From ce5094c1c8dce51111acc11317d2e76a1a5a8bc2 Mon Sep 17 00:00:00 2001
From: snothub
Date: Fri, 27 Mar 2026 11:49:03 +0100
Subject: [PATCH] egress
---
 .../network/deny-external-egress-trivy.yaml | 37 +++++++++++++++++++
 infra/cluster-resources-application.yaml | 2 +
 infra/network-policies-application.yaml | 33 +++++++++++++++++
 3 files changed, 72 insertions(+)
 create mode 100644 cluster-resources/network/deny-external-egress-trivy.yaml
 create mode 100644 infra/network-policies-application.yaml
diff --git a/cluster-resources/network/deny-external-egress-trivy.yaml b/cluster-resources/network/deny-external-egress-trivy.yaml
new file mode 100644
index 0000000..939aa11
--- /dev/null
+++ b/cluster-resources/network/deny-external-egress-trivy.yaml
@@ -0,0 +1,37 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: deny-external-egress
+ namespace: trivy-system
+ labels:
+ app.kubernetes.io/managed-by: argocd
+ app.kubernetes.io/part-of: network-policies
+spec:
+ endpointSelector: {}
+ egress:
+ # Allow DNS resolution
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
+
+ # Allow cluster-internal traffic (RFC1918)
+ - toCIDR:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+
+ # Allow Trivy vulnerability DB downloads (ghcr.io OCI registry)
+ - toFQDNs:
+ - matchName: ghcr.io
+ - matchName: pkg-containers.githubusercontent.com
+ toPorts:
+ - ports:
+ - port: "443"
+ protocol: TCP
diff --git a/infra/cluster-resources-application.yaml b/infra/cluster-resources-application.yaml
index 4072f08..72886b4 100644
--- a/infra/cluster-resources-application.yaml
+++ b/infra/cluster-resources-application.yaml
@@ -18,6 +18,8 @@ spec:
 repoURL: git@github.com:fortedigital/sturdy-adventure.git
 targetRevision: HEAD
 path: cluster-resources
+ directory:
+ exclude: 'network'
 destination:
 server: https://kubernetes.default.svc
 
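Review bot: The `toFQDNs` egress rule at the end of the hunk relies on Cilium's DNS proxy observing the pod's lookups, but the kube-dns rule above it carries no L7 DNS section, so as far as I can tell the ghcr.io FQDN-to-IP mapping is never learned and the Trivy DB download is dropped by this default-deny policy; add `rules: dns: - matchPattern: "*"` to the DNS `toPorts` entry next to its `ports` list. The `toCIDR` block labelled "cluster-internal" is broader than that: it also admits any peered VPC or on-prem RFC1918 range, while a managed control plane whose API endpoint is outside RFC1918 would be cut off — `toEntities: [cluster, kube-apiserver]` states the intent more precisely. Only the two ghcr.io hosts are allowed on 443, so scans of images hosted on any other registry will fail egress unless those hosts are added deliberately; a comment recording that this is intended would save the next reader a debugging session.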
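Review bot: `exclude: 'network'` is a glob matched against manifest paths relative to `path`, so it appears to match only a top-level entry literally named `network`, not the files under `network/`; `exclude: 'network/*'` (or `'network/**'` for deeper nesting) is what excludes the directory. If the pattern does not take effect, this Application and the new network-policies Application both own the same CiliumNetworkPolicy, and with selfHeal enabled on the latter they will continually revert each other. Nothing in the hunk sets `recurse: true`, so unless it is set outside the visible lines the subdirectory was never rendered by this Application and the exclude is moot — worth confirming which is the case. The enclosing `source:` mapping begins outside the hunk.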
diff --git a/infra/network-policies-application.yaml b/infra/network-policies-application.yaml
new file mode 100644
index 0000000..08ec050
--- /dev/null
+++ b/infra/network-policies-application.yaml
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: network-policies
+ namespace: argocd
+ labels:
+ app.kubernetes.io/name: network-policies
+ app.kubernetes.io/part-of: platform
+ app.kubernetes.io/managed-by: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "1"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+
+ source:
+ repoURL: git@github.com:fortedigital/sturdy-adventure.git
+ targetRevision: HEAD
+ path: cluster-resources/network
+
+ destination:
+ server: https://kubernetes.default.svc
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+
+ syncOptions:
+ - Validate=true
+ - ServerSideApply=true
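Review bot: `project: default` gives this Application whatever the default AppProject permits, which out of the box is any source repo, any destination and any resource kind, although it only ever needs to apply CiliumNetworkPolicy objects from one repo path; a dedicated AppProject with `sourceRepos`, `destinations` and `namespaceResourceWhitelist` limited to that scope would contain a mistaken or malicious commit to the network directory. Since pruning with `prune: true` and `selfHeal: true` means a deleted or mis-rendered policy file quietly returns trivy-system to unrestricted egress, a comment above `syncPolicy:` such as `# pruning a policy here removes the egress restriction for its namespace` would make that consequence visible to reviewers of future changes. `allowEmpty: false` already prevents an empty render from pruning every policy at once, which is the right default here.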