From 405763f15843db52fc57d10c20f304b1fcca3ee2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A1rcio=20Fernandes?= Date: Sat, 18 Apr 2026 15:11:24 +0000 Subject: [PATCH] add network-policies --- deploy/infra/kustomization.yaml | 2 +- deploy/infra/middlewares.yaml | 2 +- deploy/infra/namespace.yaml | 6 ---- deploy/infra/network-policies.yaml | 44 ++++++++++++++++++++++++++++++ ops-scripts/apply-infra.sh | 2 +- 5 files changed, 47 insertions(+), 9 deletions(-) delete mode 100644 deploy/infra/namespace.yaml create mode 100644 deploy/infra/network-policies.yaml diff --git a/deploy/infra/kustomization.yaml b/deploy/infra/kustomization.yaml index 7af5b15..5d462da 100644 --- a/deploy/infra/kustomization.yaml +++ b/deploy/infra/kustomization.yaml @@ -1,8 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - namespace.yaml - cd-serviceaccount.yaml + - network-policies.yaml - middlewares.yaml - ingress-web.yaml - ingress-web-public.yaml diff --git a/deploy/infra/middlewares.yaml b/deploy/infra/middlewares.yaml index 85a10d8..e5c4492 100644 --- a/deploy/infra/middlewares.yaml +++ b/deploy/infra/middlewares.yaml @@ -67,7 +67,7 @@ spec: --- -piVersion: traefik.io/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: name: nextcloud-deny-paths diff --git a/deploy/infra/namespace.yaml b/deploy/infra/namespace.yaml deleted file mode 100644 index a451744..0000000 --- a/deploy/infra/namespace.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: cloud-limbosolutions-com - labels: - name: cloud-limbosolutions-com \ No newline at end of file diff --git a/deploy/infra/network-policies.yaml b/deploy/infra/network-policies.yaml new file mode 100644 index 0000000..f259177 --- /dev/null +++ b/deploy/infra/network-policies.yaml 
@@ -0,0 +1,44 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-same-namespace-ingress +spec: + endpointSelector: {} # All pods in this namespace + ingress: + - fromEndpoints: + - matchExpressions: + - key: k8s:io.kubernetes.pod.namespace + operator: In + values: + - cloud-limbosolutions-com + +--- + +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-traefik-ingress +spec: + endpointSelector: + matchLabels: + app.kubernetes.io/name: nextcloud + + ingress: + # ------------------------------------------------------------- + # Allow Traefik (internal and public) to reach nextcloud web port + # ------------------------------------------------------------- + - fromEndpoints: + - matchLabels: + app.kubernetes.io/name: traefik + matchExpressions: + - key: k8s:io.kubernetes.pod.namespace + operator: In + values: + - traefik + - traefik-public + toPorts: + - ports: + - port: "80" + + protocol: TCP + diff --git a/ops-scripts/apply-infra.sh b/ops-scripts/apply-infra.sh index 0412589..4f14845 100755 --- a/ops-scripts/apply-infra.sh +++ b/ops-scripts/apply-infra.sh @@ -1,5 +1,5 @@ #!/bin/bash set -e echo "Executing infra deploy." - +kubectl create namespace cloud-limbosolutions-com || true kubectl kustomize deploy/infra | kubectl -n cloud-limbosolutions-com apply -f -
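Review bot: Both policies in this hunk restrict ingress only; with no egress section every pod in the namespace keeps unrestricted egress, and the first policy's `endpointSelector: {}` combined with no `toPorts` lets any pod in `cloud-limbosolutions-com` reach any port of any other pod there. That may be the intended baseline, but nothing in the file says so; a comment above `allow-same-namespace-ingress` such as `# Baseline: every pod here gets default-deny ingress; intra-namespace traffic is allowed on all ports and egress is deliberately unrestricted.` would make the posture explicit. Once these policies select a pod, ingress from any other namespace (a metrics scraper, for instance, if one exists) is dropped unless listed here, so it is worth checking what currently talks to nextcloud before rollout. Narrowing the intra-namespace rule per workload with `toPorts` would be a reasonable follow-up.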
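Review bot: `|| true` on the added `kubectl create namespace` line hides every failure, not just "already exists" — a missing kubeconfig or an RBAC denial is silenced and the script only fails later at the apply. An idempotent form that still fails loudly is `kubectl create namespace cloud-limbosolutions-com --dry-run=client -o yaml | kubectl apply -f -`, ideally with `set -eo pipefail` so a failing left-hand side of either pipeline in this script is not masked. The deleted `deploy/infra/namespace.yaml` also carried a `name: cloud-limbosolutions-com` label that this command does not recreate; nothing in this diff selects on it (the Cilium policies key on `k8s:io.kubernetes.pod.namespace`), but any other manifest using a `namespaceSelector` on that label would stop matching on a freshly created cluster.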