# Host-level lockdown for GKE worker nodes.
#
# A CiliumClusterwideNetworkPolicy with a `nodeSelector` is enforced on the
# selected nodes themselves (their host endpoint), not on pods. Once applied,
# anything not explicitly allowed by the rules below is dropped, so every rule
# should be read as "what this node may receive / send".
#
# NOTE(review): node-level enforcement depends on Cilium's host firewall being
# enabled in the cluster - confirm before applying, and test on a canary node
# pool first (the description's "USE AT YOUR OWN RISK" is not decorative: a
# missing port here can take kubelet or CNI traffic down).
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "lock-down-gke"
spec:
  description: "Lock down nodes on GKE. USE AT YOUR OWN RISK."
  # Only nodes carrying the label `type=worker` are selected. Node pools that
  # were never labelled stay unrestricted, and nothing here warns about it.
  nodeSelector:
    matchLabels:
      type: worker
  ingress:
    # Allow all traffic from other cluster nodes and from Cilium's health
    # endpoints. With no `toPorts` this is an L3-only allow, so it also covers
    # ICMP echo/reply, and it subsumes the port-specific remote-node rules
    # further down. Removing this rule limits node-to-node ingress to those
    # listed ports and drops ICMP echo/reply.
    - fromEntities:
        - remote-node
        - health

    # SSH / RDP from *any* source on every selected node. This is the widest
    # hole in the policy: prefer replacing `world` with a `fromCIDR` list of
    # bastion / admin ranges (or an IAP-style tunnel) rather than exposing
    # management ports to the internet.
    - fromEntities:
        - world
      toPorts:
        - ports:
            # SSH access to the VMs
            - port: "22"
              protocol: TCP
            # Remote Desktop access to the VMs
            - port: "3389"
              protocol: TCP

    # Node-to-node infrastructure ports. Redundant while the L3 remote-node
    # rule above is present; kept so the policy still works if that rule is
    # dropped.
    - fromEntities:
        - remote-node
      toPorts:
        - ports:
            # VXLAN tunnels between nodes
            - port: "8472"
              protocol: UDP
            # etcd connections
            # NOTE(review): on GKE etcd lives in the managed control plane, so
            # worker nodes are unlikely to serve these ports - confirm and drop
            # if unused.
            - port: "2379"
              protocol: TCP
            - port: "2380"
              protocol: TCP
            # kubelet
            - port: "10250"
              protocol: TCP

    # Aggregator of resource usages on GKE.
    # NOTE(review): 10255 is conventionally the kubelet's unauthenticated
    # read-only port; confirm it is still enabled and needed on your node
    # image before keeping it reachable, even from the label-selected pods.
    - fromEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: metrics-server
      toPorts:
        - ports:
            - port: "10255"
              protocol: TCP

    # Health checks
    - fromEntities:
        - remote-node
        - health
      toPorts:
        - ports:
            - port: "4240"
              protocol: TCP

    # Requests from Heapster service to kube-proxy.
    # NOTE(review): Heapster is deprecated upstream - drop this rule (and the
    # egress one below) if no heapster deployment exists in kube-system.
    - fromEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: heapster
      toPorts:
        - ports:
            - port: "10255"
              protocol: TCP

    # NodePort
    # These two rules are only needed when kube-proxy is used.
    # They should be removed when running in kube-proxy-free mode.
    # The selected pod names appear to belong to the Cilium connectivity-check
    # (see the echo-b egress rule at the end); outside a test cluster remove
    # them together with that rule.
    - fromEndpoints:
        - matchLabels:
            name: pod-to-b-intra-node-nodeport
      toPorts:
        - ports:
            - port: "31414"
              protocol: TCP
    - fromEndpoints:
        - matchLabels:
            name: pod-to-b-multi-node-nodeport
      toPorts:
        - ports:
            - port: "31414"
              protocol: TCP


  egress:
    # Allow all traffic to other cluster nodes and to Cilium's health
    # endpoints (L3-only, so ICMP echo/reply included); subsumes the
    # port-specific remote-node rules below. Removing this rule limits
    # node-to-node egress to those listed ports and drops ICMP echo/reply.
    - toEntities:
        - remote-node
        - health

    # Access to Google servers & API.
    # `world` on 443 is any HTTPS destination, not only Google; narrow it with
    # `toCIDR` / `toFQDNs` where the environment allows.
    - toEntities:
        - world
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
    # GCE metadata server (link-local). By port these are DNS (53/udp), the
    # HTTP metadata API (80/tcp), NTP (123/udp) and DHCP (67/udp).
    - toCIDR:
        - 169.254.169.254/32
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "80"
              protocol: TCP
            - port: "123"
              protocol: UDP
            - port: "67"
              protocol: UDP

    # Traffic to GKE's L7 LB
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: glbc
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP

    # Konnectivity service
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: konnectivity-agent
      toPorts:
        - ports:
            - port: "8093"
              protocol: TCP

    # DNS traffic to kube-dns
    # NOTE(review): only 53/udp is allowed; resolvers fall back to 53/tcp for
    # truncated responses, so confirm nothing on the node needs TCP DNS.
    # The remaining ports are presumably kube-dns health/metrics endpoints -
    # verify against the deployment before trimming.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
            - port: "53"
              protocol: UDP
            - port: "10054"
              protocol: TCP
            - port: "10055"
              protocol: TCP
            - port: "8081"
              protocol: TCP

    # Aggregator of resource usages on GKE.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: metrics-server
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP

    # K8s Heapster service.
    # NOTE(review): deprecated upstream - remove if no heapster deployment
    # exists (see the matching ingress rule).
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: heapster
      toPorts:
        - ports:
            - port: "8082"
              protocol: TCP

    # Node-to-node infrastructure ports; redundant while the L3 remote-node
    # rule above is present.
    - toEntities:
        - remote-node
      toPorts:
        - ports:
            # VXLAN tunnels between nodes
            - port: "8472"
              protocol: UDP
            # etcd connections
            # NOTE(review): likely unused on GKE workers (etcd is in the
            # managed control plane) - confirm and drop.
            - port: "2379"
              protocol: TCP
            - port: "2380"
              protocol: TCP
            # kube-api server
            # NOTE(review): on GKE the API server is not a cluster node; it is
            # reached through the `world` 443 rule above. Confirm whether this
            # entry is needed at all.
            - port: "6443"
              protocol: TCP
            # kubelet
            - port: "10250"
              protocol: TCP

    # Health checks
    - toEntities:
        - remote-node
        - health
      toPorts:
        - ports:
            - port: "4240"
              protocol: TCP

    # Required for host-networking pods of the connectivity-check
    # Test-only: remove this rule (and the NodePort ingress rules) on clusters
    # that do not run the connectivity-check.
    - toEndpoints:
        - matchLabels:
            name: echo-b
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
211