feat(EgressFirewall): Incept (#90)

ArthurVardevanyan · Dec 24, 2024 · b6b60a7 · b6b60a7
1 parent 98a246c
commit b6b60a7
Show file tree

Hide file tree

Showing 116 changed files with 2,014 additions and 132 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -486,6 +486,7 @@
     "pipelinerun",
     "pipelineruns",
     "pipelinesascode",
+    "pipelinesghubeus",
     "pnfs",
     "poddisruptionbudgets",
     "podsecuritypolicies",

diff --git a/kubernetes/argocd/base/egress-firewall.yaml b/kubernetes/argocd/base/egress-firewall.yaml
@@ -0,0 +1,33 @@
+apiVersion: k8s.ovn.org/v1
+kind: EgressFirewall
+metadata:
+  name: default
+  namespace: argocd
+spec:
+  egress:
+    # Control Plane
+    - type: Allow
+      to:
+        nodeSelector:
+          matchLabels:
+            node-role.kubernetes.io/control-plane: ""
+    # MicroShift
+    - type: Allow
+      to:
+        cidrSelector: 10.0.0.99/32
+    - type: Allow
+      to:
+        dnsName: microshift.arthurvardevanyan.com
+    # https://api.github.com/meta
+    - type: Allow
+      to:
+        dnsName: github.com
+    - type: Allow
+      to:
+        dnsName: api.github.com
+    - type: Allow
+      to:
+        cidrSelector: 140.82.112.0/20
+    - type: Deny
+      to:
+        cidrSelector: 0.0.0.0/0
diff --git a/kubernetes/argocd/base/kustomization.yaml b/kubernetes/argocd/base/kustomization.yaml
@@ -22,3 +22,4 @@ resources:
   - dragonfly/network-policy.yaml
   - k3s-cluster.yaml
   - microshift-cluster.yaml
+  - ./egress-firewall.yaml
diff --git a/kubernetes/argocd/base/network-policy.yaml b/kubernetes/argocd/base/network-policy.yaml
@@ -259,27 +259,27 @@ spec:
         - namespaceSelector:
             matchLabels:
               network.openshift.io/policy-group: ingress
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: allow-internet-egress
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "0"
-  labels:
-    app.kubernetes.io/instance: argocd
-spec:
-  policyTypes:
-    - Egress
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: argocd-repo-server
-  egress:
-    - to:
-        - ipBlock:
-            cidr: 0.0.0.0/0
-            except:
-              - 10.0.0.0/8
-              - 172.16.0.0/12
-              - 192.168.0.0/16
+# ---
+# apiVersion: networking.k8s.io/v1
+# kind: NetworkPolicy
+# metadata:
+#   name: allow-internet-egress
+#   namespace: argocd
+#   annotations:
+#     argocd.argoproj.io/sync-wave: "0"
+#   labels:
+#     app.kubernetes.io/instance: argocd
+# spec:
+#   policyTypes:
+#     - Egress
+#   podSelector:
+#     matchLabels:
+#       app.kubernetes.io/name: argocd-repo-server
+#   egress:
+#     - to:
+#         - ipBlock:
+#             cidr: 0.0.0.0/0
+#             except:
+#               - 10.0.0.0/8
+#               - 172.16.0.0/12
+#               - 192.168.0.0/16
diff --git a/kubernetes/argocd/base/notifications/network-policy.yaml b/kubernetes/argocd/base/notifications/network-policy.yaml
@@ -15,9 +15,10 @@ spec:
       app.kubernetes.io/name: argocd-notifications-controller
   egress:
     - to:
+        # https://api.github.com/meta
         - ipBlock:
-            cidr: 0.0.0.0/0
-            except:
-              - 10.0.0.0/8
-              - 172.16.0.0/12
-              - 192.168.0.0/16
+            cidr: 140.82.112.0/20
+            # except:
+            #   - 10.0.0.0/8
+            #   - 172.16.0.0/12
+            #   - 192.168.0.0/16
diff --git a/kubernetes/bitwarden/overlays/okd/egress-firewall.yaml b/kubernetes/bitwarden/overlays/okd/egress-firewall.yaml
@@ -0,0 +1,10 @@
+apiVersion: k8s.ovn.org/v1
+kind: EgressFirewall
+metadata:
+  name: default
+  namespace: bitwarden
+spec:
+  egress:
+    - type: Deny
+      to:
+        cidrSelector: 0.0.0.0/0
diff --git a/kubernetes/bitwarden/overlays/okd/kustomization.yaml b/kubernetes/bitwarden/overlays/okd/kustomization.yaml
@@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../../base
-  - ingress.yaml
+  - ./ingress.yaml
+  - ./egress-firewall.yaml
diff --git a/kubernetes/blackbox-exporter/components/probes.yaml b/kubernetes/blackbox-exporter/components/probes.yaml
@@ -37,6 +37,7 @@ spec:
     staticConfig:
       static:
         - https://1.1.1.1/
+        - https://1.0.0.1/
         - http://192.168.100.1/
         - https://api.okd.arthurvardevanyan.com:6443/healthz
         - https://console-openshift-console.apps.okd.arthurvardevanyan.com/

diff --git a/kubernetes/blackbox-exporter/overlays/okd/egress-firewall.yaml b/kubernetes/blackbox-exporter/overlays/okd/egress-firewall.yaml
@@ -0,0 +1,50 @@
+apiVersion: k8s.ovn.org/v1
+kind: EgressFirewall
+metadata:
+  name: default
+  namespace: blackbox-exporter
+spec:
+  egress:
+    # Cloudflare DNS
+    - type: Allow
+      to:
+        cidrSelector: 1.1.1.1/32
+    - type: Allow
+      to:
+        cidrSelector: 1.0.0.1/32
+    # Cloudflare API Ips (arthurvardevanyan.com)
+    # https://www.cloudflare.com/ips/
+    - type: Allow
+      to:
+        cidrSelector: 104.16.0.0/13
+    - type: Allow
+      to:
+        cidrSelector: 172.64.0.0/13
+    # Modem
+    - type: Allow
+      to:
+        cidrSelector: 192.168.100.1/32
+    - type: Allow
+      to:
+        dnsName: truenas.arthurvardevanyan.com
+    - type: Allow
+      to:
+        dnsName: www.arthurvardevanyan.com
+    - type: Allow
+      to:
+        dnsName: truenas.arthurvardevanyan.com
+    - type: Allow
+      to:
+        dnsName: unifi.arthurvardevanyan.com
+    - type: Allow
+      to:
+        dnsName: pihole.arthurvardevanyan.com
+    - type: Allow
+      to:
+        dnsName: api.okd.arthurvardevanyan.com
+    - type: Allow
+      to:
+        dnsName: apps.okd.arthurvardevanyan.com
+    - type: Deny
+      to:
+        cidrSelector: 0.0.0.0/0
diff --git a/kubernetes/blackbox-exporter/overlays/okd/kustomization.yaml b/kubernetes/blackbox-exporter/overlays/okd/kustomization.yaml
@@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../../base
+  - ./egress-firewall.yaml
 components:
   - ../../components
diff --git a/kubernetes/ceph/overlays/okd/egress-firewall.yaml b/kubernetes/ceph/overlays/okd/egress-firewall.yaml
@@ -0,0 +1,16 @@
+apiVersion: k8s.ovn.org/v1
+kind: EgressFirewall
+metadata:
+  name: default
+  namespace: rook-ceph
+spec:
+  egress:
+    # Control Plane
+    - type: Allow
+      to:
+        nodeSelector:
+          matchLabels:
+            node-role.kubernetes.io/control-plane: ""
+    - type: Deny
+      to:
+        cidrSelector: 0.0.0.0/0
diff --git a/kubernetes/ceph/overlays/okd/kustomization.yaml b/kubernetes/ceph/overlays/okd/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../../base
+  - ./egress-firewall.yaml
diff --git a/kubernetes/cert-manager/components/cloud-dns/kustomization.yaml b/kubernetes/cert-manager/components/cloud-dns/kustomization.yaml
@@ -4,3 +4,4 @@ resources:
   - ./gcp-credentials-request.yaml
   - ./cluster-issuer.yaml
   - ./kyverno.yaml
+  - ./network-policy.yaml
diff --git a/kubernetes/cert-manager/components/cloud-dns/network-policy.yaml b/kubernetes/cert-manager/components/cloud-dns/network-policy.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-google-cloud-egress
+  namespace: cert-manager
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+  labels:
+    app.kubernetes.io/instance: certificate-manager
+spec:
+  policyTypes:
+    - Egress
+  podSelector: {}
+  egress:
+    # Google Range
+    # https://support.google.com/a/answer/10026322?hl=en
+    # https://www.gstatic.com/ipranges/goog.json
+    # Cloud DNS API?
+    - to:
+        - ipBlock:
+            cidr: 172.217.0.0/16
+      # Cloud DNS DNS LookUp?
+    - to:
+        - ipBlock:
+            cidr: 216.239.32.0/19
diff --git a/kubernetes/cert-manager/components/network-policy/base/network-policy.yaml b/kubernetes/cert-manager/components/network-policy/base/network-policy.yaml
@@ -41,7 +41,7 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-internet-egress
+  name: allow-cloudflare-egress
   namespace: cert-manager
   annotations:
     argocd.argoproj.io/sync-wave: "0"
@@ -53,9 +53,15 @@ spec:
   podSelector: {}
   egress:
     - to:
+        # - ipBlock:
+        #     cidr: 0.0.0.0/0
+        #     except:
+        #       - 10.0.0.0/8
+        #       - 172.16.0.0/12
+        #       - 192.168.0.0/16
+        # CloudFlare API IP Ranges
+        # https://www.cloudflare.com/ips/
         - ipBlock:
-            cidr: 0.0.0.0/0
-            except:
-              - 10.0.0.0/8
-              - 172.16.0.0/12
-              - 192.168.0.0/16
+            cidr: 104.16.0.0/13
+        - ipBlock:
+            cidr: 172.64.0.0/13
diff --git a/kubernetes/cert-manager/overlays/okd/egress-firewall.yaml b/kubernetes/cert-manager/overlays/okd/egress-firewall.yaml
@@ -0,0 +1,41 @@
+apiVersion: k8s.ovn.org/v1
+kind: EgressFirewall
+metadata:
+  name: default
+  namespace: cert-manager
+spec:
+  egress:
+    # Control Plane
+    - type: Allow
+      to:
+        nodeSelector:
+          matchLabels:
+            node-role.kubernetes.io/control-plane: ""
+    # Cloudflare API Ips
+    # https://www.cloudflare.com/ips/
+    - type: Allow
+      to:
+        dnsName: api.cloudflare.com
+    - type: Allow
+      to:
+        cidrSelector: 104.16.0.0/13
+    - type: Allow
+      to:
+        cidrSelector: 172.64.0.0/13
+    # Google Range
+    # https://support.google.com/a/answer/10026322?hl=en
+    # https://www.gstatic.com/ipranges/goog.json
+    # Cloud DNS API?
+    - type: Allow
+      to:
+        dnsName: dns.googleapis.com
+    - type: Allow
+      to:
+        cidrSelector: 172.217.0.0/16
+      # Cloud DNS DNS LookUp?
+    - type: Allow
+      to:
+        cidrSelector: 216.239.32.0/19
+    - type: Deny
+      to:
+        cidrSelector: 0.0.0.0/0
diff --git a/kubernetes/cert-manager/overlays/okd/kustomization.yaml b/kubernetes/cert-manager/overlays/okd/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
   - ../../components/network-policy/base
   - ../../components/network-policy/okd
   - ./service-monitor.yaml
+  - ./egress-firewall.yaml
 components:
   - ../../components/trust-manager
   - ../../components/cloud-dns
diff --git a/kubernetes/cloudflare-ddns/overlays/okd/egress-firewall.yaml b/kubernetes/cloudflare-ddns/overlays/okd/egress-firewall.yaml
@@ -0,0 +1,28 @@
+apiVersion: k8s.ovn.org/v1
+kind: EgressFirewall
+metadata:
+  name: default
+  namespace: cloudflare-ddns
+spec:
+  egress:
+    # Cloudflare DNS
+    - type: Allow
+      to:
+        cidrSelector: 1.1.1.1/32
+    - type: Allow
+      to:
+        cidrSelector: 1.0.0.1/32
+    # Cloudflare API Ips
+    # https://www.cloudflare.com/ips/
+    - type: Allow
+      to:
+        dnsName: api.cloudflare.com
+    - type: Allow
+      to:
+        cidrSelector: 104.16.0.0/13
+    - type: Allow
+      to:
+        cidrSelector: 172.64.0.0/13
+    - type: Deny
+      to:
+        cidrSelector: 0.0.0.0/0
diff --git a/kubernetes/cloudflare-ddns/overlays/okd/kustomization.yaml b/kubernetes/cloudflare-ddns/overlays/okd/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../../base
+  - ./egress-firewall.yaml
diff --git a/kubernetes/cockroachdb/overlays/okd/egress-firewall.yaml b/kubernetes/cockroachdb/overlays/okd/egress-firewall.yaml
@@ -0,0 +1,16 @@
+apiVersion: k8s.ovn.org/v1
+kind: EgressFirewall
+metadata:
+  name: default
+  namespace: cockroach-operator-system
+spec:
+  egress:
+    # Control Plane
+    - type: Allow
+      to:
+        nodeSelector:
+          matchLabels:
+            node-role.kubernetes.io/control-plane: ""
+    - type: Deny
+      to:
+        cidrSelector: 0.0.0.0/0
diff --git a/kubernetes/cockroachdb/overlays/okd/kustomization.yaml b/kubernetes/cockroachdb/overlays/okd/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../../base
+  - ./egress-firewall.yaml