redaction (#1)

Add the redacted source file for demo purposes Reviewed-on: https://source.michaeldileo.org/michael_dileo/Keybard-Vagabond-Demo/pulls/1 Co-authored-by: Michael DiLeo <michael_dileo@proton.me> Co-committed-by: Michael DiLeo <michael_dileo@proton.me>
2025-12-24 13:40:47 +00:00
parent 612235d52b
commit 7327d77dcd
333 changed files with 39286 additions and 1 deletions
--- a/manifests/infrastructure/cluster-policies/host-fw-worker-nodes.yaml
+++ b/manifests/infrastructure/cluster-policies/host-fw-worker-nodes.yaml
@@ -0,0 +1,199 @@
+# policies/host-fw-worker-nodes.yaml
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: "host-fw-worker-nodes"
+spec:
+  description: "Worker node firewall rules - more permissive for database workloads"
+  nodeSelector:
+    matchExpressions:
+    - key: node-role.kubernetes.io/control-plane
+      operator: DoesNotExist
+  ingress:
+  # Allow all cluster communication for database operations
+  - fromEntities:
+    - cluster
+    - remote-node
+    - host
+
+  # Allow PostgreSQL and Redis connections from anywhere in cluster
+  - fromEntities:
+    - cluster
+    toPorts:
+    - ports:
+      - port: "5432"
+        protocol: "TCP"  # PostgreSQL
+      - port: "6379"
+        protocol: "TCP"  # Redis
+
+  # Allow health check and monitoring ports
+  - fromEntities:
+    - cluster
+    toPorts:
+    - ports:
+      - port: "8000"
+        protocol: "TCP"  # CloudNativePG health endpoint
+      - port: "8080"
+        protocol: "TCP"
+      - port: "9187"
+        protocol: "TCP"  # PostgreSQL metrics
+      - port: "9443"
+        protocol: "TCP"  # CloudNativePG operator webhook server
+      - port: "10250"
+        protocol: "TCP"  # kubelet
+
+  # Allow kubelet access from VLAN for cluster operations
+  - fromCIDR:
+    - 10.132.0.0/24  # VLAN subnet
+    toPorts:
+    - ports:
+      - port: "10250"
+        protocol: "TCP"  # kubelet API
+
+  # HTTP and HTTPS access - allow from cluster and Tailscale network
+  # Tailscale network needed for Tailscale operator proxy pods (e.g., Kibana via MagicDNS)
+  - fromEntities:
+    - cluster
+  - fromCIDR:
+    - 100.64.0.0/10  # Tailscale CGNAT range - allow Tailscale services
+    toPorts:
+    - ports:
+      - port: "80"
+        protocol: "TCP"
+      - port: "443"
+        protocol: "TCP"
+
+  # Allow access to Talos API from Tailscale network, VLAN, and external IPs
+  # Restricted access (not world) for security - authentication still required
+  - fromCIDR:
+    - 100.64.0.0/10  # Tailscale CGNAT range
+    - 10.132.0.0/24  # VLAN subnet for node bootstrapping
+    - <NODE_1_EXTERNAL_IP>/32  # n1 external IP
+    - <NODE_2_EXTERNAL_IP>/32  # n2 external IP  
+    - <NODE_3_EXTERNAL_IP>/32  # n3 external IP
+  - fromEntities:
+    - cluster  # Allow cluster-internal access
+    toPorts:
+    - ports:
+      - port: "50000"
+        protocol: "TCP"
+      - port: "50001"
+        protocol: "TCP"
+
+  # Allow ICMP Ping
+  - icmps:
+    - fields:
+      - type: 8
+        family: IPv4
+      - type: 128
+        family: IPv6
+
+  # Allow cilium tunnel/health checks
+  - fromEntities:
+    - remote-node
+    toPorts:
+    - ports:
+      - port: "8472"
+        protocol: "UDP"
+      - port: "4240"
+        protocol: "TCP"
+
+  # Allow hubble communication
+  - fromEndpoints:
+    - matchLabels:
+        k8s-app: hubble-relay
+    toPorts:
+    - ports:
+      - port: "4244"
+        protocol: "TCP"
+
+  # NGINX Ingress Controller metrics port
+  - fromEntities:
+    - cluster
+    toPorts:
+    - ports:
+      - port: "10254"
+        protocol: "TCP"  # NGINX Ingress metrics
+
+  # OpenObserve metrics ingestion port  
+  - fromEntities:
+    - cluster
+    toPorts:
+    - ports:
+      - port: "5080"
+        protocol: "TCP"  # OpenObserve HTTP API
+
+  # Additional monitoring ports (removed unused Prometheus/Grafana ports)
+  # Note: OpenObserve is used instead of Prometheus/Grafana stack
+
+  egress:
+  # Allow all cluster communication (pods, services, nodes) - essential for CloudNativePG
+  - toEntities:
+    - cluster
+    - remote-node
+    - host
+
+  # Allow worker nodes to reach control plane services
+  - toEntities:
+    - cluster
+    - remote-node
+    toPorts:
+    - ports:
+      - port: "6443"
+        protocol: "TCP"  # Kubernetes API server
+      - port: "8000"
+        protocol: "TCP"  # CloudNativePG health endpoints
+      - port: "9443"
+        protocol: "TCP"  # CloudNativePG operator webhook
+      - port: "5432"
+        protocol: "TCP"  # PostgreSQL replication
+      - port: "9187"
+        protocol: "TCP"  # PostgreSQL metrics
+
+  # Allow access to control plane via VLAN for node bootstrapping
+  # Explicit VIP access ensures new nodes can reach kubeapi without network changes
+  - toCIDR:
+    - 10.132.0.0/24  # VLAN subnet for cluster bootstrapping (includes VIP)
+    - <VIP_IP>/32  # Explicit VIP for control plane kubeapi
+    - <NODE_1_IP>/32  # n1 VLAN IP (fallback)
+    toPorts:
+    - ports:
+      - port: "6443"
+        protocol: "TCP"  # Kubernetes API server
+      - port: "50000"
+        protocol: "TCP"  # Talos API
+      - port: "50001"
+        protocol: "TCP"  # Talos API trustd
+
+  # Allow DNS resolution
+  - toEndpoints:
+    - matchLabels:
+        k8s-app: kube-dns
+    toPorts:
+    - ports:
+      - port: "53"
+        protocol: "UDP"
+      - port: "53"
+        protocol: "TCP"
+
+  # Allow worker nodes to reach external services (OpenObserve, monitoring)
+  - toEntities:
+    - cluster
+    toPorts:
+    - ports:
+      - port: "5080"
+        protocol: "TCP"  # OpenObserve
+
+  # Allow outbound internet access for NTP, image pulls, etc.
+  - toEntities:
+    - world
+    toPorts:
+    - ports:
+      - port: "443"
+        protocol: "TCP"  # HTTPS
+      - port: "80"
+        protocol: "TCP"   # HTTP
+      - port: "53"
+        protocol: "UDP"   # DNS
+      - port: "123"
+        protocol: "UDP"   # NTP time synchronization