manifests/infrastructure/celery-monitoring/network-policies.yaml

---
# Celery Monitoring Network Policies
# Port-forward and health check access to Flower with proper DNS/Redis connectivity
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: celery-flower-ingress
  namespace: celery-monitoring
spec:
  description: "Allow ingress to Flower from kubectl port-forward and health checks"
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: celery-flower
      app.kubernetes.io/component: monitoring
  ingress:
  # Allow kubectl port-forward access (from cluster nodes)
  - fromEntities:
    - cluster
    - host
    toPorts:
    - ports:
      - port: "5555"
        protocol: TCP

---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: celery-flower-egress
  namespace: celery-monitoring
spec:
  description: "Allow Flower to connect to Redis, DNS, and monitoring services"
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: celery-flower
      app.kubernetes.io/component: monitoring
  egress:
  # Allow all cluster-internal communication (like PieFed approach)
  # This is more permissive but still secure within the cluster
  - toEntities:
    - cluster
    - host
  

# Service access policy removed - using kubectl port-forward for local access
# Port-forward provides secure access without exposing the service externally
redaction (#1) Add the redacted source file for demo purposes Reviewed-on: https://source.michaeldileo.org/michael_dileo/Keybard-Vagabond-Demo/pulls/1 Co-authored-by: Michael DiLeo <michael_dileo@proton.me> Co-committed-by: Michael DiLeo <michael_dileo@proton.me> 2025-12-24 13:40:47 +00:00			`---`
			`# Celery Monitoring Network Policies`
			`# Port-forward and health check access to Flower with proper DNS/Redis connectivity`
			`apiVersion: cilium.io/v2`
			`kind: CiliumNetworkPolicy`
			`metadata:`
			`name: celery-flower-ingress`
			`namespace: celery-monitoring`
			`spec:`
			`description: "Allow ingress to Flower from kubectl port-forward and health checks"`
			`endpointSelector:`
			`matchLabels:`
			`app.kubernetes.io/name: celery-flower`
			`app.kubernetes.io/component: monitoring`
			`ingress:`
			`# Allow kubectl port-forward access (from cluster nodes)`
			`- fromEntities:`
			`- cluster`
			`- host`
			`toPorts:`
			`- ports:`
			`- port: "5555"`
			`protocol: TCP`

			`---`
			`apiVersion: cilium.io/v2`
			`kind: CiliumNetworkPolicy`
			`metadata:`
			`name: celery-flower-egress`
			`namespace: celery-monitoring`
			`spec:`
			`description: "Allow Flower to connect to Redis, DNS, and monitoring services"`
			`endpointSelector:`
			`matchLabels:`
			`app.kubernetes.io/name: celery-flower`
			`app.kubernetes.io/component: monitoring`
			`egress:`
			`# Allow all cluster-internal communication (like PieFed approach)`
			`# This is more permissive but still secure within the cluster`
			`- toEntities:`
			`- cluster`
			`- host`



			`# Service access policy removed - using kubectl port-forward for local access`
			`# Port-forward provides secure access without exposing the service externally`