infra - egress

deploy/infra/network-policy-egress.yaml

@@ -0,0 +1,43 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: git-limbosolutions-com-egress
+  namespace: git-limbosolutions-com
+spec:
+  podSelector: {}   # apply to all pods in the namespace
+  policyTypes:
+    - Egress
+  egress:
+      # Allow DNS to kube-system
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - protocol: UDP
+          port: 53
+
+    # allow namespace communication
+    - to: 
+        - namespaceSelector: 
+            matchLabels: 
+              kubernetes.io/metadata.name: git-limbosolutions-com
+          podSelector: {}
+
+    # allow backup server
+    - to:
+        - ipBlock:
+            cidr: 192.168.0.251/32
+    
+    # Allow all egress EXCEPT private networks
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0 # first allow everything
+            except: # remove local network (so it means blocking, cidr is allowing everything )
+              - 10.0.0.0/8
+              - 172.16.0.0/12
+              - 192.168.0.0/16
+              - 169.254.0.0/16
+              - 127.0.0.0/8
+              - 224.0.0.0/4
+              - 240.0.0.0/4