deploy: clean up network policies

deploy/backups/cronjobs/backup-borg-offsite.yaml

@@ -12,7 +12,8 @@ spec:
       template:
         metadata:
           labels:
-            app: backup-borg-offsite
+            dbAccess: "true"
+            backups.infra.limbosolutions.com/ssh: "true"
         spec:
           restartPolicy: Never
           initContainers:

deploy/backups/cronjobs/backup-pbs.yaml

@@ -11,7 +11,9 @@ spec:
       template:
         metadata:
           labels:
+            dbAccess: "true"
             app: backup-pbs
+            backups.infra.limbosolutions.com/pbs: "true"
         spec:
           restartPolicy: Never
           initContainers:

deploy/infra/.env.d/.env.example

@@ -1 +0,0 @@
-EGRESS_BACKUPSRV_CIDR="BACKUPSRV-IP-ADDRESS/32"

deploy/infra/.env.d/.gitignore

@@ -1,3 +0,0 @@
-**
-!.gitignore
-!*.example

deploy/infra/kustomization.yaml

@@ -4,26 +4,8 @@ resources:
   - namespace.yaml
   - cd-serviceaccount.yaml
   - ingress.yaml
-  - network-policies/egress.yaml
+  - network-policies.yaml
-  - network-policies/egress-local-services.yaml
-  - network-policies/ingress.yaml
 generatorOptions:
   disableNameSuffixHash: true
 
-configMapGenerator:
-  - name: infra-setup-vars
-    namespace: git-limbosolutions-com
-    envs:
-      - ./.env.d/.env
 
-replacements:
-  - source:
-      kind: ConfigMap
-      name: infra-setup-vars
-      fieldPath: data.EGRESS_BACKUPSRV_CIDR
-    targets:
-      - select:
-          kind: NetworkPolicy
-          name: git-limbosolutions-com-egress-local
-        fieldPaths:
-          - spec.egress.0.to.0.ipBlock.cidr

deploy/infra/network-policies.yaml

@@ -0,0 +1,108 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: deny-default
+spec:
+  endpointSelector: {}
+  ingressDeny:
+    - fromEndpoints: []
+---
+
+
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-gitea-ingress
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: gitea
+
+  ingress:
+    # -------------------------------------------------------------
+    # Allow Traefik (in kube-system) to reach Gitea on port 3000
+    # -------------------------------------------------------------
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: traefik
+          matchExpressions:
+            - key: k8s:io.kubernetes.pod.namespace
+              operator: In
+              values:
+                - kube-system
+      toPorts:
+        - ports:
+            - port: "3000"
+              protocol: TCP
+
+    # -------------------------------------------------------------
+    # Allow SSH (2222)
+    # -------------------------------------------------------------
+    - fromCIDRSet:
+        - cidr: 0.0.0.0/0
+      toPorts:
+        - ports:
+            - port: "2222"
+              protocol: TCP
+
+
+---
+
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-postgresql-ingress
+  namespace: git-limbosolutions-com
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: postgresql
+
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: gitea
+          matchExpressions:
+            - key: k8s:io.kubernetes.pod.namespace
+              operator: In
+              values:
+                - git-limbosolutions-com
+        - matchLabels:
+            dbAccess: "true"
+          matchExpressions:
+            - key: k8s:io.kubernetes.pod.namespace
+              operator: In
+              values:
+                - git-limbosolutions-com
+      toPorts:
+        - ports:
+            - port: "5432"
+              protocol: TCP
+
+---
+
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-valkey-ingress
+  namespace: git-limbosolutions-com
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: valkey
+
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: gitea
+          matchExpressions:
+            - key: k8s:io.kubernetes.pod.namespace
+              operator: In
+              values:
+                - git-limbosolutions-com
+      toPorts:
+        - ports:
+            - port: "6379"
+              protocol: TCP
+
+

deploy/infra/network-policies/egress-local-services.yaml

@@ -1,21 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: git-limbosolutions-com-egress-local
-  namespace: git-limbosolutions-com
-spec:
-  podSelector: {}   # apply to all pods in the namespace
-  policyTypes:
-    - Egress
-  egress:
-    # allow backup server
-    - to:
-        - ipBlock:
-            cidr: ${BACKUPSRV_CIDR}
-
-
-
-
-
-
-

deploy/infra/network-policies/egress.yaml

@@ -1,38 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: git-limbosolutions-com-egress
-  namespace: git-limbosolutions-com
-spec:
-  podSelector: {}   # apply to all pods in the namespace
-  policyTypes:
-    - Egress
-  egress:
-      # Allow DNS to kube-system
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: kube-system
-      ports:
-        - protocol: UDP
-          port: 53
-
-    # allow namespace communication
-    - to: 
-        - namespaceSelector: 
-            matchLabels: 
-              kubernetes.io/metadata.name: git-limbosolutions-com
-          podSelector: {}
-
-    # Allow all egress EXCEPT private networks
-    - to:
-        - ipBlock:
-            cidr: 0.0.0.0/0 # first allow everything
-            except: # remove local network (so it means blocking, cidr is allowing everything )
-              - 10.0.0.0/8
-              - 172.16.0.0/12
-              - 192.168.0.0/16
-              - 169.254.0.0/16
-              - 127.0.0.0/8
-              - 224.0.0.0/4
-              - 240.0.0.0/4

deploy/infra/network-policies/ingress.yaml

@@ -1,47 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: git-limbosolutions-com-ingress
-  namespace: git-limbosolutions-com
-spec:
-  # Apply this policy only to the Gitea pods
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: gitea
-
-  policyTypes:
-    - Ingress
-
-  ingress:
-    # ---------------------------------------------------------------------
-    # Allow HTTPS (3000) ONLY from Traefik running in kube-system
-    # ---------------------------------------------------------------------
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: kube-system
-          podSelector:
-            matchLabels:
-              app.kubernetes.io/name: traefik
-      ports:
-        - protocol: TCP
-          port: http   # HTTPS routed by Traefik
-
-    # ---------------------------------------------------------------------
-    # Allow SSH (2222) from the internet, but block all internal traffic
-    #
-    #    - cidr: 0.0.0.0/0 allows all external IPs
-    #    - except: blocks all cluster networks
-    #
-    #    This forces ALL SSH traffic to come through external firewall
-    #    ,preventing pod-to-pod or service-to-pod SSH access.
-    # ---------------------------------------------------------------------
-    - from:
-        - ipBlock:
-            cidr: 0.0.0.0/0
-            except:
-              - 10.0.0.0/16      # Pod network (blocks all pods)
-              - 10.43.0.0/16     # Service network (blocks ClusterIP access)
-      ports:
-        - protocol: TCP
-          port: ssh   # ssh port routed by firewall

ops-scripts/apply-app.sh

@@ -36,5 +36,5 @@ if [ -n "${APP_HELM_VALUE_GITEA_ADMIN_USERNAME:-}" ]; then
     --namespace=git-limbosolutions-com
 
     echo "executing deploy of backups jobs."
-    kubectl kustomize deploy/backups | kubectl apply -f -
+    kubectl kustomize deploy/backups | kubectl -n git-limbosolutions-com apply -f -
 fi

ops-scripts/apply-infra.sh

@@ -2,6 +2,6 @@
 set -e
 echo "Executing infra deploy."
 
-kubectl kustomize deploy/infra | kubectl apply -f -
+kubectl kustomize deploy/infra | kubectl -n git-limbosolutions-com apply -f -