lock-down-dev-vms-cidr-node.yaml 
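---
# Cluster-wide host policy that locks down the development VMs. The empty
# nodeSelector below selects every node, and the description states the
# policy is only meant for enable-remote-node-identity=false.
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "lock-down-dev-vms"
spec:
  description: "Lock down the development VMs when enable-remote-node-identity=false.
    USE ELSEWHERE AT YOUR OWN RISK."
  # Empty selector: applies to all nodes in the cluster.
  nodeSelector:
    {}
  ingress:
  # Catch-all: any port from the health entity and from the whole VM subnet
  # (no toPorts means every port). Only ICMP echo/reply messages should be
  # dropped if this is commented out; the port-specific 192.168.60.0/24
  # rules further down only take effect in that case.
  - fromEntities:
    - health
  - fromCIDR:
    - 192.168.60.0/24

  # SSH access to the VMs. "world" matches any source address, not only the
  # VM subnet; narrow it with fromCIDR if the VMs are reachable beyond the lab.
  - fromEntities:
    - world
    toPorts:
    - ports:
      - port: "22"
        protocol: TCP

  # Node-to-node control-plane traffic from the VM subnet.
  - fromCIDR:
    - 192.168.60.0/24
    toPorts:
    - ports:
      # VXLAN tunnels between nodes
      - port: "8472"
        protocol: UDP
      # etcd connections
      - port: "2379"
        protocol: TCP
      - port: "2380"
        protocol: TCP
      # kube-api server
      - port: "6443"
        protocol: TCP

  # kube-api server access for kube-dns
  - fromEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "6443"
        protocol: TCP

  # Health checks (port 4240) from the health entity and from the VM subnet
  - fromEntities:
    - health
    toPorts:
    - ports:
      - port: "4240"
        protocol: TCP
  - fromCIDR:
    - 192.168.60.0/24
    toPorts:
    - ports:
      - port: "4240"
        protocol: TCP

  # NodePort
  # These two rules are only needed when kube-proxy is used.
  # They should be removed when running in kube-proxy-free mode.
  - fromEndpoints:
    - matchLabels:
        name: pod-to-b-intra-node-nodeport
    toPorts:
    - ports:
      - port: "31414"
        protocol: TCP
  - fromEndpoints:
    - matchLabels:
        name: pod-to-b-multi-node-nodeport
    toPorts:
    - ports:
      - port: "31414"
        protocol: TCP

  egress:
  # Catch-all, mirroring the ingress section: any port to the health entity
  # and to the whole VM subnet. Only ICMP echo/reply messages should be
  # dropped if this is commented out; the port-specific 192.168.60.0/24
  # rules further down only take effect in that case.
  - toEntities:
    - health
  - toCIDR:
    - 192.168.60.0/24

  # DNS traffic to kube-dns
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      - port: "8181"
        protocol: TCP
      - port: "53"
        protocol: UDP

  # Node-to-node control-plane traffic to the VM subnet.
  - toCIDR:
    - 192.168.60.0/24
    toPorts:
    - ports:
      # VXLAN tunnels between nodes
      - port: "8472"
        protocol: UDP
      # etcd connections
      - port: "2379"
        protocol: TCP
      - port: "2380"
        protocol: TCP
      # kube-api server
      - port: "6443"
        protocol: TCP

  # Health checks (port 4240) to the health entity and to the VM subnet
  - toEntities:
    - health
    toPorts:
    - ports:
      - port: "4240"
        protocol: TCP
  - toCIDR:
    - 192.168.60.0/24
    toPorts:
    - ports:
      - port: "4240"
        protocol: TCP

  # NTP queries to any destination
  - toEntities:
    - world
    toPorts:
    - ports:
      - port: "123"
        protocol: UDP
  # External DNS resolvers, pinned to two addresses. NOTE(review): presumably
  # the upstream forwarders used by kube-dns — keep in sync with the
  # resolver configuration actually deployed.
  - toCIDR:
    - 8.8.8.8/32
    - 8.8.4.4/32
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP

  # Required for host-networking pods of the connectivity-check
  - toEndpoints:
    - matchLabels:
        name: echo-b
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP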
