Add network policies to helm chart #56

Open
brandtkeller opened this issue Sep 23, 2023 · 0 comments
Consider adding network policies as an opt-in feature as part of this helm chart.

With some templating, this could be handled gracefully and made configurable.

Considerations:

Default deny (baseline deny all):

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}        # selects every pod in the namespace
  policyTypes:
  - Ingress
  - Egress
  ingress: []            # no allowed sources: all ingress denied
  egress: []             # no allowed destinations: all egress denied
```

DNS egress (allowing ingress options to target k8s DNS, i.e. nginx.nginx.svc.cluster.local:443):

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress
  # Allow access to DNS in any namespace (kube-dns/CoreDNS lives in kube-system)
  egress:
  - to:
    - namespaceSelector: {}
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP    # resolvers fall back to TCP for responses over 512 bytes
```

Egress to target pods:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-tunnel-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    # Both selectors in one entry: pods labelled app=nginx in namespace nginx only
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: nginx
      podSelector:
        matchLabels:
          app: nginx
    ports:
    - port: 8443       # container port of the target pod (protocol defaults to TCP)
```

Public egress (to Cloudflare; still needs some more definitive targeting):

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-public-egress
spec:
  # Ports per https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/install-and-setup/ports-and-ips/
  podSelector: {}
  policyTypes:
  - Egress           # ingress is already blocked by default-deny above
  egress:
  - ports:
    - protocol: TCP
      port: 443
    - protocol: UDP
      port: 7844
    - protocol: TCP
      port: 7844
    to:
    - ipBlock:
        cidr: 0.0.0.0/0    # TODO: narrow to Cloudflare's published IP ranges
```

This is currently working for my test; hopefully I haven't overlooked anything critical.
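One way to make the four policies above an opt-in chart feature, as the issue suggests, is a single Helm template gated on a value (added example, not code from the issue or the chart). The template path, the `networkPolicy.*` values keys and the `k8s-app: kube-dns` label are assumptions; the tunnel targets come from a list so the nginx example is just one entry.

```yaml
# templates/networkpolicy.yaml (hypothetical path). Assumed values keys:
#   networkPolicy: {enabled, egressTargets: [{namespace, podLabels, port}], publicCidr}
{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-default-deny
spec:
  podSelector: {}                    # every pod in the release namespace
  policyTypes: [Ingress, Egress]     # no rules listed: deny all both ways
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-allow-egress
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
  # DNS, pinned to the cluster resolver rather than any pod on port 53
  - to:
    - namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: kube-system}}
      podSelector: {matchLabels: {k8s-app: kube-dns}}   # assumed resolver label
    ports:
    - {port: 53, protocol: UDP}
    - {port: 53, protocol: TCP}      # TCP fallback for large answers
  # One rule per in-cluster target the tunnel publishes
  {{- range .Values.networkPolicy.egressTargets }}
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: {{ .namespace }}
      podSelector:
        matchLabels:
          {{- toYaml .podLabels | nindent 10 }}
    ports:
    - port: {{ .port }}
      protocol: {{ .protocol | default "TCP" }}
  {{- end }}
  # Outbound to the Cloudflare edge (ports from the issue)
  - to:
    - ipBlock:
        cidr: {{ .Values.networkPolicy.publicCidr | default "0.0.0.0/0" }}
    ports:
    - {port: 443, protocol: TCP}
    - {port: 7844, protocol: TCP}
    - {port: 7844, protocol: UDP}
{{- end }}
```

Rendering with `helm template . --set networkPolicy.enabled=true` and inspecting the output before installing is the quickest way to check that the selectors and ports come out as intended.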
