From bfe8435665ccd767f2989b4994c981cf45513b23 Mon Sep 17 00:00:00 2001 From: gwg313 Date: Sat, 16 May 2026 15:21:35 -0400 Subject: [PATCH] update default deny 
Signed-off-by: gwg313 --- {apps => apps_temp}/audiobookshelf.yaml | 0 audiobookshelf/certificate.yaml | 12 -- audiobookshelf/deployment.yaml | 32 +++- audiobookshelf/gateway.yaml | 18 --- audiobookshelf/iscsi-sealed.yaml | 19 --- audiobookshelf/iscsi-secrets-sealed.yaml | 19 +++ audiobookshelf/route.yaml | 37 +++++ audiobookshelf/service.yaml | 2 +- audiobookshelf/virtualservice.yaml | 19 --- forgejo/deployment.yaml | 7 + forgejo/network-policy.yaml | 121 +++++++++++++- navidrome/deployment.yaml | 11 +- navidrome/navidrome-secrets-sealed.yaml | 2 - navidrome/network-policy.yaml | 149 ++++++++++++++++++ .../core-k8s-services.yaml | 70 -------- .../default-deny.yaml | 12 -- platform/default-network-policies/hubble.yaml | 77 --------- .../kube-system-baseline.yaml | 28 ++++ .../kube-system-hardening.yaml | 40 +++++ .../kube-system-restrict-external-egress.yaml | 30 ++++ infra-root.yaml => platform/infra-root.yaml | 0 21 files changed, 470 insertions(+), 235 deletions(-) rename {apps => apps_temp}/audiobookshelf.yaml (100%) delete mode 100644 audiobookshelf/certificate.yaml delete mode 100644 audiobookshelf/gateway.yaml delete mode 100644 audiobookshelf/iscsi-sealed.yaml create mode 100644 audiobookshelf/iscsi-secrets-sealed.yaml create mode 100644 audiobookshelf/route.yaml delete mode 100644 audiobookshelf/virtualservice.yaml create mode 100644 navidrome/network-policy.yaml delete mode 100644 platform/default-network-policies/core-k8s-services.yaml delete mode 100644 platform/default-network-policies/default-deny.yaml delete mode 100644 platform/default-network-policies/hubble.yaml create mode 100644 platform/default-network-policies/kube-system-baseline.yaml create mode 100644 platform/default-network-policies/kube-system-hardening.yaml create mode 100644 platform/default-network-policies/kube-system-restrict-external-egress.yaml rename infra-root.yaml => platform/infra-root.yaml (100%) 
diff --git a/apps/audiobookshelf.yaml b/apps_temp/audiobookshelf.yaml
similarity index 100%
rename from apps/audiobookshelf.yaml
rename to apps_temp/audiobookshelf.yaml
diff --git a/audiobookshelf/certificate.yaml b/audiobookshelf/certificate.yaml
deleted file mode 100644
index 4af686f..0000000
--- a/audiobookshelf/certificate.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: audiobookshelf-cert
- namespace: istio-system
-spec:
- secretName: audiobookshelf-cert
- issuerRef:
- name: letsencrypt-dns
- kind: ClusterIssuer
- dnsNames:
- - audiobooks.gwg313.xyz
diff --git a/audiobookshelf/deployment.yaml b/audiobookshelf/deployment.yaml
index 5371351..360624e 100644
--- a/audiobookshelf/deployment.yaml
+++ b/audiobookshelf/deployment.yaml
@@ -1,3 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: audiobookshelf
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -5,6 +10,8 @@ metadata:
 namespace: audiobookshelf
 spec:
 replicas: 1
+ strategy:
+ type: Recreate
 selector:
 matchLabels:
 app: audiobookshelf
@@ -15,9 +22,15 @@ spec:
 spec:
 containers:
 - name: audiobookshelf
- image: registry.gwg313.xyz/library/audiobookshelf-rootless:latest
+ image: ghcr.io/advplyr/audiobookshelf:latest
+ imagePullPolicy: IfNotPresent
 ports:
- - containerPort: 8080
+ - containerPort: 80
+ name: http
+ protocol: TCP
+ env:
+ - name: TZ
+ value: "America/Toronto"
 volumeMounts:
 - name: audiobooks-volume
 mountPath: /audiobooks
@@ -40,3 +53,18 @@ spec:
 - name: metadata-volume
 persistentVolumeClaim:
 claimName: audiobookshelf-metadata
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: audiobookshelf-svc
+ namespace: audiobookshelf
+spec:
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 8080
+ targetPort: http # References the named string 'http' from the containerPort map
+ protocol: TCP
+ selector:
+ app: audiobookshelf
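Review bot: The image swap in `@@ -15,9 +22,15 @@` moves from a private `audiobookshelf-rootless` build to `ghcr.io/advplyr/audiobookshelf:latest` with `imagePullPolicy: IfNotPresent`; a mutable tag with no digest means the deployed bits are unreproducible, and IfNotPresent lets each node keep whichever build it pulled first, so nodes can silently run different images. Pin by digest, e.g. `image: ghcr.io/advplyr/audiobookshelf:<version>@sha256:<digest>`. The old image name suggests it ran as a non-root user, while the new container binds port 80, which presumably requires root; if the upstream image supports a configurable listen port, add a `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, dropped capabilities) so the rootless posture is not lost in the migration. This container is also the only one in the commit left without `resources` requests/limits, which forgejo and navidrome gain here.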
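Review bot: The inline `Service` `audiobookshelf-svc` (port 8080 → `targetPort: http`) added in `@@ -40,3 +53,18 @@` duplicates the `audiobookshelf` Service in service.yaml, whose `targetPort` is changed to 80 in this same commit, and nothing in the patch references `audiobookshelf-svc` (route.yaml targets `audiobookshelf` on port 80). Two Services selecting the same pods with different port numbers invites mistakes when routes or network policies are written against the wrong one later. Drop the unused Service, or add a comment above it such as `# Canonical Service is audiobookshelf (service.yaml); this one is kept for <reason>`.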
diff --git a/audiobookshelf/gateway.yaml b/audiobookshelf/gateway.yaml
deleted file mode 100644
index 7d9270d..0000000
--- a/audiobookshelf/gateway.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: networking.istio.io/v1beta1
-kind: Gateway
-metadata:
- name: audiobookshelf-gateway
- namespace: audiobookshelf
-spec:
- selector:
- istio: gateway
- servers:
- - port:
- number: 443
- name: https
- protocol: HTTPS
- tls:
- mode: SIMPLE
- credentialName: audiobookshelf-cert
- hosts:
- - audiobooks.gwg313.xyz
diff --git a/audiobookshelf/iscsi-sealed.yaml b/audiobookshelf/iscsi-sealed.yaml
deleted file mode 100644
index b0057c6..0000000
--- a/audiobookshelf/iscsi-sealed.yaml
+++ /dev/null
@@ -1,19 +0,0 @@ ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - creationTimestamp: null - name: audiobookshelf-iscsi-auth - namespace: audiobookshelf -spec: - encryptedData: - discovery.sendtargets.auth.password: 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 - discovery.sendtargets.auth.username: 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 - node.session.auth.password: AgB/lsTVb/3hrYtzpEydBfcesvDgZUi6Si4VNjlGRS1PfK9DSLpRBZazgLkrFSIhLOviWb9Rp9zQDNTJFAZkLbPGh8zNWyTzbANgsSziht7ljBArnsT3iMRQbFvZGUkI3QM95EURVXC7GhPEfr15bkEqq93ETzaDaBvZ3tKN2XqjRTFFAR2aFVVV6rPPea3FfAVhhcR700pfbW4YpLPfHuUFentEuMo5a3QRYo3VdzPYB7lzRx+YgD9Rv1rSffTdnPJzlE9IkUeBZKnuK9Xg80Q75aPHvb6MfT++LRZHUtsftQFjbJMcFKqqDu+JktjViyrTYG/2cfdQKsHbsQu4OW4XamU0isZiz42T8cj/Dpo0C+m2meZVXkSrsvyeHCA77vl9yd24O7CkDGKLnAqe5RLWAMJVBQwnVqiDhTdTvEItoyV9MZM079CsPKSpVZMJ4GQoJDjKN3L9Z0IIWHlrV5RJ65RJA3d8/9Ku+vFtxyfGWB3GtXAFvXYW/OZn1vuIEmA3U11mgnGKDIRETBMpuJSvzVKiTxCL4yrq5Ap0VRfBlJlNbDSlj78z6x9Pd8TsSoKUA5htpObLy3+Dx2Lm6SUflKvB6ywKnIbhlfFONlUrsxX6J02taDmqTzeAFT5sSM2Xl4yFveb7XLQQOJUIc32ZAFXOkYkvr9T8lbxXDE9mJG7abzwal7i1KWrxgVnmgN8oM6QDciHqElUb+z+tE69g - node.session.auth.username: AgCjON6B6NWGlbQsJvBLvy1SOgUt7fuIScFKqsnVLZf/AmUH6VJ70qAtjOr+MfoyhvGkpNLAb64LpUsEmxX/AI4pONZnNUVYgWSha+yEizCLsYCp2wL7PHbobg9nkYxL7vRcS/So5iIaHHS+3cHIHJI5O8Dhb6gqOz5kafNgdLu0TJ56n1Axe4QI3mz0m5/XjovzzImM3DiMaqtzJotENGxnnA/X0/zBbNZry94iWuXCTJ115+6cVn+h3SvVw0/rwcJgfNxgIJJW4Rukl6WCyC6MTKTjNnA65Z5R9oW4JviGNF/0PNGTjmkuCoJqSNZ+p5XebhTxn65ultLMxvJXZhVmSHo3es3x8wlmO49UOGhT1a38P+p/9DrrTg3xEdIeDHMmdLaZgOjjEfDh/2OP2S2ZHVEXQnFvG2VnKgmMYWyeylhBGyn4cEkLc1fFhy55g2EMCeF5zXNldTlT3Gh0ca1ipF0BBXgvuJCa9c5tNBK2QS66QVdehOLBOxrnjTnd4VPt05JXKqSQZ6S0ukNecL5hBju2nGHlXdYcVeI94/uZmpkNJC+mqRTJdXGwtUhF9F529Ln+DtkhTcGUAPBcZdP9eEc/lkAjp/lJyzW2jgTynVkqAyBZJsA7etAHAUlsFMgFOw6bG/oKXpJE7wFJ4J929/inpVj8J9rlLC7ruRlQy9gUT8A2uLwAXVmQufpjBTi2AVyS6wACG+eusvOHYg== - template: - metadata: - creationTimestamp: null - name: audiobookshelf-iscsi-auth - namespace: 
audiobookshelf - type: kubernetes.io/iscsi-chap diff --git a/audiobookshelf/iscsi-secrets-sealed.yaml b/audiobookshelf/iscsi-secrets-sealed.yaml new file mode 100644 index 0000000..282e9d1 --- /dev/null +++ b/audiobookshelf/iscsi-secrets-sealed.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: audiobookshelf-iscsi-auth + namespace: audiobookshelf +spec: + encryptedData: + discovery.sendtargets.auth.password: AgBVapcyRSYuizQmF6FZbr3m2wkNj0jIoWIqq1zJJtQdoSVfc9GlTzTF4VI+196k27iHtRVVkRqvIsCNxj7B8iirUMpstXyLmZ0GNcK5hMebeoH9hf2YFL2ZcnVrBxVKoFC+kJVhZZBjCiZ/IAU9wopeKIChKh/X08FuZeQkOKGs7P/2hgpLzi6TlFMpvmJC/ssX/MZzjUWSPwryGCbsJy02k7b7FFrX0K3O+5RTpCeySaAr0M/WHIM8sRgt926sJ5ltpylPS3WOsT75meYknK1TiSe+y6xW7OE517uE3Za6HGZF3wFmy+3DXzJh/Cc4Z2713aQyGJ1sZPSTXmpoaN0ffF3coUQrRj5rCE66FVIHm83b7fBjn2IQi86Ivoyuk7COWsDKn0FqA6VS1zqMhAHpPHxWxaeSofMtxZkwRlFz8uaQRqfnv9+bXz1OYvHpmeWw4EiulC1r63yUXreCLcIV+5IEBft+Y0JXpacIaAsrP+mOxrdXAie+hOsNcg7/IKBCsxatwtNMQIyPWstUI3dZiv4BjpXNOgdx/wjptKkXfcg436GXVzsMVuTP7a4iotN6T1WrazcrexQMEpGcLAlnhQRKx2CehgFDNeAPVn9g257Yz4tXuG+iQ6wTyq3PJBBxS59AVYMSn+3w2oMYlkhDjPzET/FRjNc+kyzmpl3evaoSDyEtirRyOlMyvyTUOvSPN1HPZw61RNeUo4wX8yrV + discovery.sendtargets.auth.username: 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 + node.session.auth.password: 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 + node.session.auth.username: 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 + template: + metadata: + creationTimestamp: null + name: audiobookshelf-iscsi-auth + namespace: audiobookshelf + type: kubernetes.io/iscsi-chap diff --git a/audiobookshelf/route.yaml b/audiobookshelf/route.yaml new file mode 100644 index 0000000..302e61c --- /dev/null +++ b/audiobookshelf/route.yaml 
@@ -0,0 +1,37 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: audiobookshelf
+ namespace: audiobookshelf
+spec:
+ parentRefs:
+ - name: shared-edge-gateway
+ namespace: cilium-ingress
+
+ hostnames:
+ - "audiobooks.local.gwg313.xyz"
+ - "audiobooks.gwg313.xyz"
+ - "audiobooks.zerotier.gwg313.xyz"
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: audiobookshelf
+ port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+ name: allow-gateway-to-audiobookshelf
+ namespace: audiobookshelf
+spec:
+ from:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ namespace: cilium-ingress
+ to:
+ - group: ""
+ kind: Service
+ name: audiobookshelf
diff --git a/audiobookshelf/service.yaml b/audiobookshelf/service.yaml
index f34268b..e8ff9a1 100644
--- a/audiobookshelf/service.yaml
+++ b/audiobookshelf/service.yaml
@@ -8,4 +8,4 @@ spec:
 app: audiobookshelf
 ports:
 - port: 80
- targetPort: 8080
+ targetPort: 80
diff --git a/audiobookshelf/virtualservice.yaml b/audiobookshelf/virtualservice.yaml
deleted file mode 100644
index f128e38..0000000
--- a/audiobookshelf/virtualservice.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: networking.istio.io/v1beta1
-kind: VirtualService
-metadata:
- name: audiobookshelf
- namespace: audiobookshelf
-spec:
- hosts:
- - audiobooks.gwg313.xyz
- gateways:
- - audiobookshelf-gateway
- http:
- - match:
- - uri:
- prefix: /
- route:
- - destination:
- host: audiobookshelf
- port:
- number: 80
diff --git a/forgejo/deployment.yaml b/forgejo/deployment.yaml
index 62ce0e3..d49dee7 100644
--- a/forgejo/deployment.yaml
+++ b/forgejo/deployment.yaml
@@ -28,6 +28,13 @@ spec:
 ports:
 - containerPort: 3000
 - containerPort: 2222
+ resources:
+ requests:
+ cpu: "50m"
+ memory: "128Mi"
+ limits:
+ cpu: "1000m"
+ memory: "512Mi"
 env:
 - name: FORGEJO__server__ROOT_URL
 value: "https://git.gwg313.xyz/"
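Review bot: The `ReferenceGrant` at the end of the hunk does not authorise anything that is ever checked: a grant permits cross-namespace references from a Route to a backend (or from a Gateway to a TLS Secret), but here the HTTPRoute and the Service both live in `audiobookshelf`, so no grant is required, and a Gateway never references a Service. It is dead configuration that may read as an access control to the next maintainer; whether `shared-edge-gateway` in `cilium-ingress` admits routes from this namespace is decided by that listener's `allowedRoutes.namespaces`, which is not in this patch and should be confirmed. The commit also deletes the cert-manager `Certificate` for `audiobooks.gwg313.xyz` along with the Istio gateway, so TLS for all three hostnames (including the new `.local.` and `.zerotier.` names) now depends entirely on the shared gateway's certificate covering them; verify that before cut-over. Replace the grant with a comment on the route such as `# Route and Service share a namespace; no ReferenceGrant needed — admission is governed by the shared gateway's allowedRoutes.`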
diff --git a/forgejo/network-policy.yaml b/forgejo/network-policy.yaml
index b67cb45..dbc79f0 100644
--- a/forgejo/network-policy.yaml
+++ b/forgejo/network-policy.yaml
@@ -1,13 +1,30 @@
+# ----------------------------------------------------
+# Default deny (namespace baseline)
+# ----------------------------------------------------
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
- name: allow-ingress-to-forgejo
+ name: default-deny
+ namespace: forgejo
+spec:
+ endpointSelector: {}
+ ingress: []
+ egress: []
+
+---
+# ----------------------------------------------------
+# Ingress only from Gateway API
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-ingress
 namespace: forgejo
 spec:
- description: "Accept incoming traffic from the native mesh proxy"
 endpointSelector:
 matchLabels:
 app: forgejo
+
 ingress:
 - fromEntities:
 - ingress
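Review bot: The new `default-deny` uses `ingress: []` / `egress: []`, whereas the clusterwide `baseline-default-deny` this commit deletes used `- {}`; as far as I know Cilium serialises an empty rule list away (`omitempty`), so this policy contributes no ingress or egress rules and does not switch the selected endpoints into default-deny for either direction — the documented deny-all form is a list containing one empty rule. For `app: forgejo` pods this is masked because `allow-ingress` and the egress policies select them and enable enforcement anyway, but any other pod in the namespace stays allow-all. Change the two lines to `ingress: [{}]` and `egress: [{}]` (or `- {}` in block style) and confirm with `cilium endpoint list` that policy enforcement shows enabled in both directions. With the clusterwide deny gone, every namespace without such a policy is now unrestricted (audiobookshelf has none in this patch), so the agent's `policy-enforcement-mode: always` or a replacement clusterwide deny is worth considering.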
@@ -15,3 +32,103 @@ spec:
 - ports:
 - port: "3000"
 protocol: TCP
+
+---
+# ----------------------------------------------------
+# DNS (cluster DNS only)
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-dns
+ namespace: forgejo
+spec:
+ endpointSelector:
+ matchLabels:
+ app: forgejo
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: ANY
+ rules:
+ dns:
+ - matchPattern: "*"
+
+# ---
+# # ----------------------------------------------------
+# # CI runner access (in-cluster service)
+# # ----------------------------------------------------
+# apiVersion: cilium.io/v2
+# kind: CiliumNetworkPolicy
+# metadata:
+# name: allow-ci-runner
+# namespace: forgejo
+# spec:
+# endpointSelector:
+# matchLabels:
+# app: forgejo
+#
+# egress:
+# - toEndpoints:
+# - matchLabels:
+# app: ci-runner # adjust to your runner labels
+# toPorts:
+# - ports:
+# - port: "80"
+# protocol: TCP
+# - port: "443"
+# protocol: TCP
+#
+---
+# ----------------------------------------------------
+# External git providers (FQDN restricted)
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-git-egress
+ namespace: forgejo
+spec:
+ endpointSelector:
+ matchLabels:
+ app: forgejo
+
+ egress:
+ - toFQDNs:
+ - matchName: github.com
+ - matchName: api.github.com
+ - matchName: raw.githubusercontent.com
+ toPorts:
+ - ports:
+ - port: "443"
+ protocol: TCP
+
+---
+# ----------------------------------------------------
+# OPTIONAL: unrestricted egress (disabled by default)
+# Enable ONLY when required for troubleshooting or apps
+# ----------------------------------------------------
+# apiVersion: cilium.io/v2
+# kind: CiliumNetworkPolicy
+# metadata:
+# name: allow-all-egress
+# namespace: forgejo
+# spec:
+# endpointSelector:
+# matchLabels:
+# app: forgejo
+#
+# egress:
+# - toEntities:
+# - world
+# toPorts:
+# - ports:
+# - port: "443"
+# protocol: TCP
+# - port: "80"
+# protocol: TCP
diff --git a/navidrome/deployment.yaml b/navidrome/deployment.yaml
index a2abd50..37af140 100644
--- a/navidrome/deployment.yaml
+++ b/navidrome/deployment.yaml
@@ -5,6 +5,8 @@ metadata:
 namespace: navidrome
 spec:
 replicas: 1
+ strategy:
+ type: Recreate
 selector:
 matchLabels:
 app: navidrome
@@ -15,9 +17,16 @@ spec:
 spec:
 containers:
 - name: navidrome
- image: deluan/navidrome:latest
+ image: deluan/navidrome:pr-5495
 ports:
 - containerPort: 4533
+ resources:
+ requests:
+ cpu: "100m"
+ memory: "128Mi"
+ limits:
+ cpu: "1000m"
+ memory: "512Mi"
 envFrom:
 - configMapRef:
 name: navidrome-config
diff --git a/navidrome/navidrome-secrets-sealed.yaml b/navidrome/navidrome-secrets-sealed.yaml
index d5a9703..965810f 100644
--- a/navidrome/navidrome-secrets-sealed.yaml
+++ b/navidrome/navidrome-secrets-sealed.yaml
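Review bot: `allow-dns` permits `matchPattern: "*"`, so although L3/L4 egress is pinned to three GitHub FQDNs, a compromised Forgejo pod can still resolve arbitrary names via kube-dns, and if CoreDNS forwards upstream that is a working DNS exfiltration/tunnel channel the default deny does not close. Cilium only needs to observe the names it later enforces in `toFQDNs`, so the DNS rule can be narrowed to that set plus cluster-internal names, e.g. `- matchName: github.com`, `- matchPattern: "*.github.com"`, `- matchPattern: "*.githubusercontent.com"`, plus the cluster DNS suffix (`*.cluster.local` if the default). Note also that `allow-ingress` only opens 3000 while the deployment still declares `containerPort: 2222` (git over SSH); if that port is reachable through a Service today, these policies will silently drop it, so either add a rule for it or comment next to the port list that SSH is intentionally closed. The `ingress:` stanza the second hunk starts in belongs to `allow-ingress`, whose header is in the previous hunk.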
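Review bot: `image: deluan/navidrome:pr-5495` pins the navidrome deployment to a pull-request build tag on Docker Hub; such tags are mutable (rebuilt on every push to the PR) and are typically removed once the PR merges, so the deployment is unreproducible and liable to fail its next pull, and with no `imagePullPolicy` set a non-`latest` tag defaults to `IfNotPresent`, so nodes will drift to whichever build they pulled first. If the PR build is genuinely needed, pin it by digest — `image: deluan/navidrome:pr-5495@sha256:<digest>` — and add a comment with the PR link and the reason it is required; otherwise return to a released version tag with a digest.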
@@ -9,8 +9,6 @@ spec: encryptedData: ND_LASTFM_APIKEY: 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 ND_LASTFM_SECRET: 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 - ND_SPOTIFY_ID: AgBTtb5SoXvc7r74BgK0hL5exzAsI23Yj8h6eaDIEmbOKKcd/S0fs7sFnn04r7RrHzQaRvowrSIwAXPWNdvpUSAObeDjb9NURe28RAHcxlKpRisjUm6NWaqo4eNlv2oZNZfmEajKmbFtSezdqAOuBbr1Yvm1d2Si05KSLlDfQHUiVN0OIvFBwSYJuYHFH7tAhbIZRzJI4HC4WrR37XV1Ow9Mms3HXS1qsM2e7Y8njkVObtJnjS5ejmbu1LajfU8laSUnsIv0d0NvlWTil1upzTca+Xm3EUJ1AG6Q9Jl74wZEd4/NU8ZiV8aqHA5j/EBLisiT9YeTD2xCJVQ3zvmXaA/SS/9w4bJpN/4x758cJDEvUK5q9r6hnF0Fvt6w4hKNoWNLdhl9oV668BjryV66HsTTJlzMjWVj9rpDx5O+XNLUgKlBjna2/uZIc/ys60l8Q+YxN0XTleFytCLfoBOOASF/EfcZYzwLR68zQqSkS4scOtqhBjyPNA0UJARtVvTmLLpP0YTMsQm7PNI2WdbZsDtgazRqTj+00o5HIXBiDSKP7mhHfkUtOQuI9fwIYek1YBxCY3D3K5vc6CNw1WSatJ8tkR+cfaf36wwM8XbW5iftUJP+c2sox2tHTHyUJXoWb4HD5u5qYOeZIWKs9XAlNzqK3fxnK1wms5XJCAEBvdm675wpaxqo9WqvFSGJfHjVAqfvUeWP9T/mv50PMvluIVRN1ZRp7ULP3c+5tFk0cpCrZ98= - ND_SPOTIFY_SECRET: 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 template: metadata: creationTimestamp: null diff --git a/navidrome/network-policy.yaml b/navidrome/network-policy.yaml new file mode 100644 index 0000000..12d359f --- /dev/null +++ b/navidrome/network-policy.yaml 
@@ -0,0 +1,149 @@
+# ----------------------------------------------------
+# Default deny (namespace baseline)
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: default-deny
+ namespace: navidrome
+spec:
+ endpointSelector: {}
+ ingress: []
+ egress: []
+
+---
+# ----------------------------------------------------
+# Ingress only from Gateway API
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-ingress
+ namespace: navidrome
+spec:
+ endpointSelector:
+ matchLabels:
+ app: navidrome
+
+ ingress:
+ - fromEntities:
+ - ingress
+ toPorts:
+ - ports:
+ - port: "4533"
+ protocol: TCP
+
+---
+# ----------------------------------------------------
+# DNS (required)
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-dns
+ namespace: navidrome
+spec:
+ endpointSelector:
+ matchLabels:
+ app: navidrome
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: ANY
+ rules:
+ dns:
+ - matchPattern: "*"
+
+---
+# ----------------------------------------------------
+# Spotify API access (album art, metadata)
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-spotify
+ namespace: navidrome
+spec:
+ endpointSelector:
+ matchLabels:
+ app: navidrome
+
+ egress:
+ - toFQDNs:
+ - matchName: api.spotify.com
+ - matchName: i.scdn.co
+ - matchName: accounts.spotify.com
+ toPorts:
+ - ports:
+ - port: "443"
+ protocol: TCP
+---
+
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-navidrome
+ namespace: navidrome
+spec:
+ endpointSelector:
+ matchLabels:
+ app: navidrome
+
+ egress:
+ - toFQDNs:
+ - matchPattern: "*.navidrome.org"
+ - matchName: navidrome.org
+ toPorts:
+ - ports:
+ - port: "443"
+ protocol: TCP
+
+---
+# ----------------------------------------------------
+# Last.fm API access (metadata, scrobbling, images)
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-lastfm
+ namespace: navidrome
+spec:
+ endpointSelector:
+ matchLabels:
+ app: navidrome
+
+ egress:
+ - toFQDNs:
+ - matchName: ws.audioscrobbler.com
+ - matchName: lastfm.freetls.fastly.net
+ toPorts:
+ - ports:
+ - port: "443"
+ protocol: TCP
+
+---
+# ----------------------------------------------------
+# OPTIONAL: unrestricted HTTPS egress (disabled)
+# ----------------------------------------------------
+# apiVersion: cilium.io/v2
+# kind: CiliumNetworkPolicy
+# metadata:
+# name: allow-all-egress
+# namespace: navidrome
+# spec:
+# endpointSelector:
+# matchLabels:
+# app: navidrome
+#
+# egress:
+# - toEntities:
+# - world
+# toPorts:
+# - ports:
+# - port: "443"
+# protocol: TCP
diff --git a/platform/default-network-policies/core-k8s-services.yaml b/platform/default-network-policies/core-k8s-services.yaml
deleted file mode 100644
index 75fb153..0000000
--- a/platform/default-network-policies/core-k8s-services.yaml
+++ /dev/null
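Review bot: `allow-spotify` opens egress to `api.spotify.com`, `i.scdn.co` and `accounts.spotify.com`, yet this same commit removes `ND_SPOTIFY_ID` / `ND_SPOTIFY_SECRET` from the navidrome SealedSecret; without credentials that integration is presumably unused, so the rule is dead allow-list surface and should be deleted, or given a comment stating why it stays. The `default-deny` document at the top has the same problem as forgejo's: `ingress: []` / `egress: []` do not, to my knowledge, put endpoints into Cilium default-deny (the deny-all form is `ingress: [{}]` / `egress: [{}]`), and only `app: navidrome` pods are enforced via the other policies. `allow-dns` with `matchPattern: "*"` likewise leaves an arbitrary-name DNS channel open despite the FQDN pinning; narrow it to the names the `toFQDNs` rules actually use plus the cluster suffix. Minor: `allow-navidrome` is the only document without a header comment (its `---` is also followed rather than preceded by the blank line) — add one stating what `*.navidrome.org` is needed for (update check? docs?), so the egress allowance is justified in-file.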
@@ -1,70 +0,0 @@
----
-apiVersion: "cilium.io/v2"
-kind: CiliumClusterwideNetworkPolicy
-metadata:
- name: baseline-allow-coredns-egress
-spec:
- description: "Allow all pods to send DNS queries out to CoreDNS"
- endpointSelector:
- matchLabels: {}
- egress:
- - toEndpoints:
- - matchLabels:
- k8s:io.kubernetes.pod.namespace: kube-system
- k8s-app: kube-dns
- toPorts:
- - ports:
- - port: "53"
- protocol: UDP
- - port: "53"
- protocol: TCP
----
-apiVersion: "cilium.io/v2"
-kind: CiliumClusterwideNetworkPolicy
-metadata:
- name: baseline-allow-coredns-ingress
-spec:
- description: "Allow CoreDNS to receive incoming DNS queries"
- endpointSelector:
- matchLabels:
- k8s:io.kubernetes.pod.namespace: kube-system
- k8s-app: kube-dns
- ingress:
- - fromEndpoints:
- - matchLabels: {} # Accepts from any pod
- toPorts:
- - ports:
- - port: "53"
- protocol: UDP
- - port: "53"
- protocol: TCP
----
-apiVersion: "cilium.io/v2"
-kind: CiliumClusterwideNetworkPolicy
-metadata:
- name: baseline-allow-apiserver
-spec:
- description: "Allow all pods to communicate with the K8s API"
- endpointSelector:
- matchLabels: {}
- egress:
- - toEntities:
- - kube-apiserver
----
-apiVersion: "cilium.io/v2"
-kind: CiliumClusterwideNetworkPolicy
-metadata:
- name: baseline-allow-coredns-to-internet
-spec:
- description: "Allow CoreDNS pods to reach upstream DNS servers on the internet"
- endpointSelector:
- matchLabels:
- k8s:io.kubernetes.pod.namespace: kube-system
- k8s-app: kube-dns
- egress:
- - toEntities:
- - world
- toPorts:
- - ports:
- - port: "53"
- protocol: ANY
diff --git a/platform/default-network-policies/default-deny.yaml b/platform/default-network-policies/default-deny.yaml
deleted file mode 100644
index 5fd2d7f..0000000
--- a/platform/default-network-policies/default-deny.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: "cilium.io/v2"
-kind: CiliumClusterwideNetworkPolicy
-metadata:
- name: baseline-default-deny
-spec:
- description: "Deny all ingress and egress cluster-wide by default"
- endpointSelector:
- matchLabels: {}
- ingress:
- - {}
- egress:
- - {}
diff --git a/platform/default-network-policies/hubble.yaml b/platform/default-network-policies/hubble.yaml
deleted file mode 100644
index 2e0c040..0000000
--- a/platform/default-network-policies/hubble.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
-apiVersion: "cilium.io/v2"
-kind: CiliumNetworkPolicy
-metadata:
- name: allow-hubble-port-forward
- namespace: kube-system
-spec:
- description: "Allow host-level port-forwarding to Hubble Relay and UI"
- endpointSelector:
- matchLabels:
- io.cilium.k8s.policy.serviceaccount: hubble-relay
- ingress:
- - fromEntities:
- - host
- - remote-node
- toPorts:
- - ports:
- - port: "4245"
- protocol: TCP
- - port: "8081"
- protocol: TCP
----
-apiVersion: "cilium.io/v2"
-kind: CiliumNetworkPolicy
-metadata:
- name: allow-hubble-ui-to-relay
- namespace: kube-system
-spec:
- description: "Allow Hubble UI to fetch data from Hubble Relay"
- endpointSelector:
- matchLabels:
- k8s-app: hubble-relay
- ingress:
- - fromEndpoints:
- - matchLabels:
- k8s-app: hubble-ui
- toPorts:
- - ports:
- - port: "4245"
- protocol: TCP
----
-apiVersion: "cilium.io/v2"
-kind: CiliumNetworkPolicy
-metadata:
- name: allow-hubble-relay-to-agents
- namespace: kube-system
-spec:
- description: "Allow Hubble Relay to collect flows from Cilium node agents"
- endpointSelector:
- matchLabels:
- k8s-app: hubble-relay
- egress:
- - toEntities:
- - host
- - remote-node
- toPorts:
- - ports:
- - port: "4244"
- protocol: TCP
----
-apiVersion: "cilium.io/v2"
-kind: CiliumNetworkPolicy
-metadata:
- name: allow-hubble-ui-egress-to-relay
- namespace: kube-system
-spec:
- description: "Allow Hubble UI to send requests to Hubble Relay"
- endpointSelector:
- matchLabels:
- k8s-app: hubble-ui
- egress:
- - toEndpoints:
- - matchLabels:
- k8s-app: hubble-relay
- toPorts:
- - ports:
- - port: "4245"
- protocol: TCP
diff --git a/platform/default-network-policies/kube-system-baseline.yaml b/platform/default-network-policies/kube-system-baseline.yaml
new file mode 100644
index 0000000..1654862
--- /dev/null
+++ b/platform/default-network-policies/kube-system-baseline.yaml
@@ -0,0 +1,28 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: kube-system-baseline
+ namespace: kube-system
+spec:
+ endpointSelector: {}
+
+ ingress:
+ - fromEntities:
+ - cluster
+ - host
+ - remote-node
+
+ egress:
+ - toEntities:
+ - kube-apiserver
+ - cluster
+
+ - toEndpoints:
+ - matchLabels:
+ k8s:k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
diff --git a/platform/default-network-policies/kube-system-hardening.yaml b/platform/default-network-policies/kube-system-hardening.yaml
new file mode 100644
index 0000000..5d3eb34
--- /dev/null
+++ b/platform/default-network-policies/kube-system-hardening.yaml
@@ -0,0 +1,40 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: kube-system-hardening
+ namespace: kube-system
+spec:
+ endpointSelector: {}
+
+ ingress:
+ # Allow cluster-internal communication (required for DNS, CNI, etc.)
+ - fromEntities:
+ - cluster
+ - host
+ - remote-node
+
+ # Allow kube-apiserver to talk to system components
+ - fromEntities:
+ - kube-apiserver
+
+ egress:
+ # Core dependency: Kubernetes API
+ - toEntities:
+ - kube-apiserver
+
+ # CoreDNS access
+ - toEndpoints:
+ - matchLabels:
+ k8s:k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
+
+ # Allow internal cluster communication (important for CNI + service mesh)
+ - toEntities:
+ - cluster
+ - host
+ - remote-node
diff --git a/platform/default-network-policies/kube-system-restrict-external-egress.yaml b/platform/default-network-policies/kube-system-restrict-external-egress.yaml
new file mode 100644
index 0000000..36827f8
--- /dev/null
+++ b/platform/default-network-policies/kube-system-restrict-external-egress.yaml
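Review bot: `kube-system-baseline` selects every pod in kube-system (`endpointSelector: {}`) and allows ingress from the `cluster` entity with no `toPorts`, i.e. any pod in any namespace may reach any kube-system pod on any port — Hubble Relay on 4245, Hubble UI on 8081, and whatever else runs there — which is materially looser than the deleted hubble.yaml, which admitted only `host`/`remote-node` and `hubble-ui` to the relay. Because `cluster` already contains `host`, `remote-node` and `kube-apiserver`, the extra entity entries in both the ingress and egress lists add nothing; the effective rule is "allow everything cluster-internal". Scope ingress per workload with `toPorts` (at minimum CoreDNS on 53 from `cluster`, and the relay/UI only from `host`/`remote-node`), or keep the hubble policies next to a narrower baseline. This file also overlaps almost line for line with `kube-system-hardening` and `kube-system-restrict-external-egress` added in the same commit; Cilium unions allow rules across policies, so three files with the same selector are harder to audit than one — consolidate and state the intent in a header comment.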
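Review bot: `kube-system-hardening` is a strict superset of `kube-system-baseline` (same `{}` selector and the same ingress/egress entities, plus `fromEntities: kube-apiserver`), so with both applied it does not harden anything — Cilium merges allow rules, and the name promises a restriction the content does not deliver. Either delete the baseline file or make this the single kube-system policy, and rename it for what it allows rather than what it hopes to achieve. The comment `# Allow internal cluster communication (important for CNI + service mesh)` is also misleading: the `cluster` entity already includes `host` and `remote-node`, so those two lines are redundant; drop them or reword the comment to say they are listed for readability only.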
@@ -0,0 +1,30 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: kube-system-restrict-external-egress
+ namespace: kube-system
+spec:
+ endpointSelector: {}
+
+ egress:
+ # Allow Kubernetes API
+ - toEntities:
+ - kube-apiserver
+
+ # Allow internal cluster communication
+ - toEntities:
+ - cluster
+ - host
+ - remote-node
+
+ # Allow DNS
+ - toEndpoints:
+ - matchLabels:
+ k8s:k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
+
diff --git a/infra-root.yaml b/platform/infra-root.yaml
similarity index 100%
rename from infra-root.yaml
rename to platform/infra-root.yaml
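Review bot: None of the three new kube-system policies allows egress to `world`, while the deleted `baseline-allow-coredns-to-internet` did (`toEntities: world`, port 53, for kube-dns); once these policies select the CoreDNS pods for egress enforcement, CoreDNS can no longer forward queries upstream unless it runs with `hostNetwork` or forwards to a node-local resolver — and that would also break every `toFQDNs` rule this commit adds for forgejo and navidrome, since those depend on CoreDNS resolving external names. Add a kube-dns-scoped document, e.g. `endpointSelector: {matchLabels: {k8s-app: kube-dns}}` with `egress: [{toEntities: [world], toPorts: [{ports: [{port: "53", protocol: ANY}]}]}]`, and test external resolution from a pod before merging. The file name says "restrict external egress" but the body is only an allow-list identical to the egress sections of the other two files; a header comment stating that Cilium default-denies anything not listed, and that `world` egress is intentionally absent for non-DNS pods, would make the intent auditable. Any other kube-system component that needs the internet will be cut off the same way — check with `hubble observe --verdict DROPPED -n kube-system` after applying.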