.auth.username: 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
|
||||
node.session.auth.password: AgB/lsTVb/3hrYtzpEydBfcesvDgZUi6Si4VNjlGRS1PfK9DSLpRBZazgLkrFSIhLOviWb9Rp9zQDNTJFAZkLbPGh8zNWyTzbANgsSziht7ljBArnsT3iMRQbFvZGUkI3QM95EURVXC7GhPEfr15bkEqq93ETzaDaBvZ3tKN2XqjRTFFAR2aFVVV6rPPea3FfAVhhcR700pfbW4YpLPfHuUFentEuMo5a3QRYo3VdzPYB7lzRx+YgD9Rv1rSffTdnPJzlE9IkUeBZKnuK9Xg80Q75aPHvb6MfT++LRZHUtsftQFjbJMcFKqqDu+JktjViyrTYG/2cfdQKsHbsQu4OW4XamU0isZiz42T8cj/Dpo0C+m2meZVXkSrsvyeHCA77vl9yd24O7CkDGKLnAqe5RLWAMJVBQwnVqiDhTdTvEItoyV9MZM079CsPKSpVZMJ4GQoJDjKN3L9Z0IIWHlrV5RJ65RJA3d8/9Ku+vFtxyfGWB3GtXAFvXYW/OZn1vuIEmA3U11mgnGKDIRETBMpuJSvzVKiTxCL4yrq5Ap0VRfBlJlNbDSlj78z6x9Pd8TsSoKUA5htpObLy3+Dx2Lm6SUflKvB6ywKnIbhlfFONlUrsxX6J02taDmqTzeAFT5sSM2Xl4yFveb7XLQQOJUIc32ZAFXOkYkvr9T8lbxXDE9mJG7abzwal7i1KWrxgVnmgN8oM6QDciHqElUb+z+tE69g
|
||||
node.session.auth.username: AgCjON6B6NWGlbQsJvBLvy1SOgUt7fuIScFKqsnVLZf/AmUH6VJ70qAtjOr+MfoyhvGkpNLAb64LpUsEmxX/AI4pONZnNUVYgWSha+yEizCLsYCp2wL7PHbobg9nkYxL7vRcS/So5iIaHHS+3cHIHJI5O8Dhb6gqOz5kafNgdLu0TJ56n1Axe4QI3mz0m5/XjovzzImM3DiMaqtzJotENGxnnA/X0/zBbNZry94iWuXCTJ115+6cVn+h3SvVw0/rwcJgfNxgIJJW4Rukl6WCyC6MTKTjNnA65Z5R9oW4JviGNF/0PNGTjmkuCoJqSNZ+p5XebhTxn65ultLMxvJXZhVmSHo3es3x8wlmO49UOGhT1a38P+p/9DrrTg3xEdIeDHMmdLaZgOjjEfDh/2OP2S2ZHVEXQnFvG2VnKgmMYWyeylhBGyn4cEkLc1fFhy55g2EMCeF5zXNldTlT3Gh0ca1ipF0BBXgvuJCa9c5tNBK2QS66QVdehOLBOxrnjTnd4VPt05JXKqSQZ6S0ukNecL5hBju2nGHlXdYcVeI94/uZmpkNJC+mqRTJdXGwtUhF9F529Ln+DtkhTcGUAPBcZdP9eEc/lkAjp/lJyzW2jgTynVkqAyBZJsA7etAHAUlsFMgFOw6bG/oKXpJE7wFJ4J929/inpVj8J9rlLC7ruRlQy9gUT8A2uLwAXVmQufpjBTi2AVyS6wACG+eusvOHYg==
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: audiobookshelf-iscsi-auth
|
||||
namespace: audiobookshelf
|
||||
type: kubernetes.io/iscsi-chap
|
||||
19
audiobookshelf/iscsi-secrets-sealed.yaml
Normal file
19
audiobookshelf/iscsi-secrets-sealed.yaml
Normal file
|
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: audiobookshelf-iscsi-auth
|
||||
namespace: audiobookshelf
|
||||
spec:
|
||||
encryptedData:
|
||||
discovery.sendtargets.auth.password: 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
|
||||
discovery.sendtargets.auth.username: AgAqjHR5K62VZpVb0oXwkgi0UXVLmgEBjxLpNX+eTvU54BGDfvaUhxbDJmb7SDQFZ5PKyQUXqmJTQpSQ0lJbK9Vhrr8rBjmseFuLdhT6AzFtRqLTIG4W9IL4VPEjhepW6tKRukqU19Z9F1Mha1VCc82uH2OuIni0Gux5+H8OrkdduKrtpCIiQK1cK3q6xqlHmpPnwEt23xnbtDqwYz9d5lA6T0xIahNm+N925e7tMm9GwKSWQA1smqPc6eH1DZwg8wUCNXn3h+HvB5l0ElTMSNtwUA/mcYeJRfPrXVQVlKcch5RqunWyWfiJBc042V/yjhIEs2YGlMsRu9YxKc+8W0AioBSvaJZmjSWJvk6/Zh2tUqPbcoc//dH5ackfwul5ZO3CB7yyiT9naiM6sFCKriMs1tu92sF8r4zKl9gXJboTCcrCUt2nKf9Dd+xB2NM3xFjMsTdHVQaQJiL6UbSoKObU2TD6IEQVALvb2wE/kjpSq3rw/tLc72nac6qripOuIKYP2L/4f8WxO63/wWYZ/yUzia2RfDhz4iGGF7dNHxsDfMwdZCP2HNjLlX+k6/oIPjKjSvcZxahrAUY6RNfTJlOvvwr6tLZwHoUq+bqgSOZ3Bcr0hvNBIbnXpWpof3wvr6RT+F7Tb08FWFF8ceRYmUYxRpacVrXJgCHE20LY1IVJdkt9/oxCmN797Atc8eUYxvESc1evUA7nW5TdptGAWQ==
|
||||
node.session.auth.password: AgBsc+wtPsGHkMfe6UQC92K9cEtUbsKw92lxbp2Ix0cGNJ5Ufhysq4VUOsXwItY/NfOXN1JAps1J4ZjCcW64dMpP2Tq9rLNMjvlsvFMHfPZ7zkDstFo55c5cAjvBLou9zc8PRMOoVftg3FUXYP+h4ZFZ4R3002TXeN7uV5KG1cfcuI2HuwHHTwtXvevHOBdp3JAN4MMIvA69wo0kr7Ef+LIBCbIXKer/gjDOQsdaffpagGNf5blvyTeky7ySnYhyQwUi7W6AG56HtV5KureTsBalD4+aGa6SChQt4D2LMAwLQg2pvwrpnUvanAZg7PWvkBdSb6Q18Jxf0OPtG5Q3CkRwdT/MXMvPlZEua7j5wh13aU9lCPeyvPl+96Uhbq8eaSLMjTjIEVs8gLE6Jfv5o0WEexu87AmtVhza+IDK/F/fHQys9y1eDD4SRhoeMV6YRWostquJalt5dUP3olaOGh2gZ5eocXKI7ekVC0O/wWKPNpxPNqN6Hh4+2SCvAySOdizMvD7MRjzKX4wqNZUfAFlaamGFcyKg7otQSMeNwNDFWheJinWTNleUAKUZVsHhYIYKppLwitjvIrqO2cDD2Q6o0ZSplYVVyF8Fb9dIbDNhHNGTu5XqJLILKiRUipEN0EiNmcYiBKfpuYtZQltvCsXra/qR2yi0SVAh3M0joovBSCxC3haLJk+X9Gtl5rf3kESjvIEmF3wM1cPmEM5s6faM
|
||||
node.session.auth.username: 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
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: audiobookshelf-iscsi-auth
|
||||
namespace: audiobookshelf
|
||||
type: kubernetes.io/iscsi-chap
|
||||
37
audiobookshelf/route.yaml
Normal file
37
audiobookshelf/route.yaml
Normal file
|
|
@ -0,0 +1,37 @@
|
|||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: audiobookshelf
|
||||
namespace: audiobookshelf
|
||||
spec:
|
||||
parentRefs:
|
||||
- name: shared-edge-gateway
|
||||
namespace: cilium-ingress
|
||||
|
||||
hostnames:
|
||||
- "audiobooks.local.gwg313.xyz"
|
||||
- "audiobooks.gwg313.xyz"
|
||||
- "audiobooks.zerotier.gwg313.xyz"
|
||||
rules:
|
||||
- matches:
|
||||
- path:
|
||||
type: PathPrefix
|
||||
value: /
|
||||
backendRefs:
|
||||
- name: audiobookshelf
|
||||
port: 80
|
||||
---
|
||||
apiVersion: gateway.networking.k8s.io/v1beta1
|
||||
kind: ReferenceGrant
|
||||
metadata:
|
||||
name: allow-gateway-to-audiobookshelf
|
||||
namespace: audiobookshelf
|
||||
spec:
|
||||
from:
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
namespace: cilium-ingress
|
||||
to:
|
||||
- group: ""
|
||||
kind: Service
|
||||
name: audiobookshelf
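Review bot: The `ReferenceGrant` at the end (from Gateway in cilium-ingress to Service in audiobookshelf) is not a cross-namespace reference the Gateway API defines — a Gateway never references Services, and an HTTPRoute's backendRef to a same-namespace Service needs no grant — so it is inert; whether this route attaches is decided by `allowedRoutes.namespaces` on the `shared-edge-gateway` listeners, which are not in this diff. The parentRef has no `sectionName`, so the route binds to every compatible listener on the shared gateway; if that gateway also carries a plaintext port-80 listener the app is served over HTTP too, so consider `sectionName: https` (or whatever the HTTPS listener is named). Note that listing `audiobooks.gwg313.xyz` next to the `.local` and `.zerotier` names means one rule exposes the backend publicly with only the application's own login in front of it.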
|
||||
|
|
@ -8,4 +8,4 @@ spec:
|
|||
app: audiobookshelf
|
||||
ports:
|
||||
- port: 80
|
||||
targetPort: 8080
|
||||
targetPort: 80
|
||||
|
|
|
|||
|
|
@ -1,19 +0,0 @@
|
|||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: audiobookshelf
|
||||
namespace: audiobookshelf
|
||||
spec:
|
||||
hosts:
|
||||
- audiobooks.gwg313.xyz
|
||||
gateways:
|
||||
- audiobookshelf-gateway
|
||||
http:
|
||||
- match:
|
||||
- uri:
|
||||
prefix: /
|
||||
route:
|
||||
- destination:
|
||||
host: audiobookshelf
|
||||
port:
|
||||
number: 80
|
||||
|
|
@ -28,6 +28,13 @@ spec:
|
|||
ports:
|
||||
- containerPort: 3000
|
||||
- containerPort: 2222
|
||||
resources:
|
||||
requests:
|
||||
cpu: "50m"
|
||||
memory: "128Mi"
|
||||
limits:
|
||||
cpu: "1000m"
|
||||
memory: "512Mi"
|
||||
env:
|
||||
- name: FORGEJO__server__ROOT_URL
|
||||
value: "https://git.gwg313.xyz/"
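Review bot: The added `- containerPort: 2222` has no counterpart in the forgejo `allow-ingress` policy elsewhere in this commit, which admits only `port: "3000"` from the `ingress` entity, so under the namespace `default-deny` SSH traffic to the pod is dropped. If Git over SSH is intended, add `- port: "2222"` with `protocol: TCP` to that rule using a source that matches how 2222 is actually exposed (an Envoy/Gateway TCPRoute arrives as the `ingress` entity; a LoadBalancer or NodePort reaching the pod directly is `world` or `host`); if it is not intended, drop the containerPort so the port is not advertised. The container spec continues outside the hunk.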
|
||||
|
|
|
|||
|
|
@ -1,13 +1,30 @@
|
|||
# ----------------------------------------------------
|
||||
# Default deny (namespace baseline)
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-ingress-to-forgejo
|
||||
name: default-deny
|
||||
namespace: forgejo
|
||||
spec:
|
||||
endpointSelector: {}
|
||||
ingress: []
|
||||
egress: []
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# Ingress only from Gateway API
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-ingress
|
||||
namespace: forgejo
|
||||
spec:
|
||||
description: "Accept incoming traffic from the native mesh proxy"
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: forgejo
|
||||
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- ingress
|
||||
|
|
@ -15,3 +32,103 @@ spec:
|
|||
- ports:
|
||||
- port: "3000"
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# DNS (cluster DNS only)
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-dns
|
||||
namespace: forgejo
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: forgejo
|
||||
egress:
|
||||
- toEndpoints:
|
||||
- matchLabels:
|
||||
k8s:io.kubernetes.pod.namespace: kube-system
|
||||
k8s-app: kube-dns
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "53"
|
||||
protocol: ANY
|
||||
rules:
|
||||
dns:
|
||||
- matchPattern: "*"
|
||||
|
||||
# ---
|
||||
# # ----------------------------------------------------
|
||||
# # CI runner access (in-cluster service)
|
||||
# # ----------------------------------------------------
|
||||
# apiVersion: cilium.io/v2
|
||||
# kind: CiliumNetworkPolicy
|
||||
# metadata:
|
||||
# name: allow-ci-runner
|
||||
# namespace: forgejo
|
||||
# spec:
|
||||
# endpointSelector:
|
||||
# matchLabels:
|
||||
# app: forgejo
|
||||
#
|
||||
# egress:
|
||||
# - toEndpoints:
|
||||
# - matchLabels:
|
||||
# app: ci-runner # adjust to your runner labels
|
||||
# toPorts:
|
||||
# - ports:
|
||||
# - port: "80"
|
||||
# protocol: TCP
|
||||
# - port: "443"
|
||||
# protocol: TCP
|
||||
#
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# External git providers (FQDN restricted)
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-git-egress
|
||||
namespace: forgejo
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: forgejo
|
||||
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchName: github.com
|
||||
- matchName: api.github.com
|
||||
- matchName: raw.githubusercontent.com
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "443"
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# OPTIONAL: unrestricted egress (disabled by default)
|
||||
# Enable ONLY when required for troubleshooting or apps
|
||||
# ----------------------------------------------------
|
||||
# apiVersion: cilium.io/v2
|
||||
# kind: CiliumNetworkPolicy
|
||||
# metadata:
|
||||
# name: allow-all-egress
|
||||
# namespace: forgejo
|
||||
# spec:
|
||||
# endpointSelector:
|
||||
# matchLabels:
|
||||
# app: forgejo
|
||||
#
|
||||
# egress:
|
||||
# - toEntities:
|
||||
# - world
|
||||
# toPorts:
|
||||
# - ports:
|
||||
# - port: "443"
|
||||
# protocol: TCP
|
||||
# - port: "80"
|
||||
# protocol: TCP
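Review bot: The new `default-deny` uses `ingress: []` and `egress: []`, whereas the clusterwide `baseline-default-deny` this commit deletes used `- {}` for both; Cilium moves an endpoint into enforcement only when a rule that selects it carries an ingress/egress section, and an empty list is not reliably treated as one across versions, so pods in the namespace that do not carry `app: forgejo` (which the other policies select and therefore enforce) may end up with no deny at all. Use the `- {}` form as the deleted baseline did, and confirm with `cilium endpoint list` that every forgejo endpoint reports enforcement enabled in both directions. The `description: "Accept incoming traffic from the native mesh proxy"` is left over from the Istio setup this commit removes; `Accept traffic from the Cilium Gateway API (Envoy) proxy` would match `fromEntities: ingress`.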
|
||||
|
|
|
|||
|
|
@ -5,6 +5,8 @@ metadata:
|
|||
namespace: navidrome
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: navidrome
|
||||
|
|
@ -15,9 +17,16 @@ spec:
|
|||
spec:
|
||||
containers:
|
||||
- name: navidrome
|
||||
image: deluan/navidrome:latest
|
||||
image: deluan/navidrome:pr-5495
|
||||
ports:
|
||||
- containerPort: 4533
|
||||
resources:
|
||||
requests:
|
||||
cpu: "100m"
|
||||
memory: "128Mi"
|
||||
limits:
|
||||
cpu: "1000m"
|
||||
memory: "512Mi"
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: navidrome-config
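Review bot: `image: deluan/navidrome:pr-5495` pins the deployment to a pull-request build rather than a release; PR tags are usually rebuilt on every push to the PR and removed once it closes, and the code has not been through the project's release review, so for both supply-chain and availability reasons this is weaker than the `latest` it replaces. If the PR carries a needed fix, pin the exact build by digest (`deluan/navidrome:pr-5495@sha256:…`) and add a comment naming the PR and the release that will supersede it, e.g. `# TODO: temporary pr-5495 build until the fix ships in a tagged release`. The container spec continues outside the hunk.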
|
||||
|
|
|
|||
|
|
@ -9,8 +9,6 @@ spec:
|
|||
encryptedData:
|
||||
ND_LASTFM_APIKEY: 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
|
||||
ND_LASTFM_SECRET: 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
|
||||
ND_SPOTIFY_ID: 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
|
||||
ND_SPOTIFY_SECRET: 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
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
|
|
|
|||
149
navidrome/network-policy.yaml
Normal file
149
navidrome/network-policy.yaml
Normal file
|
|
@ -0,0 +1,149 @@
|
|||
# ----------------------------------------------------
|
||||
# Default deny (namespace baseline)
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: default-deny
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector: {}
|
||||
ingress: []
|
||||
egress: []
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# Ingress only from Gateway API
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-ingress
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: navidrome
|
||||
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- ingress
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "4533"
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# DNS (required)
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-dns
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: navidrome
|
||||
egress:
|
||||
- toEndpoints:
|
||||
- matchLabels:
|
||||
k8s:io.kubernetes.pod.namespace: kube-system
|
||||
k8s-app: kube-dns
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "53"
|
||||
protocol: ANY
|
||||
rules:
|
||||
dns:
|
||||
- matchPattern: "*"
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# Spotify API access (album art, metadata)
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-spotify
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: navidrome
|
||||
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchName: api.spotify.com
|
||||
- matchName: i.scdn.co
|
||||
- matchName: accounts.spotify.com
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "443"
|
||||
protocol: TCP
|
||||
---
|
||||
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-navidrome
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: navidrome
|
||||
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchPattern: "*.navidrome.org"
|
||||
- matchName: navidrome.org
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "443"
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# Last.fm API access (metadata, scrobbling, images)
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-lastfm
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: navidrome
|
||||
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchName: ws.audioscrobbler.com
|
||||
- matchName: lastfm.freetls.fastly.net
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "443"
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# OPTIONAL: unrestricted HTTPS egress (disabled)
|
||||
# ----------------------------------------------------
|
||||
# apiVersion: cilium.io/v2
|
||||
# kind: CiliumNetworkPolicy
|
||||
# metadata:
|
||||
# name: allow-all-egress
|
||||
# namespace: navidrome
|
||||
# spec:
|
||||
# endpointSelector:
|
||||
# matchLabels:
|
||||
# app: navidrome
|
||||
#
|
||||
# egress:
|
||||
# - toEntities:
|
||||
# - world
|
||||
# toPorts:
|
||||
# - ports:
|
||||
# - port: "443"
|
||||
# protocol: TCP
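Review bot: `allow-spotify` opens egress to api.spotify.com, accounts.spotify.com and i.scdn.co, but the navidrome sealed-secret hunk in this same commit removes `ND_SPOTIFY_ID` and `ND_SPOTIFY_SECRET`, so unless those credentials now come from elsewhere the rule is a dead allowance and should be removed to keep the egress allow-list minimal. The `default-deny` document uses `ingress: []`/`egress: []` while the deleted clusterwide baseline used `- {}`; only pods selected by another policy carrying an ingress/egress section (here `app: navidrome`) are certain to be in enforcement, so prefer the `- {}` form for the namespace-wide deny. `allow-navidrome` is also the only document without a header comment; add one stating why egress to `*.navidrome.org` is needed (update checks, presumably — confirm) so it is not mistaken for a leftover.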
|
||||
|
|
@ -1,70 +0,0 @@
|
|||
---
|
||||
apiVersion: "cilium.io/v2"
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: baseline-allow-coredns-egress
|
||||
spec:
|
||||
description: "Allow all pods to send DNS queries out to CoreDNS"
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
egress:
|
||||
- toEndpoints:
|
||||
- matchLabels:
|
||||
k8s:io.kubernetes.pod.namespace: kube-system
|
||||
k8s-app: kube-dns
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "53"
|
||||
protocol: UDP
|
||||
- port: "53"
|
||||
protocol: TCP
|
||||
---
|
||||
apiVersion: "cilium.io/v2"
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: baseline-allow-coredns-ingress
|
||||
spec:
|
||||
description: "Allow CoreDNS to receive incoming DNS queries"
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
k8s:io.kubernetes.pod.namespace: kube-system
|
||||
k8s-app: kube-dns
|
||||
ingress:
|
||||
- fromEndpoints:
|
||||
- matchLabels: {} # Accepts from any pod
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "53"
|
||||
protocol: UDP
|
||||
- port: "53"
|
||||
protocol: TCP
|
||||
---
|
||||
apiVersion: "cilium.io/v2"
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: baseline-allow-apiserver
|
||||
spec:
|
||||
description: "Allow all pods to communicate with the K8s API"
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
egress:
|
||||
- toEntities:
|
||||
- kube-apiserver
|
||||
---
|
||||
apiVersion: "cilium.io/v2"
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: baseline-allow-coredns-to-internet
|
||||
spec:
|
||||
description: "Allow CoreDNS pods to reach upstream DNS servers on the internet"
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
k8s:io.kubernetes.pod.namespace: kube-system
|
||||
k8s-app: kube-dns
|
||||
egress:
|
||||
- toEntities:
|
||||
- world
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "53"
|
||||
protocol: ANY
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
apiVersion: "cilium.io/v2"
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: baseline-default-deny
|
||||
spec:
|
||||
description: "Deny all ingress and egress cluster-wide by default"
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
ingress:
|
||||
- {}
|
||||
egress:
|
||||
- {}
|
||||
|
|
@ -1,77 +0,0 @@
|
|||
apiVersion: "cilium.io/v2"
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-hubble-port-forward
|
||||
namespace: kube-system
|
||||
spec:
|
||||
description: "Allow host-level port-forwarding to Hubble Relay and UI"
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
io.cilium.k8s.policy.serviceaccount: hubble-relay
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- host
|
||||
- remote-node
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "4245"
|
||||
protocol: TCP
|
||||
- port: "8081"
|
||||
protocol: TCP
|
||||
---
|
||||
apiVersion: "cilium.io/v2"
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-hubble-ui-to-relay
|
||||
namespace: kube-system
|
||||
spec:
|
||||
description: "Allow Hubble UI to fetch data from Hubble Relay"
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
k8s-app: hubble-relay
|
||||
ingress:
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
k8s-app: hubble-ui
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "4245"
|
||||
protocol: TCP
|
||||
---
|
||||
apiVersion: "cilium.io/v2"
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-hubble-relay-to-agents
|
||||
namespace: kube-system
|
||||
spec:
|
||||
description: "Allow Hubble Relay to collect flows from Cilium node agents"
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
k8s-app: hubble-relay
|
||||
egress:
|
||||
- toEntities:
|
||||
- host
|
||||
- remote-node
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "4244"
|
||||
protocol: TCP
|
||||
---
|
||||
apiVersion: "cilium.io/v2"
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-hubble-ui-egress-to-relay
|
||||
namespace: kube-system
|
||||
spec:
|
||||
description: "Allow Hubble UI to send requests to Hubble Relay"
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
k8s-app: hubble-ui
|
||||
egress:
|
||||
- toEndpoints:
|
||||
- matchLabels:
|
||||
k8s-app: hubble-relay
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "4245"
|
||||
protocol: TCP
|
||||
28
platform/default-network-policies/kube-system-baseline.yaml
Normal file
28
platform/default-network-policies/kube-system-baseline.yaml
Normal file
|
|
@ -0,0 +1,28 @@
|
|||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: kube-system-baseline
|
||||
namespace: kube-system
|
||||
spec:
|
||||
endpointSelector: {}
|
||||
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- cluster
|
||||
- host
|
||||
- remote-node
|
||||
|
||||
egress:
|
||||
- toEntities:
|
||||
- kube-apiserver
|
||||
- cluster
|
||||
|
||||
- toEndpoints:
|
||||
- matchLabels:
|
||||
k8s:k8s-app: kube-dns
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "53"
|
||||
protocol: UDP
|
||||
- port: "53"
|
||||
protocol: TCP
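Review bot: None of the kube-system policies added here let CoreDNS reach upstream resolvers: the deleted `baseline-allow-coredns-to-internet` granted `toEntities: world` on port 53, and the replacements allow only `kube-apiserver`, `cluster`, `host`, `remote-node` and kube-dns. Because this policy selects every endpoint in kube-system and carries an egress section, CoreDNS is in enforcement and will fail to resolve external names unless its forwarders happen to be the node itself (a LAN resolver is `world` from Cilium's point of view, not `host`), and the forgejo and navidrome `toFQDNs` rules depend on that resolution. Re-add a document scoped with `endpointSelector.matchLabels.k8s:k8s-app: kube-dns` whose egress is `toEntities: [world]` on `port: "53"`, `protocol: ANY`, as the deleted policy had.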
|
||||
40
platform/default-network-policies/kube-system-hardening.yaml
Normal file
40
platform/default-network-policies/kube-system-hardening.yaml
Normal file
|
|
@ -0,0 +1,40 @@
|
|||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: kube-system-hardening
|
||||
namespace: kube-system
|
||||
spec:
|
||||
endpointSelector: {}
|
||||
|
||||
ingress:
|
||||
# Allow cluster-internal communication (required for DNS, CNI, etc.)
|
||||
- fromEntities:
|
||||
- cluster
|
||||
- host
|
||||
- remote-node
|
||||
|
||||
# Allow kube-apiserver to talk to system components
|
||||
- fromEntities:
|
||||
- kube-apiserver
|
||||
|
||||
egress:
|
||||
# Core dependency: Kubernetes API
|
||||
- toEntities:
|
||||
- kube-apiserver
|
||||
|
||||
# CoreDNS access
|
||||
- toEndpoints:
|
||||
- matchLabels:
|
||||
k8s:k8s-app: kube-dns
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "53"
|
||||
protocol: UDP
|
||||
- port: "53"
|
||||
protocol: TCP
|
||||
|
||||
# Allow internal cluster communication (important for CNI + service mesh)
|
||||
- toEntities:
|
||||
- cluster
|
||||
- host
|
||||
- remote-node
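Review bot: Cilium unions allow rules, so a second `endpointSelector: {}` policy named `kube-system-hardening` cannot narrow anything `kube-system-baseline` already permits; its only net effect is the extra `fromEntities: kube-apiserver` ingress entry, the rest duplicates the baseline. The ingress rule `fromEntities: cluster` with no `toPorts` lets any pod in the cluster reach any kube-system pod on any port, which is broader than the hubble policies deleted in this commit that limited hubble-relay to `host`/`remote-node` and `hubble-ui` on 4245; if that narrowing mattered, re-add it per workload (e.g. `matchLabels: {k8s-app: hubble-relay}` with the former `toPorts`) and fold this file into the baseline so there is one place to audit. `cluster` already subsumes `host` and `remote-node` (and, as far as I recall, `kube-apiserver`), so the extra entries are redundant but harmless.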
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: kube-system-restrict-external-egress
|
||||
namespace: kube-system
|
||||
spec:
|
||||
endpointSelector: {}
|
||||
|
||||
egress:
|
||||
# Allow Kubernetes API
|
||||
- toEntities:
|
||||
- kube-apiserver
|
||||
|
||||
# Allow internal cluster communication
|
||||
- toEntities:
|
||||
- cluster
|
||||
- host
|
||||
- remote-node
|
||||
|
||||
# Allow DNS
|
||||
- toEndpoints:
|
||||
- matchLabels:
|
||||
k8s:k8s-app: kube-dns
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "53"
|
||||
protocol: UDP
|
||||
- port: "53"
|
||||
protocol: TCP
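Review bot: `kube-system-restrict-external-egress` is an allow-list policy, and Cilium unions allow rules, so it cannot restrict anything beyond what `kube-system-baseline` and `kube-system-hardening` already permit; its egress block is a strict subset of theirs, so as written it changes nothing and the name misleads an auditor into thinking external egress is being blocked here. If the intent is to record that world egress is denied, that already follows from any selecting policy carrying an egress section (Cilium's default deny), so either delete this file or rename it to what it is, e.g. `kube-system-egress-allowlist`, with a comment `# allow-list only: external (world) egress is denied by default once any egress section selects the pod`. The file header is not visible in this view, so the path is inferred from the name field.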
|
||||
|
||||