From b3d621425f543bc9088acef78fc919c765b6c333 Mon Sep 17 00:00:00 2001 From: Arthur Date: Fri, 2 Feb 2024 15:46:20 -0500 Subject: [PATCH] fix: kubeVip Network Policies --- kubernetes/argocd/base/network-policy.yaml | 19 +++++++++++++++ .../gitea/base/dragonfly/network-policy.yaml | 23 +++++++++++++++++++ kubernetes/gitea/base/network-policy.yaml | 23 +++++++++++++++++++ kubernetes/grafana/base/network-policy.yaml | 19 +++++++++++++++ .../quay/base/dragonfly/network-policy.yaml | 23 +++++++++++++++++++ kubernetes/quay/base/network-policy.yaml | 20 +++++++++++++++- 6 files changed, 126 insertions(+), 1 deletion(-) diff --git a/kubernetes/argocd/base/network-policy.yaml b/kubernetes/argocd/base/network-policy.yaml index 3f62b3809..8de87b72a 100644 --- a/kubernetes/argocd/base/network-policy.yaml +++ b/kubernetes/argocd/base/network-policy.yaml @@ -169,6 +169,25 @@ spec: --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy +metadata: + name: allow-to-openshift-ingress + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "0" + labels: + app.kubernetes.io/instance: argocd +spec: + policyTypes: + - Egress + podSelector: {} + egress: + - to: + - namespaceSelector: + matchLabels: + network.openshift.io/policy-group: ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy metadata: name: allow-internet-egress namespace: argocd diff --git a/kubernetes/gitea/base/dragonfly/network-policy.yaml b/kubernetes/gitea/base/dragonfly/network-policy.yaml index 12a85b357..d529d73ba 100644 --- a/kubernetes/gitea/base/dragonfly/network-policy.yaml +++ b/kubernetes/gitea/base/dragonfly/network-policy.yaml 
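Review bot: The `egress` rule of the new allow-to-openshift-ingress policy has no `ports` list, so every pod matched by `podSelector: {}` in argocd may open any port on any pod in the namespace labelled `network.openshift.io/policy-group: ingress`; the gitea, grafana, quay and both dragonfly hunks use the same unrestricted shape. If the pods only need to reach the router, add `ports:` / `- protocol: TCP` / `port: 443` (plus 80 if plain HTTP routes are used) under the `to` entry so the allow stays scoped to the router ports. The argocd, grafana and quay variants also select the whole namespace with `podSelector: {}` while the gitea variant narrows to the app labels; unless every pod in those namespaces genuinely calls back through the ingress, narrowing the selector to the component that does keeps them consistent with gitea and with least privilege. A short comment above the document stating which route the pods reach through the ingress namespace would make the reason for this egress reviewable later.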
@@ -135,6 +135,29 @@ spec: --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy +metadata: + name: dragonfly-allow-to-openshift-ingress + namespace: gitea + annotations: + argocd.argoproj.io/sync-wave: "0" + labels: + app.kubernetes.io/instance: gitea +spec: + policyTypes: + - Egress + podSelector: + matchLabels: + app: gitea-dragonfly + app.kubernetes.io/name: dragonfly + app.kubernetes.io/part-of: dragonfly + egress: + - to: + - namespaceSelector: + matchLabels: + network.openshift.io/policy-group: ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy metadata: name: dragonfly-operator-system namespace: gitea diff --git a/kubernetes/gitea/base/network-policy.yaml b/kubernetes/gitea/base/network-policy.yaml index 3cfe75126..37d970fa2 100644 --- a/kubernetes/gitea/base/network-policy.yaml +++ b/kubernetes/gitea/base/network-policy.yaml @@ -120,3 +120,26 @@ spec: cidr: 10.0.0.100/32 # OKD HaProxy - ipBlock: cidr: 10.0.0.131/32 # OKD KubVip +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-to-openshift-ingress + namespace: gitea + annotations: + argocd.argoproj.io/sync-wave: "0" + labels: + app.kubernetes.io/instance: gitea +spec: + policyTypes: + - Egress + podSelector: + matchLabels: + app: gitea + app.kubernetes.io/instance: gitea + app.kubernetes.io/name: gitea + egress: + - to: + - namespaceSelector: + matchLabels: + network.openshift.io/policy-group: ingress diff --git a/kubernetes/grafana/base/network-policy.yaml b/kubernetes/grafana/base/network-policy.yaml index 3fe7b4400..7738f2477 100644 --- a/kubernetes/grafana/base/network-policy.yaml +++ b/kubernetes/grafana/base/network-policy.yaml 
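Review bot: dragonfly-allow-to-openshift-ingress gives the gitea-dragonfly cache pods egress to the ingress namespace, and nothing in the hunk shows why an in-cluster cache would need to reach the router; the quay dragonfly hunk adds the identical policy for quay-dragonfly. If it was added for symmetry with the application policy rather than for an observed connection, dropping it keeps the cache's egress limited to what it demonstrably uses; if the connection is real, a comment above the document naming the route the cache reaches and why would record that for the next reviewer. Either way the rule would benefit from the same `ports` restriction as the application policies rather than allowing every port.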
@@ -215,3 +215,22 @@ spec: cidr: 10.0.0.100/32 # OKD HaProxy - ipBlock: cidr: 10.0.0.131/32 # OKD KubVip +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-to-openshift-ingress + namespace: grafana + annotations: + argocd.argoproj.io/sync-wave: "0" + labels: + app.kubernetes.io/instance: grafana +spec: + policyTypes: + - Egress + podSelector: {} + egress: + - to: + - namespaceSelector: + matchLabels: + network.openshift.io/policy-group: ingress diff --git a/kubernetes/quay/base/dragonfly/network-policy.yaml b/kubernetes/quay/base/dragonfly/network-policy.yaml index 8e2accc8c..2ffb8b51f 100644 --- a/kubernetes/quay/base/dragonfly/network-policy.yaml +++ b/kubernetes/quay/base/dragonfly/network-policy.yaml @@ -135,6 +135,29 @@ spec: --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy +metadata: + name: dragonfly-allow-to-openshift-ingress + namespace: quay + annotations: + argocd.argoproj.io/sync-wave: "0" + labels: + app.kubernetes.io/instance: quay +spec: + policyTypes: + - Egress + podSelector: + matchLabels: + app: quay-dragonfly + app.kubernetes.io/name: dragonfly + app.kubernetes.io/part-of: dragonfly + egress: + - to: + - namespaceSelector: + matchLabels: + network.openshift.io/policy-group: ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy metadata: name: dragonfly-operator-system namespace: quay diff --git a/kubernetes/quay/base/network-policy.yaml b/kubernetes/quay/base/network-policy.yaml index aa7b9aec8..4c0162a1e 100644 --- a/kubernetes/quay/base/network-policy.yaml +++ b/kubernetes/quay/base/network-policy.yaml 
@@ -116,7 +116,25 @@ spec: cidr: 10.0.0.100/32 # OKD HaProxy - ipBlock: cidr: 10.0.0.131/32 # OKD KubVip - +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-to-openshift-ingress + namespace: quay + annotations: + argocd.argoproj.io/sync-wave: "0" + labels: + app.kubernetes.io/instance: quay +spec: + policyTypes: + - Egress + podSelector: {} + egress: + - to: + - namespaceSelector: + matchLabels: + network.openshift.io/policy-group: ingress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy