Consider adding network policies as an opt-in feature as part of this helm chart.
With some templating, this could be handled gracefully and made configurable.
Considerations:
Default deny (baseline deny all):
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}          # selects every pod in the namespace
  policyTypes:
    - Ingress
    - Egress
  ingress: []              # no ingress peers allowed
  egress: []               # no egress peers allowed
```
DNS egress (allowing ingress options to target k8s DNS, i.e. `nginx.nginx.svc.cluster.local:443`):
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
spec:
  podSelector: {}
  policyTypes:
    - Egress
  # Allow access to DNS
  egress:
    - to:
        - namespaceSelector: {}   # any namespace (kube-dns normally lives in kube-system)
      ports:
        - port: 53
          protocol: UDP            # TCP 53 is not allowed; truncated answers that retry over TCP will fail
```
Egress to target pods:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-tunnel-egress
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        # namespaceSelector and podSelector in the same peer entry are ANDed:
        # pods labelled app=nginx in the namespace named "nginx"
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: nginx
          podSelector:
            matchLabels:
              app: nginx
      ports:
        - port: 8443             # the pod's containerPort; NetworkPolicy does not see the Service port (443)
```
Public egress (to Cloudflare; still needs some more definitive targeting):
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-public-egress
spec:
  # https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/install-and-setup/ports-and-ips/
  podSelector: {}
  policyTypes:
    - Egress
    - Ingress                # listed with no ingress rules, so this also denies all ingress (same as default-deny)
  egress:
    - ports:
        - protocol: TCP
          port: 443
        - protocol: UDP
          port: 7844
        - protocol: TCP
          port: 7844
      to:
        - ipBlock:
            cidr: 0.0.0.0/0  # any destination; narrow to the published Cloudflare ranges
```
This is currently working for my test - hopefully I haven't overlooked anything critical.
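One way the opt-in could be templated, as an added example and not the chart's own code: a single `templates/networkpolicy.yaml` gated on `networkPolicy.enabled`, with the in-cluster targets and public CIDRs driven from `values.yaml`. The values keys (`networkPolicy.*`) are hypothetical, as is the `k8s-app: kube-dns` label on the DNS pods (the usual label on CoreDNS, but cluster-dependent). Unlike the policies above, which use `podSelector: {}` and therefore bind every pod in the namespace, this version selects only the release's own pods via the standard `app.kubernetes.io/instance` label, so installing the chart does not silently deny traffic for unrelated workloads.

```yaml
# templates/networkpolicy.yaml  (hypothetical example, not the chart's own code)
# Assumed values.yaml keys:
#   networkPolicy.enabled: false
#   networkPolicy.dns.enabled: true
#   networkPolicy.egressTargets:
#     - { namespace: nginx, podLabels: { app: nginx }, port: 8443 }   # pod port, not Service port
#   networkPolicy.publicEgress.cidrs: ["0.0.0.0/0"]                   # narrow to Cloudflare ranges
#   networkPolicy.publicEgress.ports:
#     - { protocol: TCP, port: 443 }
#     - { protocol: TCP, port: 7844 }
#     - { protocol: UDP, port: 7844 }
{{- if .Values.networkPolicy.enabled }}
{{- $selector := dict "app.kubernetes.io/instance" .Release.Name }}
---
# Baseline: deny all ingress and egress, but only for this release's pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-default-deny
  namespace: {{ .Release.Namespace }}
spec:
  podSelector:
    matchLabels: {{- toYaml $selector | nindent 6 }}
  policyTypes: [Ingress, Egress]
{{- if .Values.networkPolicy.dns.enabled }}
---
# DNS to the cluster resolver only, UDP and TCP 53 (TCP is used for truncated answers).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-allow-dns
  namespace: {{ .Release.Namespace }}
spec:
  podSelector:
    matchLabels: {{- toYaml $selector | nindent 6 }}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns        # assumed CoreDNS label; adjust for your cluster
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
{{- end }}
{{- range $i, $t := .Values.networkPolicy.egressTargets }}
---
# One policy per in-cluster origin the tunnel should reach.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ $.Release.Name }}-allow-egress-{{ $i }}
  namespace: {{ $.Release.Namespace }}
spec:
  podSelector:
    matchLabels: {{- toYaml $selector | nindent 6 }}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: {{ $t.namespace }}
          podSelector:
            matchLabels: {{- toYaml $t.podLabels | nindent 14 }}
      ports:
        - { protocol: TCP, port: {{ $t.port }} }
{{- end }}
{{- with .Values.networkPolicy.publicEgress }}
---
# Outbound to the edge; cidrs/ports come straight from values.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ $.Release.Name }}-allow-public-egress
  namespace: {{ $.Release.Namespace }}
spec:
  podSelector:
    matchLabels: {{- toYaml $selector | nindent 6 }}
  policyTypes: [Egress]
  egress:
    - to:
        {{- range .cidrs }}
        - ipBlock:
            cidr: {{ . }}
        {{- end }}
      ports: {{- toYaml .ports | nindent 8 }}
{{- end }}
{{- end }}
```

Render and validate without touching the cluster state with `helm template --set networkPolicy.enabled=true . | kubectl apply --dry-run=server -f -`. Two caveats a reviewer would want stated in the chart docs: the API server accepts NetworkPolicy objects even on a CNI that does not enforce them, so "it applied" is not evidence that anything is being blocked; and `ipBlock` is defined for cluster-external addresses, so whether `0.0.0.0/0` also matches pod or node IPs is CNI-dependent, which is another reason to narrow the CIDRs to the published Cloudflare ranges.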