update default deny

Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
gwg313 2026-05-16 15:21:35 -04:00
parent 68bebdae57
commit bfe8435665
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
21 changed files with 470 additions and 235 deletions


@ -5,6 +5,8 @@ metadata:
namespace: navidrome
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: navidrome
@ -15,9 +17,16 @@ spec:
spec:
containers:
- name: navidrome
image: deluan/navidrome:latest
image: deluan/navidrome:pr-5495
ports:
- containerPort: 4533
resources:
requests:
cpu: "100m"
memory: "128Mi"
limits:
cpu: "1000m"
memory: "512Mi"
envFrom:
- configMapRef:
name: navidrome-config
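Review bot: The new image reference on the `image: deluan/navidrome:pr-5495` line is a mutable PR-build tag pulled from a third-party registry, so what actually runs can change underneath the same manifest and is not reviewable from this commit. Pin it by digest, `image: deluan/navidrome:pr-5495@sha256:<digest>`, and record why a pre-release build is in use, e.g. `# TODO: return to a tagged release once PR 5495 is merged`. The `strategy` and `resources` additions look reasonable; the container spec continues past the hunk, so probes and any `securityContext` cannot be checked here.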


@ -9,8 +9,6 @@ spec:
encryptedData:
ND_LASTFM_APIKEY: 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
ND_LASTFM_SECRET: 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
ND_SPOTIFY_ID: 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
ND_SPOTIFY_SECRET: AgA+w4eh9o6qh2L7zcOKhqiNwM5knXlIWA7xLTzEO0NXs1uSTuKSQost5vWm2EB5OlwncxJmacW7um+sdA9039GnbrtIvBja0PvkWqS6I1AFZECX/+ZHVpLjh2S+K0ELqT2A9DdHXtDllcW6M84rR8QuAExFVsaHO7QvUjVlyM71f420ktm6rU3kIRMdhRvhYatKnapdq6uI3kz6Y2EwSx6wGJlfG7nDye+60l6PIyNUvezQBDZh/Ldi+Nm+mTLumhscHo0mciSsC9zM17hgd8UGCE79S8cmy6r38EJtqeLmxy02x0cTj7NoDQ/WftFCC8aj/HGSWh8Io54YNbs5LIjFDIJL6VbVe7g/TKqVONJLfTWa24DXw1m5hLgH8iP5wRE6B677hOVkLsqvxZw7ALdrwm331/kL6xRLtkG1mjnosYCh8MBUVskdvw4HbL3cwmAkLy1Jvahd6Z6BbhKVci+r8d88J/CTgRkAd6oJiZxrpsN0m5oiWP5U9WlD1lCDvhuoaAFX60zjmSbE6leroP//h3arMMBlbVxi2SLAYQVXkD4QRc32WOXuOcbKUKitckC4mzcpEYRtguJuKkj6qe2FI6fSrsaw6aidPpPSzGZLgXIrDrTd3AUj9GjTPftvkHsxjgrL6WB3Tba6KbbNrJKCN+APyMUI2jJXHY5gYl2wjoocJ4Lnen86AZtynlMvMBkM8Qma8GAjwwWugqy5ZLw9cv8bqNsa90n4V8IYHHIamQM=
template:
metadata:
creationTimestamp: null


@ -0,0 +1,149 @@
# ----------------------------------------------------
# Default deny (namespace baseline)
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: default-deny
namespace: navidrome
spec:
endpointSelector: {}
ingress: []
egress: []
---
# ----------------------------------------------------
# Ingress only from Gateway API
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-ingress
namespace: navidrome
spec:
endpointSelector:
matchLabels:
app: navidrome
ingress:
- fromEntities:
- ingress
toPorts:
- ports:
- port: "4533"
protocol: TCP
---
# ----------------------------------------------------
# DNS (required)
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-dns
namespace: navidrome
spec:
endpointSelector:
matchLabels:
app: navidrome
egress:
- toEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: ANY
rules:
dns:
- matchPattern: "*"
---
# ----------------------------------------------------
# Spotify API access (album art, metadata)
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-spotify
namespace: navidrome
spec:
endpointSelector:
matchLabels:
app: navidrome
egress:
- toFQDNs:
- matchName: api.spotify.com
- matchName: i.scdn.co
- matchName: accounts.spotify.com
toPorts:
- ports:
- port: "443"
protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-navidrome
namespace: navidrome
spec:
endpointSelector:
matchLabels:
app: navidrome
egress:
- toFQDNs:
- matchPattern: "*.navidrome.org"
- matchName: navidrome.org
toPorts:
- ports:
- port: "443"
protocol: TCP
---
# ----------------------------------------------------
# Last.fm API access (metadata, scrobbling, images)
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-lastfm
namespace: navidrome
spec:
endpointSelector:
matchLabels:
app: navidrome
egress:
- toFQDNs:
- matchName: ws.audioscrobbler.com
- matchName: lastfm.freetls.fastly.net
toPorts:
- ports:
- port: "443"
protocol: TCP
---
# ----------------------------------------------------
# OPTIONAL: unrestricted HTTPS egress (disabled)
# ----------------------------------------------------
# apiVersion: cilium.io/v2
# kind: CiliumNetworkPolicy
# metadata:
# name: allow-all-egress
# namespace: navidrome
# spec:
# endpointSelector:
# matchLabels:
# app: navidrome
#
# egress:
# - toEntities:
# - world
# toPorts:
# - ports:
# - port: "443"
# protocol: TCP
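Review bot: The `default-deny` policy at the top of the file uses `ingress: []` and `egress: []`, and as far as I can tell Cilium treats an empty rule list the same as no rules in that direction, so this policy would not by itself put the namespace's endpoints into enforcement mode; Cilium's documented default-deny shape is one empty rule per direction, `ingress:` / `- {}` and `egress:` / `- {}` (or `enableDefaultDeny` on recent releases). In practice the `app: navidrome` pods are still default-denied here because the `allow-*` policies selecting them carry both ingress and egress sections, but any other pod in the namespace would be left unrestricted, so confirm the enforcement state with `cilium endpoint list` after applying. The `allow-navidrome` policy is also the only one without a header comment; add one stating the purpose of the `*.navidrome.org` egress, e.g. `# navidrome.org egress (purpose: TODO)`.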