limbosolutions.com/git.limbosolutions.com
1
0
Fork 0
Code Issues Pull Requests Actions 1 Projects Releases Wiki Activity

infra - egress
All checks were successful
/ continuous-deploy (push) Successful in 6s
Details

Browse Source
This commit is contained in:
Márcio Fernandes
2026-03-05 22:59:43 +00:00
parent bdf8ca4446
commit dea7e3087d
6 changed files with 104 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.vscode/settings.json vendored
View File

@@ -1,5 +1,8 @@
{ {
"cSpell.words": [ "cSpell.words": [
"networkpolicies",
"poddisruptionbudgets",
"serviceaccounts",
"valkey" "valkey"
] ]
} }

43
deploy/infra/cd-service-account-rbac.yaml
View File

@@ -1,43 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: git-limbosolutions-com
name: continuous-deploy
rules:
- apiGroups: [""]
resources: ["pods", "services", "secrets", "configmaps", "persistentvolumeclaims", "endpoints", "serviceaccounts"]
verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets"]
verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: ["batch"]
resources: ["cronjobs", "jobs"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["networking.k8s.io"]
resources: ["networkpolicies", "ingresses"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["policy"]
resources: ["poddisruptionbudgets"]
verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: continuous-deploy
namespace: git-limbosolutions-com
subjects:
- kind: ServiceAccount
name: continuous-deploy
namespace: git-limbosolutions-com
roleRef:
kind: Role
name: continuous-deploy
apiGroup: rbac.authorization.k8s.io

8
deploy/infra/cd-service-account-token.yaml
View File

@@ -1,8 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: continuous-deploy
annotations:
kubernetes.io/service-account.name: continuous-deploy
type: kubernetes.io/service-account-token

56
deploy/infra/cd-service-account.yaml
View File

@@ -4,3 +4,59 @@ kind: ServiceAccount
metadata: metadata:
name: continuous-deploy name: continuous-deploy
namespace: git-limbosolutions-com namespace: git-limbosolutions-com
---
apiVersion: v1
kind: Secret
metadata:
name: continuous-deploy
annotations:
kubernetes.io/service-account.name: continuous-deploy
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: git-limbosolutions-com
name: continuous-deploy
rules:
- apiGroups: [""]
resources: ["pods", "services", "secrets", "configmaps", "persistentvolumeclaims", "endpoints", "serviceaccounts"]
verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets"]
verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- apiGroups: ["batch"]
resources: ["cronjobs", "jobs"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["networking.k8s.io"]
resources: ["networkpolicies", "ingresses"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["policy"]
resources: ["poddisruptionbudgets"]
verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: continuous-deploy
namespace: git-limbosolutions-com
subjects:
- kind: ServiceAccount
name: continuous-deploy
namespace: git-limbosolutions-com
roleRef:
kind: Role
name: continuous-deploy
apiGroup: rbac.authorization.k8s.io

3
deploy/infra/kustomization.yaml
View File

@@ -3,6 +3,5 @@ kind: Kustomization
resources: resources:
- namespace.yaml - namespace.yaml
- cd-service-account.yaml - cd-service-account.yaml
- cd-service-account-token.yaml - network-policy-egress.yaml
- cd-service-account-rbac.yaml

43
deploy/infra/network-policy-egress.yaml Normal file
View File

@@ -0,0 +1,43 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: git-limbosolutions-com-egress
namespace: git-limbosolutions-com
spec:
podSelector: {} # apply to all pods in the namespace
policyTypes:
- Egress
egress:
# Allow DNS to kube-system
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- protocol: UDP
port: 53
# allow namespace communication
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: git-limbosolutions-com
podSelector: {}
# allow backup server
- to:
- ipBlock:
cidr: 192.168.0.251/32
# Allow all egress EXCEPT private networks
- to:
- ipBlock:
cidr: 0.0.0.0/0 # first allow everything
except: # remove local network (so it means blocking, cidr is allowing everything )
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 169.254.0.0/16
- 127.0.0.0/8
- 224.0.0.0/4
- 240.0.0.0/4