egress
This commit is contained in:
snothub
37
cluster-resources/network/deny-external-egress-trivy.yaml
Normal file
37
cluster-resources/network/deny-external-egress-trivy.yaml
Normal file
@@ -0,0 +1,37 @@
|
|||||||
|
apiVersion: cilium.io/v2
|
||||||
|
kind: CiliumNetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: deny-external-egress
|
||||||
|
namespace: trivy-system
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/managed-by: argocd
|
||||||
|
app.kubernetes.io/part-of: network-policies
|
||||||
|
spec:
|
||||||
|
endpointSelector: {}
|
||||||
|
egress:
|
||||||
|
# Allow DNS resolution
|
||||||
|
- toEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.kubernetes.pod.namespace: kube-system
|
||||||
|
k8s-app: kube-dns
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: "53"
|
||||||
|
protocol: UDP
|
||||||
|
- port: "53"
|
||||||
|
protocol: TCP
|
||||||
|
|
||||||
|
# Allow cluster-internal traffic (RFC1918)
|
||||||
|
- toCIDR:
|
||||||
|
- 10.0.0.0/8
|
||||||
|
- 172.16.0.0/12
|
||||||
|
- 192.168.0.0/16
|
||||||
|
|
||||||
|
# Allow Trivy vulnerability DB downloads (ghcr.io OCI registry)
|
||||||
|
- toFQDNs:
|
||||||
|
- matchName: ghcr.io
|
||||||
|
- matchName: pkg-containers.githubusercontent.com
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: "443"
|
||||||
|
protocol: TCP
|
||||||
@@ -18,6 +18,8 @@ spec:
|
|||||||
repoURL: git@github.com:fortedigital/sturdy-adventure.git
|
repoURL: git@github.com:fortedigital/sturdy-adventure.git
|
||||||
targetRevision: HEAD
|
targetRevision: HEAD
|
||||||
path: cluster-resources
|
path: cluster-resources
|
||||||
|
directory:
|
||||||
|
exclude: 'network'
|
||||||
|
|
||||||
destination:
|
destination:
|
||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
|
|||||||
33
infra/network-policies-application.yaml
Normal file
33
infra/network-policies-application.yaml
Normal file
@@ -0,0 +1,33 @@
|
|||||||
|
apiVersion: argoproj.io/v1alpha1
|
||||||
|
kind: Application
|
||||||
|
metadata:
|
||||||
|
name: network-policies
|
||||||
|
namespace: argocd
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: network-policies
|
||||||
|
app.kubernetes.io/part-of: platform
|
||||||
|
app.kubernetes.io/managed-by: argocd
|
||||||
|
annotations:
|
||||||
|
argocd.argoproj.io/sync-wave: "1"
|
||||||
|
finalizers:
|
||||||
|
- resources-finalizer.argocd.argoproj.io
|
||||||
|
spec:
|
||||||
|
project: default
|
||||||
|
|
||||||
|
source:
|
||||||
|
repoURL: git@github.com:fortedigital/sturdy-adventure.git
|
||||||
|
targetRevision: HEAD
|
||||||
|
path: cluster-resources/network
|
||||||
|
|
||||||
|
destination:
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
|
|
||||||
|
syncPolicy:
|
||||||
|
automated:
|
||||||
|
prune: true
|
||||||
|
selfHeal: true
|
||||||
|
allowEmpty: false
|
||||||
|
|
||||||
|
syncOptions:
|
||||||
|
- Validate=true
|
||||||
|
- ServerSideApply=true
|
||||||
Reference in New Issue
Block a user