homelab-gitops/apps/soulsync/network-policy.yaml
gwg313 d16fa1c3e3
update soulsync
Signed-off-by: gwg313 <gwg313@pm.me>
2026-06-18 21:46:01 -04:00


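# ----------------------------------------------------
# Ingress only from Gateway API
#
# Selects pods labelled app=slskd in the slskd namespace and admits
# traffic only from Cilium's `ingress` entity, on the two TCP ports
# listed below. Under Cilium's default enforcement mode, an endpoint
# selected by an ingress rule drops all other inbound traffic.
#
# This is an L3/L4 filter only: any gateway route that targets these
# ports is admitted, so authentication has to be enforced by the
# gateway or by the applications themselves.
#
# NOTE(review): this file sits under apps/soulsync, but the selector is
# app=slskd. Confirm the running pods carry that label; a selector that
# matches nothing leaves them unrestricted by this policy.
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-ingress
  namespace: slskd
spec:
  endpointSelector:
    matchLabels:
      app: slskd
  ingress:
    - fromEntities:
        - ingress
      toPorts:
        - ports:
            # presumably the slskd web UI — confirm against the Service
            - port: "5030"
              protocol: TCP
            # presumably the SoulSync web UI — confirm against the Service
            - port: "8008"
              protocol: TCP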
---
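# ----------------------------------------------------
# VPN killswitch — only allow egress to ProtonVPN endpoint
#
# The policy does not route anything itself: it permits the encrypted
# tunnel packets and cluster DNS, and every other egress from the
# selected pods is dropped (including traffic to other in-cluster
# services). If the tunnel is down, traffic fails closed instead of
# leaving over the node's own connection.
#
# Cilium only sees the outer UDP packets; whatever travels inside the
# tunnel is not filtered here (assumes the VPN client runs in the pod).
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: vpn-killswitch
  namespace: slskd
spec:
  endpointSelector:
    matchLabels:
      app: slskd
  egress:
    # Tunnel traffic: one hard-coded VPN server, on the conventional
    # WireGuard port. The address must be updated by hand if the server
    # changes; until then the pod loses connectivity rather than leaking.
    - toCIDR:
        - "149.50.216.205/32"
      toPorts:
        - ports:
            - port: "51820"
              protocol: UDP
    # Cluster DNS. These lookups leave the pod outside the tunnel, so the
    # names queried are visible to kube-dns and its upstream resolver.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
          rules:
            dns:
              # NOTE(review): "*" lets the pod resolve any name, which keeps
              # DNS open as an unfiltered channel beside the tunnel. If the
              # pod only needs a few names here, list them explicitly.
              - matchPattern: "*"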