deploy: clean up network policies

This commit is contained in:
Márcio Fernandes
2026-03-22 13:07:25 +00:00
parent a0860185d6
commit 9b36b595b8
12 changed files with 116 additions and 133 deletions


@@ -12,7 +12,8 @@ spec:
template: template:
metadata: metadata:
labels: labels:
app: backup-borg-offsite dbAccess: "true"
backups.infra.limbosolutions.com/ssh: "true"
spec: spec:
restartPolicy: Never restartPolicy: Never
initContainers: initContainers:
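Review bot: `dbAccess: "true"` is the label that the new `allow-postgresql-ingress` policy selects on, so adding it to this Job template is an authorization grant to the database rather than a cosmetic label, and nothing on the line says so. A comment directly above it, e.g. `# grants ingress to postgresql (matched by allow-postgresql-ingress)`, would make the consequence visible to whoever next edits these jobs. The same applies to the `dbAccess` label added to the backup-pbs template in the next file section. The pod template's containers continue outside this hunk.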


@@ -11,7 +11,9 @@ spec:
template: template:
metadata: metadata:
labels: labels:
dbAccess: "true"
app: backup-pbs app: backup-pbs
backups.infra.limbosolutions.com/pbs: "true"
spec: spec:
restartPolicy: Never restartPolicy: Never
initContainers: initContainers:


@@ -1 +0,0 @@
EGRESS_BACKUPSRV_CIDR="BACKUPSRV-IP-ADDRESS/32"


@@ -1,3 +0,0 @@
**
!.gitignore
!*.example


@@ -7,7 +7,7 @@ metadata:
annotations: annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod cert-manager.io/cluster-issuer: letsencrypt-prod
kubernetes.io/ingress.class: traefik kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https traefik.ingress.kubernetes.io/router.entrypoints: websecure,public-https
spec: spec:
ingressClassName: traefik ingressClassName: traefik
rules: rules:


@@ -4,26 +4,8 @@ resources:
- namespace.yaml - namespace.yaml
- cd-serviceaccount.yaml - cd-serviceaccount.yaml
- ingress.yaml - ingress.yaml
- network-policies/egress.yaml - network-policies.yaml
- network-policies/egress-local-services.yaml
- network-policies/ingress.yaml
generatorOptions: generatorOptions:
disableNameSuffixHash: true disableNameSuffixHash: true
configMapGenerator:
- name: infra-setup-vars
namespace: git-limbosolutions-com
envs:
- ./.env.d/.env
replacements:
- source:
kind: ConfigMap
name: infra-setup-vars
fieldPath: data.EGRESS_BACKUPSRV_CIDR
targets:
- select:
kind: NetworkPolicy
name: git-limbosolutions-com-egress-local
fieldPaths:
- spec.egress.0.to.0.ipBlock.cidr


@@ -0,0 +1,108 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: deny-default
spec:
endpointSelector: {}
ingressDeny:
- fromEndpoints: []
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-gitea-ingress
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: gitea
ingress:
# -------------------------------------------------------------
# Allow Traefik (in kube-system) to reach Gitea on port 3000
# -------------------------------------------------------------
- fromEndpoints:
- matchLabels:
app.kubernetes.io/name: traefik
matchExpressions:
- key: k8s:io.kubernetes.pod.namespace
operator: In
values:
- kube-system
toPorts:
- ports:
- port: "3000"
protocol: TCP
# -------------------------------------------------------------
# Allow SSH (2222)
# -------------------------------------------------------------
- fromCIDRSet:
- cidr: 0.0.0.0/0
toPorts:
- ports:
- port: "2222"
protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-postgresql-ingress
namespace: git-limbosolutions-com
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: postgresql
ingress:
- fromEndpoints:
- matchLabels:
app.kubernetes.io/name: gitea
matchExpressions:
- key: k8s:io.kubernetes.pod.namespace
operator: In
values:
- git-limbosolutions-com
- matchLabels:
dbAccess: "true"
matchExpressions:
- key: k8s:io.kubernetes.pod.namespace
operator: In
values:
- git-limbosolutions-com
toPorts:
- ports:
- port: "5432"
protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-valkey-ingress
namespace: git-limbosolutions-com
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: valkey
ingress:
- fromEndpoints:
- matchLabels:
app.kubernetes.io/name: gitea
matchExpressions:
- key: k8s:io.kubernetes.pod.namespace
operator: In
values:
- git-limbosolutions-com
toPorts:
- ports:
- port: "6379"
protocol: TCP
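Review bot: Egress for this namespace is now unrestricted: the deleted `git-limbosolutions-com-egress` and `-egress-local` NetworkPolicies allowed 0.0.0.0/0 minus the private, link-local, loopback and multicast ranges plus the backup server, whereas `network-policies.yaml` carries only `ingress`/`ingressDeny` sections, so any pod here can now reach LAN and cluster-adjacent addresses the old policy blocked. Either state at the top of the file that this is intended, or restore the restriction as an `egressDeny` on `deny-default` (sketched below, with the backup server carved out via `except`). The `deny-default` rule `ingressDeny: - fromEndpoints: []` also needs verification: an empty selector list may match nothing, and whether a deny-only rule switches endpoints into default-deny ingress depends on the Cilium version, so confirm with `cilium policy get`/`hubble observe` that postgresql and valkey reject pods outside the allow lists. The SSH rule `fromCIDRSet: - cidr: 0.0.0.0/0` drops the `except` for 10.0.0.0/16 and 10.43.0.0/16 that the old policy documented as keeping in-cluster clients off port 2222; Cilium CIDR rules are documented as not matching cluster-managed endpoints, which would preserve that intent, but record it with a comment such as `# CIDR rules do not match in-cluster endpoints; pod-to-pod SSH stays denied (verified on Cilium <version>)`. Lastly `deny-default` and `allow-gitea-ingress` omit `metadata.namespace` while the other two policies set it, so they rely on the `-n` flag added to the deploy scripts; add `namespace: git-limbosolutions-com` to both.
```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: deny-default
  namespace: git-limbosolutions-com
spec:
  endpointSelector: {}
  ingressDeny:
    - fromEndpoints: []
  # Restore the egress restriction the deleted NetworkPolicies provided:
  # deny private and link-local ranges outside the cluster, keeping the
  # backup server reachable. Cilium CIDR rules do not match cluster-managed
  # endpoints, so in-namespace and DNS traffic should be unaffected —
  # confirm on the deployed Cilium version.
  egressDeny:
    - toCIDRSet:
        - cidr: 10.0.0.0/8
          except:
            - BACKUPSRV-IP-ADDRESS/32   # placeholder, as in the removed .env.example
        - cidr: 172.16.0.0/12
        - cidr: 192.168.0.0/16
        - cidr: 169.254.0.0/16
# … unchanged: allow-gitea-ingress, allow-postgresql-ingress, allow-valkey-ingress …
```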


@@ -1,21 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: git-limbosolutions-com-egress-local
namespace: git-limbosolutions-com
spec:
podSelector: {} # apply to all pods in the namespace
policyTypes:
- Egress
egress:
# allow backup server
- to:
- ipBlock:
cidr: ${BACKUPSRV_CIDR}


@@ -1,38 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: git-limbosolutions-com-egress
namespace: git-limbosolutions-com
spec:
podSelector: {} # apply to all pods in the namespace
policyTypes:
- Egress
egress:
# Allow DNS to kube-system
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- protocol: UDP
port: 53
# allow namespace communication
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: git-limbosolutions-com
podSelector: {}
# Allow all egress EXCEPT private networks
- to:
- ipBlock:
cidr: 0.0.0.0/0 # first allow everything
except: # remove local network (so it means blocking, cidr is allowing everything )
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 169.254.0.0/16
- 127.0.0.0/8
- 224.0.0.0/4
- 240.0.0.0/4


@@ -1,47 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: git-limbosolutions-com-ingress
namespace: git-limbosolutions-com
spec:
# Apply this policy only to the Gitea pods
podSelector:
matchLabels:
app.kubernetes.io/name: gitea
policyTypes:
- Ingress
ingress:
# ---------------------------------------------------------------------
# Allow HTTPS (3000) ONLY from Traefik running in kube-system
# ---------------------------------------------------------------------
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
app.kubernetes.io/name: traefik
ports:
- protocol: TCP
port: http # HTTPS routed by Traefik
# ---------------------------------------------------------------------
# Allow SSH (2222) from the internet, but block all internal traffic
#
# - cidr: 0.0.0.0/0 allows all external IPs
# - except: blocks all cluster networks
#
# This forces ALL SSH traffic to come through external firewall
# ,preventing pod-to-pod or service-to-pod SSH access.
# ---------------------------------------------------------------------
- from:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 10.0.0.0/16 # Pod network (blocks all pods)
- 10.43.0.0/16 # Service network (blocks ClusterIP access)
ports:
- protocol: TCP
port: ssh # ssh port routed by firewall


@@ -36,5 +36,5 @@ if [ -n "${APP_HELM_VALUE_GITEA_ADMIN_USERNAME:-}" ]; then
--namespace=git-limbosolutions-com --namespace=git-limbosolutions-com
echo "executing deploy of backups jobs." echo "executing deploy of backups jobs."
kubectl kustomize deploy/backups | kubectl apply -f - kubectl kustomize deploy/backups | kubectl -n git-limbosolutions-com apply -f -
fi fi
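Review bot: The `-n git-limbosolutions-com` added to the `kubectl apply` line is now load-bearing, because some of the generated CiliumNetworkPolicy objects omit `metadata.namespace`; the same flag is added in the infra deploy script, whose hunk continues outside this view. kubectl refuses objects whose own `metadata.namespace` differs from `-n` with a namespace-mismatch error rather than retargeting them, which is the safe failure, but the namespace belongs in the kustomization itself so that `kubectl kustomize deploy/backups` alone yields the same objects. Consider `namespace: git-limbosolutions-com` at the top of both kustomizations and keep `-n` only as a guard.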


@@ -2,6 +2,6 @@
set -e set -e
echo "Executing infra deploy." echo "Executing infra deploy."
kubectl kustomize deploy/infra | kubectl apply -f - kubectl kustomize deploy/infra | kubectl -n git-limbosolutions-com apply -f -