update default deny
Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
parent
68bebdae57
commit
bfe8435665
21 changed files with 470 additions and 235 deletions
|
|
@ -5,6 +5,8 @@ metadata:
|
|||
namespace: navidrome
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: navidrome
|
||||
|
|
@ -15,9 +17,16 @@ spec:
|
|||
spec:
|
||||
containers:
|
||||
- name: navidrome
|
||||
image: deluan/navidrome:latest
|
||||
image: deluan/navidrome:pr-5495
|
||||
ports:
|
||||
- containerPort: 4533
|
||||
resources:
|
||||
requests:
|
||||
cpu: "100m"
|
||||
memory: "128Mi"
|
||||
limits:
|
||||
cpu: "1000m"
|
||||
memory: "512Mi"
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: navidrome-config
|
||||
|
|
|
|||
|
|
@ -9,8 +9,6 @@ spec:
|
|||
encryptedData:
|
||||
ND_LASTFM_APIKEY: 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
|
||||
ND_LASTFM_SECRET: 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
|
||||
ND_SPOTIFY_ID: 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
|
||||
ND_SPOTIFY_SECRET: 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
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
|
|
|
|||
149
navidrome/network-policy.yaml
Normal file
149
navidrome/network-policy.yaml
Normal file
|
|
@ -0,0 +1,149 @@
|
|||
# ----------------------------------------------------
|
||||
# Default deny (namespace baseline)
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: default-deny
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector: {}
|
||||
ingress: []
|
||||
egress: []
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# Ingress only from Gateway API
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-ingress
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: navidrome
|
||||
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- ingress
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "4533"
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# DNS (required)
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-dns
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: navidrome
|
||||
egress:
|
||||
- toEndpoints:
|
||||
- matchLabels:
|
||||
k8s:io.kubernetes.pod.namespace: kube-system
|
||||
k8s-app: kube-dns
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "53"
|
||||
protocol: ANY
|
||||
rules:
|
||||
dns:
|
||||
- matchPattern: "*"
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# Spotify API access (album art, metadata)
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-spotify
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: navidrome
|
||||
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchName: api.spotify.com
|
||||
- matchName: i.scdn.co
|
||||
- matchName: accounts.spotify.com
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "443"
|
||||
protocol: TCP
|
||||
---
|
||||
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-navidrome
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: navidrome
|
||||
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchPattern: "*.navidrome.org"
|
||||
- matchName: navidrome.org
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "443"
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# Last.fm API access (metadata, scrobbling, images)
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-lastfm
|
||||
namespace: navidrome
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: navidrome
|
||||
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchName: ws.audioscrobbler.com
|
||||
- matchName: lastfm.freetls.fastly.net
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "443"
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# OPTIONAL: unrestricted HTTPS egress (disabled)
|
||||
# ----------------------------------------------------
|
||||
# apiVersion: cilium.io/v2
|
||||
# kind: CiliumNetworkPolicy
|
||||
# metadata:
|
||||
# name: allow-all-egress
|
||||
# namespace: navidrome
|
||||
# spec:
|
||||
# endpointSelector:
|
||||
# matchLabels:
|
||||
# app: navidrome
|
||||
#
|
||||
# egress:
|
||||
# - toEntities:
|
||||
# - world
|
||||
# toPorts:
|
||||
# - ports:
|
||||
# - port: "443"
|
||||
# protocol: TCP
|
||||
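Review bot: The `default-deny` document (top of the file) expresses deny-all with empty lists, `ingress: []` and `egress: []`, while the deny-all idiom in the Cilium policy documentation is a single empty rule per direction, `ingress: [{}]` / `egress: [{}]` written in block style as `- {}`, which is what places the selected endpoints into enforcement mode for that direction. Whether an empty list has the same effect should be confirmed on the cluster (e.g. with Hubble, checking that navidrome's traffic to a destination not listed in the allow policies is dropped); if it does not, the namespace baseline is a no-op and the per-FQDN allow policies below restrict nothing, and the change is `ingress:` / `  - {}` and `egress:` / `  - {}`. Separately, the `allow-navidrome` document (after the fourth `---`) is the only policy without a banner comment like the other sections; a header such as `# navidrome.org access (presumably update checks — confirm)` would keep the file consistent and record why that egress exists.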