# Cilium host policy for GKE worker nodes (nodes labelled type=worker).
# Once this policy selects a node, traffic not matched by a rule below is
# denied in both directions (Cilium default-deny for ingress and egress).
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "lock-down-gke"
spec:
  description: "Lock down nodes on GKE. USE AT YOUR OWN RISK."
  nodeSelector:
    matchLabels:
      type: worker
  ingress:
  # Allow all traffic from other cluster nodes and the Cilium health endpoint.
  # If this rule is commented out, only ICMP echo/reply messages should end up
  # being dropped (the port-scoped rules below cover the rest).
  - fromEntities:
    - remote-node
    - health

  # Administrative access from any source outside the cluster ("world").
  # NOTE(review): this is the widest ingress rule in the policy; restrict it to
  # trusted source ranges with fromCIDR where possible.
  - fromEntities:
    - world
    toPorts:
    - ports:
      # SSH access to the VMs
      - port: "22"
        protocol: TCP
      # Remote Desktop access to the VMs
      - port: "3389"
        protocol: TCP

  # Node-to-node datapath and control-plane ports.
  - fromEntities:
    - remote-node
    toPorts:
    - ports:
      # VXLAN tunnels between nodes
      - port: "8472"
        protocol: UDP
      # etcd connections
      - port: "2379"
        protocol: TCP
      - port: "2380"
        protocol: TCP
      # kubelet
      - port: "10250"
        protocol: TCP

  # Aggregator of resource usages on GKE.
  # NOTE(review): 10255 is conventionally the kubelet read-only port, which is
  # served without authentication; confirm it is still required.
  - fromEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: metrics-server
    toPorts:
    - ports:
      - port: "10255"
        protocol: TCP

  # Health checks between nodes and the Cilium health endpoint.
  - fromEntities:
    - remote-node
    - health
    toPorts:
    - ports:
      - port: "4240"
        protocol: TCP

  # Requests from Heapster service to kube-proxy.
  # NOTE(review): 10255 is conventionally the kubelet read-only port rather than
  # a kube-proxy port, and Heapster has been retired upstream; confirm this rule
  # is still needed before keeping it.
  - fromEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: heapster
    toPorts:
    - ports:
      - port: "10255"
        protocol: TCP

  # NodePort
  # These two rules are only needed when kube-proxy is used.
  # They should be removed when running in kube-proxy-free mode.
  - fromEndpoints:
    - matchLabels:
        name: pod-to-b-intra-node-nodeport
    toPorts:
    - ports:
      - port: "31414"
        protocol: TCP
  - fromEndpoints:
    - matchLabels:
        name: pod-to-b-multi-node-nodeport
    toPorts:
    - ports:
      - port: "31414"
        protocol: TCP


  egress:
  # Allow all traffic to other cluster nodes and the Cilium health endpoint.
  # If this rule is commented out, only ICMP echo/reply messages should end up
  # being dropped (the port-scoped rules below cover the rest).
  - toEntities:
    - remote-node
    - health

  # Access to Google servers & API.
  # NOTE(review): this permits HTTPS to any destination outside the cluster;
  # narrow it with toCIDR or toFQDNs once the required endpoints are known.
  - toEntities:
    - world
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
  # Link-local metadata server address (GCE metadata service).
  - toCIDR:
    - 169.254.169.254/32
    toPorts:
    - ports:
      # DNS
      - port: "53"
        protocol: UDP
      # HTTP (metadata API)
      - port: "80"
        protocol: TCP
      # NTP
      - port: "123"
        protocol: UDP
      # DHCP
      - port: "67"
        protocol: UDP

  # Traffic to GKE's L7 LB controller (glbc) in kube-system.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: glbc
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP

  # Konnectivity service agent in kube-system.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: konnectivity-agent
    toPorts:
    - ports:
      - port: "8093"
        protocol: TCP

  # DNS traffic to kube-dns (53/UDP) plus its additional TCP ports.
  # NOTE(review): 8080/8081/10054/10055 look like health/metrics ports of the
  # kube-dns pods; confirm each is still needed by the nodes.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      - port: "53"
        protocol: UDP
      - port: "10054"
        protocol: TCP
      - port: "10055"
        protocol: TCP
      - port: "8081"
        protocol: TCP

  # Aggregator of resource usages on GKE.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: metrics-server
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP

  # K8s Heapster service.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: heapster
    toPorts:
    - ports:
      - port: "8082"
        protocol: TCP

  # Node-to-node datapath and control-plane ports.
  - toEntities:
    - remote-node
    toPorts:
    - ports:
      # VXLAN tunnels between nodes
      - port: "8472"
        protocol: UDP
      # etcd connections
      - port: "2379"
        protocol: TCP
      - port: "2380"
        protocol: TCP
      # kube-apiserver
      - port: "6443"
        protocol: TCP
      # kubelet
      - port: "10250"
        protocol: TCP

  # Health checks between nodes and the Cilium health endpoint.
  - toEntities:
    - remote-node
    - health
    toPorts:
    - ports:
      - port: "4240"
        protocol: TCP

  # Required for host-networking pods of the connectivity-check (echo-b on 8080).
  - toEndpoints:
    - matchLabels:
        name: echo-b
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP