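---
# Cilium network policies for the navidrome namespace. Every policy below
# selects pods labelled app=navidrome. Cilium policies are allow-lists and
# are additive: the effective rule set is the union of all documents here.
#
# NOTE(review): the toFQDNs rules depend on Cilium's DNS proxy observing the
# pods' lookups, which needs an egress rule to the cluster DNS service that
# carries a `rules.dns` section. No such rule is in this file; confirm that
# another policy provides it, otherwise the FQDN allow-lists cannot be
# populated and DNS itself is blocked by the egress default-deny.
#
# NOTE(review): toFQDNs is enforced on the IP addresses returned by DNS, not
# on the TLS server name. Names served from shared CDN addresses (for
# example lastfm.freetls.fastly.net) may admit other sites on the same IPs.

# ----------------------------------------------------
# Ingress only from Gateway API
# ----------------------------------------------------
# Only the `ingress` entity may reach the pods, and only on TCP 4533.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-ingress
  namespace: navidrome
spec:
  endpointSelector:
    matchLabels:
      app: navidrome

  ingress:
    - fromEntities:
        - ingress
      toPorts:
        - ports:
            - port: "4533"
              protocol: TCP
---
# ----------------------------------------------------
# Spotify API access (album art, metadata)
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-spotify
  namespace: navidrome
spec:
  endpointSelector:
    matchLabels:
      app: navidrome

  egress:
    - toFQDNs:
        - matchName: api.spotify.com
        - matchName: i.scdn.co
        - matchName: accounts.spotify.com
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
---
# ----------------------------------------------------
# navidrome.org access
# ----------------------------------------------------
# NOTE(review): the purpose of this egress is not stated; document which
# Navidrome feature needs it. The wildcard pattern does not cover the apex
# domain, hence the separate matchName entry.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-navidrome
  namespace: navidrome
spec:
  endpointSelector:
    matchLabels:
      app: navidrome

  egress:
    - toFQDNs:
        - matchPattern: "*.navidrome.org"
        - matchName: navidrome.org
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
---
# ----------------------------------------------------
# Last.fm API access (metadata, scrobbling, images)
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-lastfm
  namespace: navidrome
spec:
  endpointSelector:
    matchLabels:
      app: navidrome

  egress:
    - toFQDNs:
        - matchName: ws.audioscrobbler.com
        - matchName: lastfm.freetls.fastly.net
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
---
# ----------------------------------------------------
# OPTIONAL: unrestricted HTTPS egress (disabled)
# ----------------------------------------------------
# Keep this disabled unless it is needed for troubleshooting. Because
# policies are additive, enabling it allows TCP 443 to any external address
# and makes the FQDN allow-lists above redundant.
#
# apiVersion: cilium.io/v2
# kind: CiliumNetworkPolicy
# metadata:
#   name: allow-all-egress
#   namespace: navidrome
# spec:
#   endpointSelector:
#     matchLabels:
#       app: navidrome
#
#   egress:
#     - toEntities:
#         - world
#       toPorts:
#         - ports:
#             - port: "443"
#               protocol: TCP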