netpol all remove
This commit is contained in:
37
cluster-resources/network/deny-external-egress-trivy.yaml
Normal file
37
cluster-resources/network/deny-external-egress-trivy.yaml
Normal file
@@ -0,0 +1,37 @@
|
|||||||
|
apiVersion: cilium.io/v2
|
||||||
|
kind: CiliumNetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: deny-external-egress
|
||||||
|
namespace: trivy-system
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/managed-by: argocd
|
||||||
|
app.kubernetes.io/part-of: network-policies
|
||||||
|
spec:
|
||||||
|
endpointSelector: {}
|
||||||
|
egress:
|
||||||
|
# Allow DNS resolution
|
||||||
|
- toEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.kubernetes.pod.namespace: kube-system
|
||||||
|
k8s-app: kube-dns
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: "53"
|
||||||
|
protocol: UDP
|
||||||
|
- port: "53"
|
||||||
|
protocol: TCP
|
||||||
|
|
||||||
|
# Allow cluster-internal traffic (RFC1918)
|
||||||
|
- toCIDR:
|
||||||
|
- 10.0.0.0/8
|
||||||
|
- 172.16.0.0/12
|
||||||
|
- 192.168.0.0/16
|
||||||
|
|
||||||
|
# Allow Trivy vulnerability DB downloads (ghcr.io OCI registry)
|
||||||
|
- toFQDNs:
|
||||||
|
- matchName: ghcr.io
|
||||||
|
- matchName: pkg-containers.githubusercontent.com
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: "443"
|
||||||
|
protocol: TCP
|
||||||
@@ -20,5 +20,4 @@ resources:
|
|||||||
- renovate.yaml
|
- renovate.yaml
|
||||||
- tempo.yaml
|
- tempo.yaml
|
||||||
- grafana-dashboards.yaml
|
- grafana-dashboards.yaml
|
||||||
- network-policies-application.yaml
|
|
||||||
- karpor.yaml
|
- karpor.yaml
|
||||||
|
|||||||
@@ -1,33 +0,0 @@
|
|||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: network-policies
|
|
||||||
namespace: argocd
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: network-policies
|
|
||||||
app.kubernetes.io/part-of: platform
|
|
||||||
app.kubernetes.io/managed-by: argocd
|
|
||||||
annotations:
|
|
||||||
argocd.argoproj.io/sync-wave: "1"
|
|
||||||
finalizers:
|
|
||||||
- resources-finalizer.argocd.argoproj.io
|
|
||||||
spec:
|
|
||||||
project: default
|
|
||||||
|
|
||||||
source:
|
|
||||||
repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
|
|
||||||
targetRevision: HEAD
|
|
||||||
path: cluster-resources/network
|
|
||||||
|
|
||||||
destination:
|
|
||||||
server: https://kubernetes.default.svc
|
|
||||||
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
selfHeal: true
|
|
||||||
allowEmpty: false
|
|
||||||
|
|
||||||
syncOptions:
|
|
||||||
- Validate=true
|
|
||||||
- ServerSideApply=true
|
|
||||||
Reference in New Issue
Block a user