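---
# Clusterwide host policy for the development VMs.
# It applies to every node (empty nodeSelector) and restricts what may reach
# the nodes (ingress) and what the nodes may reach (egress). Rules that carry
# no toPorts admit every port and protocol for the selected peer.
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "lock-down-dev-vms"
spec:
  description: >-
    Lock down the development VMs when enable-remote-node-identity=false.
    USE ELSEWHERE AT YOUR OWN RISK.
  # Empty selector: the policy is applied to all nodes in the cluster.
  nodeSelector: {}
  ingress:
    # No toPorts on these two rules, so every port/protocol from the health
    # entity and from the dev subnet is allowed. If this block is commented
    # out, only ICMP echo/reply messages should be dropped, because the
    # TCP/UDP ports needed by the cluster are still allowed by the rules below.
    - fromEntities:
        - health
    - fromCIDR:
        - 192.168.60.0/24

    # SSH access to the VMs.
    # NOTE(review): "world" admits SSH from any source reachable from the
    # node, not only from the dev subnet; if remote SSH is not required,
    # a fromCIDR rule scoped to 192.168.60.0/24 (as used below) would be
    # the tighter choice.
    - fromEntities:
        - world
      toPorts:
        - ports:
            - port: "22"
              protocol: TCP

    # Node-to-node traffic from the dev subnet.
    - fromCIDR:
        - 192.168.60.0/24
      toPorts:
        - ports:
            # VXLAN tunnels between nodes
            - port: "8472"
              protocol: UDP
            # etcd connections
            - port: "2379"
              protocol: TCP
            - port: "2380"
              protocol: TCP
            # kube-api server
            - port: "6443"
              protocol: TCP

    # kube-api server access for kube-dns
    - fromEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "6443"
              protocol: TCP

    # Health checks (cilium-health on 4240/TCP)
    - fromEntities:
        - health
      toPorts:
        - ports:
            - port: "4240"
              protocol: TCP
    - fromCIDR:
        - 192.168.60.0/24
      toPorts:
        - ports:
            - port: "4240"
              protocol: TCP

    # NodePort
    # These two rules are only needed when kube-proxy is used.
    # They should be removed when running in kube-proxy-free mode.
    - fromEndpoints:
        - matchLabels:
            name: pod-to-b-intra-node-nodeport
      toPorts:
        - ports:
            - port: "31414"
              protocol: TCP
    - fromEndpoints:
        - matchLabels:
            name: pod-to-b-multi-node-nodeport
      toPorts:
        - ports:
            - port: "31414"
              protocol: TCP

  egress:
    # No toPorts on these two rules, so every port/protocol towards the health
    # entity and the dev subnet is allowed. If this block is commented out,
    # only ICMP echo/reply messages should be dropped, because the TCP/UDP
    # ports needed by the cluster are still allowed by the rules below.
    - toEntities:
        - health
    - toCIDR:
        - 192.168.60.0/24

    # DNS traffic to kube-dns (8080/8181 are the kube-dns health/metrics
    # ports; 53/UDP is DNS itself).
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
            - port: "8181"
              protocol: TCP
            - port: "53"
              protocol: UDP

    # Node-to-node traffic towards the dev subnet.
    - toCIDR:
        - 192.168.60.0/24
      toPorts:
        - ports:
            # VXLAN tunnels between nodes
            - port: "8472"
              protocol: UDP
            # etcd connections
            - port: "2379"
              protocol: TCP
            - port: "2380"
              protocol: TCP
            # kube-api server
            - port: "6443"
              protocol: TCP

    # Health checks (cilium-health on 4240/TCP)
    - toEntities:
        - health
      toPorts:
        - ports:
            - port: "4240"
              protocol: TCP
    - toCIDR:
        - 192.168.60.0/24
      toPorts:
        - ports:
            - port: "4240"
              protocol: TCP

    # NTP queries to any reachable time server, and upstream DNS to the two
    # public Google resolvers only.
    - toEntities:
        - world
      toPorts:
        - ports:
            - port: "123"
              protocol: UDP
    - toCIDR:
        - 8.8.8.8/32
        - 8.8.4.4/32
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP

    # Required for host-networking pods of the connectivity-check
    - toEndpoints:
        - matchLabels:
            name: echo-b
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP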