From b6b60a754e9694e97551b3602eb2180c61374fcb Mon Sep 17 00:00:00 2001 
From: Arthur Date: Tue, 24 Dec 2024 02:24:47 +0000 Subject: [PATCH] feat(EgressFirewall): Incept (#90) --- .vscode/settings.json | 1 + kubernetes/argocd/base/egress-firewall.yaml | 33 ++++ kubernetes/argocd/base/kustomization.yaml | 1 + kubernetes/argocd/base/network-policy.yaml | 48 +++--- .../base/notifications/network-policy.yaml | 11 +- .../overlays/okd/egress-firewall.yaml | 10 ++ .../bitwarden/overlays/okd/kustomization.yaml | 3 +- .../blackbox-exporter/components/probes.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 50 ++++++ .../overlays/okd/kustomization.yaml | 1 + .../ceph/overlays/okd/egress-firewall.yaml | 16 ++ .../ceph/overlays/okd/kustomization.yaml | 1 + .../components/cloud-dns/kustomization.yaml | 1 + .../components/cloud-dns/network-policy.yaml | 26 +++ .../network-policy/base/network-policy.yaml | 18 +- .../overlays/okd/egress-firewall.yaml | 41 +++++ .../overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 28 ++++ .../overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 16 ++ .../overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 74 +++++++++ .../overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 16 ++ .../overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 16 ++ .../overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 28 ++++ .../overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 19 +++ .../overlays/okd/kustomization.yaml | 1 + .../gitea/overlays/okd/egress-firewall.yaml | 19 +++ .../gitea/overlays/okd/kustomization.yaml | 1 + .../base/arc-systems/egress-firewall.yaml | 142 ++++++++++++++++ .../github-runners/base/kustomization.yaml | 2 + .../runner-scale-sets/egress-firewall.yaml | 150 +++++++++++++++++ .../grafana/overlays/okd/egress-firewall.yaml | 14 ++ .../grafana/overlays/okd/kustomization.yaml | 3 +- .../overlays/okd/egress-firewall.yaml | 10 ++ 
.../heimdall/overlays/okd/kustomization.yaml | 5 +- .../overlays/okd/egress-firewall.yaml | 20 +++ .../overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 16 ++ .../overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 10 ++ .../influxdb/overlays/okd/kustomization.yaml | 2 +- .../overlays/okd/egress-firewall.yaml | 22 +++ .../overlays/okd/kustomization.yaml | 1 + .../knative/overlays/okd/egress-firewall.yaml | 33 ++++ .../knative/overlays/okd/kustomization.yaml | 1 + .../{default => k3s}/kustomization.yaml | 0 .../overlays/okd/egress-firewall.yaml | 16 ++ .../overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 16 ++ .../kube-vip/overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 19 +++ .../kubevirt/overlays/okd/kustomization.yaml | 1 + .../kyverno/overlays/okd/egress-firewall.yaml | 16 ++ .../kyverno/overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 16 ++ .../overlays/okd/kustomization.yaml | 1 + kubernetes/loki/base/network-policy.yaml | 92 +++++------ .../loki/overlays/okd/egress-firewall.yaml | 10 ++ .../loki/overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 10 ++ .../overlays/okd/kustomization.yaml | 1 + .../minio-operator/base/network-policy.yaml | 52 +++--- .../overlays/okd/egress-firewall.yaml | 16 ++ .../overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 16 ++ .../overlays/okd/kustomization.yaml | 1 + .../netbox/overlays/okd/egress-firewall.yaml | 19 +++ .../netbox/overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 51 ++++++ .../overlays/okd/kustomization.yaml | 1 + .../nextcloud/base/postgres/postgres.yaml | 4 +- .../nextcloud/base/preview-cronjob.yaml | 2 +- .../overlays/okd/egress-firewall.yaml | 45 +++++ .../nextcloud/overlays/okd/kustomization.yaml | 5 +- .../nmstate/overlays/okd/egress-firewall.yaml | 16 ++ 
.../nmstate/overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 16 ++ .../overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 16 ++ .../overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 19 +++ .../overlays/okd/kustomization.yaml | 1 + .../pihole/overlays/okd/egress-firewall.yaml | 30 ++++ .../pihole/overlays/okd/kustomization.yaml | 7 +- .../applications/grafana/postgres.yaml | 4 +- .../overlays/okd/egress-firewall.yaml | 27 +++ .../postgres/overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 34 ++++ .../overlays/okd/kustomization.yaml | 1 + .../quay/base/postgres/quay/postgres.yaml | 4 +- .../quay/overlays/okd/egress-firewall.yaml | 139 ++++++++++++++++ .../quay/overlays/okd/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 155 ++++++++++++++++++ .../overlays/okd/kustomization.yaml | 1 + .../overlays/operator/egress-firewall.yaml | 77 +++++++++ .../overlays/operator/kustomization.yaml | 1 + .../overlays/okd/egress-firewall.yaml | 50 ++++++ .../overlays/okd/kustomization.yaml | 1 + .../vault/overlays/okd/egress-firewall.yaml | 35 ++++ .../vault/overlays/okd/kustomization.yaml | 1 + .../vault/overlays/okd/network-policy.yaml | 16 +- .../velero/overlays/okd/egress-firewall.yaml | 19 +++ .../velero/overlays/okd/kustomization.yaml | 1 + .../version-checker/base/network-policy.yaml | 18 ++ .../overlays/okd/egress-firewall.yaml | 74 +++++++++ .../overlays/okd/kustomization.yaml | 1 + .../zitadel/overlays/okd/egress-firewall.yaml | 10 ++ .../overlays/okd/network.yaml | 2 +- .../base/egress-firewall.yaml | 24 +++ .../base/kustomization.yaml | 1 + tekton/base/overlay-test.yaml | 4 +- 116 files changed, 2014 insertions(+), 132 deletions(-) create mode 100644 kubernetes/argocd/base/egress-firewall.yaml create mode 100644 kubernetes/bitwarden/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/blackbox-exporter/overlays/okd/egress-firewall.yaml 
create mode 100644 kubernetes/ceph/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/cert-manager/components/cloud-dns/network-policy.yaml create mode 100644 kubernetes/cert-manager/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/cloudflare-ddns/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/cockroachdb/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/container-security/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/dragonfly-operator/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/eclipse-che/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/external-dns/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/external-secrets-operator/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/gitea/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/github-runners/base/arc-systems/egress-firewall.yaml create mode 100644 kubernetes/github-runners/base/runner-scale-sets/egress-firewall.yaml create mode 100644 kubernetes/grafana/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/heimdall/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/homeassistant/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/imagepuller/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/influxdb/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/keep-alive/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/knative/overlays/okd/egress-firewall.yaml rename kubernetes/kube-eagle/overlays/{default => k3s}/kustomization.yaml (100%) create mode 100644 kubernetes/kube-eagle/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/kube-vip/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/kubevirt/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/kyverno/overlays/okd/egress-firewall.yaml create mode 100644 
kubernetes/loki-operator/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/loki/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/mariadb-galera/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/minio-operator/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/mongodb-operator/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/netbox/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/network-observability/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/nextcloud/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/nmstate/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/observability-operator/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/openshift-logging/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/photoprism/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/pihole/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/postgres/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/prometheus/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/quay/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/stackrox-central/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/tekton/overlays/operator/egress-firewall.yaml create mode 100644 kubernetes/uptime-kuma/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/vault/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/velero/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/version-checker/overlays/okd/egress-firewall.yaml create mode 100644 kubernetes/zitadel/overlays/okd/egress-firewall.yaml create mode 100644 okd/openshift-monitoring/base/egress-firewall.yaml diff --git a/.vscode/settings.json b/.vscode/settings.json index 35f5bc7ad..c6ffca23e 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json 
@@ -486,6 +486,7 @@ "pipelinerun", "pipelineruns", "pipelinesascode", + "pipelinesghubeus", "pnfs", "poddisruptionbudgets", "podsecuritypolicies", diff --git a/kubernetes/argocd/base/egress-firewall.yaml b/kubernetes/argocd/base/egress-firewall.yaml new file mode 100644 index 000000000..b8ffaa0e8 --- /dev/null +++ b/kubernetes/argocd/base/egress-firewall.yaml @@ -0,0 +1,33 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: argocd +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + # MicroShift + - type: Allow + to: + cidrSelector: 10.0.0.99/32 + - type: Allow + to: + dnsName: microshift.arthurvardevanyan.com + # https://api.github.com/meta + - type: Allow + to: + dnsName: github.com + - type: Allow + to: + dnsName: api.github.com + - type: Allow + to: + cidrSelector: 140.82.112.0/20 + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/argocd/base/kustomization.yaml b/kubernetes/argocd/base/kustomization.yaml index 32f1dc9fc..b3a4f09d2 100644 --- a/kubernetes/argocd/base/kustomization.yaml +++ b/kubernetes/argocd/base/kustomization.yaml @@ -22,3 +22,4 @@ resources: - dragonfly/network-policy.yaml - k3s-cluster.yaml - microshift-cluster.yaml + - ./egress-firewall.yaml diff --git a/kubernetes/argocd/base/network-policy.yaml b/kubernetes/argocd/base/network-policy.yaml index 4ba8d7feb..2ba06f28c 100644 --- a/kubernetes/argocd/base/network-policy.yaml +++ b/kubernetes/argocd/base/network-policy.yaml 
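Review bot: The closing `cidrSelector: 0.0.0.0/0` Deny matches IPv4 only, so on a dual-stack cluster IPv6 egress keeps the OVN default of allow; the same trailing rule is used by every EgressFirewall in this patch (bitwarden, blackbox-exporter, rook-ceph, cert-manager, cloudflare-ddns, cockroach-operator-system, container-security-operator, dragonfly-operator-system, eclipse-che-operator, external-dns, external-secrets-operator, gitea, github-arc-systems). If the cluster carries IPv6, add a second rule `- type: Deny` / `to:` / `cidrSelector: ::/0` after it; if it does not, a one-line comment such as `# IPv4-only cluster, no ::/0 rule needed` records the assumption next to the rule. Unlike the other manifests this one lives in `base/` rather than `overlays/okd`, and `k8s.ovn.org/v1` only exists on OVN-Kubernetes clusters, so the argocd base can no longer render on a cluster without that CRD. `cidrSelector: 140.82.112.0/20` is a point-in-time snapshot of api.github.com/meta; a comment with the retrieval date would tell the next reader when to refresh it.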
@@ -259,27 +259,27 @@ spec: - namespaceSelector: matchLabels: network.openshift.io/policy-group: ingress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-internet-egress - namespace: argocd - annotations: - argocd.argoproj.io/sync-wave: "0" - labels: - app.kubernetes.io/instance: argocd -spec: - policyTypes: - - Egress - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-repo-server - egress: - - to: - - ipBlock: - cidr: 0.0.0.0/0 - except: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 +# --- +# apiVersion: networking.k8s.io/v1 +# kind: NetworkPolicy +# metadata: +# name: allow-internet-egress +# namespace: argocd +# annotations: +# argocd.argoproj.io/sync-wave: "0" +# labels: +# app.kubernetes.io/instance: argocd +# spec: +# policyTypes: +# - Egress +# podSelector: +# matchLabels: +# app.kubernetes.io/name: argocd-repo-server +# egress: +# - to: +# - ipBlock: +# cidr: 0.0.0.0/0 +# except: +# - 10.0.0.0/8 +# - 172.16.0.0/12 +# - 192.168.0.0/16 diff --git a/kubernetes/argocd/base/notifications/network-policy.yaml b/kubernetes/argocd/base/notifications/network-policy.yaml index 7a87f8e59..f540dacf2 100644 --- a/kubernetes/argocd/base/notifications/network-policy.yaml +++ b/kubernetes/argocd/base/notifications/network-policy.yaml @@ -15,9 +15,10 @@ spec: app.kubernetes.io/name: argocd-notifications-controller egress: - to: + # https://api.github.com/meta - ipBlock: - cidr: 0.0.0.0/0 - except: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 + cidr: 140.82.112.0/20 + # except: + # - 10.0.0.0/8 + # - 172.16.0.0/12 + # - 192.168.0.0/16 diff --git a/kubernetes/bitwarden/overlays/okd/egress-firewall.yaml b/kubernetes/bitwarden/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..60f52e13b --- /dev/null +++ b/kubernetes/bitwarden/overlays/okd/egress-firewall.yaml 
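Review bot: Commenting out `allow-internet-egress` leaves `argocd-repo-server` with no NetworkPolicy egress allowance in this file, and an EgressFirewall can only narrow what NetworkPolicy already permits; if the namespace also carries a default-deny egress policy (not visible in this hunk), repo-server git fetches are blocked outright rather than restricted to GitHub. Either keep a NetworkPolicy that allows egress to the GitHub ranges and the API server, or confirm that no default-deny egress policy selects the repo-server pods. Dead configuration is better deleted than commented out: git history keeps it, and a 25-line `#` block beside live policies invites a wholesale uncomment later.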
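Review bot: Pinning the notifications egress to the single block `cidr: 140.82.112.0/20` will fail silently the day api.github.com resolves into another GitHub range; the arc-systems firewall in this same patch already lists further ranges such as `185.199.108.0/22`. NetworkPolicy `ipBlock` cannot follow DNS, so either list every api range from api.github.com/meta here, or keep this policy broad and let the namespace EgressFirewall's `dnsName: api.github.com` carry the restriction. The commented `except:` block left under the new rule should be removed rather than kept as a reminder.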
@@ -0,0 +1,10 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: bitwarden +spec: + egress: + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/bitwarden/overlays/okd/kustomization.yaml b/kubernetes/bitwarden/overlays/okd/kustomization.yaml index 6eaffff21..984c41f55 100644 --- a/kubernetes/bitwarden/overlays/okd/kustomization.yaml +++ b/kubernetes/bitwarden/overlays/okd/kustomization.yaml @@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base - - ingress.yaml + - ./ingress.yaml + - ./egress-firewall.yaml diff --git a/kubernetes/blackbox-exporter/components/probes.yaml b/kubernetes/blackbox-exporter/components/probes.yaml index 80a8b0e70..b03a10585 100644 --- a/kubernetes/blackbox-exporter/components/probes.yaml +++ b/kubernetes/blackbox-exporter/components/probes.yaml @@ -37,6 +37,7 @@ spec: staticConfig: static: - https://1.1.1.1/ + - https://1.0.0.1/ - http://192.168.100.1/ - https://api.okd.arthurvardevanyan.com:6443/healthz - https://console-openshift-console.apps.okd.arthurvardevanyan.com/ diff --git a/kubernetes/blackbox-exporter/overlays/okd/egress-firewall.yaml b/kubernetes/blackbox-exporter/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..3f83ad1a4 --- /dev/null +++ b/kubernetes/blackbox-exporter/overlays/okd/egress-firewall.yaml 
@@ -0,0 +1,50 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: blackbox-exporter +spec: + egress: + # Cloudflare DNS + - type: Allow + to: + cidrSelector: 1.1.1.1/32 + - type: Allow + to: + cidrSelector: 1.0.0.1/32 + # Cloudflare API Ips (arthurvardevanyan.com) + # https://www.cloudflare.com/ips/ + - type: Allow + to: + cidrSelector: 104.16.0.0/13 + - type: Allow + to: + cidrSelector: 172.64.0.0/13 + # Modem + - type: Allow + to: + cidrSelector: 192.168.100.1/32 + - type: Allow + to: + dnsName: truenas.arthurvardevanyan.com + - type: Allow + to: + dnsName: www.arthurvardevanyan.com + - type: Allow + to: + dnsName: truenas.arthurvardevanyan.com + - type: Allow + to: + dnsName: unifi.arthurvardevanyan.com + - type: Allow + to: + dnsName: pihole.arthurvardevanyan.com + - type: Allow + to: + dnsName: api.okd.arthurvardevanyan.com + - type: Allow + to: + dnsName: apps.okd.arthurvardevanyan.com + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/blackbox-exporter/overlays/okd/kustomization.yaml b/kubernetes/blackbox-exporter/overlays/okd/kustomization.yaml index 64ca97217..1feba1721 100644 --- a/kubernetes/blackbox-exporter/overlays/okd/kustomization.yaml +++ b/kubernetes/blackbox-exporter/overlays/okd/kustomization.yaml @@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml components: - ../../components diff --git a/kubernetes/ceph/overlays/okd/egress-firewall.yaml b/kubernetes/ceph/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..6f34e2a20 --- /dev/null +++ b/kubernetes/ceph/overlays/okd/egress-firewall.yaml @@ -0,0 +1,16 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: rook-ceph +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 
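Review bot: `dnsName: truenas.arthurvardevanyan.com` appears twice in the egress list; the second entry is redundant and should be dropped so the rule count reflects what the firewall actually allows. The two Cloudflare `/13` blocks are presumably what keeps the probe of the proxied `www.arthurvardevanyan.com` reliable when its resolved address changes; a comment on that dnsName such as `# proxied through Cloudflare, see CIDR rules above` would tie the two forms together so neither is removed as unused. Ordering is first-match in an EgressFirewall, so the final Deny must stay last when entries are added.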
diff --git a/kubernetes/ceph/overlays/okd/kustomization.yaml b/kubernetes/ceph/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/ceph/overlays/okd/kustomization.yaml +++ b/kubernetes/ceph/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/cert-manager/components/cloud-dns/kustomization.yaml b/kubernetes/cert-manager/components/cloud-dns/kustomization.yaml index bb638c0d5..942d6fd2c 100644 --- a/kubernetes/cert-manager/components/cloud-dns/kustomization.yaml +++ b/kubernetes/cert-manager/components/cloud-dns/kustomization.yaml @@ -4,3 +4,4 @@ resources: - ./gcp-credentials-request.yaml - ./cluster-issuer.yaml - ./kyverno.yaml + - ./network-policy.yaml diff --git a/kubernetes/cert-manager/components/cloud-dns/network-policy.yaml b/kubernetes/cert-manager/components/cloud-dns/network-policy.yaml new file mode 100644 index 000000000..75e65cc28 --- /dev/null +++ b/kubernetes/cert-manager/components/cloud-dns/network-policy.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-google-cloud-egress + namespace: cert-manager + annotations: + argocd.argoproj.io/sync-wave: "0" + labels: + app.kubernetes.io/instance: certificate-manager +spec: + policyTypes: + - Egress + podSelector: {} + egress: + # Google Range + # https://support.google.com/a/answer/10026322?hl=en + # https://www.gstatic.com/ipranges/goog.json + # Cloud DNS API? + - to: + - ipBlock: + cidr: 172.217.0.0/16 + # Cloud DNS DNS LookUp? + - to: + - ipBlock: + cidr: 216.239.32.0/19 diff --git a/kubernetes/cert-manager/components/network-policy/base/network-policy.yaml b/kubernetes/cert-manager/components/network-policy/base/network-policy.yaml index b46b04fa9..e50001681 100644 --- a/kubernetes/cert-manager/components/network-policy/base/network-policy.yaml 
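Review bot: The `# Cloud DNS API?` and `# Cloud DNS DNS LookUp?` comments record a guess, and `podSelector: {}` grants both Google blocks to every pod in cert-manager rather than only the component doing DNS01 solving; verify the ranges against goog.json and rewrite the comments as statements, e.g. `# dns.googleapis.com (Cloud DNS API), verified <date>`. If only the cert-manager controller performs the DNS01 challenge, a `podSelector` on its label would keep the allowance where it is used. This file opens with `---` while the other manifests in the patch do not; pick one convention for the repository.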
+++ b/kubernetes/cert-manager/components/network-policy/base/network-policy.yaml @@ -41,7 +41,7 @@ spec: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: allow-internet-egress + name: allow-cloudflare-egress namespace: cert-manager annotations: argocd.argoproj.io/sync-wave: "0" @@ -53,9 +53,15 @@ spec: podSelector: {} egress: - to: + # - ipBlock: + # cidr: 0.0.0.0/0 + # except: + # - 10.0.0.0/8 + # - 172.16.0.0/12 + # - 192.168.0.0/16 + # CloudFlare API IP Ranges + # https://www.cloudflare.com/ips/ - ipBlock: - cidr: 0.0.0.0/0 - except: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 + cidr: 104.16.0.0/13 + - ipBlock: + cidr: 172.64.0.0/13 diff --git a/kubernetes/cert-manager/overlays/okd/egress-firewall.yaml b/kubernetes/cert-manager/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..91cbab4d9 --- /dev/null +++ b/kubernetes/cert-manager/overlays/okd/egress-firewall.yaml @@ -0,0 +1,41 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: cert-manager +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + # Cloudflare API Ips + # https://www.cloudflare.com/ips/ + - type: Allow + to: + dnsName: api.cloudflare.com + - type: Allow + to: + cidrSelector: 104.16.0.0/13 + - type: Allow + to: + cidrSelector: 172.64.0.0/13 + # Google Range + # https://support.google.com/a/answer/10026322?hl=en + # https://www.gstatic.com/ipranges/goog.json + # Cloud DNS API? + - type: Allow + to: + dnsName: dns.googleapis.com + - type: Allow + to: + cidrSelector: 172.217.0.0/16 + # Cloud DNS DNS LookUp? + - type: Allow + to: + cidrSelector: 216.239.32.0/19 + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/cert-manager/overlays/okd/kustomization.yaml b/kubernetes/cert-manager/overlays/okd/kustomization.yaml index 1e19f6e92..f070462f7 100644 --- a/kubernetes/cert-manager/overlays/okd/kustomization.yaml 
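Review bot: The renamed `allow-cloudflare-egress` keeps the old `0.0.0.0/0` block as a six-line comment inside the `egress` list; delete it rather than leave a ready-made revert beside a live rule. Nothing in this policy hints that Google ranges are needed as well when the cloud-dns component is enabled; a one-line comment such as `# Google Cloud DNS egress lives in components/cloud-dns/network-policy.yaml` would save the next reader a search. The `cidr: 104.16.0.0/13` and `cidr: 172.64.0.0/13` entries should carry the retrieval date, since the ips page is the only thing that says when they are stale.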
+++ b/kubernetes/cert-manager/overlays/okd/kustomization.yaml @@ -7,6 +7,7 @@ resources: - ../../components/network-policy/base - ../../components/network-policy/okd - ./service-monitor.yaml + - ./egress-firewall.yaml components: - ../../components/trust-manager - ../../components/cloud-dns diff --git a/kubernetes/cloudflare-ddns/overlays/okd/egress-firewall.yaml b/kubernetes/cloudflare-ddns/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..6126dcf8f --- /dev/null +++ b/kubernetes/cloudflare-ddns/overlays/okd/egress-firewall.yaml @@ -0,0 +1,28 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: cloudflare-ddns +spec: + egress: + # Cloudflare DNS + - type: Allow + to: + cidrSelector: 1.1.1.1/32 + - type: Allow + to: + cidrSelector: 1.0.0.1/32 + # Cloudflare API Ips + # https://www.cloudflare.com/ips/ + - type: Allow + to: + dnsName: api.cloudflare.com + - type: Allow + to: + cidrSelector: 104.16.0.0/13 + - type: Allow + to: + cidrSelector: 172.64.0.0/13 + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/cloudflare-ddns/overlays/okd/kustomization.yaml b/kubernetes/cloudflare-ddns/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/cloudflare-ddns/overlays/okd/kustomization.yaml +++ b/kubernetes/cloudflare-ddns/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/cockroachdb/overlays/okd/egress-firewall.yaml b/kubernetes/cockroachdb/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..641f35aa5 --- /dev/null +++ b/kubernetes/cockroachdb/overlays/okd/egress-firewall.yaml 
@@ -0,0 +1,16 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: cockroach-operator-system +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/cockroachdb/overlays/okd/kustomization.yaml b/kubernetes/cockroachdb/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/cockroachdb/overlays/okd/kustomization.yaml +++ b/kubernetes/cockroachdb/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/container-security/overlays/okd/egress-firewall.yaml b/kubernetes/container-security/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..a8649ed14 --- /dev/null +++ b/kubernetes/container-security/overlays/okd/egress-firewall.yaml 
@@ -0,0 +1,74 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: container-security-operator +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + # https://www.cloudflare.com/ips/ + # Cloudflare IP Ranges + - type: Allow + to: + cidrSelector: 104.24.0.0/14 + # Amazon IP Range + # https://ip-ranges.amazonaws.com/ip-ranges.json + - type: Allow + to: + cidrSelector: 52.44.0.0/15 + - type: Allow + to: + cidrSelector: 54.236.0.0/15 + # Google Range + # https://support.google.com/a/answer/10026322?hl=en + # https://www.gstatic.com/ipranges/goog.json + - type: Allow + to: + cidrSelector: 34.64.0.0/10 + - type: Allow + to: + dnsName: registry.arthurvardevanyan.com + - type: Allow + to: + dnsName: apps.okd.arthurvardevanyan.com + - type: Allow + to: + dnsName: cgr.dev + - type: Allow + to: + dnsName: docker.dragonflydb.io + - type: Allow + to: + dnsName: docker.io + - type: Allow + to: + dnsName: registry-1.docker.io + - type: Allow + to: + dnsName: ghcr.io + - type: Allow + to: + dnsName: gcr.io + - type: Allow + to: + dnsName: quay.io + - type: Allow + to: + dnsName: registry.access.redhat.com + - type: Allow + to: + dnsName: registry.developers.crunchydata.com + - type: Allow + to: + dnsName: registry.k8s.io + - type: Allow + to: + dnsName: registry.redhat.io + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/container-security/overlays/okd/kustomization.yaml b/kubernetes/container-security/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/container-security/overlays/okd/kustomization.yaml +++ b/kubernetes/container-security/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml 
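Review bot: `cidrSelector: 34.64.0.0/10`, `52.44.0.0/15`, `54.236.0.0/15` and `104.24.0.0/14` open a very large share of Google, AWS and Cloudflare address space to the scanner, and nothing says which registry's redirect target each block stands in for; since every registry is already listed by `dnsName`, each CIDR should carry a comment naming the registry it serves, e.g. `# quay.io blob redirects`, so it can be dropped when that registry moves. If the CIDRs exist because the node-side resolution behind `dnsName` lags what a pod sees for CDN-backed names, say so in the header comment, or a future cleanup will remove them as duplicates. `registry.arthurvardevanyan.com` and `apps.okd.arthurvardevanyan.com` are in-cluster names; a short note on why they leave the cluster network at all (presumably via the ingress VIP) would explain their presence.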
diff --git a/kubernetes/dragonfly-operator/overlays/okd/egress-firewall.yaml b/kubernetes/dragonfly-operator/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..65300433d --- /dev/null +++ b/kubernetes/dragonfly-operator/overlays/okd/egress-firewall.yaml @@ -0,0 +1,16 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: dragonfly-operator-system +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/dragonfly-operator/overlays/okd/kustomization.yaml b/kubernetes/dragonfly-operator/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/dragonfly-operator/overlays/okd/kustomization.yaml +++ b/kubernetes/dragonfly-operator/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/eclipse-che/overlays/okd/egress-firewall.yaml b/kubernetes/eclipse-che/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..0eea72a5a --- /dev/null +++ b/kubernetes/eclipse-che/overlays/okd/egress-firewall.yaml @@ -0,0 +1,16 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: eclipse-che-operator +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/eclipse-che/overlays/okd/kustomization.yaml b/kubernetes/eclipse-che/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/eclipse-che/overlays/okd/kustomization.yaml +++ b/kubernetes/eclipse-che/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml 
diff --git a/kubernetes/external-dns/overlays/okd/egress-firewall.yaml b/kubernetes/external-dns/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..072d1c4fc --- /dev/null +++ b/kubernetes/external-dns/overlays/okd/egress-firewall.yaml @@ -0,0 +1,28 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: external-dns +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Allow + to: + dnsName: pihole.okd.arthurvardevanyan.com + - type: Allow + to: + cidrSelector: 10.0.0.99/32 + - type: Allow + to: + dnsName: pihole.apps.okd.arthurvardevanyan.com + - type: Allow + to: + cidrSelector: 10.0.0.131/32 + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/external-dns/overlays/okd/kustomization.yaml b/kubernetes/external-dns/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/external-dns/overlays/okd/kustomization.yaml +++ b/kubernetes/external-dns/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/external-secrets-operator/overlays/okd/egress-firewall.yaml b/kubernetes/external-secrets-operator/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..0336c1001 --- /dev/null +++ b/kubernetes/external-secrets-operator/overlays/okd/egress-firewall.yaml @@ -0,0 +1,19 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: external-secrets-operator +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Allow + to: + dnsName: vault.apps.okd.arthurvardevanyan.com + - type: Deny + to: + cidrSelector: 0.0.0.0/0 
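Review bot: `cidrSelector: 10.0.0.99/32` and `cidrSelector: 10.0.0.131/32` are unlabelled here, while the argocd firewall in this patch calls 10.0.0.99 MicroShift; if these are the addresses behind the two pihole names listed beside them, a comment such as `# pihole.okd.arthurvardevanyan.com (resolved address)` should say so, because a dnsName rule and its CIDR twin drift apart silently when the host moves. Otherwise the list reads as complete for a controller that talks only to the API server and its DNS provider.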
diff --git a/kubernetes/external-secrets-operator/overlays/okd/kustomization.yaml b/kubernetes/external-secrets-operator/overlays/okd/kustomization.yaml index 10da45a30..4be9e4cae 100644 --- a/kubernetes/external-secrets-operator/overlays/okd/kustomization.yaml +++ b/kubernetes/external-secrets-operator/overlays/okd/kustomization.yaml @@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml components: - ../../components/helm diff --git a/kubernetes/gitea/overlays/okd/egress-firewall.yaml b/kubernetes/gitea/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..a772546c7 --- /dev/null +++ b/kubernetes/gitea/overlays/okd/egress-firewall.yaml @@ -0,0 +1,19 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: gitea +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Allow + to: + dnsName: truenas.arthurvardevanyan.com + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/gitea/overlays/okd/kustomization.yaml b/kubernetes/gitea/overlays/okd/kustomization.yaml index 1ed352291..7b4f20ab9 100644 --- a/kubernetes/gitea/overlays/okd/kustomization.yaml +++ b/kubernetes/gitea/overlays/okd/kustomization.yaml @@ -3,3 +3,4 @@ kind: Kustomization resources: - ../../base - route.yaml + - ./egress-firewall.yaml diff --git a/kubernetes/github-runners/base/arc-systems/egress-firewall.yaml b/kubernetes/github-runners/base/arc-systems/egress-firewall.yaml new file mode 100644 index 000000000..3cc55214a --- /dev/null +++ b/kubernetes/github-runners/base/arc-systems/egress-firewall.yaml 
@@ -0,0 +1,142 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: github-arc-systems +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + # GitHub Apis + # https://api.github.com/meta + - type: Allow + to: + dnsName: github.com + - type: Allow + to: + dnsName: api.github.com + - type: Allow + to: + dnsName: raw.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus1.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus2.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus3.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus4.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus5.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus6.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus7.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus8.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus9.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus10.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus11.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus12.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus13.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus14.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus15.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus16.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus17.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus18.actions.githubusercontent.com + - type: Allow + to: + dnsName: 
pipelinesghubeus19.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus20.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus21.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus22.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus23.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus24.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus25.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus26.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus27.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus28.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus29.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus30.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus31.actions.githubusercontent.com + - type: Allow + to: + cidrSelector: 140.82.112.0/20 + - type: Allow + to: + cidrSelector: 20.72.64.0/18 + - type: Allow + to: + cidrSelector: 20.253.0.0/17 + - type: Allow + to: + cidrSelector: 20.85.128.0/17 + - type: Allow + to: + cidrSelector: 185.199.108.0/22 + - type: Allow + to: + cidrSelector: 20.232.0.0/16 + - type: Allow + to: + cidrSelector: 20.150.82.0/24 + + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/github-runners/base/kustomization.yaml b/kubernetes/github-runners/base/kustomization.yaml index 9da3f4eed..25a10d517 100644 --- a/kubernetes/github-runners/base/kustomization.yaml +++ b/kubernetes/github-runners/base/kustomization.yaml @@ -8,6 +8,7 @@ resources: - ./arc-systems/network-policy.yaml - ./arc-systems/deployment.yaml - ./arc-systems/limit-range.yaml + - ./arc-systems/egress-firewall.yaml - ./runner-scale-sets/rbac.yaml - ./runner-scale-sets/secret.yaml - ./runner-scale-sets/namespace.yaml 
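Review bot: The 31 `pipelinesghubeusN.actions.githubusercontent.com` entries and the seven `cidrSelector` ranges are a hand-copied snapshot of `https://api.github.com/meta` and will silently drift as GitHub adds hosts or ranges; the runner-scale-sets file in the next hunk repeats the same list. Record when the snapshot was taken next to the existing link, e.g. `# snapshot of api.github.com/meta taken <DATE-PLACEHOLDER>; re-check before bumping runner versions`, so the next reviewer knows how stale it is. If the OVN-Kubernetes release in use accepts a leading `*.` wildcard in `dnsName`, a single `dnsName: "*.actions.githubusercontent.com"` would replace the enumerated entries, though it also widens the allow to every host under that zone, which should be weighed and documented. The comment `# GitHub Apis` should read `# GitHub APIs`.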
@@ -23,3 +24,4 @@ resources: - ./runner-scale-sets/runners/kfca.yaml - ./runner-scale-sets/runners/kfco.yaml - ./runner-scale-sets/limit-range.yaml + - ./runner-scale-sets/egress-firewall.yaml diff --git a/kubernetes/github-runners/base/runner-scale-sets/egress-firewall.yaml b/kubernetes/github-runners/base/runner-scale-sets/egress-firewall.yaml new file mode 100644 index 000000000..a3bf76992 --- /dev/null +++ b/kubernetes/github-runners/base/runner-scale-sets/egress-firewall.yaml 
@@ -0,0 +1,150 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: github-arc-runners +spec: + egress: + # GitHub Apis + # https://api.github.com/meta + - type: Allow + to: + dnsName: github.com + - type: Allow + to: + dnsName: api.github.com + - type: Allow + to: + dnsName: raw.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus1.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus2.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus3.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus4.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus5.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus6.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus7.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus8.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus9.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus10.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus11.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus12.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus13.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus14.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus15.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus16.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus17.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus18.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus19.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus20.actions.githubusercontent.com + - type: Allow + to: + 
dnsName: pipelinesghubeus21.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus22.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus23.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus24.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus25.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus26.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus27.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus28.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus29.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus30.actions.githubusercontent.com + - type: Allow + to: + dnsName: pipelinesghubeus31.actions.githubusercontent.com + - type: Allow + to: + dnsName: broker.actions.githubusercontent.com + - type: Allow + to: + dnsName: objects.githubusercontent.com + - type: Allow + to: + cidrSelector: 140.82.112.0/20 + - type: Allow + to: + cidrSelector: 20.72.64.0/18 + - type: Allow + to: + cidrSelector: 20.253.0.0/17 + - type: Allow + to: + cidrSelector: 20.85.128.0/17 + - type: Allow + to: + cidrSelector: 185.199.108.0/22 + - type: Allow + to: + cidrSelector: 20.232.0.0/16 + - type: Allow + to: + cidrSelector: 20.150.82.0/24 + # Golang + # https://support.google.com/a/answer/10026322?hl=en + # https://www.gstatic.com/ipranges/goog.json + - type: Allow + to: + dnsName: proxy.golang.org + - type: Allow + to: + cidrSelector: 142.250.0.0/15 # Google Range + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/grafana/overlays/okd/egress-firewall.yaml b/kubernetes/grafana/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..7dfb10b53 --- /dev/null +++ b/kubernetes/grafana/overlays/okd/egress-firewall.yaml 
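Review bot: `cidrSelector: 142.250.0.0/15 # Google Range` allows an entire Google /15 to the runner pods, far more than `proxy.golang.org` on the line above; since the dnsName rule already admits whatever that name resolves to, the CIDR only adds value if resolution is unreliable, and that reason should be stated in the comment or the rule dropped. The keep-alive firewall later in this commit allows the same /15 plus `172.217.0.0/16` next to `dnsName: storage.googleapis.com`, with the same concern. Unlike the arc-systems file, this namespace has no `# Control Plane` nodeSelector allow; if that is deliberate (runner pods must not reach the API server), a one-line comment saying so would stop someone re-adding it by analogy.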
@@ -0,0 +1,14 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: grafana +spec: + egress: + # Control Plane + - type: Allow + to: + dnsName: thanos-querier-openshift-monitoring.apps.okd.arthurvardevanyan.com + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/grafana/overlays/okd/kustomization.yaml b/kubernetes/grafana/overlays/okd/kustomization.yaml index 1ed352291..7d58139c7 100644 --- a/kubernetes/grafana/overlays/okd/kustomization.yaml +++ b/kubernetes/grafana/overlays/okd/kustomization.yaml @@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base - - route.yaml + - ./route.yaml + - ./egress-firewall.yaml diff --git a/kubernetes/heimdall/overlays/okd/egress-firewall.yaml b/kubernetes/heimdall/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..888d74361 --- /dev/null +++ b/kubernetes/heimdall/overlays/okd/egress-firewall.yaml @@ -0,0 +1,10 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: heimdall +spec: + egress: + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/heimdall/overlays/okd/kustomization.yaml b/kubernetes/heimdall/overlays/okd/kustomization.yaml index 3f62a6f37..f54da8ac4 100644 --- a/kubernetes/heimdall/overlays/okd/kustomization.yaml +++ b/kubernetes/heimdall/overlays/okd/kustomization.yaml @@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base - - route.yaml - - rbac.yaml + - ./route.yaml + - ./rbac.yaml + - ./egress-firewall.yaml diff --git a/kubernetes/homeassistant/overlays/okd/egress-firewall.yaml b/kubernetes/homeassistant/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..98ee8bbc2 --- /dev/null +++ b/kubernetes/homeassistant/overlays/okd/egress-firewall.yaml 
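Review bot: In the grafana file the `# Control Plane` comment sits above a `dnsName: thanos-querier-openshift-monitoring.apps.okd.arthurvardevanyan.com` rule, whereas in every other file in this commit it labels the `nodeSelector` rule for `node-role.kubernetes.io/control-plane`; either the comment is stale and should read `# Thanos Querier (cluster monitoring)`, or the control-plane allow was dropped by mistake. Worth confirming which, since anything in the grafana namespace that talks to the API server would be affected by a missing control-plane allow once the Deny rule is in place.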
@@ -0,0 +1,20 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: homeassistant +spec: + # Doesn't Apply to Network Attach Definitions Interface + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Allow + to: + dnsName: truenas.arthurvardevanyan.com + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/homeassistant/overlays/okd/kustomization.yaml b/kubernetes/homeassistant/overlays/okd/kustomization.yaml index 298a6a776..d2b9e1841 100644 --- a/kubernetes/homeassistant/overlays/okd/kustomization.yaml +++ b/kubernetes/homeassistant/overlays/okd/kustomization.yaml @@ -5,3 +5,4 @@ resources: - ./ingress.yaml - ./rbac.yaml - ./dns.yaml + - ./egress-firewall.yaml diff --git a/kubernetes/imagepuller/overlays/okd/egress-firewall.yaml b/kubernetes/imagepuller/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..73d051b7d --- /dev/null +++ b/kubernetes/imagepuller/overlays/okd/egress-firewall.yaml @@ -0,0 +1,16 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: kubernetes-imagepuller-operator +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/imagepuller/overlays/okd/kustomization.yaml b/kubernetes/imagepuller/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/imagepuller/overlays/okd/kustomization.yaml +++ b/kubernetes/imagepuller/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/influxdb/overlays/okd/egress-firewall.yaml b/kubernetes/influxdb/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..a73658474 --- /dev/null 
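Review bot: The `spec`-level comment `# Doesn't Apply to Network Attach Definitions Interface` is the most security-relevant line in the homeassistant file and deserves precise wording, because it means the Deny-all below covers only the primary pod interface. Suggest `# Only filters the primary (OVN) pod interface; traffic over the NetworkAttachmentDefinition secondary interface is not subject to this EgressFirewall` so a reader does not assume the namespace is fully locked down.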
+++ b/kubernetes/influxdb/overlays/okd/egress-firewall.yaml @@ -0,0 +1,10 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: influxdb +spec: + egress: + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/influxdb/overlays/okd/kustomization.yaml b/kubernetes/influxdb/overlays/okd/kustomization.yaml index 1ed352291..0985eebc4 100644 --- a/kubernetes/influxdb/overlays/okd/kustomization.yaml +++ b/kubernetes/influxdb/overlays/okd/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base - - route.yaml + - ./route.yaml diff --git a/kubernetes/keep-alive/overlays/okd/egress-firewall.yaml b/kubernetes/keep-alive/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..2496575ec --- /dev/null +++ b/kubernetes/keep-alive/overlays/okd/egress-firewall.yaml @@ -0,0 +1,22 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: keep-alive +spec: + egress: + # Google Range + # https://support.google.com/a/answer/10026322?hl=en + # https://www.gstatic.com/ipranges/goog.json + - type: Allow + to: + dnsName: storage.googleapis.com + - type: Allow + to: + cidrSelector: 142.250.0.0/15 + - type: Allow + to: + cidrSelector: 172.217.0.0/16 + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/keep-alive/overlays/okd/kustomization.yaml b/kubernetes/keep-alive/overlays/okd/kustomization.yaml index 1379f2df5..b52b77bc0 100644 --- a/kubernetes/keep-alive/overlays/okd/kustomization.yaml +++ b/kubernetes/keep-alive/overlays/okd/kustomization.yaml @@ -3,3 +3,4 @@ kind: Kustomization namespace: keep-alive resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/knative/overlays/okd/egress-firewall.yaml b/kubernetes/knative/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..eb6e421ce --- /dev/null +++ b/kubernetes/knative/overlays/okd/egress-firewall.yaml 
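Review bot: The influxdb kustomization hunk only rewrites `- route.yaml` to `- ./route.yaml`; unlike every other overlay in this commit it does not add `  - ./egress-firewall.yaml` to `resources`, so the new `kubernetes/influxdb/overlays/okd/egress-firewall.yaml` (Deny `0.0.0.0/0`) is never rendered and the influxdb namespace stays unfiltered. Add the resource entry (the hunk header would then be `@@ -2,4 +2,5 @@`), or drop the orphaned file if the namespace is meant to remain open.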
@@ -0,0 +1,33 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: knative-operator +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 +--- +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: knative-serving +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/knative/overlays/okd/kustomization.yaml b/kubernetes/knative/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/knative/overlays/okd/kustomization.yaml +++ b/kubernetes/knative/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/kube-eagle/overlays/default/kustomization.yaml b/kubernetes/kube-eagle/overlays/k3s/kustomization.yaml similarity index 100% rename from kubernetes/kube-eagle/overlays/default/kustomization.yaml rename to kubernetes/kube-eagle/overlays/k3s/kustomization.yaml diff --git a/kubernetes/kube-eagle/overlays/okd/egress-firewall.yaml b/kubernetes/kube-eagle/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..fab2243e9 --- /dev/null +++ b/kubernetes/kube-eagle/overlays/okd/egress-firewall.yaml @@ -0,0 +1,16 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: kube-eagle +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/kube-eagle/overlays/okd/kustomization.yaml b/kubernetes/kube-eagle/overlays/okd/kustomization.yaml index 8f9a7cb44..2f25eb0f3 100644 
--- a/kubernetes/kube-eagle/overlays/okd/kustomization.yaml +++ b/kubernetes/kube-eagle/overlays/okd/kustomization.yaml @@ -3,3 +3,4 @@ kind: Kustomization resources: - ../../base - ./network-policy.yaml + - ./egress-firewall.yaml diff --git a/kubernetes/kube-vip/overlays/okd/egress-firewall.yaml b/kubernetes/kube-vip/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..b0850096b --- /dev/null +++ b/kubernetes/kube-vip/overlays/okd/egress-firewall.yaml @@ -0,0 +1,16 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: kube-vip +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/kube-vip/overlays/okd/kustomization.yaml b/kubernetes/kube-vip/overlays/okd/kustomization.yaml index 3cbee7ec0..eac6ca809 100644 --- a/kubernetes/kube-vip/overlays/okd/kustomization.yaml +++ b/kubernetes/kube-vip/overlays/okd/kustomization.yaml @@ -4,6 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 resources: - ../../base - ./okd.yaml + - ./egress-firewall.yaml patches: - target: kind: DaemonSet diff --git a/kubernetes/kubevirt/overlays/okd/egress-firewall.yaml b/kubernetes/kubevirt/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..73453856f --- /dev/null +++ b/kubernetes/kubevirt/overlays/okd/egress-firewall.yaml @@ -0,0 +1,19 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: kubevirt-hyperconverged +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Allow + to: + dnsName: quay.io + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/kubevirt/overlays/okd/kustomization.yaml b/kubernetes/kubevirt/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 
--- a/kubernetes/kubevirt/overlays/okd/kustomization.yaml +++ b/kubernetes/kubevirt/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/kyverno/overlays/okd/egress-firewall.yaml b/kubernetes/kyverno/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..db45276a2 --- /dev/null +++ b/kubernetes/kyverno/overlays/okd/egress-firewall.yaml @@ -0,0 +1,16 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: kyverno +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/kyverno/overlays/okd/kustomization.yaml b/kubernetes/kyverno/overlays/okd/kustomization.yaml index f78f3b0f4..1ab30d277 100644 --- a/kubernetes/kyverno/overlays/okd/kustomization.yaml +++ b/kubernetes/kyverno/overlays/okd/kustomization.yaml @@ -3,3 +3,4 @@ kind: Kustomization namespace: kyverno resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/loki-operator/overlays/okd/egress-firewall.yaml b/kubernetes/loki-operator/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..803786cac --- /dev/null +++ b/kubernetes/loki-operator/overlays/okd/egress-firewall.yaml @@ -0,0 +1,16 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: loki-operator +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/loki-operator/overlays/okd/kustomization.yaml b/kubernetes/loki-operator/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/loki-operator/overlays/okd/kustomization.yaml 
+++ b/kubernetes/loki-operator/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/loki/base/network-policy.yaml b/kubernetes/loki/base/network-policy.yaml index f6e9eb27d..30dc62cb5 100644 --- a/kubernetes/loki/base/network-policy.yaml +++ b/kubernetes/loki/base/network-policy.yaml @@ -94,31 +94,31 @@ spec: podSelector: matchLabels: app: grafana ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-api-server - namespace: loki - annotations: - argocd.argoproj.io/sync-wave: "0" - labels: - app.kubernetes.io/instance: loki -spec: - podSelector: {} - policyTypes: - - Egress - egress: - - to: - - podSelector: - matchLabels: - app: openshift-kube-apiserver - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: openshift-kube-apiserver - ports: - - protocol: TCP - port: 6443 +# --- +# apiVersion: networking.k8s.io/v1 +# kind: NetworkPolicy +# metadata: +# name: allow-api-server +# namespace: loki +# annotations: +# argocd.argoproj.io/sync-wave: "0" +# labels: +# app.kubernetes.io/instance: loki +# spec: +# podSelector: {} +# policyTypes: +# - Egress +# egress: +# - to: +# - podSelector: +# matchLabels: +# app: openshift-kube-apiserver +# namespaceSelector: +# matchLabels: +# kubernetes.io/metadata.name: openshift-kube-apiserver +# ports: +# - protocol: TCP +# port: 6443 --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy 
@@ -157,24 +157,24 @@ spec: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: network-observability ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-truenas-egress - namespace: loki - annotations: - argocd.argoproj.io/sync-wave: "0" - labels: - app.kubernetes.io/instance: loki -spec: - policyTypes: - - Egress - podSelector: {} - egress: - - to: - - ipBlock: - cidr: 10.0.0.3/32 - ports: - - protocol: TCP - port: 9000 +# --- +# apiVersion: networking.k8s.io/v1 +# kind: NetworkPolicy +# metadata: +# name: allow-truenas-egress +# namespace: loki +# annotations: +# argocd.argoproj.io/sync-wave: "0" +# labels: +# app.kubernetes.io/instance: loki +# spec: +# policyTypes: +# - Egress +# podSelector: {} +# egress: +# - to: +# - ipBlock: +# cidr: 10.0.0.3/32 +# ports: +# - protocol: TCP +# port: 9000 diff --git a/kubernetes/loki/overlays/okd/egress-firewall.yaml b/kubernetes/loki/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..9b65f0aec --- /dev/null +++ b/kubernetes/loki/overlays/okd/egress-firewall.yaml @@ -0,0 +1,10 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: loki +spec: + egress: + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/loki/overlays/okd/kustomization.yaml b/kubernetes/loki/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/loki/overlays/okd/kustomization.yaml +++ b/kubernetes/loki/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/mariadb-galera/overlays/okd/egress-firewall.yaml b/kubernetes/mariadb-galera/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..346b3a8a5 --- /dev/null +++ b/kubernetes/mariadb-galera/overlays/okd/egress-firewall.yaml 
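Review bot: Both loki network-policy hunks (this one and the `allow-api-server` one above it) comment out NetworkPolicies instead of deleting them, and `kubernetes/minio-operator/base/network-policy.yaml` below does the same for `allow-internet-egress`; git history already preserves the removed objects, and commented-out manifests tend to be resurrected untested, so prefer removing the blocks outright. Separately, the `allow-truenas-egress` policy retired here allowed `10.0.0.3/32` on port `9000`, but the new `kubernetes/loki/overlays/okd/egress-firewall.yaml` added in the next hunk is a bare Deny of `0.0.0.0/0` with no matching Allow; if Loki still writes to that object store, the EgressFirewall will now block it, so either add an `Allow` for `cidrSelector: 10.0.0.3/32` or state in the commit why that path is no longer needed.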
@@ -0,0 +1,10 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: mariadb-galera +spec: + egress: + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/mariadb-galera/overlays/okd/kustomization.yaml b/kubernetes/mariadb-galera/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/mariadb-galera/overlays/okd/kustomization.yaml +++ b/kubernetes/mariadb-galera/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/minio-operator/base/network-policy.yaml b/kubernetes/minio-operator/base/network-policy.yaml index 0ec036be8..f8569c335 100644 --- a/kubernetes/minio-operator/base/network-policy.yaml +++ b/kubernetes/minio-operator/base/network-policy.yaml 
@@ -88,32 +88,32 @@ spec: protocol: UDP - port: 5353 protocol: TCP ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-internet-egress - namespace: minio-operator - annotations: - argocd.argoproj.io/sync-wave: "0" - labels: - app.kubernetes.io/instance: minio-operator -spec: - policyTypes: - - Egress - podSelector: - matchLabels: - app: console - app.kubernetes.io/instance: minio-operator-console - app.kubernetes.io/name: operator - egress: - - to: - - ipBlock: - cidr: 0.0.0.0/0 - except: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 +# --- +# apiVersion: networking.k8s.io/v1 +# kind: NetworkPolicy +# metadata: +# name: allow-internet-egress +# namespace: minio-operator +# annotations: +# argocd.argoproj.io/sync-wave: "0" +# labels: +# app.kubernetes.io/instance: minio-operator +# spec: +# policyTypes: +# - Egress +# podSelector: +# matchLabels: +# app: console +# app.kubernetes.io/instance: minio-operator-console +# app.kubernetes.io/name: operator +# egress: +# - to: +# - ipBlock: +# cidr: 0.0.0.0/0 +# except: +# - 10.0.0.0/8 +# - 172.16.0.0/12 +# - 192.168.0.0/16 --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy diff --git a/kubernetes/minio-operator/overlays/okd/egress-firewall.yaml b/kubernetes/minio-operator/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..a7a7f29e9 --- /dev/null +++ b/kubernetes/minio-operator/overlays/okd/egress-firewall.yaml @@ -0,0 +1,16 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: minio-operator +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/minio-operator/overlays/okd/kustomization.yaml b/kubernetes/minio-operator/overlays/okd/kustomization.yaml index 0985eebc4..7d58139c7 100644 --- a/kubernetes/minio-operator/overlays/okd/kustomization.yaml 
+++ b/kubernetes/minio-operator/overlays/okd/kustomization.yaml @@ -3,3 +3,4 @@ kind: Kustomization resources: - ../../base - ./route.yaml + - ./egress-firewall.yaml diff --git a/kubernetes/mongodb-operator/overlays/okd/egress-firewall.yaml b/kubernetes/mongodb-operator/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..faea21f39 --- /dev/null +++ b/kubernetes/mongodb-operator/overlays/okd/egress-firewall.yaml @@ -0,0 +1,16 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: mongodb-operator +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/mongodb-operator/overlays/okd/kustomization.yaml b/kubernetes/mongodb-operator/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/mongodb-operator/overlays/okd/kustomization.yaml +++ b/kubernetes/mongodb-operator/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/netbox/overlays/okd/egress-firewall.yaml b/kubernetes/netbox/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..f8b9b5faa --- /dev/null +++ b/kubernetes/netbox/overlays/okd/egress-firewall.yaml @@ -0,0 +1,19 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: netbox +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Allow + to: + dnsName: truenas.arthurvardevanyan.com + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/netbox/overlays/okd/kustomization.yaml b/kubernetes/netbox/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/netbox/overlays/okd/kustomization.yaml 
+++ b/kubernetes/netbox/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/network-observability/overlays/okd/egress-firewall.yaml b/kubernetes/network-observability/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..6f583992c --- /dev/null +++ b/kubernetes/network-observability/overlays/okd/egress-firewall.yaml @@ -0,0 +1,51 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: network-observability +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 +--- +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: network-observability-loki +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 + +--- +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: network-observability-privileged +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/network-observability/overlays/okd/kustomization.yaml b/kubernetes/network-observability/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/network-observability/overlays/okd/kustomization.yaml +++ b/kubernetes/network-observability/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/nextcloud/base/postgres/postgres.yaml b/kubernetes/nextcloud/base/postgres/postgres.yaml index 724cbd592..15713fd48 100644 
--- a/kubernetes/nextcloud/base/postgres/postgres.yaml +++ b/kubernetes/nextcloud/base/postgres/postgres.yaml @@ -61,7 +61,7 @@ spec: - ReadWriteOnce resources: requests: - storage: 10Gi + storage: 15Gi - name: repo2 s3: bucket: postgres @@ -76,7 +76,7 @@ spec: - ReadWriteOnce resources: requests: - storage: 5Gi + storage: 10Gi name: "" replicas: 2 resources: diff --git a/kubernetes/nextcloud/base/preview-cronjob.yaml b/kubernetes/nextcloud/base/preview-cronjob.yaml index 2aca5e8ef..17e1ea3ef 100644 --- a/kubernetes/nextcloud/base/preview-cronjob.yaml +++ b/kubernetes/nextcloud/base/preview-cronjob.yaml @@ -12,7 +12,7 @@ metadata: spec: schedule: "0 */3 * * *" concurrencyPolicy: Forbid - suspend: true + suspend: false startingDeadlineSeconds: 60 jobTemplate: spec: diff --git a/kubernetes/nextcloud/overlays/okd/egress-firewall.yaml b/kubernetes/nextcloud/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..7bd13b1cd --- /dev/null +++ b/kubernetes/nextcloud/overlays/okd/egress-firewall.yaml @@ -0,0 +1,45 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: nextcloud +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Allow + to: + dnsName: truenas.arthurvardevanyan.com + - type: Allow + to: + dnsName: nextcloud.arthurvardevanyan.com + - type: Allow + to: + cidrSelector: 10.0.0.131/32 + - type: Allow + to: + dnsName: nextcloud.com + - type: Allow + to: + dnsName: download.nextcloud.com + - type: Allow + to: + dnsName: s16.nextcloud.com + - type: Allow + to: + dnsName: x15.x10hosting.com + # GitHub Apis + # https://api.github.com/meta + - type: Allow + to: + dnsName: raw.githubusercontent.com + - type: Allow + to: + cidrSelector: 185.199.108.0/22 + - type: Deny + to: + cidrSelector: 0.0.0.0/0 
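Review bot: The `storage: 10Gi` → `15Gi` and `5Gi` → `10Gi` bumps in `postgres.yaml` and the `suspend: true` → `suspend: false` flip in `preview-cronjob.yaml` are unrelated to the EgressFirewall work the commit title describes, and the cronjob change in particular re-enables a scheduled job with no explanation. Land these as their own commit with a message saying why the job is being un-suspended and what capacity backs the PVC growth, so the firewall rollout can be reviewed and reverted independently.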
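Review bot: `dnsName: x15.x10hosting.com` and `dnsName: s16.nextcloud.com` are third-party hosts with no comment explaining which Nextcloud feature needs them, while the GitHub entries in the same file carry a `# GitHub Apis` / `https://api.github.com/meta` reference; add a similar comment above each, e.g. `# <PURPOSE-PLACEHOLDER> — remove when no longer needed`, so the allowlist stays auditable. `cidrSelector: 10.0.0.131/32` sits between the nextcloud dnsName entries with no label either; the same address is allowed in the external-dns firewall, so a comment naming what it is would help in both places.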
diff --git a/kubernetes/nextcloud/overlays/okd/kustomization.yaml b/kubernetes/nextcloud/overlays/okd/kustomization.yaml index 3f62a6f37..f54da8ac4 100644 --- a/kubernetes/nextcloud/overlays/okd/kustomization.yaml +++ b/kubernetes/nextcloud/overlays/okd/kustomization.yaml @@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base - - route.yaml - - rbac.yaml + - ./route.yaml + - ./rbac.yaml + - ./egress-firewall.yaml diff --git a/kubernetes/nmstate/overlays/okd/egress-firewall.yaml b/kubernetes/nmstate/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..d1dd5b57b --- /dev/null +++ b/kubernetes/nmstate/overlays/okd/egress-firewall.yaml @@ -0,0 +1,16 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: nmstate +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/nmstate/overlays/okd/kustomization.yaml b/kubernetes/nmstate/overlays/okd/kustomization.yaml index aee8cc1ec..a08f0e5a2 100644 --- a/kubernetes/nmstate/overlays/okd/kustomization.yaml +++ b/kubernetes/nmstate/overlays/okd/kustomization.yaml @@ -4,3 +4,4 @@ resources: - ../../base - ./network/nodeNetworkConfigurationPolicy.yaml - ./network/networkAttachmentDefinition.yaml + - ./egress-firewall.yaml diff --git a/kubernetes/observability-operator/overlays/okd/egress-firewall.yaml b/kubernetes/observability-operator/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..2694ece6c --- /dev/null +++ b/kubernetes/observability-operator/overlays/okd/egress-firewall.yaml 
@@ -0,0 +1,16 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: observability-operator +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/observability-operator/overlays/okd/kustomization.yaml b/kubernetes/observability-operator/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/observability-operator/overlays/okd/kustomization.yaml +++ b/kubernetes/observability-operator/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/openshift-logging/overlays/okd/egress-firewall.yaml b/kubernetes/openshift-logging/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..31e87f910 --- /dev/null +++ b/kubernetes/openshift-logging/overlays/okd/egress-firewall.yaml @@ -0,0 +1,16 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: openshift-logging +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/openshift-logging/overlays/okd/kustomization.yaml b/kubernetes/openshift-logging/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/openshift-logging/overlays/okd/kustomization.yaml +++ b/kubernetes/openshift-logging/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/photoprism/overlays/okd/egress-firewall.yaml b/kubernetes/photoprism/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..73ef6a229 --- /dev/null 
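Review bot: The openshift-logging EgressFirewall denies everything except the control-plane nodes, which blocks any ClusterLogForwarder output that targets an off-cluster sink. If the only outputs are in-cluster, state that in the file (`# Logs are forwarded in-cluster only; pod/service traffic is not subject to EgressFirewall`) so the policy documents the assumption it relies on; if an external sink exists, its host needs an Allow rule above the Deny. Forwarder output failures are easy to miss, so verifying the collector's own logs after rollout is worthwhile.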
+++ b/kubernetes/photoprism/overlays/okd/egress-firewall.yaml @@ -0,0 +1,19 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: photoprism +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Allow + to: + dnsName: truenas.arthurvardevanyan.com + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/photoprism/overlays/okd/kustomization.yaml b/kubernetes/photoprism/overlays/okd/kustomization.yaml index 1ed352291..7b4f20ab9 100644 --- a/kubernetes/photoprism/overlays/okd/kustomization.yaml +++ b/kubernetes/photoprism/overlays/okd/kustomization.yaml @@ -3,3 +3,4 @@ kind: Kustomization resources: - ../../base - route.yaml + - ./egress-firewall.yaml diff --git a/kubernetes/pihole/overlays/okd/egress-firewall.yaml b/kubernetes/pihole/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..862c3953a --- /dev/null +++ b/kubernetes/pihole/overlays/okd/egress-firewall.yaml @@ -0,0 +1,30 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: pihole +spec: + egress: + - type: Allow + to: + cidrSelector: 1.1.1.1/32 + - type: Allow + to: + cidrSelector: 1.0.0.1/32 + - type: Allow + to: + dnsName: unifi.arthurvardevanyan.com + - type: Allow + to: + cidrSelector: 10.0.0.1/32 + # GitHub Apis + # https://api.github.com/meta + - type: Allow + to: + dnsName: raw.githubusercontent.com + - type: Allow + to: + cidrSelector: 185.199.108.0/22 + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/pihole/overlays/okd/kustomization.yaml b/kubernetes/pihole/overlays/okd/kustomization.yaml index 9c3502621..540643f6e 100644 --- a/kubernetes/pihole/overlays/okd/kustomization.yaml +++ b/kubernetes/pihole/overlays/okd/kustomization.yaml 
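Review bot: The upstream-resolver allows for `1.1.1.1/32` and `1.0.0.1/32` in the pihole EgressFirewall are unrestricted by port, so a compromised Pi-hole pod could still use those hosts for arbitrary TCP egress; if Pi-hole only forwards DNS, add `ports: [{protocol: UDP, port: 53}, {protocol: TCP, port: 53}]` (853 instead if DoT is configured) to both rules. The `10.0.0.1/32` entry is uncommented while `unifi.arthurvardevanyan.com` is listed by name right above it; if both are the same gateway, drop one, otherwise add `# gateway/router` so the intent is explicit. The GitHub allows presumably serve the adlist/gravity refresh, which is worth a comment as well.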
@@ -2,9 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base - - ingress.yaml - - service.yaml - - dns.yaml + - ./ingress.yaml + - ./service.yaml + - ./dns.yaml + - ./egress-firewall.yaml patches: - target: kind: Statefulset diff --git a/kubernetes/postgres/components/applications/grafana/postgres.yaml b/kubernetes/postgres/components/applications/grafana/postgres.yaml index cba317763..71ba70c59 100644 --- a/kubernetes/postgres/components/applications/grafana/postgres.yaml +++ b/kubernetes/postgres/components/applications/grafana/postgres.yaml @@ -59,7 +59,7 @@ spec: - ReadWriteOnce resources: requests: - storage: 1Gi + storage: 2Gi - name: repo2 s3: bucket: postgres @@ -75,7 +75,7 @@ spec: - ReadWriteOnce resources: requests: - storage: 2Gi + storage: 4Gi name: "" replicas: 2 resources: diff --git a/kubernetes/postgres/overlays/okd/egress-firewall.yaml b/kubernetes/postgres/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..19f7e0d51 --- /dev/null +++ b/kubernetes/postgres/overlays/okd/egress-firewall.yaml @@ -0,0 +1,27 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: postgres +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Allow + to: + dnsName: truenas.arthurvardevanyan.com + # Cloudflare API Ips + # https://www.cloudflare.com/ips/ + - type: Allow + to: + cidrSelector: 104.16.0.0/13 + - type: Allow + to: + cidrSelector: 172.64.0.0/13 + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/postgres/overlays/okd/kustomization.yaml b/kubernetes/postgres/overlays/okd/kustomization.yaml index 97ab1a447..d8ab36a95 100644 --- a/kubernetes/postgres/overlays/okd/kustomization.yaml +++ b/kubernetes/postgres/overlays/okd/kustomization.yaml 
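Review bot: The two Cloudflare `/13` ranges in the postgres EgressFirewall (`104.16.0.0/13`, `172.64.0.0/13`) allow egress to every Cloudflare-fronted host on the internet, not just what this namespace needs; the comment says "Cloudflare API Ips" but nothing visible here calls the Cloudflare API, and the pgBackRest `repo2` S3 repo in the grafana postgres manifest touched in this same hunk suggests the real target is object storage (R2). If so, a `dnsName` rule for the account's storage endpoint (`<account-id>.r2.cloudflarestorage.com`) is far narrower and should replace the CIDRs, with the comment updated to name the backup repo as the consumer. Whatever the target, scope it with `ports: [{protocol: TCP, port: 443}]` so the rule cannot be reused for anything but HTTPS.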
@@ -5,3 +5,4 @@ resources: - ../../components/applications - ../../components/pg_dump - ../../components/pg_admin + - ./egress-firewall.yaml diff --git a/kubernetes/prometheus/overlays/okd/egress-firewall.yaml b/kubernetes/prometheus/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..96405f38d --- /dev/null +++ b/kubernetes/prometheus/overlays/okd/egress-firewall.yaml @@ -0,0 +1,34 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: prometheus +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Allow + to: + cidrSelector: 10.0.0.3/32 + - type: Allow + to: + cidrSelector: 10.0.0.99/32 + - type: Allow + to: + cidrSelector: 10.0.0.5/32 + - type: Allow + to: + cidrSelector: 10.0.0.107/32 + - type: Allow + to: + cidrSelector: 10.0.0.108/32 + - type: Allow + to: + cidrSelector: 10.0.0.109/32 + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/prometheus/overlays/okd/kustomization.yaml b/kubernetes/prometheus/overlays/okd/kustomization.yaml index 59408361d..f2a31df3c 100644 --- a/kubernetes/prometheus/overlays/okd/kustomization.yaml +++ b/kubernetes/prometheus/overlays/okd/kustomization.yaml @@ -4,5 +4,6 @@ resources: - ../../base - dns.yaml - route.yaml + - ./egress-firewall.yaml components: - ../../components/node-exporter diff --git a/kubernetes/quay/base/postgres/quay/postgres.yaml b/kubernetes/quay/base/postgres/quay/postgres.yaml index 111bb43e9..8c05bd111 100644 --- a/kubernetes/quay/base/postgres/quay/postgres.yaml +++ b/kubernetes/quay/base/postgres/quay/postgres.yaml @@ -62,7 +62,7 @@ spec: - ReadWriteOnce resources: requests: - storage: 10Gi + storage: 15Gi - name: repo2 s3: bucket: postgres @@ -77,7 +77,7 @@ spec: - ReadWriteOnce resources: requests: - storage: 5Gi + storage: 10Gi name: "" replicas: 2 resources: 
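Review bot: The six bare `/32` allows in the prometheus EgressFirewall (`10.0.0.3`, `10.0.0.99`, `10.0.0.5`, `10.0.0.107`–`10.0.0.109`) have no comments, so the list cannot be audited against the scrape configuration; `10.0.0.99` is annotated as MicroShift in the vault file in this same commit and each address here deserves the same treatment, e.g. `# MicroShift (node-exporter)`. If these are scrape targets only, a `ports:` stanza per rule (e.g. `ports: [{protocol: TCP, port: 9100}]` for a node exporter) would also stop a compromised Prometheus pod from using these hosts for anything else; the port numbers are not visible here, so take them from the scrape config.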
diff --git a/kubernetes/quay/overlays/okd/egress-firewall.yaml b/kubernetes/quay/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..cb8af066a --- /dev/null +++ b/kubernetes/quay/overlays/okd/egress-firewall.yaml 
@@ -0,0 +1,139 @@
+apiVersion: k8s.ovn.org/v1
+kind: EgressFirewall
+metadata:
+ name: default
+ namespace: quay
+spec:
+ egress:
+ # Control Plane
+ - type: Allow
+ to:
+ nodeSelector:
+ matchLabels:
+ node-role.kubernetes.io/control-plane: ""
+ - type: Allow
+ to:
+ dnsName: truenas.arthurvardevanyan.com
+ # https://www.cloudflare.com/ips/
+ # Cloudflare IP Ranges
+ - type: Allow
+ to:
+ cidrSelector: 104.24.0.0/14
+ # Amazon IP Range
+ # https://ip-ranges.amazonaws.com/ip-ranges.json
+ - type: Allow
+ to:
+ cidrSelector: 52.44.0.0/15
+ - type: Allow
+ to:
+ cidrSelector: 54.236.0.0/15
+ # Google Range
+ # https://support.google.com/a/answer/10026322?hl=en
+ # https://www.gstatic.com/ipranges/goog.json
+ - type: Allow
+ to:
+ cidrSelector: 34.64.0.0/10
+ # Akamai
+ - type: Allow
+ to:
+ cidrSelector: 172.105.78.0/24
+ - type: Allow
+ to:
+ cidrSelector: 172.105.78.12/32
+ - type: Allow
+ to:
+ dnsName: registry.arthurvardevanyan.com
+ - type: Allow
+ to:
+ dnsName: apps.okd.arthurvardevanyan.com
+ - type: Allow
+ to:
+ dnsName: cgr.dev
+ - type: Allow
+ to:
+ dnsName: docker.dragonflydb.io
+ - type: Allow
+ to:
+ dnsName: docker.io
+ - type: Allow
+ to:
+ dnsName: registry-1.docker.io
+ - type: Allow
+ to:
+ dnsName: ghcr.io
+ - type: Allow
+ to:
+ dnsName: gcr.io
+ - type: Allow
+ to:
+ dnsName: quay.io
+ - type: Allow
+ to:
+ dnsName: registry.access.redhat.com
+ - type: Allow
+ to:
+ dnsName: registry.developers.crunchydata.com
+ - type: Allow
+ to:
+ dnsName: registry.k8s.io
+ - type: Allow
+ to:
+ dnsName: registry.redhat.io
+ - type: Allow
+ to:
+ dnsName: security.access.redhat.com
+ # https://github.com/quay/quay-docs/blob/master/modules/clair-updater-urls.adoc
+ - type: Allow
+ to:
+ dnsName: secdb.alpinelinux.org
+ - type: Allow
+ to:
+ dnsName: deu1-dev1.alpinelinux.org
+ - type: Allow
+ to:
+ dnsName: repo.us-west-2.amazonaws.com
+ - type: Allow
+ to:
+ dnsName: cdn.amazonlinux.com
+ - type: Allow
+ to:
+ dnsName: cdn.amazonlinux.com
+ - type: Allow
+ 
to: + dnsName: deb.debian.org + - type: Allow + to: + dnsName: security-tracker.debian.org + - type: Allow + to: + dnsName: nvd.nist.gov + - type: Allow + to: + dnsName: linux.oracle.com + - type: Allow + to: + dnsName: packages.vmware.com + - type: Allow + to: + dnsName: support.novell.com + - type: Allow + to: + dnsName: security-metadata.canonical.com + - type: Allow + to: + dnsName: api.launchpad.net + - type: Allow + to: + dnsName: osv-vulnerabilities.storage.googleapis.com + # Golang + # https://support.google.com/a/answer/10026322?hl=en + # https://www.gstatic.com/ipranges/goog.json + - type: Allow + to: + dnsName: pkg.go.dev + - type: Allow + to: + cidrSelector: 34.128.0.0/10 + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/quay/overlays/okd/kustomization.yaml b/kubernetes/quay/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/quay/overlays/okd/kustomization.yaml +++ b/kubernetes/quay/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/stackrox-central/overlays/okd/egress-firewall.yaml b/kubernetes/stackrox-central/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..3189d19bc --- /dev/null +++ b/kubernetes/stackrox-central/overlays/okd/egress-firewall.yaml 
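Review bot: The CIDR allows in the quay EgressFirewall cover roughly four million addresses each for `34.64.0.0/10` and `34.128.0.0/10`, 131k each for `52.44.0.0/15` and `54.236.0.0/15`, and 262k for `104.24.0.0/14` of shared cloud space, so any attacker-controlled GCP, AWS or Cloudflare-fronted host remains reachable and the closing `Deny 0.0.0.0/0` does little against exfiltration. The `dnsName` rules already name the registries and Clair updater hosts, so each CIDR should say which hostname it backs (a CDN blob host the name rules miss, for instance) and be narrowed to the prefixes that host actually resolves into, or be dropped. Two smaller cleanups: `dnsName: cdn.amazonlinux.com` is listed twice, and `172.105.78.12/32` is already inside the `172.105.78.0/24` rule above it.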
@@ -0,0 +1,155 @@
+apiVersion: k8s.ovn.org/v1
+kind: EgressFirewall
+metadata:
+ name: default
+ namespace: stackrox
+spec:
+ egress:
+ # Control Plane
+ - type: Allow
+ to:
+ nodeSelector:
+ matchLabels:
+ node-role.kubernetes.io/control-plane: ""
+ - type: Allow
+ to:
+ dnsName: truenas.arthurvardevanyan.com
+ - type: Allow
+ to:
+ dnsName: microshift.arthurvardevanyan.com
+ - type: Allow
+ to:
+ dnsName: collector-modules.stackrox.io
+ - type: Allow
+ to:
+ dnsName: console.redhat.com
+
+ # https://www.cloudflare.com/ips/
+ # Cloudflare IP Ranges
+ - type: Allow
+ to:
+ cidrSelector: 104.16.0.0/13
+ - type: Allow
+ to:
+ cidrSelector: 104.24.0.0/14
+ # Amazon IP Range
+ # https://ip-ranges.amazonaws.com/ip-ranges.json
+ - type: Allow
+ to:
+ cidrSelector: 52.44.0.0/15
+ - type: Allow
+ to:
+ cidrSelector: 54.236.0.0/15
+ # Google Range
+ # https://support.google.com/a/answer/10026322?hl=en
+ # https://www.gstatic.com/ipranges/goog.json
+ - type: Allow
+ to:
+ cidrSelector: 34.64.0.0/10
+ # Akamai
+ - type: Allow
+ to:
+ cidrSelector: 172.105.78.0/24
+ - type: Allow
+ to:
+ cidrSelector: 23.40.100.0/24
+ - type: Allow
+ to:
+ cidrSelector: 172.105.78.12/32
+ - type: Allow
+ to:
+ dnsName: registry.arthurvardevanyan.com
+ - type: Allow
+ to:
+ dnsName: apps.okd.arthurvardevanyan.com
+ - type: Allow
+ to:
+ dnsName: cgr.dev
+ - type: Allow
+ to:
+ dnsName: docker.dragonflydb.io
+ - type: Allow
+ to:
+ dnsName: docker.io
+ - type: Allow
+ to:
+ dnsName: registry-1.docker.io
+ - type: Allow
+ to:
+ dnsName: ghcr.io
+ - type: Allow
+ to:
+ dnsName: gcr.io
+ - type: Allow
+ to:
+ dnsName: quay.io
+ - type: Allow
+ to:
+ dnsName: registry.access.redhat.com
+ - type: Allow
+ to:
+ dnsName: registry.developers.crunchydata.com
+ - type: Allow
+ to:
+ dnsName: registry.k8s.io
+ - type: Allow
+ to:
+ dnsName: registry.redhat.io
+ - type: Allow
+ to:
+ dnsName: security.access.redhat.com
+ # https://github.com/quay/quay-docs/blob/master/modules/clair-updater-urls.adoc
+ - 
type: Allow + to: + dnsName: secdb.alpinelinux.org + - type: Allow + to: + dnsName: deu1-dev1.alpinelinux.org + - type: Allow + to: + dnsName: repo.us-west-2.amazonaws.com + - type: Allow + to: + dnsName: cdn.amazonlinux.com + - type: Allow + to: + dnsName: cdn.amazonlinux.com + - type: Allow + to: + dnsName: deb.debian.org + - type: Allow + to: + dnsName: security-tracker.debian.org + - type: Allow + to: + dnsName: nvd.nist.gov + - type: Allow + to: + dnsName: linux.oracle.com + - type: Allow + to: + dnsName: packages.vmware.com + - type: Allow + to: + dnsName: support.novell.com + - type: Allow + to: + dnsName: security-metadata.canonical.com + - type: Allow + to: + dnsName: api.launchpad.net + - type: Allow + to: + dnsName: osv-vulnerabilities.storage.googleapis.com + # Golang + # https://support.google.com/a/answer/10026322?hl=en + # https://www.gstatic.com/ipranges/goog.json + - type: Allow + to: + dnsName: pkg.go.dev + - type: Allow + to: + cidrSelector: 34.128.0.0/10 + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/stackrox-central/overlays/okd/kustomization.yaml b/kubernetes/stackrox-central/overlays/okd/kustomization.yaml index 0a98491fa..2d1b67679 100644 --- a/kubernetes/stackrox-central/overlays/okd/kustomization.yaml +++ b/kubernetes/stackrox-central/overlays/okd/kustomization.yaml @@ -4,3 +4,4 @@ resources: - ../../base - route.yaml - scc.yaml + - ./egress-firewall.yaml diff --git a/kubernetes/tekton/overlays/operator/egress-firewall.yaml b/kubernetes/tekton/overlays/operator/egress-firewall.yaml new file mode 100644 index 000000000..53c3e9c45 --- /dev/null +++ b/kubernetes/tekton/overlays/operator/egress-firewall.yaml 
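Review bot: The stackrox EgressFirewall repeats the quay list wholesale — the Clair updater hosts under the `clair-updater-urls.adoc` comment, both Cloudflare ranges, and the duplicated `dnsName: cdn.amazonlinux.com` — although Central does not run Clair. StackRox Scanner normally fetches its vulnerability definitions from `definitions.stackrox.io`, which is absent from the list; if Central works after this change, that traffic is presumably being admitted by one of the provider-wide CIDRs (`34.64.0.0/10`, `104.16.0.0/13`), which hides the real dependency. Replace the copied Clair entries with the host(s) Scanner actually contacts plus a comment naming each, and trim the cloud CIDRs as in the quay file — in the namespace that holds the cluster's security tooling, an allowlist admitting every GCP and Cloudflare tenant defeats the purpose of the final Deny. `172.105.78.12/32` is also redundant with `172.105.78.0/24` here.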
@@ -0,0 +1,77 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: openshift-pipelines-operator +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Deny + to: + cidrSelector: 0.0.0.0/0 +--- +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: openshift-pipelines +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Allow + to: + dnsName: hook.pipelinesascode.com + # Amazon IP Range + # https://ip-ranges.amazonaws.com/ip-ranges.json + - type: Allow + to: + cidrSelector: 52.44.0.0/15 + - type: Allow + to: + cidrSelector: + 184.72.128.0/17 + # GitHub Apis + # https://api.github.com/meta + - type: Allow + to: + dnsName: github.com + - type: Allow + to: + dnsName: api.github.com + - type: Allow + to: + dnsName: raw.githubusercontent.com + - type: Allow + to: + cidrSelector: 140.82.112.0/20 + - type: Allow + to: + cidrSelector: 20.72.64.0/18 + - type: Allow + to: + cidrSelector: 20.253.0.0/17 + - type: Allow + to: + cidrSelector: 20.85.128.0/17 + - type: Allow + to: + cidrSelector: 185.199.108.0/22 + - type: Allow + to: + cidrSelector: 20.232.0.0/16 + - type: Allow + to: + cidrSelector: 20.150.82.0/24 + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/tekton/overlays/operator/kustomization.yaml b/kubernetes/tekton/overlays/operator/kustomization.yaml index d823ff41f..bfcf99fc2 100644 --- a/kubernetes/tekton/overlays/operator/kustomization.yaml +++ b/kubernetes/tekton/overlays/operator/kustomization.yaml @@ -6,6 +6,7 @@ resources: - ./operator.yaml - ./dashboard-readonly.yaml - ./kyverno.yaml + - ./egress-firewall.yaml components: - ../../components/okd - ../../components/gosmee 
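Review bot: In the openshift-pipelines EgressFirewall the AWS rule is written as `cidrSelector:` with `184.72.128.0/17` on the following line; YAML folds that into the same scalar so it parses, but it reads like a missing value and is inconsistent with every other rule in the commit — make it `cidrSelector: 184.72.128.0/17`. The GitHub CIDRs (`140.82.112.0/20`, the `20.x` Azure-hosted ranges, `185.199.108.0/22`, `20.150.82.0/24`) are a point-in-time copy of `api.github.com/meta`; since `github.com`, `api.github.com` and `raw.githubusercontent.com` are already allowed by name, each CIDR block needs a comment recording which `meta` section (hooks/web/api/actions) and date it was taken from, or it will silently go stale and either break Pipelines-as-Code or over-allow once GitHub reassigns the space. `hook.pipelinesascode.com` is presumably the relay used by the gosmee component listed in this overlay's kustomization; a comment tying the two together would explain why the controller namespace needs it.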
diff --git a/kubernetes/uptime-kuma/overlays/okd/egress-firewall.yaml b/kubernetes/uptime-kuma/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..7453822c2 --- /dev/null +++ b/kubernetes/uptime-kuma/overlays/okd/egress-firewall.yaml @@ -0,0 +1,50 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: uptime-kuma +spec: + egress: + # Cloudflare DNS + - type: Allow + to: + cidrSelector: 1.1.1.1/32 + - type: Allow + to: + cidrSelector: 1.0.0.1/32 + # Cloudflare API Ips (arthurvardevanyan.com) + # https://www.cloudflare.com/ips/ + - type: Allow + to: + cidrSelector: 104.16.0.0/13 + - type: Allow + to: + cidrSelector: 172.64.0.0/13 + # Modem + - type: Allow + to: + cidrSelector: 192.168.100.1/32 + - type: Allow + to: + dnsName: truenas.arthurvardevanyan.com + - type: Allow + to: + dnsName: www.arthurvardevanyan.com + - type: Allow + to: + dnsName: truenas.arthurvardevanyan.com + - type: Allow + to: + dnsName: unifi.arthurvardevanyan.com + - type: Allow + to: + dnsName: pihole.arthurvardevanyan.com + - type: Allow + to: + dnsName: api.okd.arthurvardevanyan.com + - type: Allow + to: + dnsName: apps.okd.arthurvardevanyan.com + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/uptime-kuma/overlays/okd/kustomization.yaml b/kubernetes/uptime-kuma/overlays/okd/kustomization.yaml index 1ed352291..7b4f20ab9 100644 --- a/kubernetes/uptime-kuma/overlays/okd/kustomization.yaml +++ b/kubernetes/uptime-kuma/overlays/okd/kustomization.yaml @@ -3,3 +3,4 @@ kind: Kustomization resources: - ../../base - route.yaml + - ./egress-firewall.yaml diff --git a/kubernetes/vault/overlays/okd/egress-firewall.yaml b/kubernetes/vault/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..4bb843ee2 --- /dev/null +++ b/kubernetes/vault/overlays/okd/egress-firewall.yaml 
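Review bot: `dnsName: truenas.arthurvardevanyan.com` appears twice in the uptime-kuma EgressFirewall; drop one. The comment on the Cloudflare rules says they are for `arthurvardevanyan.com`, but `104.16.0.0/13` and `172.64.0.0/13` admit every Cloudflare-proxied site on the internet, which for a pod with an internet-facing web UI is a wide exfiltration path; if the `www.arthurvardevanyan.com` monitor is the only reason, the `dnsName: www.arthurvardevanyan.com` rule already covers it and the CIDRs can go, otherwise the comment should name the Cloudflare-fronted targets that need them and the rules should carry `ports: [{protocol: TCP, port: 443}]`.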
@@ -0,0 +1,35 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: vault +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + # MicroShift + - type: Allow + to: + cidrSelector: 10.0.0.99/32 + - type: Allow + to: + dnsName: microshift.arthurvardevanyan.com + # Google Range + # https://support.google.com/a/answer/10026322?hl=en + # https://www.gstatic.com/ipranges/goog.json + - type: Allow + to: + dnsName: kms.googleapis.com + - type: Allow + to: + cidrSelector: 142.250.0.0/15 + - type: Allow + to: + cidrSelector: 172.217.0.0/16 + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/vault/overlays/okd/kustomization.yaml b/kubernetes/vault/overlays/okd/kustomization.yaml index 58f3af83b..02e7e7bd1 100644 --- a/kubernetes/vault/overlays/okd/kustomization.yaml +++ b/kubernetes/vault/overlays/okd/kustomization.yaml @@ -3,6 +3,7 @@ kind: Kustomization resources: - ../../base - network-policy.yaml + - ./egress-firewall.yaml components: - ../../components/ha - ../../components/singleton diff --git a/kubernetes/vault/overlays/okd/network-policy.yaml b/kubernetes/vault/overlays/okd/network-policy.yaml index 8a9a41255..399731d07 100644 --- a/kubernetes/vault/overlays/okd/network-policy.yaml +++ b/kubernetes/vault/overlays/okd/network-policy.yaml @@ -71,9 +71,15 @@ spec: app: vault egress: - to: + # https://support.google.com/a/answer/10026322?hl=en + # https://www.gstatic.com/ipranges/goog.json - ipBlock: - cidr: 0.0.0.0/0 - except: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 + cidr: 142.250.0.0/15 + # - ipBlock: + # cidr: 0.0.0.0/0 + # except: + # - 10.0.0.0/8 + # - 172.16.0.0/12 + # - 192.168.0.0/16 + - ipBlock: + cidr: 172.217.0.0/16 diff --git a/kubernetes/velero/overlays/okd/egress-firewall.yaml b/kubernetes/velero/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..0ccf71a54 --- /dev/null 
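Review bot: The vault EgressFirewall allows `kms.googleapis.com` by name and then also `142.250.0.0/15` and `172.217.0.0/16`; Google does not publish which prefixes `googleapis.com` answers from, so these two are a snapshot that is both too wide (every Google service in those ranges) and possibly incomplete (Google frontends are commonly also answered from 142.251.x, 216.58.x and 74.125.x space). If the dnsName rule works on its own, remove the CIDRs; if they exist because the NetworkPolicy in this same overlay needs IP blocks, say so in the comment so the two files stay in sync. The MicroShift allow is likewise given twice (`10.0.0.99/32` and `microshift.arthurvardevanyan.com`) — one is enough, and the comment should state why Vault talks to MicroShift at all.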
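Review bot: Narrowing the `app: vault` egress NetworkPolicy from "all public IPs" to just `142.250.0.0/15` and `172.217.0.0/16` is brittle in a way that matters for availability: `ipBlock` cannot follow DNS, and if `kms.googleapis.com` resolves outside those two prefixes the auto-unseal call fails, which after a restart leaves Vault sealed and every consumer of its secrets down. Either keep this policy at its previous coarse shape and let the EgressFirewall's `dnsName: kms.googleapis.com` rule (added in this commit) do the precise matching, or derive the block list from `goog.json` and document how it is refreshed. The six commented-out lines of the old rule should be deleted rather than left in place — git keeps the history, and dead YAML in a security policy invites someone to "just uncomment" it.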
+++ b/kubernetes/velero/overlays/okd/egress-firewall.yaml @@ -0,0 +1,19 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: velero +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Allow + to: + dnsName: truenas.arthurvardevanyan.com + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/velero/overlays/okd/kustomization.yaml b/kubernetes/velero/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/velero/overlays/okd/kustomization.yaml +++ b/kubernetes/velero/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml diff --git a/kubernetes/version-checker/base/network-policy.yaml b/kubernetes/version-checker/base/network-policy.yaml index a6203df48..567f69bb8 100644 --- a/kubernetes/version-checker/base/network-policy.yaml +++ b/kubernetes/version-checker/base/network-policy.yaml @@ -92,6 +92,24 @@ spec: --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy +metadata: + name: allow-ingress-egress + namespace: version-checker + annotations: + argocd.argoproj.io/sync-wave: "0" + labels: + app.kubernetes.io/instance: version-checker +spec: + policyTypes: + - Egress + podSelector: {} + egress: + - to: + - ipBlock: + cidr: 10.0.0.131/32 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy metadata: name: allow-internet-egress namespace: version-checker diff --git a/kubernetes/version-checker/overlays/okd/egress-firewall.yaml b/kubernetes/version-checker/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..7b8723a94 --- /dev/null +++ b/kubernetes/version-checker/overlays/okd/egress-firewall.yaml 
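Review bot: The new NetworkPolicy in version-checker is named `allow-ingress-egress` but declares `policyTypes: [Egress]` only and a single `ipBlock` of `10.0.0.131/32` — the name misstates what it does, and the address is uncommented (it appears equally uncommented in the nextcloud EgressFirewall in this commit). Rename it for what it allows, add a comment naming the host, and restrict the rule to the port actually used (`ports: [{protocol: TCP, port: <n>}]`), since an `ipBlock` with no `ports` grants every port on that host. `podSelector: {}` applies this to every pod in the namespace, which is fine for a single-deployment namespace but worth stating in the comment.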
@@ -0,0 +1,74 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: version-checker +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + # https://www.cloudflare.com/ips/ + # Cloudflare IP Ranges + - type: Allow + to: + cidrSelector: 104.24.0.0/14 + # Amazon IP Range + # https://ip-ranges.amazonaws.com/ip-ranges.json + - type: Allow + to: + cidrSelector: 52.44.0.0/15 + - type: Allow + to: + cidrSelector: 54.236.0.0/15 + # Google Range + # https://support.google.com/a/answer/10026322?hl=en + # https://www.gstatic.com/ipranges/goog.json + - type: Allow + to: + cidrSelector: 34.64.0.0/10 + - type: Allow + to: + dnsName: registry.arthurvardevanyan.com + - type: Allow + to: + dnsName: apps.okd.arthurvardevanyan.com + - type: Allow + to: + dnsName: cgr.dev + - type: Allow + to: + dnsName: docker.dragonflydb.io + - type: Allow + to: + dnsName: docker.io + - type: Allow + to: + dnsName: registry-1.docker.io + - type: Allow + to: + dnsName: ghcr.io + - type: Allow + to: + dnsName: gcr.io + - type: Allow + to: + dnsName: quay.io + - type: Allow + to: + dnsName: registry.access.redhat.com + - type: Allow + to: + dnsName: registry.developers.crunchydata.com + - type: Allow + to: + dnsName: registry.k8s.io + - type: Allow + to: + dnsName: registry.redhat.io + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/kubernetes/version-checker/overlays/okd/kustomization.yaml b/kubernetes/version-checker/overlays/okd/kustomization.yaml index 2333422e2..8a89936eb 100644 --- a/kubernetes/version-checker/overlays/okd/kustomization.yaml +++ b/kubernetes/version-checker/overlays/okd/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base + - ./egress-firewall.yaml 
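Review bot: The version-checker EgressFirewall admits `34.64.0.0/10`, `52.44.0.0/15`, `54.236.0.0/15` and `104.24.0.0/14` alongside explicit `dnsName` rules for every registry it polls; the CIDRs presumably stand in for the CDN/blob hosts the registry names redirect to, but as written they allow several million shared cloud addresses from a pod that only needs to make authenticated manifest requests. Name the redirect targets instead where they are stable hostnames, note in a comment which registry each remaining CIDR backs, and keep the CIDR list as short as the observed redirects require; if wildcard `dnsName` rules are supported on this OVN-Kubernetes version they are the cleaner answer. Scoping every rule with `ports: [{protocol: TCP, port: 443}]` would also close off non-HTTPS use of the allowed ranges.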
diff --git a/kubernetes/zitadel/overlays/okd/egress-firewall.yaml b/kubernetes/zitadel/overlays/okd/egress-firewall.yaml new file mode 100644 index 000000000..8a4d2626b --- /dev/null +++ b/kubernetes/zitadel/overlays/okd/egress-firewall.yaml @@ -0,0 +1,10 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: zitadel +spec: + egress: + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/okd/okd-configuration/overlays/okd/network.yaml b/okd/okd-configuration/overlays/okd/network.yaml index 3d3f973dd..5f9078a71 100644 --- a/okd/okd-configuration/overlays/okd/network.yaml +++ b/okd/okd-configuration/overlays/okd/network.yaml @@ -61,7 +61,7 @@ spec: syslogFacility: local0 type: OVNKubernetes managementState: Managed - useMultiNetworkPolicy: false + useMultiNetworkPolicy: true # migration: # mtu: # machine: diff --git a/okd/openshift-monitoring/base/egress-firewall.yaml b/okd/openshift-monitoring/base/egress-firewall.yaml new file mode 100644 index 000000000..a5a77c1ec --- /dev/null +++ b/okd/openshift-monitoring/base/egress-firewall.yaml @@ -0,0 +1,24 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default + namespace: alert-manager-discord +spec: + egress: + # Control Plane + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: "" + - type: Allow + to: + dnsName: discord.com + # https://www.cloudflare.com/ips/ + # Cloudflare IP Ranges + - type: Allow + to: + cidrSelector: 162.158.0.0/15 + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/okd/openshift-monitoring/base/kustomization.yaml b/okd/openshift-monitoring/base/kustomization.yaml index ee3725fd3..9cddb4fde 100644 --- a/okd/openshift-monitoring/base/kustomization.yaml +++ b/okd/openshift-monitoring/base/kustomization.yaml @@ -7,3 +7,4 @@ resources: - ./openshift-monitoring-cr-controller - ./rules.yaml - ./custom-rbac.yaml + - ./egress-firewall.yaml 
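Review bot: Flipping `useMultiNetworkPolicy` from `false` to `true` in the cluster Network operator config is a cluster-wide behavioural change unrelated to the EgressFirewall objects this commit introduces, and neither the title nor the file explains it; it enables the MultiNetworkPolicy API for secondary (Multus) networks such as the nmstate NetworkAttachmentDefinition in the nmstate overlay. If the intent is to filter those secondary interfaces too, the corresponding `MultiNetworkPolicy` objects should land alongside it, or the flag should move to its own commit with a message stating the goal; on its own it presumably changes nothing visible and is easy to forget.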
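Review bot: The alert-manager-discord EgressFirewall allows `discord.com` by name and then also `162.158.0.0/15`, a generic Cloudflare edge range behind which Discord is one of countless sites; if the CIDR exists because the dnsName rule alone was seen to miss Discord's rotating edge IPs, say so in the comment and scope it with `ports: [{protocol: TCP, port: 443}]`, otherwise drop it and rely on the name rule. The control-plane `nodeSelector` allow is also unexplained here — a relay that receives from Alertmanager and posts to Discord does not obviously need the API server; if it does (e.g. to read a Secret), a comment naming the call would justify keeping it.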
diff --git a/tekton/base/overlay-test.yaml b/tekton/base/overlay-test.yaml index 257c0d955..4d74d2ff6 100644 --- a/tekton/base/overlay-test.yaml +++ b/tekton/base/overlay-test.yaml @@ -113,7 +113,7 @@ spec: volumes: - name: tmp emptyDir: - sizeLimit: 10Mi + sizeLimit: 100Mi - name: test emptyDir: - sizeLimit: 10Mi + sizeLimit: 100Mi