update default deny

Signed-off-by: gwg313 <gwg313@pm.me>
2026-06-21 11:49:50 +00:00 · 2026-05-16 15:21:35 -04:00 · 2026-05-16 15:21:35 -04:00 · bfe8435665
commit bfe8435665
parent 68bebdae57
21 changed files with 470 additions and 235 deletions
--- a/platform/default-network-policies/core-k8s-services.yaml
+++ b/platform/default-network-policies/core-k8s-services.yaml
@ -1,70 +0,0 @@
---
-apiVersion: "cilium.io/v2"
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: baseline-allow-coredns-egress
-spec:
-  description: "Allow all pods to send DNS queries out to CoreDNS"
-  endpointSelector:
-    matchLabels: {}
-  egress:
-    - toEndpoints:
-      - matchLabels:
-          k8s:io.kubernetes.pod.namespace: kube-system
-          k8s-app: kube-dns
-      toPorts:
-        - ports:
-            - port: "53"
-              protocol: UDP
-            - port: "53"
-              protocol: TCP
---
-apiVersion: "cilium.io/v2"
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: baseline-allow-coredns-ingress
-spec:
-  description: "Allow CoreDNS to receive incoming DNS queries"
-  endpointSelector:
-    matchLabels:
-      k8s:io.kubernetes.pod.namespace: kube-system
-      k8s-app: kube-dns
-  ingress:
-    - fromEndpoints:
-      - matchLabels: {} # Accepts from any pod
-      toPorts:
-        - ports:
-            - port: "53"
-              protocol: UDP
-            - port: "53"
-              protocol: TCP
---
-apiVersion: "cilium.io/v2"
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: baseline-allow-apiserver
-spec:
-  description: "Allow all pods to communicate with the K8s API"
-  endpointSelector:
-    matchLabels: {}
-  egress:
-    - toEntities:
-        - kube-apiserver
---
-apiVersion: "cilium.io/v2"
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: baseline-allow-coredns-to-internet
-spec:
-  description: "Allow CoreDNS pods to reach upstream DNS servers on the internet"
-  endpointSelector:
-    matchLabels:
-      k8s:io.kubernetes.pod.namespace: kube-system
-      k8s-app: kube-dns
-  egress:
-    - toEntities:
-        - world
-      toPorts:
-        - ports:
-            - port: "53"
-              protocol: ANY
--- a/platform/default-network-policies/default-deny.yaml
+++ b/platform/default-network-policies/default-deny.yaml
@ -1,12 +0,0 @@
-apiVersion: "cilium.io/v2"
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: baseline-default-deny
-spec:
-  description: "Deny all ingress and egress cluster-wide by default"
-  endpointSelector:
-    matchLabels: {}
-  ingress:
-    - {}
-  egress:
-    - {}
--- a/platform/default-network-policies/hubble.yaml
+++ b/platform/default-network-policies/hubble.yaml
@ -1,77 +0,0 @@
-apiVersion: "cilium.io/v2"
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-hubble-port-forward
-  namespace: kube-system
-spec:
-  description: "Allow host-level port-forwarding to Hubble Relay and UI"
-  endpointSelector:
-    matchLabels:
-      io.cilium.k8s.policy.serviceaccount: hubble-relay 
-  ingress:
-    - fromEntities:
-        - host
-        - remote-node
-      toPorts:
-        - ports:
-            - port: "4245"
-              protocol: TCP
-            - port: "8081"
-              protocol: TCP
---
-apiVersion: "cilium.io/v2"
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-hubble-ui-to-relay
-  namespace: kube-system
-spec:
-  description: "Allow Hubble UI to fetch data from Hubble Relay"
-  endpointSelector:
-    matchLabels:
-      k8s-app: hubble-relay
-  ingress:
-    - fromEndpoints:
-      - matchLabels:
-          k8s-app: hubble-ui
-      toPorts:
-        - ports:
-            - port: "4245"
-              protocol: TCP
---
-apiVersion: "cilium.io/v2"
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-hubble-relay-to-agents
-  namespace: kube-system
-spec:
-  description: "Allow Hubble Relay to collect flows from Cilium node agents"
-  endpointSelector:
-    matchLabels:
-      k8s-app: hubble-relay
-  egress:
-    - toEntities:
-        - host
-        - remote-node
-      toPorts:
-        - ports:
-            - port: "4244"
-              protocol: TCP
---
-apiVersion: "cilium.io/v2"
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-hubble-ui-egress-to-relay
-  namespace: kube-system
-spec:
-  description: "Allow Hubble UI to send requests to Hubble Relay"
-  endpointSelector:
-    matchLabels:
-      k8s-app: hubble-ui
-  egress:
-    - toEndpoints:
-      - matchLabels:
-          k8s-app: hubble-relay
-      toPorts:
-        - ports:
-            - port: "4245"
-              protocol: TCP
--- a/platform/default-network-policies/kube-system-baseline.yaml
+++ b/platform/default-network-policies/kube-system-baseline.yaml
@ -0,0 +1,28 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: kube-system-baseline
+  namespace: kube-system
+spec:
+  endpointSelector: {}
+
+  ingress:
+    - fromEntities:
+        - cluster
+        - host
+        - remote-node
+
+  egress:
+    - toEntities:
+        - kube-apiserver
+        - cluster
+
+    - toEndpoints:
+        - matchLabels:
+            k8s:k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+            - port: "53"
+              protocol: TCP
--- a/platform/default-network-policies/kube-system-hardening.yaml
+++ b/platform/default-network-policies/kube-system-hardening.yaml
@ -0,0 +1,40 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: kube-system-hardening
+  namespace: kube-system
+spec:
+  endpointSelector: {}
+
+  ingress:
+    # Allow cluster-internal communication (required for DNS, CNI, etc.)
+    - fromEntities:
+        - cluster
+        - host
+        - remote-node
+
+    # Allow kube-apiserver to talk to system components
+    - fromEntities:
+        - kube-apiserver
+
+  egress:
+    # Core dependency: Kubernetes API
+    - toEntities:
+        - kube-apiserver
+
+    # CoreDNS access
+    - toEndpoints:
+        - matchLabels:
+            k8s:k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+            - port: "53"
+              protocol: TCP
+
+    # Allow internal cluster communication (important for CNI + service mesh)
+    - toEntities:
+        - cluster
+        - host
+        - remote-node
--- a/platform/default-network-policies/kube-system-restrict-external-egress.yaml
+++ b/platform/default-network-policies/kube-system-restrict-external-egress.yaml
@ -0,0 +1,30 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: kube-system-restrict-external-egress
+  namespace: kube-system
+spec:
+  endpointSelector: {}
+
+  egress:
+    # Allow Kubernetes API
+    - toEntities:
+        - kube-apiserver
+
+    # Allow internal cluster communication
+    - toEntities:
+        - cluster
+        - host
+        - remote-node
+
+    # Allow DNS
+    - toEndpoints:
+        - matchLabels:
+            k8s:k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+            - port: "53"
+              protocol: TCP
+
--- a/platform/infra-root.yaml
+++ b/platform/infra-root.yaml
@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infra-root
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/gwg313/homelab-gitops
+    targetRevision: main
+    path: infra
+    directory:
+      recurse: true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true