apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "lock-down-dev-vms"
spec:
  description: "Lock down the development VMs when enable-remote-node-identity=true.
    USE ELSEWHERE AT YOUR OWN RISK."
  # Empty selector: the policy applies to every node in the cluster.
  nodeSelector:
    {}
  ingress:
  # Only ICMP echo/reply messages should be dropped if this is commented.
  # NOTE(review): this rule has no toPorts, so it admits all traffic from the
  # remote-node and health entities. The port-scoped remote-node rules below
  # are subsumed by it and only become effective if this rule is removed or
  # narrowed. remote-node is only a distinct identity when
  # enable-remote-node-identity=true (see description).
  - fromEntities:
    - remote-node
    - health

  # SSH access to the VMs
  # 'world' is any source outside the cluster, so SSH is reachable on every
  # selected node; the description restricts this policy to development VMs.
  - fromEntities:
    - world
    toPorts:
    - ports:
      - port: "22"
        protocol: TCP

  # Node-to-node ports (datapath and control plane) from other cluster nodes.
  - fromEntities:
    - remote-node
    toPorts:
    - ports:
      # VXLAN tunnels between nodes
      - port: "8472"
        protocol: UDP
      # etcd connections
      - port: "2379"
        protocol: TCP
      - port: "2380"
        protocol: TCP
      # kube-api server
      - port: "6443"
        protocol: TCP

  # kube-api server access for kube-dns
  - fromEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "6443"
        protocol: TCP

  # Health checks
  - fromEntities:
    - remote-node
    - health
    toPorts:
    - ports:
      - port: "4240"
        protocol: TCP

  # NodePort
  # These two rules are only needed when kube-proxy is used.
  # They should be removed when running in kube-proxy-free mode.
  # Both admit only the named connectivity-check client pods to the same
  # NodePort; they differ only in the source pod label.
  - fromEndpoints:
    - matchLabels:
        name: pod-to-b-intra-node-nodeport
    toPorts:
    - ports:
      - port: "31414"
        protocol: TCP
  - fromEndpoints:
    - matchLabels:
        name: pod-to-b-multi-node-nodeport
    toPorts:
    - ports:
      - port: "31414"
        protocol: TCP


  egress:
  # Only ICMP echo/reply messages should be dropped if this is commented.
  # NOTE(review): as with the matching ingress rule, no toPorts means all
  # egress to remote-node and health is allowed; the port-scoped remote-node
  # egress rules below are subsumed by this one.
  - toEntities:
    - remote-node
    - health

  # DNS traffic to kube-dns
  # NOTE(review): 8080/8181 are presumably kube-dns health/metrics ports —
  # confirm against the kube-dns deployment before tightening.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      - port: "8181"
        protocol: TCP
      - port: "53"
        protocol: UDP

  # Node-to-node ports (datapath and control plane) towards other cluster nodes.
  - toEntities:
    - remote-node
    toPorts:
    - ports:
      # VXLAN tunnels between nodes
      - port: "8472"
        protocol: UDP
      # etcd connections
      - port: "2379"
        protocol: TCP
      - port: "2380"
        protocol: TCP
      # kube-api server
      - port: "6443"
        protocol: TCP

  # Health checks
  - toEntities:
    - remote-node
    - health
    toPorts:
    - ports:
      - port: "4240"
        protocol: TCP

  # NTP queries
  # Allowed to any destination outside the cluster (world), UDP/123 only.
  - toEntities:
    - world
    toPorts:
    - ports:
      - port: "123"
        protocol: UDP
  # DNS to the public resolvers 8.8.8.8 / 8.8.4.4, UDP/53 only.
  # Presumably the VMs' own resolvers (as opposed to kube-dns above); the
  # /32 CIDRs keep this from widening into a general egress allow.
  - toCIDR:
    - 8.8.8.8/32
    - 8.8.4.4/32
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP

  # Required for host-networking pods of the connectivity-check
  - toEndpoints:
    - matchLabels:
        name: echo-b
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
