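---
# Cilium host-firewall policy (CiliumClusterwideNetworkPolicy) that locks
# down development VMs. Every rule below is an allow-list entry; anything
# not matched by an ingress/egress rule is dropped once the policy applies.
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "lock-down-dev-vms"
spec:
  # Folded scalar: parses to the same single-line string as the original
  # multi-line double-quoted value.
  description: >-
    Lock down the development VMs when enable-remote-node-identity=true.
    USE ELSEWHERE AT YOUR OWN RISK.
  # Empty node selector; presumably meant to match every node — confirm
  # against the Cilium version in use.
  nodeSelector: {}
  ingress:
    # If this rule is commented out, only ICMP echo/reply messages should be
    # dropped.
    - fromEntities:
        - remote-node
        - health

    # SSH access to the VMs. Note: `world` admits SSH from any source, which is
    # the dev-VM trade-off the description warns about.
    - fromEntities:
        - world
      toPorts:
        - ports:
            - port: "22"
              protocol: TCP

    - fromEntities:
        - remote-node
      toPorts:
        - ports:
            # VXLAN tunnels between nodes
            - port: "8472"
              protocol: UDP
            # etcd connections
            - port: "2379"
              protocol: TCP
            - port: "2380"
              protocol: TCP
            # kube-api server
            - port: "6443"
              protocol: TCP

    # kube-api server access for kube-dns
    - fromEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "6443"
              protocol: TCP

    # Health checks
    - fromEntities:
        - remote-node
        - health
      toPorts:
        - ports:
            - port: "4240"
              protocol: TCP

    # NodePort
    # These two rules are only needed when kube-proxy is used.
    # They should be removed when running in kube-proxy-free mode.
    - fromEndpoints:
        - matchLabels:
            name: pod-to-b-intra-node-nodeport
      toPorts:
        - ports:
            - port: "31414"
              protocol: TCP
    - fromEndpoints:
        - matchLabels:
            name: pod-to-b-multi-node-nodeport
      toPorts:
        - ports:
            - port: "31414"
              protocol: TCP

  egress:
    # If this rule is commented out, only ICMP echo/reply messages should be
    # dropped.
    - toEntities:
        - remote-node
        - health

    # DNS traffic to kube-dns. 8080/8181 TCP are likely the CoreDNS health and
    # readiness ports rather than DNS itself — confirm before tightening.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
            - port: "8181"
              protocol: TCP
            - port: "53"
              protocol: UDP

    - toEntities:
        - remote-node
      toPorts:
        - ports:
            # VXLAN tunnels between nodes
            - port: "8472"
              protocol: UDP
            # etcd connections
            - port: "2379"
              protocol: TCP
            - port: "2380"
              protocol: TCP
            # kube-api server
            - port: "6443"
              protocol: TCP

    # Health checks
    - toEntities:
        - remote-node
        - health
      toPorts:
        - ports:
            - port: "4240"
              protocol: TCP

    # NTP queries
    - toEntities:
        - world
      toPorts:
        - ports:
            - port: "123"
              protocol: UDP

    # DNS queries (UDP/53) to the two external resolvers listed here only;
    # no other world egress is allowed.
    - toCIDR:
        - 8.8.8.8/32
        - 8.8.4.4/32
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP

    # Required for host-networking pods of the connectivity-check
    - toEndpoints:
        - matchLabels:
            name: echo-b
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP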